A proxy server is a server (a computer system or a software application) that forwards requests to other servers. A reverse proxy server or surrogate server is a proxy server that is associated with one or more servers, such as in front of a group of Web servers. Typically, proxy servers are set up to route all connections coming from the Internet that are addressed to one of the Web servers, however the proxy server may either handle the request or pass it wholly or partially to the main Web servers.
The proxy server can provide an additional layer of defense by separating the type of server that is behind the reverse proxy. This configuration can protect the servers that are further up the chain, mainly through obfuscation.
The reverse proxy server enables the jazz.net name to serve content from the jazzdev server. However, Jazz.net's proxy does not allow total access to the jazzdev server through jazz.net. This adds a level of security that applies to non-IBM® users. The future plan is to enable caching for better performance.
The following applications were used in this example:
- IBM® HTTP Server Version 6.1
- IBM® WebSphere® Application Server Version 6.1, Fix Pack 13
- Mozilla Firefox® Version 3.0.1 or later
- Install IBM HTTP Server on the reverse proxy server.
- Go to the IBM Key Management tool on the HTTP server (sometimes referred
to as IKeyMan), create a personnel certificate, and extract it to this location
(merely an example):
D:\Program Files\HTTP Server
- Modify the httpd.conf file by adding the lines shown in code Listing 1.
Make sure that the .so file exists in D:\Program Files\HTTP Server \modules.
Listing 1. Code to add to the httpd.conf file
LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so Listen 0.0.0.0:443 â This is for the server to listen in the default SSL Port LoadModule ibm_ssl_module "D:\Program Files\IBM\HTTPServer\modules\mod_ibm_ssl.so" ProxyRequests off SSLProxyEngine on ProxyPass / https://RTCAppserver:9443/ <Location /> ProxyPassReverse / </Location> KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb" <virtualhost *:443> SSLEnable KeyFile "D:\Program Files\IBM\HTTPServer\key.kdb" SSLCipherSpec 27 SSLCipherSpec 21 SSLCipherSpec 23 SSLCipherSpec 3A SSLCipherSpec 34 SSLCipherSpec 35 </virtualhost>
- SSLDisable is to disable for the rest. We have it enabled for the virtual hosts that connect
- SSL CipherSpec refers to specific SSL codes.
- Stop and restart the HTTP server.
- In the Web browser, type this URL:
Extract the server certificate by following these steps:
- Start Mozilla Firefox® Version 3.0.1 or later.
- Click Tools > Options.
- On the Advanced panel of the Options dialog box, click the Encryption tab, and click View Certificates.
- On the Servers tab of the Certificate Manager dialog box, click Add Exception.
- In the Add Security Exception dialog, under Location, enter the URL of your Web server (in this example, https://22.214.171.124:9443/jazz/web), and click Get Certificate (see Figure 1).
Figure 1. Add a security exception to the Firefox browser
- Click View, and in the Certificate Viewer dialog box, click the Details tab, and then click Export (Figure 2).
Figure 2. Certificate Viewer
- In the Save Certificate To File dialog, under File name, enter a name for the certificate.
- Under Save as type, select X509 Certificate (DER) and click Save.
- In the Certificate Viewer dialog, click Close.
- In the Add Security Exception dialog, click Confirm Security Exception, as shown in Figure 3.
Figure 3. Confirm the certificate
- In the Certificate Manager dialog, click OK, and then click OK again in the Firefox Options dialog box.
- Copy the *.der certificate to the proxy server.
- Go back to the HTTP server and add the certificate to the trusted site by using the IBM Key Management tool.
- Select the personnel certificate, add signer certificates (Figure 4), and then add the server certificate from the copied location.
Figure 4. Add certificates
Click here to view a larger version of this image.
- Restart the HTTP server.
Convert the IBM® Rational® Jazz Team Server™ to support Basic authentication by modifying the web.xml file and adding the code in Listing 2.
Listing 2. Code to add to the web.xml file
<login-config> <realm-name>Default Realm</realm-name> <auth-method>BASIC</auth-method> </login-config> D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\ qwin451Node01Cell\applications\jazz_war.ear\deployments\jazz_war\jazz.war\WEB-INF D:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\ installedApps\qwin451Node01Cell\jazz_war.ear\jazz.war\WEB-INF (this one is optional)
- Comment out "Form" in web.xml, save and close the file.
- Restart the application server.
You should now be able to access your IBM Rational Team Concert server through
the reverse proxy server:
- For more information, read
TN0013: Jazz Team Server Authentication Explained
This tech note on the Jazz.net site (registration required) explains the authentication mechanism used by IBM Rational Jazz Team Server and the rationale for the design.
It also describes how to change the configuration to use alternate authentication methods and to unsecure feed URLs for a custom deployment,
along with the tradeoffs associated with each configuration.
TN0014: Updating the Deployment Descriptor for a Previously-Deployed Java EE Web
Application Archive. This article on the Jazz.net site explains how to modify the
Rational Jazz Team Server Java™ Enterprise Edition Web Application Archive (WAR file)
after it has been deployed. Instructions cover both the Apache Tomcat and IBM®
WebSphere® Application Server environments.
- Get Jazz and Rational Team Concert downloads and
updates and participate in the forum discussions at
Jazz.net. Registration required (free). This is
also where you can enter and review enhancement requests and bug reports.
- Visit the
Rational software area on developerWorks
for technical resources and best practices for Rational Software Delivery Platform
Rational computer-based, Web-based, and instructor-led online courses.
Hone your skills and learn more about Rational tools with these courses, which
range from introductory to advanced. The courses on this catalog are available for
purchase through computer-based training or Web-based training. Additionally, some
"Getting Started" courses are available free of charge.
- Subscribe to the
Rational Edge newsletter
for articles on the concepts behind effective software development.
- Subscribe to the
IBM developerWorks newsletter,
a weekly update on the best of developerWorks tutorials, articles, downloads,
community activities, webcasts and events.
- Browse the
for books on these and other technical topics.
Get products and technologies
- Visit the Rational Team Concert area on developerWorks for articles, downloads and other technical resources.
trial versions of IBM Rational software.
- Download these
IBM product evaluation versions
and get your hands on application development tools and middleware products from
DB2®, Lotus®, Tivoli®, and WebSphere®.
- Join a Jazz Forum where you can ask specific questions related to the platform.
- Check out
developerWorks blogs and
get involved in the
Anu Ramamoorthy is a Staff Software Engineer working on the Rational System and Integration Test Team. She has been working in the software industry for close to 10 years, and has been a part of IBM Rational for the past 5 years. She has worked on a number of test automation and performance projects for IBM Rational Software including being a lead of ClearCase Remote Client performace testing. Currently she is the lead for the RTC SVT Performance testing efforts.