Polarion Software Weblog

The described scenario assumes you want to open Polarion ALM to external customers or suppliers

If you are just running a Polarion ALM instance that is directly accessible from the Internet you also expose your Subversion repository , confidential content is accessible from outside.

Actually the Subversion repository is already protected by the access file, but it is easy to expose content by mistake.

This blog describes an approach to open Polarion ALM to external customers and avoid the risk described above.

Internal users access Polarion ALM directly from inside the internal network. The change will be transparent for them.

External users access Polarion ALM via a proxy provided by Apache. This proxy will forward safe requests only which don’t reveal internal content of your repository, even if Subversion’s access file is not configured to hide that information.

Basic configuration of the proxy
The basic configuration of the Apache running the proxy is quite simple.

Adding the following lines to the default configuration is sufficient (replace <polarion-server> with the URL of your Polarion server):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPass /polarion <polarion-server>/polarion
ProxyPassReverse /polarion <polarion-server>/polarion

With this configuration all requests to <external-server>/polarion will be passed to <internal-server>/polarion. Please make sure that the Firewall grants access from external-server to internal-server on port 80.

Securing the Proxy
With this configuration an external user could still access files in the repository. Actually, it is not that bad, as the user has to know the exact path of the file he tries to access.

Following line closes this possibility:
ProxyPass /polarion/webdav !

Unfortunately this configuration has a disadvantage: It will also disable access to LiveDocuments using Word and Excel for the external users.

Re-enabling access to Attachment
Disabling all access to the repository also prevents users from downloading attachments.

To enable download of attachments, the /svnwebclient/fileDownload.jsp URL has to be forwarded to the internal server.

Add following lines to the configuration of your Apache acting as proxy:
ProxyPass /svnwebclient/fileDownload.jsp <polarion-server>/svnwebclient/fileDownload.jsp
ProxyPassReverse /svnwebclient/fileDownload.jsp <polarion-server>/svnwebclient/fileDownload.jsp

Doing that without any additional precautions is risky: Again, the access of the external user to files in the repository is only restricted by the access configuration.

An additional layer of security can be implemented by restricting the parameters of the URL to only allow download of files inside the project(s) the external user is able to access. This is achieved by using mod_rewrite to redirect every forbidden access to a nonexistent URL.

Add following lines to your configuration:
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/svnwebclient/fileDownload.jsp$
RewriteCond %{QUERY_STRING} !^.*&url=<project-location>
RewriteRule .* /nonexistent

<project-location> has to be replaced with the location of the project in the repository, all slashes (/) in have to be replaced with %2F and a %2F should be appended at the end.

Example:
Assuming you want to expose Library project from the Polarion demo-data and your internal Polarion server has the URL http://polarion.

You can get the location of the project from the Overview Topic of the project.

The location is Demo%20Projects/demolibrary, the string to use is Demo%20Projects%2Fdemolibrary%2F

The resulting configuration to use for the proxy is:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPass /polarion http://polarion/polarion
ProxyPassReverse /polarion http://polarion/polarion
ProxyPass /polarion/webdav !
ProxyPass /svnwebclient/fileDownload.jsp http://polarion/svnwebclient/fileDownload.jsp
ProxyPassReverse /svnwebclient/fileDownload.jsp http://polarion/svnwebclient/fileDownload.jsp
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/svnwebclient/fileDownload.jsp$
RewriteCond %{QUERY_STRING} !^.*&url=Demo%20Projects%2Fdemolibrary%2F
RewriteRule .* /nonexistent

Best Wishes
Benjamin

The following statement will enable log rotation for Apache. The command is specified for installation in a Windows system. Please check paths for you own installation.
CustomLog “|C:/Polarion3.1.1/bundled/apache_2.0.59/bin/rotatelogs.exe C:/Polarion3.1.1/data/logs/apache/access.log 60″ common

Log rotation works by a pipe to the rotatelogs.exe, which itself can be configured to rotate logs by time or by size. Try rotatelogs -? to get help.

The given statement is suitable for the access log file, which receive most of the log output. Look for further log configuration in httpd.conf and adopt them appropriately to rotate all Apache log files.

