Skip to content
CA Single Sign-On - 12.52 SP1
Documentation powered by DocOps

How to Configure an Apache Reverse Proxy Server

Last update August 29, 2016

You can configure an Apache web server to function as a reverse proxy server with any CA Single Sign-On agent. The following process lists the steps for configuring an Apache reverse proxy server:

Update the Apache Web Server Configuration File

Update the configuration file of Apache web server to make the Apache web server function as a reverse proxy server with a CA Single Sign-On agent.

Follow these steps:

  1. Open the httpd.conf file available at the following location:

  2. Add the following directives to the httpd.conf file:
    Allows mapping of remote servers to the local server. The values in this directive use the format /local_virtual_pathpartial_URL_of_remote_server. Example:

    ProxyPass /realma/

    Allows adjustment of the location header by the Apache server on HTTP redirect responses. The values in this directive use the following format /local_virtual_pathpartial_URL_of_remote_server. Example:

    ProxyPassReverse /realma/

  3. For the Apache web server, add the following ProxyPass settings to the configuration file.

    # SiteMinder Administrative UI

    <Location "/iam/siteminder/">

       <IfModule proxy_module>

          ProxyPass http://hostname:port/iam/siteminder/

          ProxyPassReverse http://hostname:port/iam/siteminder/

    # Alternate unavailable page

      ErrorDocument 503 /siteminderagent/adminui/HTTP_SERVICE_UNAVAILABLE.html
    # CA Styles r5.1.1
    <Location "/castylesr5.1.1/">

       <IfModule proxy_module>

          ProxyPass http://hostname:port/castylesr5.1.1/

          ProxyPassReverse http://hostname:port/castylesr5.1.1/


    hostname:port refers to the host and port of the application server running the Administrative UI.

  4. Uncomment the following line in the configuration file.

    LoadModule proxy_module modules/
  5. Save and close the configuration file.
  6. Restart the Apache web server.

Update the Agent Configuration Parameters for an Agent

For Apache-based servers behind the Apache reverse proxy server, update the following agent configuration parameters.

Follow these steps:

  1. Set the ProxyAgent parameter to yes. This parameter specifies if a Web Agent is acting as a reverse proxy agent. The default is No.

    When the value of this parameter is yes, the CA Single Sign-On agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

  2. Set the ProxyTimeout parameter. This parameter specifies the number of seconds the reverse proxy server waits for the agent that is deployed behind it to respond to a request. The default value is 120 seconds.
  3. (Optional) Set the ProxyTrust parameter. This parameter instructs the agent on a destination server to trust authorizations received from a CA SSO agent on a proxy server. A destination server is a server that is behind a reverse proxy server. 

    Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does 
    not contact the Policy Server again to reauthorize users. The default value is No.
  4. Edit the BadURLChars parameter by removing all occurrences of the percent character (%)  from the list:

  5. Set the httpsports parameter to indicate to the Apache server which port is set up for SSL.
  6. Restart the Apache web server.

Was this helpful?

Please log in to post comments.