Skip to main content

PCA administration

PCA administration

Configuring Web Console security

Disabling web server for the Web Console

You can disable the web server for the PCA Web Console. Disabling the web server prevents users from accessing the PCA Web Console.

To disable the web Server for the Web Console:

  1. Run the following command. 
    tealeaf disable httpd
  2. If the Web Console is running, stop it using the following command. 
    tealeaf stop httpd
    • If the previous command does not stop the HTTPd process, verify that no user has the Web Console open in a browser window.
    • If you run the previous command without success, you can use the following command to stop any orphaned HTTPd processes:
      1. Log in as root.
      2. Run the following command: 
        killall httpd
  3. PortalStatus needs the web server to retrieve status information. If you disable the web server, PortalStatus is no longer able to retrieve the status information for the PCA.

Disabling Web Console access through port 8080

You can configure the PCA to disable the port for the PCA Web Console. By disabling the port, remote users cannot access the Web Console.

To turn off Web Console access via port 8080:

  1. Edit file /usr/local/ctccap/etc/runtime.conf.
  2. Search for the following line: 
    httpd_port_enable=
  3. If the line does not exist, add it.
  4. Set the value after the equals sign to "NO".
    For example: 
    httpd_port_enable="NO"
  5. Save the file.
  6. The updated configuration file takes effect the next time the web server starts.

Enabling Web Console access through a single IP address

You can specify a single IP address which can access the Web Console. Limiting access to a single IP address helps to prevent unauthorized access through an unknown system.

To allow access to the Web Console from one IP address:

  1. Edit the file /usr/local/ctccap/etc/runtime.conf.
  2. Search for the following line: 
    httpd_console_allow_from=
  3. If the line does not exist, add it.
  4. Set the value after the equals sign to the IP address from which you would to access the Web Console.
    For example: 
    httpd_console_allow_from=1.2.3.4
  5. The updated configuration file takes effect the next time the web server starts.

Applying authentication when accessing the Web Console

You can improve security by enabling authentication to the Web Console.

When you use the following procedure to restrict access to the Web Console, you must use the file name index.php when you access the Web Console's default page. For example, after you apply the following steps, the following URL is not displayed as the default Web Console page for the PCA 1.2.3.4.

http://1.2.3.4:8080/

You must specify the index.php page as follows.

http://1.2.3.4:8080/index.php

This restriction also applies to following HTTPS access:

https://1.2.3.4:8443/index.php

To require username/password when you access the Web Console:

Create the Web Server user database file by using the following commands:

  1. Edit the file /usr/local/ctccap/etc/runtime.conf.
  2. Search the file for: 
    httpd_userauth_
  3. If the string is not present, add the following parameters to the end of the file. If these entries exist, edit them to the following values:
    1. For Basic Authentication: 
      
httpd_userauth_enable="YES"
httpd_userauth_realm="PCAv2"
httpd_userauth_require="valid-user"
httpd_userauth_type="Basic"
      Note: Values for httpd_userauth_enable must be in all capital letters, as in the previous example (YES).
    2. For Digest Authentication: 
      
httpd_userauth_enable='YES'
httpd_userauth_realm="PCAv2"
httpd_userauth_require="valid-user"
httpd_userauth_type="Digest"
      To generate password: 
      /usr/local/ctccap/bin/htdigest 
/usr/local/ctccap/etc/tealeaf-web.usersdigest "realm" "UserName"
      In the case where you are upgrading:
      1. Compare 
        /usr/local/ctccap/httpd.conf.default
        with 
        /usr/local/ctccap/httpd.conf
      2. copy LoadModule auth_digest_module libexec/mod_auth_digest.so to /usr/local/ctccap/httpd.conf.
      3. Restart PCA.
  4. To add a user or change their password, use one of the following commands, replacing johndoe with the name of the new or existing user:

    With the following command, you are prompted to enter the new password when the command is run:

    Note: Use this method for creating passwords. If this method is not used, passwords cannot be longer than 8 characters.
    For Basic Authority: 
    /usr/local/ctccap/bin/htpasswd -m \
/usr/local/ctccap/etc/tealeaf-web.users johndoe
    When the -b option is added, the password (mypassword) can be specified as part of the command: 
    /usr/local/ctccap/bin/htpasswd -mb \
/usr/local/ctccap/etc/tealeaf-web.users johndoe mypassword
    For Digest Authority: 
    
/usr/local/ctccap/bin/htdigest \
/usr/local/ctccap/etc/tealeaf-web.usersdigest "realm" "UserName"
  5. The changes mentioned in the previous command do not affect PortalStatus's use of the web server to retrieve status information.
  6. The updated configuration file takes effect the next time the Web Server starts.

Applying configuration changes immediately

You can apply configuration changes to your PCA by restarting the service.

To apply changes to the configuration file /usr/local/ctccap/etc/runtime.conf immediately, run the following commands to stop the web server and then start it.

  1. Run tealeaf stop httpd to stop the service.
  2. Run tealeaf start httpd to start the service.

Related articles

community icon

Join the community

Ask questions, share best practices, and connect with fellow marketers.

Ask a question

Academy

Read how-to articles, guides, and more to help you on the path to success.

Learn more