Best Wishes
Matthias

If you switch on SSL, users have to type the URL beginning with https://<server name> /Polarion. If they miss the “https”, they will not reach the page. You can help your users with an automatic redirect in the Apache configuration.

httpd.conf

remove the comment on the line:
LoadModule rewrite_module modules/mod_rewrite.so

Locate the following statement:
Listen 80

Add the following statements:
Listen 8888

The port 8888 will be used for communication between Apache and Polarion, since Polarion is not able to use SSL. In ssl.conf the access to this port is limited to localhost.

ssl.conf:
Append the following section to the file:

#– rewrite the standard page to the ssl page
<IfModule mod_rewrite.c>
RewriteEngine on
#RewriteLog “path to logfile”
#RewriteLogLevel 9

####
# Only apply the rules, if the port is not SSL (443)
# or the local port (8888)
####

ReWriteCond %{SERVER_PORT} (443||8888)$

####
# Redirect only access to repo and Polarion to the
# SSL port. The other stuff is not sensitive and can
# remain on the old port.
####

RewriteRule (repo/.*) https://%{HTTP_HOST}/$1 [NC,L]
RewriteRule (polarion/.*) https://%{HTTP_HOST}/$1 [NC,L]
</IfModule>

Best Wishes
Matthias

The image folder is hidden in the Polarion installation. When you customize Polarion, you will need the images e.g. when you look up new icons for workflow states or work item types.

To make them easily accessible, you could copy the images to subversion and check out the images in the Apache configuration. By adding some statements in the Apache configuration, access to the icons becomes easy. Another advantage is you can modify the images and check them in. All changes will still be persistent if Polarion needs to be updated.

Location of the images:

<Polarion installation folder>/Polarion/plugins/ com.polarion.java2js.server_3.1.0/webapp/ria/images

Copy this folder and it content to subversion. Check out the folder in the apache configuration, for example in the subfolder “images”. You could also add a cron job (or a task in Windows) to do a nightly update on that folder.

To publish the folder in Apache, use the following section at the end of the httpd.conf:

Alias /images/ “C:/Programme/Polarion 3.1/bundled/apache_2.0.59/images/”

<Directory “C:/Polarion/bundled/apache_2.0.59/images”>
Options Indexes MultiViews
IndexOptions +FoldersFirst +IgnoreCase
AllowOverride None
Order allow,deny
Allow from all

<FilesMatch “Thumbs.db”>
Order deny,allow
Deny from All
</FilesMatch>
</Directory>

Best Wishes
Matthias

To start Polarion as service you should perform following steps:

• Download the Windows XP Professional Ressource Kit. There is a version, which Microsoft request Money for it. I searched with Google and found a resource kit for Windows Server 2003, which applies also for Windows XP Professional, which can be downloaded from the WEB.
• It contains a little tool, called sc.exe. It gives the possibility to install programs as service. Use the following arguments:
  sc create Polarion binpath= “C:\Programme\Polarion 3.1\polarion\polarion.exe” type= share start= auto depend= Apache2Polarion
  The identifier of the parameters include the ‘=’ at the end. The space to the parameter value is mandatory. The command inserts also the dependency to apache appropriately.
• The so created service will terminate when you log off. To hinder this, you need to add the option “-Xrs” to the java environment. With this option java will not listen to the terminal. The options for the java.exe are specified in the file polarion.ini file in
  /polarion/polarion.ini. Just append a new line with the option.
• In the next step I opened the Computer Manager and edited the newly created service. I assigned it to the local account “Polarion” and inserted the password of that account. The Computer Manager itself added the right for the account to run services.
  Pay attention that the account is set to “may not change password” and “password never expires”.

That’s it. You are now ready to start the service from the Computer Manager. It will not die, when you log off, it will start when the computer is started.

Attention: The Computer Manager will complain that Polarion does not start. Polarion takes a lot of time to start. The Computer Manager should be more patient, but it is not. Check the Task Manager to see Polarion running. It is a java.exe running on the account you assigned it to.

Attention II: The Computer Manager will not be able to stop Polarion, because it believes Polarion is not running. To stop Polarion you have to use the stop tool provided by Polarion.

Best Wishes
Matthias