Disabling web server for the Web Console
You can disable the web server for the PCA Web Console. Disabling the web server prevents users from accessing the PCA Web Console.
To disable the web server for the Web Console:
- Run the following command.
tealeaf disable httpd
- If the Web Console is running, stop it using the following command.
tealeaf stop httpd
- If the previous command does not stop the HTTPd process, verify that no user has the Web Console open in a browser window.
- If you run the previous command without success, you can use the following command to stop any orphaned HTTPd processes:
  - Log in as root.
  - Run the following command:
  killall httpd
PortalStatus needs the web server to retrieve status information. If you disable the web server, PortalStatus is no longer able to retrieve the status information for the PCA.
Disabling Web Console access through port 8080
You can configure the PCA to disable the port for the PCA Web Console. By disabling the port, remote users cannot access the Web Console.
To turn off Web Console access via port 8080:
- Edit the file /usr/local/ctccap/etc/runtime.conf.
- Search for the following line:
httpd_port_enable=
- If the line does not exist, add it.
- Set the value after the equals sign to "NO". For example:
httpd_port_enable="NO"
- Save the file.
- The updated configuration file takes effect the next time the web server starts.
Enabling Web Console access through a single IP address
You can specify a single IP address which can access the Web Console. Limiting access to a single IP address helps to prevent unauthorized access through an unknown system.
To allow access to the Web Console from one IP address:
- Edit the file /usr/local/ctccap/etc/runtime.conf.
- Search for the following line:
httpd_console_allow_from=
- If the line does not exist, add it.
- Set the value after the equals sign to the IP address from which you would like to access the Web Console. For example:
httpd_console_allow_from=1.2.3.4
- The updated configuration file takes effect the next time the web server starts.
Applying authentication when accessing the Web Console
You can improve security by enabling authentication to the Web Console.
When you use the following procedure to restrict access to the Web Console, you must use the file name index.php when you access the Web Console's default page. For example, after you apply the following steps, the following URL is not displayed as the default Web Console page for the PCA 1.2.3.4.
http://1.2.3.4:8080/
You must specify the index.php page as follows.
http://1.2.3.4:8080/index.php
This restriction also applies to the following HTTPS access:
https://1.2.3.4:8443/index.php
To require username/password when you access the Web Console:
Create the Web Server user database file by using the following commands:
- Edit the file /usr/local/ctccap/etc/runtime.conf.
- Search the file for:
httpd_userauth_
- If the string is not present, add the following parameters to the end of the file. If these entries exist, edit them to the following values:
  - For Basic Authentication:
  httpd_userauth_enable="YES"
  httpd_userauth_realm="PCAv2"
  httpd_userauth_require="valid-user"
  httpd_userauth_type="Basic"
  Note: Values for httpd_userauth_enable must be in all capital letters, as in the previous example (YES).
  - For Digest Authentication:
  httpd_userauth_enable='YES'
  httpd_userauth_realm="PCAv2"
  httpd_userauth_require="valid-user"
  httpd_userauth_type="Digest"
  To generate a password:
  /usr/local/ctccap/bin/htdigest /usr/local/ctccap/etc/tealeaf-web.usersdigest "realm" "UserName"
  In the case where you are upgrading:
    - Compare /usr/local/ctccap/httpd.conf.default with /usr/local/ctccap/httpd.conf.
    - Copy LoadModule auth_digest_module libexec/mod_auth_digest.so to /usr/local/ctccap/httpd.conf.
    - Restart PCA.
- To add a user or change their password, use one of the following commands, replacing johndoe with the name of the new or existing user:
  With the following command, you are prompted to enter the new password when the command is run:
  Note: Use this method for creating passwords. If this method is not used, passwords cannot be longer than 8 characters.
  For Basic Authentication:
  /usr/local/ctccap/bin/htpasswd -m \
    /usr/local/ctccap/etc/tealeaf-web.users johndoe
  When the -b option is added, the password (mypassword) can be specified as part of the command:
  /usr/local/ctccap/bin/htpasswd -mb \
    /usr/local/ctccap/etc/tealeaf-web.users johndoe mypassword
  For Digest Authentication:
  /usr/local/ctccap/bin/htdigest \
    /usr/local/ctccap/etc/tealeaf-web.usersdigest "realm" "UserName"
- The changes mentioned in the previous command do not affect PortalStatus's use of the web server to retrieve status information.
- The updated configuration file takes effect the next time the Web Server starts.
Applying configuration changes immediately
You can apply configuration changes to your PCA by restarting the service.
To apply changes to the configuration file /usr/local/ctccap/etc/runtime.conf immediately, run the following commands to stop the web server and then start it.
- Run tealeaf stop httpd to stop the service.
- Run tealeaf start httpd to start the service.
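A check to run on a copy of runtime.conf before restarting the web server, covering the settings from the sections above. It is an added example, not part of the PCA documentation or tooling: conf_get and audit_runtime_conf are hypothetical names, and treating a missing allow-from address or missing authentication as a finding is this example's own policy.

```shell
#!/bin/sh
# Added example: audit the Web Console settings in a copy of runtime.conf.
# conf_get and audit_runtime_conf are hypothetical helper names.

# Print the last value assigned to key $1 in file $2, without its quotes.
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one line per finding; the return status is the number of findings.
audit_runtime_conf() {
    conf=$1; findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    port=$(conf_get httpd_port_enable "$conf")
    allow=$(conf_get httpd_console_allow_from "$conf")
    auth=$(conf_get httpd_userauth_enable "$conf")
    atype=$(conf_get httpd_userauth_type "$conf")

    # Informational only: the page treats closing port 8080 as optional.
    [ "$port" = "NO" ] || echo "INFO: Web Console port 8080 is not disabled"

    # The page describes one address; any other form is reported (assumption).
    case $allow in
        "") flag "httpd_console_allow_from is not set" ;;
        *[!0-9.]* | *.*.*.*.* | .* | *. | *..*)
            flag "httpd_console_allow_from is not one IPv4 address: $allow" ;;
        *.*.*.*) ;;
        *) flag "httpd_console_allow_from is not one IPv4 address: $allow" ;;
    esac

    # The value must be upper case YES, as the note on the page says.
    case $auth in
        YES) ;;
        [Yy][Ee][Ss]) flag "httpd_userauth_enable must be YES, found: $auth" ;;
        *) flag "httpd_userauth_enable is not YES" ;;
    esac
    if [ "$auth" = "YES" ]; then
        case $atype in
            Basic) echo "INFO: add users to etc/tealeaf-web.users" ;;
            Digest) echo "INFO: add users to etc/tealeaf-web.usersdigest" ;;
            *) flag "httpd_userauth_type must be Basic or Digest, found: $atype" ;;
        esac
    fi
    return "$findings"
}
```

Call it as audit_runtime_conf /path/to/copy/of/runtime.conf and read the FINDING lines; a status of 0 means none were reported.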