Skip to main content

How to set up a reverse proxy server for an IBM Rational Jazz Team Server

Add another layer of security

Anuradha Ramamoorthy (ranuradh@us.ibm.com), Staff Software Engineer, IBM
Anu Ramamoorthy is a Staff Software Engineer working on the Rational System and Integration Test Team. She has been working in the software industry for close to 10 years, and has been a part of IBM Rational for the past 5 years. She has worked on a number of test automation and performance projects for IBM Rational Software including being a lead of ClearCase Remote Client performace testing. Currently she is the lead for the RTC SVT Performance testing efforts.

Summary:  This brief article explains how to set up a reverse proxy server for an IBM® Rational® Jazz Team Server™ and the security effect of that change.

Date:  14 Oct 2008
Level:  Intermediate
PDF:  A4 and Letter (299KB | 10 pages)Get Adobe® Reader®
Activity:  877 views

How reverse proxy servers work with Jazz.net

A proxy server is a server (a computer system or a software application) that forwards requests to other servers. A reverse proxy server or surrogate server is a proxy server that is associated with one or more servers, such as in front of a group of Web servers. Typically, proxy servers are set up to route all connections coming from the Internet that are addressed to one of the Web servers, however the proxy server may either handle the request or pass it wholly or partially to the main Web servers.

The proxy server can provide an additional layer of defense by separating the type of server that is behind the reverse proxy. This configuration can protect the servers that are further up the chain, mainly through obfuscation.

The reverse proxy server enables the jazz.net name to serve content from the jazzdev server. However, Jazz.net's proxy does not allow total access to the jazzdev server through jazz.net. This adds a level of security that applies to non-IBM® users. The future plan is to enable caching for better performance.

Why proxy?

Other than for security, proxy servers can provide load balancing between your Web servers, apply encryption, and streamline server-client transactions using a number of techniques, including caching of static content, compression, and "spoon-feeding" of dynamically-generated Web pages.

System environment

The following applications were used in this example:

  • IBM® HTTP Server Version 6.1
  • IBM® WebSphere® Application Server Version 6.1, Fix Pack 13
  • Mozilla Firefox® Version 3.0.1 or later

Proxy server setup

  1. Install IBM HTTP Server on the reverse proxy server.
  2. Go to the IBM Key Management tool on the HTTP server (sometimes referred to as IKeyMan), create a personnel certificate, and extract it to this location (merely an example):
    D:\Program Files\HTTP Server
  3. Modify the httpd.conf file by adding the lines shown in code Listing 1.

Note:
Make sure that the .so file exists in D:\Program Files\HTTP Server \modules.


Listing 1. Code to add to the httpd.conf file
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 0.0.0.0:443 – This is for the server to listen in the default SSL Port
LoadModule ibm_ssl_module "D:\Program Files\IBM\HTTPServer\modules\mod_ibm_ssl.so"
ProxyRequests off
SSLProxyEngine on
ProxyPass / https://RTCAppserver:9443/

<Location />

  ProxyPassReverse / 
</Location>

KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb"

<virtualhost *:443>
SSLEnable
KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb"

SSLCipherSpec 27
SSLCipherSpec 21
SSLCipherSpec 23
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
</virtualhost>

Note:

  • SSLDisable is to disable for the rest. We have it enabled for the virtual hosts that connect
  • SSL CipherSpec refers to specific SSL codes.
  1. Stop and restart the HTTP server.
  2. In the Web browser, type this URL: https://rtcserver:9443/jazz/web

Server certificate setup

Extract the server certificate by following these steps:

  1. Start Mozilla Firefox® Version 3.0.1 or later.
  2. Click Tools > Options.
  3. On the Advanced panel of the Options dialog box, click the Encryption tab, and click View Certificates.
  4. On the Servers tab of the Certificate Manager dialog box, click Add Exception.
  5. In the Add Security Exception dialog, under Location, enter the URL of your Web server (in this example, https://9.34.106.118:9443/jazz/web), and click Get Certificate (see Figure 1).

Figure 1. Add a security exception to the Firefox browser
image of dialog box

  1. Click View, and in the Certificate Viewer dialog box, click the Details tab, and then click Export (Figure 2).

Figure 2. Certificate Viewer
image of dialog box

  1. In the Save Certificate To File dialog, under File name, enter a name for the certificate.
  2. Under Save as type, select X509 Certificate (DER) and click Save.
  3. In the Certificate Viewer dialog, click Close.
  4. In the Add Security Exception dialog, click Confirm Security Exception, as shown in Figure 3.

