Use NGINX as a reverse proxy to access an IBM Sterling Order Management environment

Introduction

Each client that needs to connect to the IBM Sterling™ Order Management next-generation platform is required to create and import a client certificate. This process is not ideal if there are a many clients to manage. This article explains how to configure a reverse proxy (NGINX) with a single client certificate in order to manage the mTLS handshake with an IBM Sterling Order Management next-generation environment.

Note: This document is an example and it is not production ready. Ensure that your networking and security team is involved in configuring a proper NGINX server.

Image 1

Assumptions

  • You use the IBM Sterling Order Management next-generation platform and you want to create and manage a single client certificate for all Order Management on Cloud clients in your network.
  • You are familiar with technologies such as Docker and NGINX and you are comfortable using the Linux command line. The steps in this tutorial have not been tested on Windows or OSX, but similar commands are available for those operating systems.
  • You understand basic networking concepts.

Prerequisites

Estimated time

Expect this tutorial to take about 30 minutes to complete.

Steps

These steps use a container-based NGINX but the same default.conf file settings are applicable to NGINX installed directly on a host.

Copy NGINX files to the local file system

  1. To work with the nginx configuration files, start a temporary container:
    docker run --name tmp-nginx-container -d nginx
  2. Copy the default nginx configuration directory out of the container to a folder on your local system, such as $HOME/nginx (note the space between the container path and the destination):
    docker cp tmp-nginx-container:/etc/nginx/ $HOME/nginx
  3. Delete the temporary container:
    docker rm -f tmp-nginx-container

Create a client certificate on the IBM Sterling Order Management environment

  1. In the IBM Sterling Self Service Tool, generate a client certificate for the environment and save the .p12 file to $HOME/nginx.
  2. Run the following commands to extract the certificate and the private key as .pem files, supplying the .p12 password when prompted:
    cd $HOME/nginx
    openssl pkcs12 -in $FILENAME.p12 -nokeys -out client.pem
    openssl pkcs12 -in $FILENAME.p12 -nocerts -nodes -out client.key

Create a self-signed certificate for NGINX

  1. Using openssl, generate a self-signed certificate for use with NGINX:
    cd $HOME/nginx
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
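Before starting the proxy it is worth confirming that the extracted client certificate actually matches its private key, that it is not about to expire, and that the key files are not world-readable. The following script is an added example, not part of the IBM tutorial; it assumes the file names the tutorial uses under $HOME/nginx (client.pem, client.key, certificate.pem, key.pem) and lets NGINX_DIR override that location.

```shell
#!/bin/sh
# Added example (not part of the IBM tutorial): sanity checks on the key
# material before NGINX is started. File names are the ones the tutorial
# uses under $HOME/nginx; NGINX_DIR overrides that location.
set -eu

NGINX_DIR="${NGINX_DIR:-${HOME:-.}/nginx}"

# Succeeds when the public key inside CERT matches the private key in KEY.
# Compares SHA-256 digests of the DER public keys, so it works for RSA and EC.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when CERT is still valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds when KEY is not readable by group or others (mode ?00).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Run every check against the files the tutorial places in NGINX_DIR.
check_nginx_dir() {
    dir="$1"
    cert_key_match "$dir/client.pem" "$dir/client.key" || { echo "client.pem does not match client.key"; return 1; }
    cert_key_match "$dir/certificate.pem" "$dir/key.pem" || { echo "certificate.pem does not match key.pem"; return 1; }
    cert_valid_for_days "$dir/client.pem" 30 || { echo "client certificate expires within 30 days"; return 1; }
    for k in client.key key.pem; do
        key_is_private "$dir/$k" || { echo "$k is readable by others; chmod 600 it"; return 1; }
    done
    echo "all checks passed for $dir"
}

# Usage: sh check_mtls.sh --check   (without the flag only the functions are defined)
if [ "${1:-}" = "--check" ]; then
    check_nginx_dir "$NGINX_DIR"
fi
```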

Configure NGINX

  1. In a text editor, open $HOME/nginx/conf.d/default.conf and delete the existing configuration.
  2. Copy the following configuration into $HOME/nginx/conf.d/default.conf and replace the URL in both proxy_pass directives with the URL of your environment:
    server {
        listen 80;
        listen [::]:80;
        server_name localhost;

        location / {
            proxy_pass https://EXAMPLE-prod-4.oms.supply-chain.ibm.com/;
            proxy_ssl_server_name on;
            proxy_http_version 1.1;
            proxy_ssl_certificate /etc/nginx/client.pem;
            proxy_ssl_certificate_key /etc/nginx/client.key;
            proxy_ssl_session_reuse on;
            ######
            ## Settings specific to a Docker container mapped to non-80/443 port on host
            absolute_redirect off;
        }
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name localhost;
        ssl_certificate     /etc/nginx/certificate.pem;
        ssl_certificate_key /etc/nginx/key.pem;
        ssl_protocols       TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        location / {
            proxy_pass https://EXAMPLE-prod-4.oms.supply-chain.ibm.com/;
            proxy_ssl_server_name on;
            proxy_http_version 1.1;
            proxy_ssl_certificate /etc/nginx/client.pem;
            proxy_ssl_certificate_key /etc/nginx/client.key;
            proxy_ssl_session_reuse on;
            ######
            ## Settings specific to a Docker container mapped to non-80/443 port on host
            absolute_redirect off;
        }
    }

Start NGINX

  1. Start an NGINX container that publishes the SSL and non-SSL ports and mounts the $HOME/nginx directory on the host as /etc/nginx/ inside the container:
    docker run --name nginx -p 9080:80 -p 9443:443 --rm -v $HOME/nginx:/etc/nginx/:Z nginx

Validation

  1. In a browser, access nginx by using either of the following URLs:
    http://localhost:9080/smcfs/console/login.jsp
    https://localhost:9443/smcfs/console/login.jsp
  2. Confirm that the browser is routed to the IBM Sterling Order Management next-generation platform environment and is not prompted to supply a client certificate.
  3. Log in to the Sterling OMS console and confirm that the browser redirects to the OMS console home page.
  4. Repeat with the URLs of all other applications in your IBM Sterling Order Management environment.

Summary

This tutorial demonstrated how to create an NGINX container with Docker and configure it to act as a reverse proxy to handle mTLS handshakes with IBM Sterling Order Management. This configuration allows many clients to communicate with an IBM Sterling Order Management next-generation platform environment through the proxy while requiring only a single client certificate. This process simplifies overall operational tasks.

Related information