IBM Support

IBM Rational ClearQuest Web content does not display in my OSLC dialog

Fix Readme


Abstract

Why don’t I see IBM Rational ClearQuest Web content in my OSLC dialog?

Content

You may be using an Open Services Lifecycle Collaboration (OSLC) client that is not compatible with some security settings in IBM Rational ClearQuest Web. Thick clients like IBM Rational DOORS and Rational Systems Architect (RSA) do not send the information required by ClearQuest Web OSLC security validation routines; therefore, ClearQuest Web blocks processing of the request.

Example: Clients such as the Rational DOORS and RSA thick clients may encounter this problem.

Note: By default, ClearQuest Web permits displaying HTML content only on hosts that have been configured as authorized OAuth consumers or on hosts where there are linked OSLC projects.

Note: Even after using this workaround, web content may still be blocked by Mozilla Firefox version 23 and higher or Mozilla Firefox ESR version 24 and higher. For more information on mixed active content blocking, please refer to the Mozilla documentation:
https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

Workaround: If you have an environment using these thick clients, you must disable Cross Frame Scripting (XFS) security in ClearQuest Web by applying the following steps:

1. Navigate to the location of the ClearQuest Web deployment descriptor file (web.xml)

2. Copy the file web.xml to web.xml.updated

3. In web.xml.updated, change the value of the parameter that applies to your ClearQuest version:


    ClearQuest 8.0.0.2 & 7.1.2.6:

      - xfs.validation.enabled

      Acceptable values: true or false

      Default value: true

      Note: This parameter controls the overall XFS security engine. Disabling the XFS security engine instructs ClearQuest Web not to perform any security validation. Therefore, the xfs.validation.oslc.enabled and xfs.authorized.hosts parameters are not needed if this parameter is disabled.

    ClearQuest 8.0.0.3 & 7.1.2.7

      - xfs.validation.oslc.enabled

      Acceptable values: true or false

      Default value: false

      Note: Setting this value to "true" will instruct the XFS security engine to check OSLC delegated UI requests: i.e. creation dialog, selection dialog, and record preview dialog. Desktop applications acting as OSLC consumers of ClearQuest Web will display NO content with this setting enabled since they are not capable of sending the "Referer" request header. Until those applications are modified to send a valid "Referer" header value, ClearQuest administrators should disable this security check. Setting this parameter to "false" will not validate OSLC delegated UI requests.

      - xfs.authorized.hosts

      Acceptable values: a comma-separated list of host names (DNS must resolve these hostnames)

      Default value: empty

      Note: ClearQuest administrators can add additional hosts to the ClearQuest Web system, allowing them to serve ClearQuest Web HTML content inside iframes. Because hosts that are already configured as OSLC consumers or OSLC linked projects are authorized automatically, you do not have to add them. An example scenario is an intranet site that has a project dashboard hosting several ClearQuest Web queries in iframes: the target ClearQuest Web machine must add the intranet site host name as an authorized host to be able to display the results of those queries in iframes.

4. Save your change

5. From a command prompt, run the following command to start the wsadmin utility:


    On Microsoft Windows:

      ClearQuest 7.1.x

      %RATIONAL_COMMON%\cm\profiles\cmprofile\bin\wsadmin

      ClearQuest 8.0.x

      CQWEB_PROFILE_PATH\bin\wsadmin


    On UNIX and Linux systems:


      ClearQuest 7.1.x

      $RATIONAL_COMMON/cm/profiles/cmprofile/bin/wsadmin.sh

      ClearQuest 8.0.x

      CQWEB_PROFILE_PATH/bin/wsadmin.sh

6. From the wsadmin prompt, run the following commands:



    wsadmin> $AdminApp update TeamEAR file {-operation update -contents web.xml.updated -contenturi cqweb.war/WEB-INF/web.xml}

    wsadmin> $AdminConfig save

    wsadmin> exit


7. Restart the WebSphere Application Server to activate the change.


    On Microsoft Windows:

      Stop and restart the Windows service associated with the ClearQuest Web profile.

      Start > Control Panel > Administrative Tools > Services.


    On UNIX and Linux systems:


      ClearQuest 7.1.x

      $RATIONAL_COMMON/cm/profiles/cmprofile/bin/stopServer.sh server1

      ClearQuest 8.0.x

      CQWEB_PROFILE_PATH/bin/stopServer.sh server
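
Before running the wsadmin update in step 6, the edited web.xml.updated can be checked for the effect of the XFS parameters described in step 3. The following is an added example, not IBM code: it assumes the parameters are stored as standard context-param or init-param entries (the technote does not show the descriptor layout), and the sample descriptor and host names are constructed.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample. The context-param layout is an assumption; only the
# parameter names, accepted values and defaults come from the technote.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>xfs.validation.enabled</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>xfs.validation.oslc.enabled</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>xfs.authorized.hosts</param-name>
    <param-value>dashboard.example.test, typo.example.test</param-value>
  </context-param>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def read_xfs_params(xml_text):
    """Return the xfs.* parameters found in context-param or init-param blocks."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) in ("context-param", "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in el}
            if kv.get("param-name", "").startswith("xfs."):
                found[kv["param-name"]] = kv.get("param-value", "")
    return found

def audit(xml_text, resolve=socket.gethostbyname):
    """List settings an administrator should review before deploying."""
    p = read_xfs_params(xml_text)
    if p.get("xfs.validation.enabled", "true").lower() == "false":
        return ["xfs.validation.enabled=false: no XFS validation is performed"]
    notes = []
    if p.get("xfs.validation.oslc.enabled", "false").lower() == "true":
        notes.append("xfs.validation.oslc.enabled=true: OSLC clients that "
                     "send no Referer header are shown no content")
    hosts = p.get("xfs.authorized.hosts", "").split(",")
    for host in (h.strip() for h in hosts if h.strip()):
        try:
            resolve(host)  # the technote requires these names to resolve in DNS
        except OSError:
            notes.append(f"xfs.authorized.hosts: {host} does not resolve")
    return notes
```

Call audit() with the text of web.xml.updated; an empty list means the file uses the defaults documented above and every authorized host resolves.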

For more information on this security issue, refer to the link below.

Cross Frame Scripting Security Vulnerability

https://www.owasp.org/index.php/Cross_Frame_Scripting


Document Information

Modified date:
16 June 2018

UID

swg21587046