
Using a reverse proxy server for TAD4D/LMT

Intended audience

This document is intended for TAD4D/LMT administrators and the staff responsible for configuring TAD4D/LMT agents.

Purpose of the document

It is good practice to place a dedicated HTTP server in front of the TAD4D/LMT server. The TAD4D/LMT server is an application installed on WebSphere Application Server (WAS), and WAS provides all the services the TAD4D/LMT server needs. In a default TAD4D/LMT installation, web traffic is handled by the WebSphere web container, whose main job is dispatching incoming requests. The solution recommended by IBM to take over that role for a WebSphere server is IBM HTTP Server (IHS). IHS is based on Apache 2.0 and provides the rich set of Apache features together with IBM enhancements. Placing IHS between the client and WAS adds a layer which can be used, among other things, to harden the installation or to manage client load better. Besides its regular use as an external server, IHS is especially useful when the TAD4D/LMT server is located in a network that the agents cannot access directly.

The purpose of this document is therefore to give the technical staff involved in configuring the TAD4D server and agents guidelines on how to configure the TAD4D/LMT components to use IHS as a reverse proxy in the minimal and medium security configurations, addressing the last use case mentioned above.

Forward proxy server vs reverse proxy server


the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server.

Forward web proxies can retrieve content from a wide range of sources. A client usually connects via a proxy server because it cannot access the resources directly or because the proxy server can reach the destination server in a more economical way. Generally, clients need appropriate entries in their configuration defining where the forward proxy server can be found. A transparent web proxy does not require this kind of configuration, i.e. explicitly enabling proxy usage in the client configuration, but in our case reverse proxies serve our purpose better.

A reverse proxy is a proxy server that clients see as an ordinary server. The requested content can be retrieved from one or more origin servers, but to the client it still looks like the content of a single server, and the response is returned as if it came directly from the proxy server. The client cannot request content other than what is included in the predefined list configured on the reverse proxy server.

Types of configuration

The procedures shown below use the reverse proxy type of configuration. Customers who already have a number of agents deployed without a proxy defined can use the reverse proxy configuration because it does not require modifying the configuration of all agents. To keep the agents' configuration unchanged while redirecting the agents' traffic to a new IHS server, it may be enough to change the appropriate DNS entry.

The procedures include the agent configuration change for customers who need to modify the default ports for some reason. In that case the default communication port is shown commented out for reference.

There are two procedures of configuration presented below.

The first procedure simply shows how to configure an IHS as a reverse


– i.e. 9988 and configuring IHS to send the traffic to that new port would eliminate need to reconfigure the agents.

The second procedure shows how to use IHS as a reverse proxy with SSL. Using a secure communication protocol between agent and server requires terminating the SSL tunnel on the reverse proxy. We assume that the customer trusts the network between the reverse proxy and the TAD4D/LMT server, so all requests from the reverse proxy are forwarded to an unencrypted port of the TAD4D server. If that assumption does not hold and the traffic needs protection, a secure channel such as a VPN can be established to tunnel it. The consequence of decrypting the agents' traffic and sending it to an open port is that only the minimal communication level can be chosen on the TAD4D server. If an administrator wants to block unencrypted communication between the agents and the server, an appropriate firewall rule should be applied to block the unencrypted agent-server traffic. The administrator must, however, make sure that the unencrypted traffic coming from the reverse proxy is not blocked, because that would cut off the agents that use the SSL reverse proxy.

Software used in configuration:

IHS

The piece of software that will act as the reverse proxy server is IBM HTTP Server (IHS). IHS is part of the WebSphere package and can be downloaded via the standard IBM distribution channel. The IHS server should be placed where it can be reached by the agents and can itself reach the TAD4D server.

An IHS can be downloaded from Downloads > “No Charge products, tools and toolkits” section.

Its documentation is available on the Infocenter website.

Platform-specific paths of the configuration files and installation instructions can be found in the documentation available from that page.

Agent

The TAD4D/LMT agent is part of the standard installation. We assume that the agents are already distributed and configured. The following chapter can be used to verify the agents' configuration. It can be


http://publib.boulder.ibm.com/infocenter/tivihelp/v53r1/index.jsp?topic=%2Fcom.ibm.lmt75.doc%2Fcom.ibm.license.mgmt.reference.doc%2Fr_agent_files.html

The command tlmagent, which is used often in the procedures below, has three useful parameters: “tlmagent -e”, which stops the agent, “tlmagent -g”, which starts the agent, and “tlmagent -p”, which checks the agent-server communication.

Note: Both procedures use IHS in the reverse proxy mode. Enabling a proxy in the agent's configuration will prevent all communication between an agent and the server.

TAD4D/LMT console

As in the case of the agents, we assume that the TAD4D/LMT server is up and running and that the reader is familiar with the TAD4D/LMT console. Readers who need to learn about the TAD4D or LMT products can find more information via the links below:

TAD4D

http://publib.boulder.ibm.com/infocenter/tivihelp/v54r1/index.jsp?topic=%2Fcom.ibm.tad4d75.doc%2Fic-homepage_tad4d.html

LMT

http://publib.boulder.ibm.com/infocenter/tivihelp/v53r1/index.jsp?topic=%2Fcom.ibm.lmt75.doc%2Fic-homepage_lmt.html

Procedure of configuration using agent without encryption

IBM HTTP Server

1. Install the IHS.

2. Choose a port which the IHS can use for incoming traffic.

Note: In the procedure we chose port 80 for the communication between the agent and the IHS server.

3. Load modules necessary to enable the IHS in the reverse proxy server mode.

Note: All the changes to the IHS configuration mentioned in the procedure should be made in the httpd.conf file located in the conf folder of the IHS home folder.

4. Make sure that IHS is bound to the port you have chosen.

5. Redirect traffic to the TAD4D/LMT server (tadd is the TAD4D server name).


6. Restart the IHS server.
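The httpd.conf directives that steps 3 to 5 refer to, as an added example fragment that is not part of the original document: it assumes IHS listens on port 80 as chosen in step 2, that tadd is the TAD4D/LMT server name from step 5, and that 9988 is the unencrypted agent port on the TAD4D/LMT server (an assumption; adjust it to your server's port).

```apache
# Added example httpd.conf fragment (not from the original document).
# Assumptions: IHS listens on port 80 (chosen in step 2); "tadd" is the
# TAD4D/LMT server name (step 5); 9988 is the server's unencrypted agent
# port (assumed, change it to match your installation).

# Step 3: modules required for reverse proxy mode
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Step 4: bind IHS to the chosen port
Listen 80

# Keep IHS a reverse proxy only. With ProxyRequests On it would become an
# open forward proxy that anyone reaching port 80 could use to reach other
# hosts; a reverse proxy must relay solely to the backend listed below.
ProxyRequests Off

# Step 5: relay all agent traffic to the TAD4D/LMT server and rewrite any
# redirect headers in its responses so they point back at IHS
ProxyPass        / http://tadd:9988/
ProxyPassReverse / http://tadd:9988/
```

After the restart in step 6, “tlmagent -p” on an agent whose server entry points at the IHS host can be used to check that the relay works.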

TAD4D/LMT agent

7. Check the configuration and functioning of the agent without the reverse proxy server.

8. Modify agent port if necessary.

9. Make sure that the proxy is not enabled in the agent's configuration.


10. Make sure that the minimal level of security is set in the agent's configuration.

11. Restart the agent and check if it can connect to the TAD4D/LMT server.

Procedure of configuration using agent with encryption between agent and IHS

TAD4D/LMT server

Export the certificate and private key from the TAD4D server:

1. From the TAD4D/LMT console run WebSphere console.

2. Run “SSL Certificate and key management” tool.


3. Click “iLMTkeystore”.

4. Click “Personal Certificate”.

5. Mark “lmt server” checkbox and click “export” button.


6. Save the certificate and private key to an encrypted file on your server's hard drive.

Note: The default password of iLMTKeystore is tlcm01test

7. Transfer securely the file to the IHS server.

Note: The security of TAD4D/LMT agent-server communication depends on keeping the private key confidential. Apply appropriate measures to protect it.

8. On the screen from step 5, use the “extract” button to extract the server certificate, which will be used for the agents.


IHS server

The changes made on the IHS server include: creating a container for the certificate, filling it with the certificate exported from WAS, and configuring IHS to terminate the SSL tunnel using that certificate.

Note: The first two tasks can be done either with the graphical interface (steps 9-11) or with the command line interface (steps 12-16). Steps 17 and 18 should then be executed to cover the third task.

Graphical user interface version of procedure

9. Using iKeyMan, create a container on the IHS server.

Note: iKeyMan is part of the IHS package and can be found in the bin folder of the IHS distribution.

10. Click the “import” button to import the key and certificate exported from the TAD4D/LMT server.

11. Ensure that the certificate is the default certificate in the container.

Command line version of procedure


14. Import the key and certificate exported from the TAD4D/LMT server.

15. Mark the imported certificate as the default one.

16. Verify that the certificate is imported correctly and marked as default.

Configuring IHS to terminate SSL – the common part of the IHS configuration procedure

17. Enable SSL tunnel termination in the IHS configuration file –

18. Restart the IHS server.
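The SSL termination that step 17 enables, as an added httpd.conf fragment that is not part of the original document: it assumes the key database created in step 9 or 12 is /opt/IBM/HTTPServer/keys/key-agent-ihs.kdb (placeholder path; the file name follows the next section) with the imported certificate marked as default, that agents connect on port 443, and that tadd:9988 is the unencrypted TAD4D/LMT port receiving the decrypted traffic.

```apache
# Added example httpd.conf fragment for step 17 (not from the original document).
# Assumptions: key database key-agent-ihs.kdb (with its .sth stash file beside
# it) holds the certificate exported from WAS, marked as default; agents use
# port 443; tadd:9988 is the unencrypted TAD4D/LMT port (assumed).

LoadModule ibm_ssl_module    modules/mod_ibm_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Port the agents connect to; must match the agent's secure port (step 20)
Listen 443

<VirtualHost *:443>
    # Terminate the agents' SSL tunnel with the certificate from the keystore
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/keys/key-agent-ihs.kdb

    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests Off

    # The decrypted traffic leaves IHS in clear text towards the TAD4D server,
    # which is why only the minimal communication level can be set there and
    # why the IHS-to-server path must be a trusted network or a VPN.
    ProxyPass        / http://tadd:9988/
    ProxyPassReverse / http://tadd:9988/
</VirtualHost>

# SSL remains disabled on any other listener
SSLDisable
```

If unencrypted agent traffic is blocked by a firewall rule as described earlier, the rule must still allow the IHS host to reach tadd:9988, or agents using this SSL path stop working.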

Agent

19. Copy the cert.arm certificate extracted in step 8 of the procedure into the $agent_base_data_dir/keydb folder on the agent machine. The $agent_base_data_dir folder is defined in the agent's configuration file.

20. Ensure that the agent's secure communication port is the same as the one IHS listens on, as defined in step 12.

21. Enable the medium level communication on agent.

22. Restart the agent and check if it is able to connect to the server.


Procedure of configuration with encryption agent-IHS and IHS-TAD4D

TAD4D/LMT server

Follow procedure for TAD4D server from the previous section.

IHS server

Please read the procedure of IHS configuration from the previous section. You will find there the sections on importing certificates into keystores using both the GUI and the command line.

1. Using iKeyMan (GUI) or gsk7cmd, create a container key-agent-ihs.kdb on the IHS server.

2. Import the key exported from the TAD4D server into the “Personal Certificates” of the container.

3. Using iKeyMan (GUI) or gsk7cmd, create a container key-ihs-was.kdb on the IHS server.

4. Import the certificate exported from the TAD4D server into the “Signer Certificates” of the container.

5. Enable the modules mod_proxy.so and mod_proxy_http.so in the IHS configuration file (httpd.conf).

6. Configure IHS to terminate SSL connections coming from agents.

7. Configure IHS to access the TAD4D server via an SSL tunnel.

8. Restart the IHS server.

Agent

Follow procedure for TAD4D agent from the previous section.
