Creating and installing security certificates to implement SSL

In order to implement SSL, a web server must have an associated certificate for each external interface (IP address) that accepts secure connections.
Important: This document does not provide complete details for configuring WebSphere® authentication or SSL, which is a complex topic. Detailed information about the various authentication and encryption options is covered in the WebSphere Application Server product documentation. For more information, go to the WebSphere product documentation and use this phrase in search: Securing applications and their environment.
After deploying your Jazz™ Team Server-based applications on an application server, you have several options

The Jazz Team Server includes a self-signed certificate for SSL with the Apache Tomcat server.

Important: Rational® Engineering Lifecycle Manager's keystore file and DOORS® Web Access's keystore file must use the same host name value; if they do not, the two products cannot communicate with each other.
The Rational Engineering Lifecycle Manager Tomcat server and the DOORS Web Access Tomcat server each have an SSL certificate. The location of each certificate's keystore is specified in that server's server.xml file:
  • Rational Engineering Lifecycle Manager: <RELM Install Path>/server/tomcat/conf/server.xml
  • DOORS Web Access: <DWA Install Path>/server/conf/server.xml
Each of these files contains a keystoreFile attribute that points to the keystore file.
By default, the Rational Engineering Lifecycle Manager certificate identifies the host as "localhost", whereas the DOORS Web Access certificate identifies the actual host name. There are several ways to resolve this mismatch:
  • Generate a new keystore for Rational Engineering Lifecycle Manager whose certificate identifies the actual host name, and replace the default Rational Engineering Lifecycle Manager keystore with this new keystore.
  • If you install DOORS Web Access before Rational Engineering Lifecycle Manager, change Rational Engineering Lifecycle Manager to use DOORS Web Access's keystore by setting the keystoreFile path in its server.xml file to that keystore. Also change the password setting (keystorePass) to match the password of DOORS Web Access's keystore.
  • If you install Rational Engineering Lifecycle Manager before DOORS Web Access, change DOORS Web Access to use Rational Engineering Lifecycle Manager's keystore in the same way. Also change the password setting (keystorePass) to match the password of Rational Engineering Lifecycle Manager's keystore.
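As an added example (not part of the IBM documentation), the following POSIX shell script reads the keystoreFile and keystorePass settings from two server.xml files and reports whether both servers point at one keystore with the same password, which is what the second and third options above produce. The sample server.xml content, the install paths under /opt and the passwords are constructed for the demonstration; on a real installation, point the script at the two server.xml files listed above. To confirm the host name each keystore's certificate actually carries, inspect it with keytool -list -v.

```shell
#!/bin/sh
# Added example, not IBM's code: compare the SSL keystore settings of the
# Rational Engineering Lifecycle Manager and DOORS Web Access server.xml files.

# Print the value of a quoted XML attribute (for example keystoreFile) from a
# server.xml. Only the first match is used; the SSL Connector is normally the
# only element that carries keystoreFile/keystorePass.
attr_value() {
  sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when both server.xml files name the same keystore file and the same
# keystorePass; otherwise print what differs to stderr and return 1
# (2 if a file has no keystoreFile at all).
keystores_shared() {
  relm_xml="$1"; dwa_xml="$2"
  relm_file=$(attr_value "$relm_xml" keystoreFile); dwa_file=$(attr_value "$dwa_xml" keystoreFile)
  relm_pass=$(attr_value "$relm_xml" keystorePass); dwa_pass=$(attr_value "$dwa_xml" keystorePass)
  if [ -z "$relm_file" ] || [ -z "$dwa_file" ]; then
    echo "keystoreFile missing in one of the server.xml files" >&2
    return 2
  fi
  if [ "$relm_file" = "$dwa_file" ] && [ "$relm_pass" = "$dwa_pass" ]; then
    return 0
  fi
  echo "RELM: keystoreFile=$relm_file" >&2
  echo "DWA:  keystoreFile=$dwa_file" >&2
  [ "$relm_file" = "$dwa_file" ] && echo "same keystore file but keystorePass differs" >&2
  return 1
}

# Write a minimal constructed server.xml with an SSL Connector
# (usage: write_sample_xml <path> <keystoreFile> <keystorePass>).
write_sample_xml() {
  cat > "$1" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="$2" keystorePass="$3" />
  </Service>
</Server>
EOF
}

# Stand-alone demonstration on constructed files (paths and passwords are not from a real install).
demo() {
  d=$(mktemp -d)
  write_sample_xml "$d/relm-server.xml" "/opt/relm/server/tomcat/ibm-team-ssl.keystore" "ibm-team"
  write_sample_xml "$d/dwa-server.xml"  "/opt/dwa/server/conf/dwa.keystore" "changeit"
  if keystores_shared "$d/relm-server.xml" "$d/dwa-server.xml"; then
    echo "both servers use one keystore"
  else
    echo "keystores differ: make sure both certificates identify the same host name"
  fi
  rm -rf "$d"
}
demo
```

The script deliberately checks only what server.xml states; a keystore that is shared by path but whose password was changed on one side is reported as a mismatch, because Tomcat on that side will fail to open it at startup.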

Creating a self-signed certificate

The IBM® JRE that is included with Jazz Team Server provides the keytool program, which is useful for managing keys and certificates on the server. The keytool program is located in the JazzInstallDir/server/jre/bin/ directory.

The keytool program can create your own self-signed certificate that identifies the host by its network name. Alternatively, you can request a certificate that is signed by a trusted certificate authority (CA). A self-signed certificate is not trusted by web browsers automatically, so users must accept it in the browser.

For more information about the keytool program, see: http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

Installing a security certificate

You can replace the self-signed certificate with a certificate that belongs to your company.

For Apache Tomcat, the JazzInstallDir/server/tomcat/conf/server.xml file configures Tomcat to read the server certificate from the JazzInstallDir/server/tomcat/ibm-team-ssl.keystore file. The default keystore password is ibm-team, and the keystore includes a self-signed certificate that identifies the server as "localhost". Change the default keystore password to improve security, and update the keystorePass setting in server.xml to match the new password.
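As an added example (not IBM's code and not part of the original documentation), the following POSIX shell script shows the keytool steps behind the two preceding sections: creating a self-signed certificate that identifies the real host name rather than "localhost", confirming that host name, replacing the default keystore password, and producing a certificate signing request so that a CA-signed certificate belonging to your company can later be imported into the same keystore. It assumes keytool is on the PATH (on a Jazz Team Server installation use JazzInstallDir/server/jre/bin/keytool), and the host name relm.example.com, the alias tomcat, the organization fields in -dname and the passwords are constructed. The -ext SAN option is available in the keytool of Java 7 and later; the Java 6 documentation linked above does not list it.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumes keytool is on PATH; on a Jazz Team Server
# installation use JazzInstallDir/server/jre/bin/keytool instead.
KEYTOOL="${KEYTOOL:-keytool}"
KS_TYPE=JKS      # Tomcat's default keystoreType; stated explicitly so every command agrees
ALIAS=tomcat     # constructed alias for the server key pair

# Create a key pair and a self-signed certificate whose subject CN and SAN carry
# the server's real host name instead of the default "localhost".
gen_self_signed() {
  ks="$1"; host="$2"; pass="$3"
  "$KEYTOOL" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -keystore "$ks" -storetype "$KS_TYPE" -storepass "$pass" -keypass "$pass" \
    -dname "CN=$host, OU=IT, O=Example Corp, C=US" \
    -ext "SAN=dns:$host" >/dev/null 2>&1
}

# Print the subject CN of the certificate stored under $ALIAS; use it to confirm
# the host name before pointing server.xml at the keystore.
cert_cn() {
  ks="$1"; pass="$2"
  "$KEYTOOL" -list -v -keystore "$ks" -storetype "$KS_TYPE" -storepass "$pass" -alias "$ALIAS" 2>/dev/null \
    | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# Replace the default keystore password. Tomcat uses keystorePass for the private
# key as well unless keyPass is set, so the key password is changed to the same value.
rotate_password() {
  ks="$1"; old="$2"; new="$3"
  "$KEYTOOL" -storepasswd -keystore "$ks" -storetype "$KS_TYPE" -storepass "$old" -new "$new" >/dev/null 2>&1 &&
  "$KEYTOOL" -keypasswd -alias "$ALIAS" -keystore "$ks" -storetype "$KS_TYPE" -storepass "$new" \
    -keypass "$old" -new "$new" >/dev/null 2>&1
}

# Write a certificate signing request for the existing key pair. Send the file to
# your CA, then import the signed certificate and the CA chain with keytool -importcert.
make_csr() {
  ks="$1"; pass="$2"; host="$3"; out="$4"
  "$KEYTOOL" -certreq -alias "$ALIAS" -keystore "$ks" -storetype "$KS_TYPE" -storepass "$pass" \
    -keypass "$pass" -ext "SAN=dns:$host" -file "$out" >/dev/null 2>&1
}

# Stand-alone demonstration on a temporary keystore (all values constructed).
demo() {
  d=$(mktemp -d); ks="$d/ibm-team-ssl.keystore"
  gen_self_signed "$ks" relm.example.com ibm-team
  echo "certificate subject: $(cert_cn "$ks" ibm-team)"
  rotate_password "$ks" ibm-team 'N3w-Passw0rd' && echo "keystore password changed"
  make_csr "$ks" 'N3w-Passw0rd' relm.example.com "$d/relm.csr" && head -n 1 "$d/relm.csr"
  rm -rf "$d"
}
if command -v "$KEYTOOL" >/dev/null 2>&1; then demo; fi
```

After rotating the password, set keystorePass in server.xml to the new value before restarting Tomcat; if you later import the CA-signed certificate under the same alias, the keystore path and password in server.xml stay unchanged.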

For more information about security certificates for Apache Tomcat, see the following: Tomcat SSL Configuration

For information about security certificates for WebSphere Application Server, see the following topics:
