Deploy CA TDM in a Security Zone

You can install CA TDM in a security zone, where there are untrusted and semi-trusted segments. When you deploy Test Data Management in a security zone, we recommend that you split the Web Server from the App Server layer. The installation and configuration of Apache HTTPd Server is not covered in this documentation.
Architecture
This process assumes the existence of two Windows servers.
  • The first server is in the untrusted zone, and serves static HTML and JS content for the Test Data Management Web Portal application.
  • The second server is in the semi-trusted zone, and serves the application APIs.
Connections between the trusted and untrusted zone go through a firewall, which is only open to the address of the untrusted zone server.
Install TDM components in the semi-trusted and untrusted zones
Install Software Components
  1. Install the following components in both the semi-trusted and untrusted zones.
    • CA TDM Repository
    • CA TDM GTServer
    • CA TDM Portal
  2. Install the following component only in the untrusted zone.
    • Apache HTTPd server — including Visual Studio 2015 and latest Windows updates
  3. Verify that DataMaker and CA Agile Requirements Designer are licensed on both servers.
  4. Verify that the CA TDM Portal can be accessed on port 8080 of both servers.
In the untrusted zone, you require the GTServer, GT Repository, and WebPortal only during the installation process. After installation, you can remove these applications from the untrusted zone.
  1. Log on to the server in the untrusted zone.
  2. Open the web apps directory. 
    C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps
  3. Delete all the TDM*.war files, and folders whose names begin with TDM.
  4. Keep the folder and WAR file for TestDataManager.
  5. Stop the DBMS service. 
  6. Restart the CA Test Data Manager Portal service.
Configure Apache HTTPd for reverse proxy
On the untrusted server, you configure the Apache HTTPd server for reverse proxy by applying the following changes. Note: CA may extend this list of URL endpoints in the future as further CA TDM API services are made available.
  1. Edit the Apache httpd config file.
    C:\Apache24\conf\httpd.conf
  2. Uncomment the following lines in the Apache httpd config file to enable reverse proxy:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule rewrite_module modules/mod_rewrite.so
  3. Add the following rules to the httpd.conf file to route the API traffic to the semi-trusted server:
    ProxyRequests off
     
    ProxyPass        /TestDataManager/api http://semi-trusted.domain.com:8080/TestDataManager/api
    ProxyPassReverse /TestDataManager/api http://semi-trusted.domain.com:8080/TestDataManager/api
    ProxyPass        /TestDataManager/user http://semi-trusted.domain.com:8080/TestDataManager/user
    ProxyPassReverse /TestDataManager/user http://semi-trusted.domain.com:8080/TestDataManager/user
    ProxyPass        /TestDataManager http://untrusted.domain.com:8080/TestDataManager
    ProxyPassReverse /TestDataManager http://untrusted.domain.com:8080/TestDataManager
    ProxyPass        /TDMConnectionProfileService http://semi-trusted.domain.com:8080/TDMConnectionProfileService
    ProxyPassReverse /TDMConnectionProfileService http://semi-trusted.domain.com:8080/TDMConnectionProfileService
    ProxyPass        /tdmJobEngineService http://semi-trusted.domain.com:8080/tdmJobEngineService
    ProxyPassReverse /tdmJobEngineService http://semi-trusted.domain.com:8080/tdmJobEngineService
    ProxyPass        /TDMProjectService http://semi-trusted.domain.com:8080/TDMProjectService
    ProxyPassReverse /TDMProjectService http://semi-trusted.domain.com:8080/TDMProjectService
    ProxyPass        /TDMService http://semi-trusted.domain.com:8080/TDMService
    ProxyPassReverse /TDMService http://semi-trusted.domain.com:8080/TDMService
    ProxyPass        /tdmwebModelingService http://semi-trusted.domain.com:8080/tdmwebModelingService
    ProxyPassReverse /tdmwebModelingService http://semi-trusted.domain.com:8080/tdmwebModelingService
  4. Substitute the hostname semi-trusted.domain.com in these rules with the hostname or address of your semi-trusted server.
  5. Substitute the hostname untrusted.domain.com in these rules with the hostname or address of your untrusted server.
  6. Save the configuration file and restart the Apache server. 
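The following lint check is an added example, not part of the CA documentation. Apache applies the first ProxyPass rule that matches, in configuration order, so the /TestDataManager/api and /TestDataManager/user rules must stay above the catch-all /TestDataManager rule or API calls are served by the untrusted host. The sketch below checks that ordering, the ProxyPassReverse pairing, and leftover placeholder hostnames; the example.internal hostnames and the sample fragment are constructed.

```python
import re

# Constructed sample: a shortened httpd.conf fragment with deliberate mistakes
# (catch-all rule listed first, one rule unpaired and still using a placeholder).
SAMPLE_CONF = """\
ProxyRequests off
ProxyPass        /TestDataManager http://web01.example.internal:8080/TestDataManager
ProxyPassReverse /TestDataManager http://web01.example.internal:8080/TestDataManager
ProxyPass        /TestDataManager/api http://app01.example.internal:8080/TestDataManager/api
ProxyPassReverse /TestDataManager/api http://app01.example.internal:8080/TestDataManager/api
ProxyPass        /TDMService http://semi-trusted.domain.com:8080/TDMService
"""

# Placeholder hostnames used in the documented rules.
PLACEHOLDERS = {"semi-trusted.domain.com", "untrusted.domain.com"}
RULE = re.compile(
    r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+https?://([^:/\s]+)\S*", re.I)

def parse_rules(conf_text):
    """Return (directive, path, backend_host) in file order; '#' lines never match."""
    rules = []
    for line in conf_text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((m.group(1).lower(), m.group(2).rstrip("/"), m.group(3).lower()))
    return rules

def lint_proxy_rules(conf_text):
    """Return a list of human-readable findings for the reverse proxy rules."""
    findings = []
    rules = parse_rules(conf_text)
    passes = [(p, h) for d, p, h in rules if d == "proxypass"]
    reverses = {(p, h) for d, p, h in rules if d == "proxypassreverse"}
    if re.search(r"^\s*ProxyRequests\s+on\b", conf_text, re.I | re.M):
        findings.append("ProxyRequests is on: forward proxying is enabled")
    for i, (path, host) in enumerate(passes):
        # First match wins, so a shorter prefix listed earlier shadows this rule.
        for earlier, _ in passes[:i]:
            if path.startswith(earlier + "/"):
                findings.append(f"{path} is shadowed by earlier rule {earlier}")
        if (path, host) not in reverses:
            findings.append(f"{path} has no matching ProxyPassReverse")
        if host in PLACEHOLDERS:
            findings.append(f"{path} still uses placeholder host {host}")
    return findings

if __name__ == "__main__":
    for finding in lint_proxy_rules(SAMPLE_CONF):
        print(finding)
```

To check a real deployment, pass the contents of C:\Apache24\conf\httpd.conf to lint_proxy_rules before restarting Apache.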
Verify the Configuration
  1. Open a browser to connect to the Apache server on port 80 of the untrusted host.
    The logon page displays. 
  2. Create a connection profile through the CA TDM Portal as a test.
  3. Verify that this connection is created in the gtrep_profile table of the semi-trusted repository.
  4. Verify that this connection is not created in the gtrep_profile table of the untrusted repository.
Remove API Services From the Untrusted Server
  1. Open the Windows Control Panel, click Services, and stop the CA Test Data Manager Portal service.
  2. Open the Windows File Explorer, and navigate to the Tomcat webapps folder at
    C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps
  3. Delete the following folders and WAR files:
    • TDMConnectionProfileService
    • TDMJobEngineService
    • TDMProjectService
    • TDMPublisherService
    • TDMService
    • TDMWebModelingService
  4. Return to the Services control panel and restart the CA Test Data Manager Portal service.
    The API services are no longer accessible on the untrusted server.