Customizing the HTTP Proxy Configuration
Typically, a Unix/Linux system running the Server Suite Agent for *NIX is located on a private network. By default, the agent uses the Cloud Connector as an HTTP proxy server for connecting to the Cloud Connector to, for example, perform multi-factor authentication.
However, you may prefer to reconfigure the agent to use a different proxy server. The following sections explain how to do that.
Requirements
The configuration described in these sections requires the following conditions:
- The HTTP proxy server is used only for communication between the agent and the Delinea Platform. It does not provide proxy services for another purpose.
- All of the Agents must use the same proxy server.
- You have installed DirectControl on the system.
Also note the following points:
- All of the agents use a single proxy server configuration (multiple configurations are not supported).
- The machine password keytab must contain at least two versions of the key.
- This proxy server configuration supports all zone types.
- The information in the following sections does not apply to Mac OS X.
Configure the Agent to Use a Custom HTTP Server
To configure the Agent to use a custom HTTP proxy server, use the following command syntax:
adwebproxyconf --set,-S [--username,-u <username>]
[--password, -p <password>] [--machine,-m]
[--server,-s <servername:port|"">]
[--authreq,-r <true|false|"">] [--authtype,-t <type>],
'--version,-v','--help,-h' and '--verbose,-V'
For example, enter the following command (replacing the angle brackets and placeholders with actual values):
adwebproxyconf --set --username <username>
--password <password> --server <servername:port>
--authreq <true> --authtype <type>
Change the value of adclient.cloud.direct.connection to false.
Verify that the new configuration works. Enter:
adwebproxyconf --test --cip <cip url>
--server <servername:port>
For more information, see Command Reference.
HTTP Proxy Credential Local Storage
This section describes how the HTTP proxy credentials are stored locally on the Unix/Linux system that’s running the agent.
The HTTP proxy credentials are stored only locally, in the file /var/centrifydc/httpproxy.cred
This httpproxy.cred file is readable and writable only by root.
For security, remove httpproxy.cred from the system when you remove the system from the domain.
For security, the proxy user's password is encrypted before being stored in httpproxy.cred.
Password Encryption
The proxy user's password is encrypted using the system's principal key, which is normally stored in /etc/krb5.keytab.
The latest key in the keytab is used to encrypt the password. By default, the encryption type is AES256-CTS-HMAC-SHA1-96.
If the key for a particular encryption type is not available, the Agent uses the next preferred and available encryption type that has a key in the system’s keytab file.
When the system password changes, the agent uses the new key to re-encrypt the proxy server password. The system keytab file keeps the two latest versions of the key.
If the Agent on the Unix/Linux system has FIPS Mode enabled, only a FIPS-compliant encryption type is allowed to encrypt the proxy credential password.
If a password is encrypted with a non-FIPS-compliant encryption type, the agent will not be able to decrypt it, even if the machine keytab contains a valid key. If that happens, set the proxy password again so that it is encrypted using a FIPS-compliant encryption type.
Encrypted Password Storage
The encrypted password and related information are represented in ASN.1 as shown below and encoded using the ASN.1 Basic Encoding Rules (BER) as described in Section 5.1 of RFC 4511, the LDAP protocol specification (https://www.ietf.org/rfc/rfc4511.txt):
username STRING,
kvno UInt32,
etype Int32,
cipher OCTET_STRING
}
Int32 ::= INTEGER (-2147483648..2147483647) -- signed values representable in 32 bits
UInt32 ::= INTEGER (0..4294967295) -- unsigned 32 bit values
Where:
- username: The proxy user's name.
- kvno: The version number of the key under which the data is encrypted.
- etype: The encryption type used to encrypt the cipher. The encryption type number MUST be a type that is supported by the Kerberos protocol.
- cipher: The encrypted password.
Local Machine Account Support
When the local machine account is used for proxy authentication, the username is S-1-5-18 (the Local System SID) and the cipher field is a zero-length octet string.
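As an added example (not Delinea's or the agent's own code), the following Python encodes and decodes a record with the four fields described above, including the zero-length cipher for the S-1-5-18 machine-account case, and models the keytab/FIPS decryptability rule from the Password Encryption section. It assumes the record is a BER SEQUENCE (the page shows the closing brace but not the type name) and that STRING is a UTF-8 OCTET STRING as in RFC 4511; the etype numbers 17, 18 and 23 are the standard Kerberos assignments, and the sample values are constructed.

```python
# Added example, not Delinea's code: BER encode/decode of the httpproxy.cred record
# described above. Assumed: the record is a SEQUENCE (page shows the closing brace but
# not the type name) and "STRING" is a UTF-8 OCTET STRING as in RFC 4511.
FIPS_ETYPES = {17, 18}          # aes128/aes256-cts-hmac-sha1-96 (RFC 3962)
LOCAL_MACHINE_SID = "S-1-5-18"  # username recorded for the local machine account
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:                # short-form length
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload

def _ber_int(v):
    # Minimal two's-complement length (X.690 8.3); covers the Int32 and UInt32 ranges.
    n = ((v if v >= 0 else -v - 1).bit_length() + 8) // 8
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def encode_cred(username, kvno, etype, cipher):
    if not 0 <= kvno <= 0xFFFFFFFF or not -2**31 <= etype < 2**31:
        raise ValueError("kvno must be UInt32 and etype Int32")
    if username == LOCAL_MACHINE_SID and cipher:
        raise ValueError("machine-account record must have a zero-length cipher")
    body = _tlv(0x04, username.encode()) + _ber_int(kvno) + _ber_int(etype) + _tlv(0x04, cipher)
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:               # long-form length: low bits give the byte count
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def decode_cred(blob):
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single BER SEQUENCE")
    vals, pos = [], 0
    for want in (0x04, 0x02, 0x02, 0x04):   # username, kvno, etype, cipher
        tag, val, pos = _read_tlv(body, pos)
        if tag != want:
            raise ValueError("unexpected tag 0x%02x" % tag)
        vals.append(val)
    kvno, etype = (int.from_bytes(v, "big", signed=True) for v in vals[1:3])
    return {"username": vals[0].decode(), "kvno": kvno, "etype": etype, "cipher": vals[3]}

def can_decrypt(cred, keytab_keys, fips_mode=False):
    # keytab_keys: {(kvno, etype)} held in /etc/krb5.keytab. Under FIPS mode a non-FIPS
    # etype is refused even when the matching key exists, as the text above describes.
    if fips_mode and cred["etype"] not in FIPS_ETYPES:
        return False
    return (cred["kvno"], cred["etype"]) in keytab_keys
```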
Command Reference
adwebproxyconf
The adwebproxyconf command configures the HTTP proxy server settings and credentials on the local system. Typical use cases are:
- Set up the HTTP proxy credential to be used by the agent.
- Delete the HTTP proxy credentials.
- Get information about the HTTP proxy credentials.
- Test the proxy connection using the configured credentials.
- Test the proxy connection using the supplied credentials.
Requirements
- Only root can run this command.
- To run, the system must have joined a zone.
Synopsis
adwebproxyconf --set,-S [--username,-u <username>]
[--password,-p <password>] [--machine,-m]
[--server,-s <servername:port|"">]
[--authreq,-r <true|false|"">]
[--authtype,-t <basic|digest|ntlm|negotiate|anyauth|"">],
'--version,-v','--help,-h' and '--verbose,-V'
adwebproxyconf --delete,-D
adwebproxyconf --list,-L
adwebproxyconf --test,-T <--cip,-c <cip url>>
[--server,-s <servername:port>]
[--username,-u <username>]
[--password,-p <password>] [--machine,-m]
Command Options
--set,-S
Set the HTTP proxy server and credentials for the local system. After using adwebproxyconf -S, use adreload to force the agent process (adclient) to reload the configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory.
--delete,-D
Delete the HTTP proxy credentials from the local computer and reset the HTTP Proxy configurations in centrifydc.conf:
- HTTP Proxy Server
- HTTP Proxy authentication type
- HTTP Proxy authentication required
--list,-L
List the HTTP proxy username and server from the configuration on the local system.
--test,-T
Test the HTTP proxy credential using configured or supplied settings.
--username,-u <username>
Proxy username. If a username is not supplied but --password is supplied, the username defaults to Administrator.
--password, -p <password>
Proxy user's password. If it is not provided, you are prompted for it.
--machine,-m
Use the local machine account for proxy authentication; SPNEGO authentication is used.
This option cannot be used with -u, -p, or -t.
--authreq,-r <true|false|"">
Specify whether HTTP proxy authentication is required in centrifydc.conf. Optional.
Can be used individually or with other options.
--authtype,-t <basic|digest|ntlm|negotiate|anyauth|"">
Specify the HTTP proxy authentication type in centrifydc.conf. Optional.
Refer to the Synopsis above for valid values.
Can be used individually or with other options.
--server, -s <servername:port|"">
Specify the HTTP proxy server to write to centrifydc.conf. Optional.
An empty string unsets the value in centrifydc.conf.
Can be used individually or with other options.
--version,-v
Display the version.
--help,-h
Get command line help.
--verbose,-V
Get additional details while the settings are being applied.
--cip,-c <cip url>
Specify the URL of the identity platform.
Must be specified.
--server, -s <servername:port>
Specify the HTTP proxy server to test.
If not specified, it is read from centrifydc.conf.
--username,-u <username>
Proxy username.
If not specified, it is read from the proxy credential file.
--password,-p <password>
Proxy user's password.
If a username is specified but a password is not, you are prompted for the password.
If neither username nor password is specified, both are read from the proxy credential file.
--machine,-m
Use the local machine account for proxy authentication; the SPNEGO authentication type is used.
This option cannot be used with -u, -p, or -t.
The test option always uses the proxy credential to check the connection to the CIP through the specified HTTP proxy server.
You can also use the adcdiag command to check HTTP proxy server settings.