Figure 3. Confirm the certificate
image of dialog box

  1. In the Certificate Manager dialog, click OK, and then click OK again in the Firefox Options dialog box.
  2. Copy the *.der certificate to the proxy server.
  3. Go back to the HTTP server and add the certificate to the trusted site by using the IBM Key Management tool.
  4. Select the personnel certificate, add signer certificates (Figure 4), and then add the server certificate from the copied location.

Figure 4. Add certificates
image of IBM Key Management tool workspace

Click here to view a larger version of this image.
  1. Restart the HTTP server.

Setup Jazz server authentication

Convert the IBM® Rational® Jazz Team Server™ to support Basic authentication by modifying the web.xml file and adding the code in Listing 2.


Listing 2. Code to add to the web.xml file
<login-config>
<realm-name>Default Realm</realm-name>
<auth-method>BASIC</auth-method>
</login-config> 

D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\
qwin451Node01Cell\applications\jazz_war.ear\deployments\jazz_war\jazz.war\WEB-INF

D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\
installedApps\qwin451Node01Cell\jazz_war.ear\jazz.war\WEB-INF (this one is optional)

  1. Comment out "Form" in web.xml, save and close the file.
  2. Restart the application server.

You should now be able to access your IBM Rational Team Concert server through the reverse proxy server:
https://proxyserver/jazz/web


Resources

Learn

  • For more information, read TN0013: Jazz Team Server Authentication Explained This tech note on the Jazz.net site (registration required) explains the authentication mechanism used by IBM Rational Jazz Team Server and the rationale for the design. It also describes how to change the configuration to use alternate authentication methods and to unsecure feed URLs for a custom deployment, along with the tradeoffs associated with each configuration. .

  • Read TN0014: Updating the Deployment Descriptor for a Previously-Deployed Java EE Web Application Archive. This article on the Jazz.net site explains how to modify the Rational Jazz Team Server Java™ Enterprise Edition Web Application Archive (WAR file) after it has been deployed. Instructions cover both the Apache Tomcat and IBM® WebSphere® Application Server environments.

  • Get Jazz and Rational Team Concert downloads and updates and participate in the forum discussions at Jazz.net. Registration required (free). This is also where you can enter and review enhancement requests and bug reports.

  • Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.

  • Explore Rational computer-based, Web-based, and instructor-led online courses. Hone your skills and learn more about Rational tools with these courses, which range from introductory to advanced. The courses on this catalog are available for purchase through computer-based training or Web-based training. Additionally, some "Getting Started" courses are available free of charge.

  • Subscribe to the Rational Edge newsletter for articles on the concepts behind effective software development.

  • Subscribe to the IBM developerWorks newsletter, a weekly update on the best of developerWorks tutorials, articles, downloads, community activities, webcasts and events.

  • Browse the technology bookstore for books on these and other technical topics.

Get products and technologies

Discuss

About the author

Anu Ramamoorthy is a Staff Software Engineer working on the Rational System and Integration Test Team. She has been working in the software industry for close to 10 years, and has been a part of IBM Rational for the past 5 years. She has worked on a number of test automation and performance projects for IBM Rational Software including being a lead of ClearCase Remote Client performace testing. Currently she is the lead for the RTC SVT Performance testing efforts.

Comments (Undergoing maintenance)

Back to top

Trademarks  |  My developerWorks terms and conditions

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Rational
ArticleID=344214
ArticleTitle=How to set up a reverse proxy server for an IBM Rational Jazz Team Server
publish-date=10142008
author1-email=ranuradh@us.ibm.com
author1-email-cc=rhalden@us.ibm.com

Table of contents

Local resources

My developerWorks community

Interact, share, and communicate with developers worldwide.

My developerWorks overview

Tags

Help
Use the search field to find all types of content in My developerWorks with that tag.

Use the slider bar to see more or fewer tags.

Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).

My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).

Use the search field to find all types of content in My developerWorks with that tag. Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere). My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).

 

Dig deeper into Rational on developerWorks

Rate a product. Write a review.

Rate a product. Write a review.

Write a review for Rational products today!

Special offers

Develop & test in the cloud using Rational software

No Charge Code Lotus Domino Designer

Supercharge your build and release capabilities

More offers