Installing and Configuring the EmpowerID Reverse Proxy on Linux

The EmpowerID Reverse Proxy is a server application that sits in front of Web servers, assuming the name and IP addresses of those servers in order to provide authentication and authorization to users requesting the resources (in the form of URIs) provided by those servers. Incoming requests are intercepted by the Reverse Proxy Server and directed to the EmpowerID IdP, where users must authenticate before authorization for the requested resources can be granted.

In this topic, we use the terms "Reverse Proxy," "Reverse Proxy Server," and "Proxy Server" interchangeably.

The EmpowerID Reverse Proxy Server is a server-side JavaScript application managed by Node.js. As such, Node must be installed on the server before the Reverse Proxy Server can be configured for use. Additionally, the Reverse Proxy Server uses the Forever node module to keep the server up and running. The Reverse Proxy installer you received from EmpowerID checks to see if these prerequisites are installed. If they are not, installer will install them for you.

Installing and configuring the EmpowerID Reverse Proxy on Linux involves the following:

  1. Creating a SQL Login on the EmpowerID database for the Reverse Proxy (see prerequisite information)
  2. Extracting the ProxyServer.X.X.X.tar.gz file.
  3. Making the installer executable.
  4. Executing the installer.
  5. Editing the Reverse Proxy config.txt file for your environment.
  6. Saving the SQL Login password in an encrypted file.
  7. Starting the Reverse Proxy Server service.

SQL Login Prerequisite:

As the Reverse Proxy authenticates users against the EmpowerID database, you need to provide it with a SQL login that has rights to the EmpowerID database. Expand the below drop-down for step-by-step directions on creating the login in SQL Server.

  • Create SQL Login
    1. Open SQL Server Management Studio.
    2. From Object Explorer, create a Login and set the Default database to the instance of the EmpowerID database in your environment. Note that SQL Serve authentication is used.
    3. From the Login Properties dialog, set the User Mapping to EmpowerID Service and public.
    4. To verify the login, open a new instance of the Connect to Server dialog, select SQL Server Authentication and enter the credentials you just created.

To install the EmpowerID Reverse Proxy

  1. Run the following command to extract the ProxyServer.X.X.X.tar.gz file you received from EmpowerID.
    tar -xzf Proxy\ Server.tar.gz
  2. Optional: Run the following commands to navigate to the folder with the Proxy Server install script and view the README file for the Reverse Proxy.
    • To navigate to the folder with the install script
      cd Proxy\ Server/linuxInstallScripts
    • To view the README
      cat README
  3. Run the following command to make the installer executable:
    sudo chmod +x install.sh
  4. Run the following command to execute the installer. When executed, the installer checks to see if you have node and forever installed—installing them if you do not—and then installs the EmpowerID Proxy Server.
    sudo ./install.sh
  5. After installing the EmpowerID Proxy Server, run the following command to open the config.txt file. The file needs to be edited for your environment.
    sudo vi /usr/local/empoweridRP/Proxy\ Server/config.txt
  6. In the config.txt file, locate FILEPATH_PEM_VERIFY_CERT and replace the value with the path to the SAML certificate used in your environment. This certificate is used to verify the integrity of the identity assertion issued by the EmpowerID IdP. Be sure the certificate exists in the designated location.
  7. In the config.txt file, locate EID_IDP_URL and replace the value with the URL to the SAML IdP authentication endpoint in your environment. This path should be as follows: https://sso.empoweriam.com/EmpowerIDWebIdPForms/SamlSsoAuthentication, where "sso.empoweriam.com" is the FQDN (or a resolvable alias) of the EmpowerID server hosting the SAML IdP authentication endpoint in your environment.
  8. In the config.txt file, locate SESSION_DURATION_MINUTES and specify the length of time for which you want the cookie issued by the reverse proxy server to remain valid. When a cookie expires, the user to whom the cookie belongs must re-authenticate for further access.
  9. In the config.txt file, locate IP_ADDRESS, HTTP_PORT and HTTPS_PORT and specify the IP address and the ports to which the reverse proxy needs to listen for incoming traffic. If the reverse proxy is the only application listening on the http and https ports, you can leave the IP_ADDRESS value set to 0.0.0.0.
  10. In the config.txt file, locate dband replace the userName, passwordEncryptedFilePath, options and server values with those for your environment.
    • DB_UserName - This is the SQL login you created for the Reverse Proxy in the prerequisites section.
    • DB_PASSWORD_ENCRYPTED_FILE_PATH - This is the path to the encrypted password the Reverse Proxy uses for the SQL login.
      Simply specify the path for now. This path as well as the encrypted password will be generated once the config file has been completely updated.
    • DB_DATABASE - This is the name of the EmpowerID database in your environment.
    • DB_SERVER - This is the name or IP address of the SQL server in your environment.
  11. In the config.txt file, locate Rotating File Log settings and specify the desired Log_File_Period and Log_File_Count settings.
  12. Save your changes and exit the config file.
  13. Run the following command to save the SQL login password in an encrypted file, replacing SQL_LOGIN_PASSWORD_HERE with the password you set for your SQL login.

    sudo node /usr/local/empoweridRP/Proxy\ Server/encryptPassword.js "YOUR_SQL_LOGIN_PASSWORD_HERE""/usr/local/empoweridRP/sqlPassword.txt"
  14. Once you have completed the configuration, you can run the following commands to start and stop the Proxy Server:
    • To start the Proxy Server
      sudo /etc/init.d/EmpowerIDProxyServer start
    • To stop the Proxy Server
      sudo /etc/init.d/EmpowerIDProxyServer stop
    Now that you have installed and configured the Reverse Proxy for your environment, you need to create an application for it in EmpowerID. For step-by-step directions, see Creating a Web Access Management application in EmpowerID.