Apache Linux Integration Kit

Deploying the Apache agent

To use the Apache agent, copy the files to your Apache directory and modify your Apache configuration.

About this task

The PingFederate Apache agent is represented by the <apache_home>/conf/mod_pf.conf Apache module (dynamic library) and an auxiliary OpenToken library. The behavior of the Apache agent is controlled by properties contained in the mod_pf.conf file.

Steps

  1. Download the Apache Linux Integration Kit .zip archive from the Add-ons tab of the PingFederate downloads page or the Ping Identity Marketplace.

  2. In the Apache Linux Integration Kit .zip archive, copy the contents of the apache-agent/lib directory that corresponds to your Linux version into your Apache /modules directory. If the files already exist, overwrite them.

    For an Apache HTTP Server running on Canonical Ubuntu, use the modules found in the corresponding version’s subdirectory: Apache_2.4/Ubuntu<version>_64.

  3. For new installations, in the integration-kit apache-agent/config directory, copy the mod_pf.conf, start_page_template.html, fragment_preservation_request_template.html, and the error_page_template.html files into the /conf directory of your Apache installation (or the /etc/apache2/conf-available/ directory in Ubuntu).

  4. Copy the agent-config.txt file that you downloaded in Configuring an OpenToken SP Adapter instance to the Apache /conf folder.

  5. If you’re using Security Enhanced Linux, run the following commands as the root user:

    chcon --reference /usr/sbin/httpd /etc/httpd/modules/mod_pf.so
chcon --reference /usr/sbin/httpd /etc/httpd/modules/libopentoken.so

    This allows the agent to run in the httpd context.

    The preceding paths assume the default Linux installation.

  6. In the Apache httpd.conf file, add the following statement above any other LoadModule statements:

    LoadModule access_compat_module modules/mod_access_compat.so
LoadFile modules/libopentoken.so
LoadModule pf_module modules/mod_pf.so
PingFederateConfigurationFile conf/mod_pf.conf

    Depending on the Ubuntu version, the module installation with default Apache could require additional steps. If so, perform steps 6a - 6c. Otherwise, skip to step 7.

    1. Place the .so files in the /usr/lib/apache2/modules/ directory.

      Result:

      A configuration file (/etc/apache2/mods-available/mod_pf.load) is created to load the module. It contains the following statements:

      LoadModule access_compat_module /usr/lib/apache2/modules/mod_access_compat.so
LoadFile  /usr/lib/apache2/modules/libopentoken.so
LoadModule pf_module  /usr/lib/apache2/modules/mod_pf.so

    2. Link this file as enabled modules in the /etc/apache2/mods-enabled/ directory:

      sudo ln -s ../mods-available/mod_pf.load mod_pf.load

    3. Link the /etc/apache2/conf-available/mod_pf.conf file as enabled conf in the /etc/apache2/conf-enabled file:

      sudo ln -s ../conf-available/mod_pf.conf mod_pf.conf

  7. Add the following statement within all Directory contexts that the agent should handle:

    AuthType PFApacheAgent

    Use a "deny by default" configuration for all directories that you want the Apache agent to protect:

    Order Deny,Allow
Deny from all

    Learn more about AuthType examples in Apache Integration Kit AuthType examples in the Ping Identity Knowledge Base.

  8. Restart Apache.