How to set up a reverse proxy server for an IBM Rational Jazz Team Server

Add another layer of security

This brief article explains how to set up a reverse proxy server for an IBM® Rational® Jazz Team Server™ and the security effect of that change.


Anuradha Ramamoorthy (ranuradh@us.ibm.com), Staff Software Engineer, IBM

Anu Ramamoorthy is a Staff Software Engineer working on the Rational System and Integration Test Team. She has been working in the software industry for close to 10 years, and has been a part of IBM Rational for the past 5 years. She has worked on a number of test automation and performance projects for IBM Rational Software, including being a lead of ClearCase Remote Client performance testing. Currently she is the lead for the RTC SVT Performance testing efforts.



14 October 2008


How reverse proxy servers work with Jazz.net

A proxy server is a server (a computer system or a software application) that forwards requests to other servers. A reverse proxy server, or surrogate server, is a proxy server that is associated with one or more servers, for example by sitting in front of a group of Web servers. Typically, proxy servers are set up to route all connections coming from the Internet that are addressed to one of the Web servers. The proxy server may either handle the request itself or pass it wholly or partially to the main Web servers.

The proxy server can provide an additional layer of defense by separating clients from the server behind the reverse proxy and masking what type of server it is. This configuration can protect the servers that are further up the chain, mainly through obfuscation.

The reverse proxy server enables the jazz.net name to serve content from the jazzdev server. However, Jazz.net's proxy does not allow total access to the jazzdev server through jazz.net. This adds a level of security that applies to non-IBM® users. The future plan is to enable caching for better performance.

Why proxy?

Other than for security, proxy servers can provide load balancing between your Web servers, apply encryption, and streamline server-client transactions using a number of techniques, including caching of static content, compression, and "spoon-feeding" of dynamically-generated Web pages.

System environment

The following applications were used in this example:

  • IBM® HTTP Server Version 6.1
  • IBM® WebSphere® Application Server Version 6.1, Fix Pack 13
  • Mozilla Firefox® Version 3.0.1 or later

Proxy server setup

  1. Install IBM HTTP Server on the reverse proxy server.
  2. Go to the IBM Key Management tool on the HTTP server (sometimes referred to as IKeyMan), create a personal certificate, and extract it to this location (merely an example):
    D:\Program Files\HTTP Server
  3. Modify the httpd.conf file by adding the lines shown in code Listing 1.

Note:
Make sure that the .so files named in the LoadModule lines exist in D:\Program Files\HTTP Server\modules.

Listing 1. Code to add to the httpd.conf file
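# Proxy modules needed for reverse proxying
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Listen on the default SSL port
Listen 0.0.0.0:443
LoadModule ibm_ssl_module "D:\Program Files\IBM\HTTPServer\modules\mod_ibm_ssl.so"

# Reverse proxy only: forward proxying stays off
ProxyRequests off
# Use SSL for the connection from the proxy to the application server
SSLProxyEngine on
ProxyPass / https://RTCAppserver:9443/

<Location />
  # Inside <Location>, ProxyPassReverse takes only the backend URL.
  # It rewrites redirect headers from the application server to the proxy's address.
  ProxyPassReverse https://RTCAppserver:9443/
</Location>

KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb"

<virtualhost *:443>
SSLEnable
KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb"

# 27, 21 and 23 are SSLv2 cipher codes; 3A, 34 and 35 are SSLv3/TLS codes (3DES and RC4 suites)
SSLCipherSpec 27
SSLCipherSpec 21
SSLCipherSpec 23
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
</virtualhost>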

Note:

  • SSLDisable turns SSL off for the rest of the server. We have SSL enabled for the virtual hosts that connect.
  • SSLCipherSpec refers to specific SSL cipher codes.

  4. Stop and restart the HTTP server.
  5. In the Web browser, type this URL: https://rtcserver:9443/jazz/web
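
A check for the security-relevant settings in Listing 1, as an added example that is not part of the original article: it flags forward proxying, an https backend without SSLProxyEngine, a ProxyPass backend with no matching ProxyPassReverse, and SSLv2 or RC4 cipher codes. The function names, finding labels and sample configuration are assumptions made for illustration.

```python
import re

# Cipher codes from Listing 1 and the suites IBM HTTP Server assigns to them.
LISTING_CIPHERS = {"27": ("SSLv2", "3DES-MD5"), "21": ("SSLv2", "RC4-MD5"), "23": ("SSLv2", "RC2-MD5"),
                   "3A": ("SSLv3/TLS", "3DES-SHA"), "34": ("SSLv3/TLS", "RC4-MD5"), "35": ("SSLv3/TLS", "RC4-SHA")}

# Constructed sample modelled on Listing 1; ProxyPassReverse names no backend URL.
SAMPLE = """\
ProxyRequests off
SSLProxyEngine on
ProxyPass / https://RTCAppserver:9443/
<Location />
  ProxyPassReverse /
</Location>
SSLCipherSpec 27
SSLCipherSpec 21
SSLCipherSpec 3A
"""

def directives(conf):
    """Map lowercase directive name -> list of argument lists (skips comments, section tags)."""
    found = {}
    for line in conf.splitlines():
        parts = re.findall(r'"[^"]*"|\S+', line.strip())
        if parts and not parts[0].startswith(("#", "<")):
            found.setdefault(parts[0].lower(), []).append([p.strip('"') for p in parts[1:]])
    return found

def is_on(d, name):
    return any(a and a[0].lower() == "on" for a in d.get(name, []))

def audit(conf):
    """Return sorted finding strings (hypothetical labels) for a reverse-proxy httpd.conf."""
    d, out = directives(conf), []
    if is_on(d, "proxyrequests"):          # forward proxying must stay off
        out.append("forward-proxy: ProxyRequests is on")
    reverse = {a[-1] for a in d.get("proxypassreverse", []) if a}
    for url in [a[-1] for a in d.get("proxypass", []) if a and a[-1] != "!"]:
        if url.lower().startswith("https://") and not is_on(d, "sslproxyengine"):
            out.append("backend-tls: SSLProxyEngine is not on for " + url)
        if url not in reverse:             # backend redirects would reach clients unrewritten
            out.append("redirect-leak: no ProxyPassReverse for " + url)
    for args in d.get("sslcipherspec", []):
        proto, suite = LISTING_CIPHERS.get(args[0].upper() if args else "", ("?", "?"))
        if proto == "SSLv2":
            out.append("sslv2-cipher: " + args[0])
        if suite.startswith("RC4"):
            out.append("rc4-cipher: " + args[0])
    return sorted(out)
```

Calling audit(SAMPLE) reports the missing reverse mapping and the SSLv2 and RC4 codes; a configuration whose ProxyPassReverse names the same backend URL as ProxyPass clears the redirect finding.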

Server certificate setup

Extract the server certificate by following these steps:

  1. Start Mozilla Firefox® Version 3.0.1 or later.
  2. Click Tools > Options.
  3. On the Advanced panel of the Options dialog box, click the Encryption tab, and click View Certificates.
  4. On the Servers tab of the Certificate Manager dialog box, click Add Exception.
  5. In the Add Security Exception dialog, under Location, enter the URL of your Web server (in this example, https://9.34.106.118:9443/jazz/web), and click Get Certificate (see Figure 1).
Figure 1. Add a security exception to the Firefox browser
  6. Click View, and in the Certificate Viewer dialog box, click the Details tab, and then click Export (Figure 2).
Figure 2. Certificate Viewer
  7. In the Save Certificate To File dialog, under File name, enter a name for the certificate.
  8. Under Save as type, select X509 Certificate (DER) and click Save.
  9. In the Certificate Viewer dialog, click Close.
  10. In the Add Security Exception dialog, click Confirm Security Exception, as shown in Figure 3.
Figure 3. Confirm the certificate
  11. In the Certificate Manager dialog, click OK, and then click OK again in the Firefox Options dialog box.
  12. Copy the *.der certificate to the proxy server.
  13. Go back to the HTTP server and add the certificate to the trusted site by using the IBM Key Management tool.
  14. Select the personal certificate, add signer certificates (Figure 4), and then add the server certificate from the copied location.
Figure 4. Add certificates
  15. Restart the HTTP server.

Set up Jazz server authentication

Convert the IBM® Rational® Jazz Team Server™ to support Basic authentication by modifying the web.xml file and adding the code in Listing 2.

Listing 2. Code to add to the web.xml file
<login-config>
<!-- auth-method comes before realm-name in the deployment descriptor -->
<auth-method>BASIC</auth-method>
<realm-name>Default Realm</realm-name>
</login-config>

The web.xml file is in the following WEB-INF directories:

D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\qwin451Node01Cell\applications\jazz_war.ear\deployments\jazz_war\jazz.war\WEB-INF

D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\qwin451Node01Cell\jazz_war.ear\jazz.war\WEB-INF (this one is optional)

  1. Comment out "Form" in web.xml, then save and close the file.
  2. Restart the application server.

You should now be able to access your IBM Rational Team Concert server through the reverse proxy server:
https://proxyserver/jazz/web

Resources

Learn

  • For more information, read TN0013: Jazz Team Server Authentication Explained. This tech note on the Jazz.net site (registration required) explains the authentication mechanism used by IBM Rational Jazz Team Server and the rationale for the design. It also describes how to change the configuration to use alternate authentication methods and to unsecure feed URLs for a custom deployment, along with the tradeoffs associated with each configuration.
  • Read TN0014: Updating the Deployment Descriptor for a Previously-Deployed Java EE Web Application Archive. This article on the Jazz.net site explains how to modify the Rational Jazz Team Server Java™ Enterprise Edition Web Application Archive (WAR file) after it has been deployed. Instructions cover both the Apache Tomcat and IBM® WebSphere® Application Server environments.
  • Get Jazz and Rational Team Concert downloads and updates and participate in the forum discussions at Jazz.net. Registration required (free). This is also where you can enter and review enhancement requests and bug reports.
  • Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.
  • Explore Rational computer-based, Web-based, and instructor-led online courses. Hone your skills and learn more about Rational tools with these courses, which range from introductory to advanced. The courses on this catalog are available for purchase through computer-based training or Web-based training. Additionally, some "Getting Started" courses are available free of charge.
  • Subscribe to the Rational Edge newsletter for articles on the concepts behind effective software development.
  • Subscribe to the IBM developerWorks newsletter, a weekly update on the best of developerWorks tutorials, articles, downloads, community activities, webcasts and events.
  • Browse the technology bookstore for books on these and other technical topics.
