Securing the Add Numbers service

You can use a secure connection to access the Add Numbers service.

To experiment with discovering, recording and virtualizing HTTPS traffic, the Add Numbers Client and Server supports HTTPS.

You can also use the Add Numbers example application to verify your HTTPS certificate configuration.

Note: For instructions about using the Add Numbers service over a non-secure connection, see Starting the Add Numbers server and client. The following procedure covers only the differences between starting a secure and a non-secure connection. For more information about the Add Numbers service, see The Add Numbers service.
  1. From a Command Prompt or Terminal window, start the Add Numbers Server and complete the information that is described in Starting the Add Numbers server and client.
  2. Change the Protocol field to HTTPS.
  3. On the SSL page, default values are preset for all fields. For a simple test, you can use these default values with no changes. Otherwise, you can select an SSL Protocol and enter a Key Store and Key Store Password. If you select Mutual Authentication, you can use the default values for Trust Store and Trust Store Password, or provide your own values. When you finish, return to the Settings page and click Start Service.
  4. Start the Add Numbers Client as described in Starting the Add Numbers server and client.
  5. Make sure that the Host Adapter and Port Number fields have the same values as those fields in the server. Change the Protocol field to HTTPS.
You can now run the Add Numbers service over a secure connection.

To use topology discovery, recording, or service virtualization on this secure connection, see Using discovery, recording or virtualization with the Add Numbers service and HTTPS.

To use the Add Numbers client to validate your HTTPS certificate configuration, see Using the Add Numbers Client to validate the HTTP certificate configuration.

Using discovery, recording or virtualization with the Add Numbers service and HTTPS

You can start the Add Numbers Client for topology discovery, recording, or service virtualization.

To experiment with discovering, recording, or virtualizing HTTPS traffic, the Add Numbers Client and Server supports HTTPS. The following steps explain how to configure the Add Numbers Client to enable topology discovery, recording, or virtualization.

Configuring the Add Numbers Client to use the HTTPS proxy

Follow the instructions in Securing the Add Numbers service.
To enable topology discovery, recording, or virtualization for requests that are sent by the Add Numbers Client, it must be configured to send its requests through the HTTPS proxy.

The HTTPS proxy can be used in two different modes: as a standard proxy, or as a reverse proxy (by using forwarding rules). The difference between these two modes is described in Virtualizing HTTP.

  1. To use the HTTPS proxy in standard mode:
    1. Ensure that the HTTPS proxy is running. See Starting and stopping the HTTP/TCP proxy.
    2. Close the Add Numbers Client window.
    3. Use a text editor to open the Add Numbers Client startup script startup.bat file in the install_dir/examples/addnumbersclient directory.
      On Windows™ systems:
      1. Comment out the first line that refers to AddNumbersClient.jar:
        @rem %JAVA_HOME%\bin\java %NET_PROPS% %SSL_PROPS% -jar AddNumbersClient.jar
      2. Remove the comment characters from the line that contains proxy information. By default, the proxy hostname is localhost and the default port number is 3128. Separate properties are provided for HTTP and HTTPS. To use a different proxy host, change the appropriate values of -Dhttps.proxyHost=localhost -Dhttps.proxyPort=3128.
        %JAVA_HOME%\bin\java %NET_PROPS% %SSL_PROPS% -Dhttp.proxyHost=localhost -Dhttp.proxyPort=3128 -Dhttps.proxyHost=localhost -Dhttps.proxyPort=3128 -Dhttp.nonProxyHosts=  -jar AddNumbersClient.jar
      3. Save and close the file.
      On non-Windows platforms:
      1. Comment out the line that refers to AddNumbersClient.jar:
        # "$_RUNJAVA" "${SSL[@]}" -jar "$_SCRIPTDIR/AddNumbersClient.jar"
      2. Remove the comment character from the line that contains proxy information. By default, the proxy hostname is localhost and the default port number is 3128. Separate properties are provided for HTTP and HTTPS. To use a different proxy host, change the appropriate values of -Dhttps.proxyHost=localhost -Dhttps.proxyPort=3128.
        "$_RUNJAVA" "${SSL[@]}" -Dhttp.proxyHost=localhost -Dhttp.proxyPort=3128 -Dhttps.proxyHost=localhost -Dhttps.proxyPort=3128 -Dhttp.nonProxyHosts= -jar "$_SCRIPTDIR/AddNumbersClient.jar"
      3. Save and close the file.
  2. To use the HTTPS proxy in reverse proxy mode:
    1. Configure the HTTPS proxy to contain a forwarding rule that is listening on some available local port, for example 2001 (that is, the bind attribute) and is forwarding to the port that the Add Numbers Server is listening on, which by default is localhost:8088 (if the proxy is on the same computer as the Add Numbers Server). See Configuring a HTTP(S) reverse proxy or TCP port forwarding.
    2. Change the host and port in the Add Numbers Client to point to the host on which the proxy is running, and the bind port that the forward rule is listening on (in this example, localhost and 2001).
The Add Numbers Client now tries to send its HTTPS traffic through the proxy. However, it fails to make a connection as it does not trust the certificate that is being presented by the proxy. Before the proxy was configured, it received the certificate that was presented by the Add Numbers Server, which it already trusts. Now the client is receiving a certificate from the proxy, and needs to be configured to trust this certificate.
Configure the client to trust the certificate. See Updating the Add Numbers Client's keystore.

Updating the Add Numbers Client's keystore

If you are using the default localhost SSL configuration, you must configure the Add Numbers Client to trust the HTTPS proxy before you use the client with the proxy. One way to do that is to import the CA certificate that the proxy uses to sign its own certificates into the Add Numbers Client's existing keystore, as shown in this procedure.
  1. Open a new Command Prompt or Terminal window with appropriate permissions.
  2. Change your working directory to install_dir/examples/addnumbersclient.
  3. Copy the following file to the current directory:
    QualityServer_install_dir/httptcp/greenhat.jks
    Note: The directory from which you are copying is the installation directory for Rational Integration Tester rather than for Rational Integration Tester.
    .
  4. Enter the following command:
    ../../jre/bin/keytool -export -alias mykey -file green.crt -keystore greenhat.jks
    The following message is displayed:
    Enter keystore password:
    Enter the following password:
    passphrase
    The following message is displayed:
    Certificate stored in file <green.crt>
  5. Enter the following command:
    ../../jre/bin/keytool -import -trustcacerts -alias root -file green.crt -keystore addNumbersClient.jks
    The following message is displayed:
    Enter keystore password:
    Enter the following password:
    secret
    Information about the certificate is displayed, and then the following message is displayed:
    Trust this certificate? [no]:
    Enter the following response:
    yes
    The following message is displayed:
    Certificate was added to keystore

You can now start the Add Numbers Client for topology discovery, recording, or service virtualization. See Topology Discovery overview, Recording Studio, and Rational Test Virtualization Server overview.

Additionally, to validate your security certificate configuration, see Configuring the Add Numbers Client to use the HTTPS proxy.

Using the Add Numbers Client to validate the HTTP certificate configuration

Follow the steps in Securing the Add Numbers service and, if you are using the HTTPS proxy, Using discovery, recording or virtualization with the Add Numbers service and HTTPS.
In HTTPS, the client checks that the certificate that was presented by the server is not only a trusted certificate (or signed by a trusted certificate authority (CA)) but the client also checks that the certificate is valid for the host that it is connecting to. The following steps explain how to validate that the server or proxy certificate is configured correctly. This procedure can be used to validate a certificate that is configured on the Add Numbers Server, on the HTTPS proxy, or on a stub (if you are making a direct connection to the stub).

The Add Numbers Client by default checks that the certificate is trusted. However, if you want to check that the server certificate is valid for the host that the Add Numbers Client is connecting to, you must enable hostname validation. (The hostname validation is disabled by default to allow portability of the Add Numbers Server when used for other procedures).

  1. From a Command Prompt or Terminal window, start the Add Numbers Client and complete the steps that are described in Starting the Add Numbers server and client.
  2. Change the Protocol field to HTTPS.
  3. Configure the server or proxy with the certificate you want to use:
    1. If you are connecting to the Add Numbers Server: Configure the keystore on the SSL page of the Add Numbers Server window. See Securing the Add Numbers service.
    2. If you are using the HTTPS proxy: Configure the HTTPS proxy to use the identity store (keystore) that contains the certificate that is used for the HTTPS communication. See HTTPS configuration settings in Modifying the configuration settings of the HTTP/TCP proxy.
    3. If you are connecting directly to a stub, configure the identity store that is used by that stub's transport. See Identity stores and SSL and Creating physical web server resources.
  4. Configure the Add Numbers Client's truststore to point to a keystore that contains the certificate that was given to the server, the proxy, or the stub (or that contains a certificate from that certificates chain of trust). See Updating the Add Numbers Client's keystore.
  5. On the SSL page of the Add Numbers Client, select Verify the server hostname against the certificate.
You can now run the Add Numbers service over a secure connection. The client now displays an error if the server presents a certificate that the client cannot or does not trust, or a certificate that does not match the hostname of the server, or if there are any other problems establishing a secure connection by using that certificate configuration.