Configuring Apache HTTP Server as a reverse proxy for Rational DOORS Web Access

You can configure Apache HTTP Server as a reverse proxy for Rational DOORS Web Access. A reverse proxy server provides an extra layer of security, protects HTTP servers in the network, and improves the performance of Secure Sockets Layer (SSL) requests. When you use a reverse proxy, you can change your deployment topology later, as needed.

Before you begin

  1. Install Rational DOORS Web Access, but do not start the Rational DOORS Web Access components or server.
  2. Install Apache HTTP Server.

About this task

A reverse proxy server is a special HTTP server that prevents direct access to the content HTTP server. All requests for content go through a publicly visible reverse proxy server URI and are then forwarded to the private Rational DOORS Web Access server URI.
The use of a reverse proxy server provides several advantages:
  • Future deployment topology changes: When you use a reverse proxy in your deployment, you can provide one host name in your public URL regardless of how many machines and port numbers the applications are deployed on. As a result, you can change your deployment topology later.
  • Security: The reverse proxy server provides an extra layer of security and can protect other HTTP servers in the communication network. If you are using a firewall between the reverse proxy server and the content HTTP server, you can configure the firewall to allow only HTTP requests from the reverse proxy server.
  • Performance: You can equip the reverse proxy server with SSL acceleration hardware that can improve the performance of SSL requests.
In this procedure, you do these steps:
  1. Prepare the SSL keystore.
  2. Modify the httpd.conf and httpd-ssl.conf files.
  3. Start Apache HTTP Server.
  4. Start Rational DOORS Web Access components.
  5. Start Rational DOORS Web Access server.

Procedure

  1. Prepare the SSL keystore:
    1. Create or open your SSL keystore in the supplied IBM Key Management Utility (IKeyMan) SSL tool.
    2. When you save your keystore, select the option to save the password to a stash file.
    3. Record this information:
      • The default SSL certificate label
      • The path to the keystore file
      • The path to the stash file
  2. Configure the Apache HTTP Server to process SSL requests by editing the httpd.conf file, which is in the conf directory in the Apache installation.
    1. Uncomment these modules:
      • LoadModule proxy_module modules/mod_proxy.so
      • LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
      • LoadModule proxy_http_module modules/mod_proxy_http.so
      • LoadModule ssl_module modules/mod_ssl.so
    2. Go to the SSL configuration section, which starts with #Secure (SSL/TLS) connections.
    3. In that section, add these entries:
      #
      # reverse proxy
      #
      SSLProxyEngine On
      ProxyPreserveHost On
    4. Add entries to identify the host domain:
      ProxyPass / https://host_domain:DWA_Tomcat_port/
      ProxyPassReverse / https://host_domain:DWA_Tomcat_port/
      For example:
      ProxyPass / https://private_host.com:7443/
      ProxyPassReverse / https://private_host.com:7443/
      Note: In this example, the proxy port that is visible to end users is set to 8443 (the SSL port that you configure in the httpd-ssl.conf file), and proxy requests are forwarded to port 7443 on the private_host.com server. Depending on your environment, the ports that the proxy server and Apache Tomcat are configured to use might be set to different values to avoid port conflicts.
    5. Uncomment this line:
      Include conf/extra/httpd-ssl.conf
      For more information about configuring reverse proxies, see Apache Module mod_proxy in the Apache Software Foundation documentation.
  3. Edit the httpd-ssl.conf file, which is in the /conf/extra directory in the Apache installation.
    1. Update the host name and the port that SSL is configured on.
    2. Update the settings as required, including these settings:
      • SSLCertificateFile
      • SSLCertificateKeyFile
      Note: If the SSLCertificateKeyFile key file is protected by a password, the password must be entered each time the server starts. You can remove the password, but before you do, consider the security implications of this action for your environment.
      For more information about editing HTTP SSL files, see Apache Core Features and Apache Module mod_ssl in the Apache Software Foundation documentation.
  4. Start Apache HTTP Server. Any errors are written to the error.log file, which is in the logs folder of the Apache installation.
  5. Start Rational DOORS Web Access components.
  6. Start Rational DOORS Web Access server.
  7. Set the Rational DOORS Web Access public URL and port to the reverse proxy server by entering this dbadmin command:
    dbadmin -dwaHost reverse_proxy_url -dwaPort reverse_proxy_portnumber
    For more information about the dbadmin command, see Configuring the Rational DOORS database server.
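
The entries from steps 2 and 3, collected into one configuration, as an added example that is not part of the original procedure or of IBM's or Apache's own files. It also adds backend certificate verification, because SSLProxyEngine On by itself encrypts the connection to Tomcat without validating the Tomcat certificate. The host name proxy.example.com and the file names under conf/ssl/ are assumed placeholders.

```apache
# Added example. Assumed placeholders: proxy.example.com and the conf/ssl/ files.
# private_host.com and ports 8443/7443 are taken from the example in step 2.

# ---- conf/httpd.conf ----
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so

#
# reverse proxy
#
# Keep forward proxying disabled so clients cannot relay to arbitrary hosts.
ProxyRequests Off
SSLProxyEngine On
ProxyPreserveHost On

# SSLProxyVerify defaults to "none": the hop to Tomcat is encrypted, but any
# certificate is accepted. Require a chain that ends at the CA you trust.
SSLProxyVerify require
SSLProxyCACertificateFile "conf/ssl/dwa-backend-ca.pem"
SSLProxyCheckPeerExpire On
# Name check on the Tomcat certificate. Assumption to verify on your build:
# with ProxyPreserveHost On, Apache may compare the certificate against the
# public host name instead of private_host.com.
SSLProxyCheckPeerName On

ProxyPass        / https://private_host.com:7443/
ProxyPassReverse / https://private_host.com:7443/

Include conf/extra/httpd-ssl.conf

# ---- conf/extra/httpd-ssl.conf ----
Listen 8443
<VirtualHost _default_:8443>
    ServerName proxy.example.com:8443
    SSLEngine On
    # Refuse legacy protocol versions on the public listener.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    "conf/ssl/proxy.crt"
    # If the key is stored without a password, restrict read access on the
    # file to the account that starts Apache.
    SSLCertificateKeyFile "conf/ssl/proxy.key"
</VirtualHost>
```

Run httpd -t to check the syntax of the edited files before you start Apache HTTP Server in step 4.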