Configuring security certificates for Jazz Reporting Service servers

You must install a secure sockets layer (SSL) certificate for the server that runs the Jazz Reporting Service so that client web browsers can run widgets (gadgets) on other servers' dashboards. The simplest and most secure solution is to purchase and install an SSL certificate from a certificate authority. If your organization does not purchase these certificates, as a minimum you must generate a self-signed certificate on the Jazz Reporting Service server and ask your users to import it into the certificate store of their browsers. If you do not complete this step, report managers cannot add Jazz Reporting Service widgets to Jazz™ dashboards and users cannot view these reports in the dashboards.

Before you begin

You must have JazzAdmins or JazzProjectAdmins privileges.

About this task

If your organization purchases certificates from a certificate authority, you can import them to your application server, and no action is required by your users.

Otherwise, Jazz Reporting Service requires as a minimum its own self-signed certificate. Because self-signed certificates are not issued by a known certificate authority, they are typically not trusted by most browsers. To work around this limitation, you must generate these certificates, optionally export them to a Personal Information Exchange Syntax Standard (PKCS #12) file, and then ask your users to import them into the certificate store of their browsers.

The self-signed certificate that you generate must map to the server name shown in the URL that is used to access the application.
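The name-mapping requirement above can be checked before the certificate is sent to users. The following Python code is an added example, not part of the product documentation: it compares the host in the access URL with certificate names supplied in the dict shape that Python's ssl.SSLSocket.getpeercert() returns. The host names, port, and path in it are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output; placeholder host name.
SAMPLE_CERT = {
    "subject": ((("commonName", "jrs.example.com"),),),
    "subjectAltName": (("DNS", "jrs.example.com"),),
}

def cert_names(cert):
    """Split certificate names into DNS SANs, IP SANs and Common Names."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def dns_match(pattern, host):
    """Exact label-by-label match; a leading '*' covers exactly one label."""
    p, h = pattern.rstrip(".").split("."), host.rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_url(url, cert):
    """Return (ok, reason); the Common Name is consulted only when no DNS SAN exists."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False, "no host in URL"
    dns, ips, cns = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:  # URL typed with an IP address: needs an IP SAN
        ok = any(ipaddress.ip_address(i) == addr for i in ips)
        return ok, ("IP SAN match" if ok else "IP address not in certificate")
    if any(dns_match(n, host) for n in dns):
        return True, "SAN match"
    if not dns and any(dns_match(n, host) for n in cns):
        return True, "CN match only"
    if "." not in host:
        return False, "short host name in URL; certificate names are fully qualified"
    return False, "host name not covered by certificate"

if __name__ == "__main__":
    print(check_url("https://jrs:9443/rs", SAMPLE_CERT))  # constructed URL
```

The short-name URL fails the check even though it reaches the same server, so users must open the application with the same fully qualified name that the certificate carries.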

It is easier for Chrome and Internet Explorer users to install a PKCS #12 (.p12) file that you provide than to import a self-signed certificate themselves.

The following steps describe how to generate certificates on an Apache Tomcat server. For information about creating self-signed certificates and a keystore on IBM® WebSphere® Application Server, see Installing a security certificate in the CLM documentation.

Procedure

  1. On the Apache Tomcat server that runs Jazz Reporting Service, create a self-signed certificate.
    1. From the [JRSInstallDir]/server/jre/bin folder (or the folder that contains the Java™ runtime environment you use with Jazz Reporting Service), start the ikeyman application.
      Note: The installation folder for Jazz Reporting Service ([JRSInstallDir]) might be the same as other applications such as Jazz Team Server or IBM Rational® Team Concert.
    2. Click Key Database File > Open.
    3. Browse to [JRSInstallDir]/server/tomcat and open the file that is named ibm-team-ssl.keystore; then, click OK.
    4. In the Password Prompt window, enter ibm-team, which is the default password for the default Rational solution for CLM installation; then, click OK.
    5. Delete the existing ibm-team certificate.
    6. Click New Self-Signed.
    7. Complete the required fields in the form. For the Key Label and Common Name fields, specify the fully qualified name of the machine that runs Jazz Reporting Service.
    8. Click OK. A self-signed certificate for Jazz Reporting Service is created, which your users can now install into the certificate store of their browsers.
  2. Optional: You can now export this self-signed certificate to a .p12 file. Providing this file to your Chrome and Internet Explorer users makes it easier for them to configure their browsers.
    1. In the ikeyman application, in the Key database content section, select the new certificate and click Export/Import.
    2. Select Export Key.
    3. From the Key file type menu, select PKCS12.
    4. Save the file as a .p12 file in a convenient folder; then, click OK.
    5. Specify and confirm a password to protect the target key database, and click OK.
  3. Close the ikeyman application.
  4. Restart Jazz Team Server.
  5. Send the following items to your users:
