Apache (Linux)

Prerequisites

  1. Ensure that application/service users have the appropriate read/write permission to perform the CLM actions on the server device, if the access elevation is selected as None.
    When the access elevation is sudo or dzdo, all the commands used to perform the CLM operations will be executed with sudo or dzdo.
  2. Verify that the commands needing sudo or dzdo access have been enabled on the server.
  3. Ensure that the following packages are installed to facilitate device addition:
    • sudo/dzdo (optional, as per the access elevation selected)
    • timeout
    • base64
  4. Ensure that the target IP address is accessible from the cloud connector and the port is open.
  5. Make sure that the language setting for the Apache Server is set to English. Ensure that the sudo prompt string follows the standard Linux format, which is typically "[sudo] password for <your_username>:"
  6. Only certifiticates in .pem, .crt, and .cer formats and key files are discovered.
  7. SSH private keys cannot be used in conjunction with password-enabled sudo/dzdo settings. Therefore, if an SSH key is used for authentication, ensure that the sudo/dzdo configuration is set to passwordless.
  8. Certificates are not identified from the path that does not have the required permission such as 640 for the user. Ensure that the file is the same as configured in device addition; hence, configure the certificates in the config files with accessible path or change file permissions to make the files accessible.
  9. Verify the existence of httpd.conf file in the system by scanning from root directory. Use the command: find / -name “httpd.conf”.
  10. Check for the ServerRoot location in the httpd file. Make sure it holds forward slashes(/) as path separator as in other Linux-based file locations. (This might lead to failure in managing Apache server installed on the Windows machines).

Onboarding Apache (Linux) Server

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select Apache Linux from the Vendors list.
  5. In the Server details section, select/enter the details as follows.
    Table 1. Server Details - Field Description Table
    Fields Description
    *Server Type Select the Apache radio button.
    *Server name Enter the name of the designated Linux server.
    *IP address/FQDN Enter the IP address of the Apache Server or its fully qualified domain name (FQDN) that is to be onboarded.
    Data center Choose the desired data center.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Communication mode Select the SSH or SSM protocol to be used for communication between the AppViewX node and the Apache server. SSH is the preferred communication mode.
    *SSH Port Retain the value 22; it is the default port used for the SSH communication mode. (The field is not displayed for SSM communication mode.)
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, select/enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the Apache server device.
    If Communication mode = SSH the fields are as follows:
    Table 2. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - AppViewX
    • SSH
    Note:
    • If Credential list - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If SSH is selected, enter the *Username, *Upload key file, and enter the Passphrase for authentication.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 3. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - cloudAccount
    Note: If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values. (The field label changes to *Account Name if SSM is the communication mode)
    *Access key Enter the access key to login to the EC2 instance of the AWS cloud machine.
    *Secret key Enter the secret key to login to the EC2 instance of the AWS cloud machine.
    *: Mandatory fields
  7. In the Vendor Specific Details section, select/enter the details as indicated below.
    If Communication mode = SSH the fields are as follows:
    Table 4. Vendor Specific Details - Field Description Table
    Fields Description
    *Access Elevation Select from the following:.
    • sudo - to execute with root privileges using sudo access
    • dzdo - to execute with root privileges using dzdo access
    Note: SSH key-based authentication doesn't support password enabled sudo/dzdo.
    File Upload Temp Path This field is displayed when the Access Elevation = sudo or dzdo. Enter the temporary directory/path where certificates or keys are stored during certificate push actions.

    Example: /tmp/files

    Note: It is used as an intermediate location to store the actual keystore and then perform actions on the certificates in the keystore. The keystore is then moved back to the original location after performing the actions.
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 5. Vendor Specific Details - Field Description Table
    Fields Description
    *Region Enter the geographic region of the AWS instance.

    Example: us-east-2
    *Instance id Enter the unique identifier for an EC2 instance in AWS.

    It is required to perform actions or execute commands on a specific EC2 instance

    Example: i-02573cafcftext
    *SSM document name Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance.

    Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.
    *SSM document version Specify the version of the SSM document to be executed.

    Example: 1
    *S3 bucket name Enter the S3 bucket name used to store command output or logs executed in the EC2 instance.

    Example: avxdiscoverydocument-c2
    Proxy required Select the checkbox to enable the secure proxy service.
    Account number Enter the 12-digit AWS account number.

    Example: 012345678901
  8. In the Certificate details section, enter the details as indicated below.
    Table 6. Certificate Details - Field Description Table
    Fields Description
    Certificate location Enter the actual directory/path where certificates are stored in the Apache server.

    Example: /cert/files
    Key location Enter the actual directory/path where keys are stored in the Apache server.

    Example: /key/files
    Intermediate location Enter the temporary or intermediate directory/path where certificates and keys are stored in the Apache server.

    Example: /inter/files
  9. Click Add.
    Once the server is added successfully, the certificate location will be listed in the table.
  10. (optional step) Click the (Delete) icon, if you want to delete the certificate details from the list.
  11. Click Save.

Validating the Device

After the device is onboarded successfully, follow the steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified status in the Status column.
    The status column will have the value Managed/Monitored/Ignored if the connection is successful or displays Failed/Unresolved in case of failure.
  4. From the Status column, click the Managed/Monitored/Ignored/Failed/Unresolved.
    Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to know the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with the any of the following certificate actions: