How reverse proxy servers work with Jazz.net
A proxy server is a server (a computer system or a software application) that forwards requests to other servers. A reverse proxy server or surrogate server is a proxy server that is associated with one or more servers, such as in front of a group of Web servers. Typically, all connections coming from the Internet that are addressed to one of the Web servers are routed through the proxy server, which may either handle the request itself or pass it wholly or partially to the main Web servers.
The proxy server can provide an additional layer of defense by masking the type of server that sits behind the reverse proxy. This configuration can protect the servers that are further up the chain, mainly through obfuscation.
The reverse proxy server enables the jazz.net name to serve content from the jazzdev server. However, Jazz.net's proxy does not allow total access to the jazzdev server through jazz.net. This adds a level of security that applies to non-IBM® users. The future plan is to enable caching for better performance.
The following applications were used in this example:
- IBM® HTTP Server Version 6.1
- IBM® WebSphere® Application Server Version 6.1, Fix Pack 13
- Mozilla Firefox® Version 3.0.1 or later
Proxy server setup
- Install IBM HTTP Server on the reverse proxy server.
- Go to the IBM Key Management tool on the HTTP server (sometimes referred to as IKeyMan), create a personal certificate, and extract it to this location (merely an example):
D:\Program Files\HTTP Server
- Modify the httpd.conf file by adding the lines shown in Listing 1. Make sure that the .so files exist in D:\Program Files\HTTP Server\modules.
Listing 1. Code to add to the httpd.conf file
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    # This is for the server to listen on the default SSL port
    Listen 0.0.0.0:443
    LoadModule ibm_ssl_module "D:\Program Files\IBM\HTTPServer\modules\mod_ibm_ssl.so"
    # Reverse proxy only: forward proxying stays off
    ProxyRequests off
    # Use SSL on the connection from the proxy to the application server
    SSLProxyEngine on
    ProxyPass / https://RTCAppserver:9443/
    <Location />
    ProxyPassReverse /
    </Location>
    KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb"
    <virtualhost *:443>
    SSLEnable
    KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb"
    SSLCipherSpec 27
    SSLCipherSpec 21
    SSLCipherSpec 23
    SSLCipherSpec 3A
    SSLCipherSpec 34
    SSLCipherSpec 35
    </virtualhost>
- SSLDisable disables SSL for the rest of the server. We have SSL enabled for the virtual hosts that connect
- Each SSLCipherSpec line refers to a specific SSL cipher code.
- Stop and restart the HTTP server.
- In the Web browser, type this URL:
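The proxy and cipher directives in Listing 1 can be reviewed mechanically before the server is restarted. The script below is an added example, not part of the original article: `directives` and `audit` are hypothetical helper names, and the long cipher names are the ones the IBM HTTP Server documentation gives for these short codes.

```python
# IHS short cipher codes used in Listing 1 -> (documented long name, reason to review).
LEGACY_CIPHERS = {
    "27": ("SSL_DES_192_EDE3_CBC_WITH_MD5", "SSLv2 cipher"),
    "21": ("SSL_RC4_128_WITH_MD5", "SSLv2 cipher, RC4"),
    "23": ("SSL_RC2_CBC_128_CBC_WITH_MD5", "SSLv2 cipher, RC2"),
    "3A": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "3DES, 64-bit block"),
    "34": ("SSL_RSA_WITH_RC4_128_MD5", "RC4 with MD5"),
    "35": ("SSL_RSA_WITH_RC4_128_SHA", "RC4"),
}

def directives(conf_text):
    """Collect {directive_lowercased: [argument strings]} from httpd.conf text."""
    values = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and section tags
            continue
        parts = line.split(None, 1)
        values.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return values

def audit(conf_text):
    """Return review findings for the proxy and cipher directives."""
    conf = directives(conf_text)
    findings = []
    # ProxyRequests on would make the server a forward proxy as well.
    if any(v.lower() == "on" for v in conf.get("proxyrequests", [])):
        findings.append("ProxyRequests is on: server also acts as a forward proxy")
    # An https:// back end needs SSLProxyEngine on for the proxied leg.
    https_backend = any(tok.lower().startswith("https://")
                        for v in conf.get("proxypass", []) for tok in v.split())
    engine_on = any(v.lower() == "on" for v in conf.get("sslproxyengine", []))
    if https_backend and not engine_on:
        findings.append("ProxyPass targets https:// but SSLProxyEngine is not on")
    for code in conf.get("sslcipherspec", []):
        if code.upper() in LEGACY_CIPHERS:
            name, why = LEGACY_CIPHERS[code.upper()]
            findings.append(f"SSLCipherSpec {code}: {name} ({why})")
    return findings

# Proxy and cipher directives copied from Listing 1.
LISTING_1 = (
    "ProxyRequests off\nSSLProxyEngine on\nProxyPass / https://RTCAppserver:9443/\n"
    + "".join(f"SSLCipherSpec {c}\n" for c in ("27", "21", "23", "3A", "34", "35"))
)

if __name__ == "__main__":
    for finding in audit(LISTING_1):
        print(finding)
```

Run against Listing 1, the proxy directives pass and each of the six SSLCipherSpec lines is reported with its long name, which shows which cipher suites the virtual host will offer.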
Server certificate setup
Extract the server certificate by following these steps:
- Start Mozilla Firefox® Version 3.0.1 or later.
- Click Tools > Options.
- On the Advanced panel of the Options dialog box, click the Encryption tab, and click View Certificates.
- On the Servers tab of the Certificate Manager dialog box, click Add Exception.
- In the Add Security Exception dialog, under Location, enter the URL of your Web server (in this example, https://126.96.36.199:9443/jazz/web), and click Get Certificate (see Figure 1).
Figure 1. Add a security exception to the Firefox browser
- Click View, and in the Certificate Viewer dialog box, click the Details tab, and then click Export (Figure 2).
Figure 2. Certificate Viewer
- In the Save Certificate To File dialog, under File name, enter a name for the certificate.
- Under Save as type, select X509 Certificate (DER) and click Save.
- In the Certificate Viewer dialog, click Close.
- In the Add Security Exception dialog, click Confirm Security Exception, as shown in Figure 3.
Figure 3. Confirm the certificate
- In the Certificate Manager dialog, click OK, and then click OK again in the Firefox Options dialog box.
- Copy the *.der certificate to the proxy server.
- Go back to the HTTP server and add the certificate to the trusted site by using the IBM Key Management tool.
- Select the personal certificate, add signer certificates (Figure 4), and then add the server certificate from the copied location.
Figure 4. Add certificates
- Restart the HTTP server.
Set up Jazz server authentication
Convert the IBM® Rational® Jazz Team Server™ to support Basic authentication by modifying the web.xml file and adding the code in Listing 2.
Listing 2. Code to add to the web.xml file
    <login-config>
      <!-- auth-method comes before realm-name, the order the web.xml schema defines -->
      <auth-method>BASIC</auth-method>
      <realm-name>Default Realm</realm-name>
    </login-config>

D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\qwin451Node01Cell\applications\jazz_war.ear\deployments\jazz_war\jazz.war\WEB-INF
D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\qwin451Node01Cell\jazz_war.ear\jazz.war\WEB-INF (this one is optional)
- Comment out "Form" in web.xml, save and close the file.
- Restart the application server.
You should now be able to access your IBM Rational Team Concert server through
the reverse proxy server:
- For more information, read TN0013: Jazz Team Server Authentication Explained. This tech note on the Jazz.net site (registration required) explains the authentication mechanism used by IBM Rational Jazz Team Server and the rationale for the design. It also describes how to change the configuration to use alternate authentication methods and to unsecure feed URLs for a custom deployment, along with the tradeoffs associated with each configuration.
- Read TN0014: Updating the Deployment Descriptor for a Previously-Deployed Java EE Web Application Archive. This article on the Jazz.net site explains how to modify the Rational Jazz Team Server Java™ Enterprise Edition Web Application Archive (WAR file) after it has been deployed. Instructions cover both the Apache Tomcat and IBM® WebSphere® Application Server environments.