To implement SSL, a web server must have a certificate associated with each external interface (IP address) on which it accepts secure connections.
Important: This document does not provide complete details for configuring WebSphere® authentication or SSL, which is a complex topic. Detailed information about the various authentication and encryption options is in the WebSphere Application Server product documentation: go to the WebSphere product documentation and search for the phrase "Securing applications and their environment".
After you deploy your Jazz™ Team Server-based applications on an application server, you have several options:
- Purchase a certificate from a well-known trusted Certificate Authority
and install it.
- Create and install a self-signed certificate.
- If you do not need encryption, configure the server for HTTP rather
than HTTPS access (not recommended for a production environment).
The Jazz Team Server includes
a self-signed certificate for SSL with the Apache Tomcat server.
Important: The certificate in the Rational® Engineering Lifecycle Manager keystore file and the certificate in the DOORS® Web Access keystore file must carry the same host name value; if they do not, the two products cannot communicate with one another.
The Rational Engineering Lifecycle Manager Tomcat server and the DOORS Web Access Tomcat server each have an SSL certificate. The certificates are located in the directories specified in each server's server.xml file:
- Rational Engineering Lifecycle Manager: <RELM Install Path>/server/tomcat/conf/server.xml
- DOORS Web Access: <DWA Install Path>/server/conf/server.xml
Each of these files contains a "keystoreFile" attribute on the HTTPS Connector that points to the keystore file.
By default, the Rational Engineering Lifecycle Manager certificate identifies the host as "localhost", whereas the DOORS Web Access certificate specifies the actual host name. There are several ways to resolve this:
- Generate a new keystore for Rational Engineering Lifecycle Manager whose certificate specifies the actual host name, and replace the default Rational Engineering Lifecycle Manager keystore with this new keystore.
- If you install DOORS Web Access before Rational Engineering Lifecycle Manager, change Rational Engineering Lifecycle Manager to use the DOORS Web Access keystore by modifying the keystoreFile path in its server.xml file. Also change the password setting (keystorePass) to match the DOORS Web Access keystore.
- If you install Rational Engineering Lifecycle Manager before DOORS Web Access, change DOORS Web Access to use the Rational Engineering Lifecycle Manager keystore by modifying the keystoreFile path in its server.xml file. Also change the password setting (keystorePass) to match the Rational Engineering Lifecycle Manager keystore.
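As an added illustration that is not part of the IBM documentation, this is what the second option looks like in the Rational Engineering Lifecycle Manager server.xml: the HTTPS Connector before the change (default keystore, certificate for "localhost", default password) and after pointing it at the DOORS Web Access keystore. The port number, the DOORS Web Access keystore path and the password are placeholders; only keystoreFile and keystorePass change. Note that a keystoreFile value without a leading slash is resolved by Tomcat relative to its base directory, so use an absolute path when the keystore lives under the other product's install tree.

```xml
<!-- Before: default RELM connector (placeholder port), self-signed certificate for "localhost" -->
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="ibm-team-ssl.keystore"
           keystorePass="ibm-team" />

<!-- After: same connector, now reading the DOORS Web Access keystore.
     Path and password are placeholders; keystorePass must be the DWA keystore password. -->
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/IBM/DWA/server/conf/dwa.keystore"
           keystorePass="dwa-keystore-password" />
```

Restart the Rational Engineering Lifecycle Manager Tomcat server after editing server.xml, and make sure the Tomcat process has read access to the DOORS Web Access keystore file.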
Creating a self-signed certificate
The IBM® JRE that is included with Jazz Team Server provides the standard Java keytool program, which is useful for managing keys on the server. The keytool program is located in the JazzInstallDir/server/jre/bin/ directory.
The keytool program can create your own self-signed certificate that identifies the host by its network name. Alternatively, you can request a certificate that is signed by a trusted certificate authority (CA) and import it into the keystore. Browsers do not trust a self-signed certificate by default, so each user must explicitly accept it in the web browser.
For more information about the keytool program, see: http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.
Installing a security certificate
You can replace the self-signed certificate with a certificate that belongs to your company.
For Apache Tomcat, the JazzInstallDir/server/tomcat/conf/server.xml file configures Tomcat to read the server certificate from the JazzInstallDir/server/tomcat/ibm-team-ssl.keystore file.
The default keystore password is ibm-team.
This keystore includes a self-signed certificate that identifies the server as "localhost". Change the default keystore password to improve security: the default value is publicly documented, so anyone who obtains a copy of the keystore file can extract the private key with it.
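The following script is an added example written for this page; it is not part of the IBM documentation or of either product's tooling. It ties together the keytool section above, the keystore replacement described under "Installing a security certificate", and the host name mismatch between the two products' keystores: it builds the keytool invocation that creates a keystore whose certificate names the real host (with a non-default password), reads the CN back out of "keytool -list -v" output, and compares the CNs of two keystores. The install root, host name, passwords and the two sample "keytool -list -v" outputs are assumptions or constructed data; the real keytool is only invoked if it exists at the assumed path.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Install root, host name,
# passwords and sample keytool output below are placeholders or constructed.
set -eu

JAZZ_INSTALL_DIR="${JAZZ_INSTALL_DIR:-/opt/IBM/JazzTeamServer}"   # assumed install root
KEYTOOL="${KEYTOOL:-$JAZZ_INSTALL_DIR/server/jre/bin/keytool}"   # keytool path named on the page

# Print the keytool command that creates a keystore ($2) holding a self-signed
# RSA certificate whose CN is the real network name ($1), protected by the
# non-default password $3 (never the documented default "ibm-team").
genkeypair_cmd() {
    printf '%s -genkeypair -alias jazz -keyalg RSA -keysize 2048 -validity 365' "$KEYTOOL"
    printf ' -dname "CN=%s" -keystore %s -storepass %s -keypass %s\n' "$1" "$2" "$3" "$3"
}

# Create the keystore for real (only useful where the JRE is installed).
create_keystore() {
    "$KEYTOOL" -genkeypair -alias jazz -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1" -keystore "$2" -storepass "$3" -keypass "$3"
}

# Read the CN of the first certificate from "keytool -list -v" output on stdin.
extract_cn() {
    sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# CN of the certificate stored in keystore $1 (keystore password $2).
keystore_cn() {
    "$KEYTOOL" -list -v -keystore "$1" -storepass "$2" | extract_cn
}

# Succeeds only when certificate CN $1 equals the expected host name $2.
cn_matches_host() {
    [ "$1" = "$2" ]
}

# Constructed sample of "keytool -list -v" output for the default RELM
# keystore (shortened; only the Owner line matters to extract_cn).
SAMPLE_RELM_LIST='Keystore type: JKS
Alias name: jazz
Entry type: PrivateKeyEntry
Owner: CN=localhost
Issuer: CN=localhost'

# Constructed sample for a DOORS Web Access keystore that names the real host.
SAMPLE_DWA_LIST='Owner: CN=relm.example.com, OU=Engineering, O=Example'

# The check the page describes: both keystores must agree on the host name.
# Prints the corrective keytool command when they do not.
check_pair() {
    relm_cn=$(printf '%s\n' "$SAMPLE_RELM_LIST" | extract_cn)
    dwa_cn=$(printf '%s\n' "$SAMPLE_DWA_LIST" | extract_cn)
    if cn_matches_host "$relm_cn" "$dwa_cn"; then
        echo "keystores agree on host $relm_cn"
    else
        echo "mismatch: RELM certificate is for '$relm_cn', DWA certificate is for '$dwa_cn'"
        echo "fix: $(genkeypair_cmd "$dwa_cn" \
            "$JAZZ_INSTALL_DIR/server/tomcat/ibm-team-ssl.keystore" 'ChangeMe-NotIbmTeam')"
    fi
}

# Real run, guarded so the script is also usable on a workstation without the JRE.
demo_real_keytool() {
    ks="$(mktemp -d)/relm.keystore"
    create_keystore relm.example.com "$ks" 'ChangeMe-NotIbmTeam'
    keystore_cn "$ks" 'ChangeMe-NotIbmTeam'
}

check_pair
if [ -x "$KEYTOOL" ]; then
    demo_real_keytool
fi
```

After replacing ibm-team-ssl.keystore with the generated file, set keystorePass in server.xml to the new password and restart Tomcat. With a Java 7 or later keytool, also pass -ext SAN=dns:relm.example.com, because current browsers ignore the CN and require the host name in the subjectAltName extension; the Java 6 keytool linked above has no -ext option.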
For more information about security certificates for Apache Tomcat, see: Tomcat SSL Configuration
For information about security certificates for WebSphere Application Server, see the following topics: