Navigating the Apache Server tab
The Apache Server tab displays some common parameters associated with the server. You can use the Apache Server tab to configure and maintain the Apache TLS server, including the certificate management. For more information, see Security-certificates.
To edit the server page title or redirection URL host, click Edit.
To generate new certificates:
- View the current certificate.
- Download the certificate CSR.
- Click Certificates to upload formal certificates.
- Click Restart Service to restart the Apache TLS service. You must restart the Apache TLS service after a certificate is uploaded or changed.
Apache TLS process and files
The Apache TLS software resides in a new BMC Defender directory at the file path installationDirectory\apache-tls, with the following subdirectories. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.
| Subdirectory | Description |
|---|---|
| bin | Contains: |
| conf | Contains the Apache configuration files. In particular, this directory contains the httpd.conf file, which is the central configuration file for this version of the Apache server. |
| doc | Contains special documentation for the Apache server |
| install | Contains special installation files that the BMC Defender configuration process uses |
| logs | Contains log files generated by the Apache TLS server, including the directory containing the access.log and the error.log files that are the standard log files for Apache servers |
| modules | Contains dynamically loaded Apache modules. The basic BMC Defender configuration of Apache does not load all of these modules. The required modules are listed in the httpd.conf file. All other modules in this directory are optional. |
| ssl | Contains the SSL configuration files for the Apache TLS server, including the .crt site certificate |
The Apache executable module, residing in the bin directory, is named CO-apache-tls.exe so that you can identify this process in the Windows Task Manager. There are generally two copies of this process executing, servicing HTTP requests at the port number specified when configuring the program.
Removing non-secure HTTP
With the enhanced encryption software installed, BMC Defender generally runs two different Apache servers. The CO-apache.exe program continues to listen to the standard port of 80 (a non-secure port specified during BMC Defender installation). The CO-apache-tls.exe program listens at the SSL port of 443 (a secure port specified during the Enhanced Encryption software installation).
In this configuration, four different Apache processes run on the BMC Defender Server and are visible in the Windows Task Manager.
To enhance security, you can permanently disable the non-secure Apache server and prevent it from starting when the node boots. The procedure for disabling this server is as follows:
- Log on to the BMC Defender Server web interface by using an admin type logon, and navigate to the System > Schedule window. (This window controls what processes are launched when the server program starts and stops.)
- In the System > Schedule window, delete the start and stop references for the installationDirectory\apache\CO-apache.exe program from the list of programs executed on startup. (Click Edit for the installationDirectory\apache\CO-apache.exe and then set the value to disable or delete the entry.)
- For added safety, you can delete or rename the installationDirectory\apache\CO-apache.exe file to make sure this process is not accidentally restarted. (Before you can modify this file, you must terminate the CO-apache.exe process, for example by using the Windows Task Manager or by first shutting down the BMC Defender Framework Service.)
After you perform this procedure, the BMC Defender Server is accessible only by using an https:// -type URL.
Permanently redirecting HTTP to HTTPS
As a final and optional step, the administrator can uncomment the directives at the bottom of the installationDirectory\conf\httpd.conf file to enable permanent redirection of all HTTP requests to secure HTTPS. The directives to redirect an HTTP request to an HTTPS request are clearly marked towards the bottom of the file, as follows:
```apache
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
</VirtualHost>
```
The preceding directives, which use the standard Apache rewrite engine functions, are generally commented out of the configuration so that the administrator must explicitly enable redirection.
After making the preceding changes, the administrator should stop and restart the Apache TLS service to force the server to re-read the configuration file. The operator can then test the system by accessing the site with http:// and verifying that the site redirects automatically to https://.
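The test described above can also be scripted. The following Python check is an added example, not part of the BMC documentation; the host name defender.example.test and the function names are placeholders. It sends one plain-HTTP request without following redirects and grades the answer, reporting a 302 as a warning because the `[R]` flag without a status code produces a temporary redirect.

```python
import http.client
import sys
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


def classify_redirect(status, location, host):
    """Grade one answer to a plain-HTTP request; returns (verdict, detail)."""
    if status not in PERMANENT | TEMPORARY:
        return "fail", f"HTTP {status}: port 80 answered without redirecting"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "fail", f"redirect target is not https: {location!r}"
    if (target.hostname or "").lower() != host.lower():
        return "warn", f"redirect points at another host: {location!r}"
    if status in TEMPORARY:
        # mod_rewrite's [R] flag without a status code sends 302.
        return "warn", f"HTTP {status} is a temporary redirect to {location}"
    return "ok", f"HTTP {status} permanent redirect to {location}"


def probe(host, path="/", port=80, timeout=5):
    """Send one GET over plain HTTP and grade it, without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"), host)
    except OSError as exc:
        # Expected when the non-secure server is disabled and nothing listens on 80.
        return "closed", f"no listener reachable on port {port}: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live check: python check.py <host>
        print(*probe(sys.argv[1]), sep=": ")
    else:                                      # constructed sample responses
        name = "defender.example.test"         # placeholder host name
        for status, loc in [(302, f"https://{name}/"), (301, f"https://{name}/"),
                            (200, None), (302, f"http://{name}/")]:
            print(status, loc, "->", *classify_redirect(status, loc, name))
```

A `closed` result is the expected outcome on a server where the non-secure Apache process has been disabled and no redirect listener is configured on port 80.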
