Installing a security certificate

You can replace the self-signed certificate with a certificate that belongs to your company or you can import an existing certificate from one instance of ELM Liberty to another ELM Liberty instance.

About this task

Note: You must start and stop the server at least once so that the server files, including server.xml, are generated under the JazzInstallDir/server/liberty/servers/clm directory.
Note: The IBM® JRE that is included with Jazz® Team Server includes an IBM tool that is useful for managing keys on the server. The keytool program is in the JazzInstallDir/server/jre/bin/ directory.
Note: Per the documentation for Liberty, the pre-generated certificates are not to be used in production.

Replacing a self-signed certificate with a certificate that belongs to your company

Before you begin

It is assumed that you have generated the server files, including server.xml, under the JazzInstallDir/server/liberty/servers/clm directory, as described in About this task at the top of the page.

Procedure

  • Configure the WebSphere Liberty security certificate:
    In the JazzInstallDir/server/liberty/servers/clm/server.xml file, Liberty is configured to read the server certificate from the JazzInstallDir/server/liberty/servers/clm/resources/security/ibm-team-ssl.p12 file. The default keystore password is set to ibm-team. This keystore includes a self-signed certificate that identifies the server as localhost.
    Note: To improve security, change the default keystore password.

    You can use the keytool program, as mentioned in the About this task at the top of the page, to help you create your own self-signed certificate that identifies the host by its network name. Alternatively, you can request a certificate that is signed by a trusted certificate authority (CA). A self-signed certificate requires acceptance by the Engineering Workflow Management client or web browser.

    To use your own certificate file with Liberty, open JazzInstallDir/server/liberty/servers/clm/server.xml with a text editor and edit the attributes (location, type, and the encoded password) of the following keyStore element:
    <keyStore id="defaultKeyStore" location="ibm-team-ssl.p12" type="PKCS12" password="{xor}Nj0ycis6PjI="/>

    For more information about the keytool program, see keytool - Key and Certificate program.

    For information about creating a self-signed certificate and keystore configuration, see Enabling SSL communication in Liberty.

  • Configure an IBM WebSphere® Application Server security certificate.
    For more information about creating a self-signed certificate and keystore configuration on WebSphere Application Server, see
    Note:
    • The Java virtual machine that is bundled with ELM does not support 4096-bit security certificates. To enable 4096-bit key support, you must use the unrestricted policy. For more information, see IBM SDK Policy files.
    • The self-signed certificates have an expiration date. If you do not replace them, they will eventually expire and might prevent you from using ELM.
  • Configure a Jazz Authorization Server security certificate.

    For information about creating a self-signed certificate and keystore configuration on Jazz Authorization Server, see Enabling SSL communication for the Liberty profile.
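Before you put the server into production, it is worth checking the keystore for exactly the conditions this page warns about: the pre-generated certificate that identifies the server as localhost, self-signed entries, approaching expiry, and 4096-bit keys that the bundled JVM does not support without the unrestricted policy. The following script is an added example, not part of the IBM documentation or the product: it runs the bundled keytool with `-list -v`, parses the output, and reports findings. The keytool and keystore paths mirror the page (adjust JazzInstallDir), and the sample output embedded for offline use is constructed, not captured from a real server. It works equally for the destination keystore after the import described in the next section.

```python
import re
import subprocess
from datetime import datetime, timezone

KEYTOOL = "JazzInstallDir/server/jre/bin/keytool"  # bundled IBM JRE (adjust JazzInstallDir)
KEYSTORE = "JazzInstallDir/server/liberty/servers/clm/resources/security/ibm-team-ssl.p12"
DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # keytool's "Valid from ... until:" date format

# Constructed sample of `keytool -list -v` output for the pre-generated keystore (not real output).
SAMPLE = """Alias name: default
Owner: CN=localhost, OU=defaultServer, O=ibm, C=us
Issuer: CN=localhost, OU=defaultServer, O=ibm, C=us
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 00:00:00 UTC 2024
Subject Public Key Algorithm: 2048-bit RSA key
"""

def parse_keytool_list(text):
    """One dict per keystore entry; the first Owner/Issuer lines describe the leaf certificate."""
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        grab = lambda pat: re.search(pat, chunk, re.M).group(1).strip()
        bits = re.search(r"(\d+)-bit", chunk)
        entries.append({"alias": chunk.split("\n", 1)[0].strip(),
                        "owner": grab(r"^Owner: (.*)$"), "issuer": grab(r"^Issuer: (.*)$"),
                        "not_after": datetime.strptime(grab(r"until: (.*)$"), DATE_FMT),
                        "bits": int(bits.group(1)) if bits else None})
    return entries

def audit(entries, now, warn_days=30):
    """Return (alias, finding) pairs for the conditions the documentation warns about."""
    findings = []
    for e in entries:
        if re.search(r"\bCN=localhost\b", e["owner"]):
            findings.append((e["alias"], "identifies the server as localhost (pre-generated default)"))
        if e["owner"] == e["issuer"]:
            findings.append((e["alias"], "self-signed: clients and browsers must accept it explicitly"))
        days = (e["not_after"] - now).days
        if days < warn_days:
            findings.append((e["alias"], f"expires in {days} days" if days >= 0 else "expired"))
        if e["bits"] == 4096:
            findings.append((e["alias"], "4096-bit key: bundled JVM needs the unrestricted policy"))
    return findings

def audit_keystore(path=KEYSTORE, storepass="ibm-team"):
    """Audit a real keystore; -J forces UTC so the dates parse regardless of the host time zone."""
    cmd = [KEYTOOL, "-J-Duser.timezone=UTC", "-list", "-v", "-keystore", path,
           "-storetype", "PKCS12", "-storepass", storepass]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit(parse_keytool_list(out), datetime.now(timezone.utc).replace(tzinfo=None))
```

The storepass default is the page's default; pass the new password once you have changed it. Against the constructed sample, `audit` reports the localhost subject, the self-signed issuer, and the approaching expiry.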

Sharing an existing certificate between ELM Liberty servers

Before you begin

It is assumed that you have generated the server files, including server.xml, under the JazzInstallDir/server/liberty/servers/clm directory, as described in About this task at the top of the page.

About this task

For IBM Engineering Lifecycle Management, the keystore ibm-team-ssl.p12 is in JazzInstallDir/server/liberty/servers/clm/resources/security. The password and type of the keystore are in the server.xml file in JazzInstallDir/server/liberty/servers/clm/, in the <keyStore id="defaultKeyStore" .../> element, with the password encoded. The default keystore password is set to ibm-team. The ELM Liberty administrator must import the keystore of the primary ELM instance into each of the other ELM instances that should share it.
Note: To improve security, change the default keystore password.

Procedure

  1. To import the whole keystore, copy the ibm-team-ssl.p12 from the primary ELM server {ELM-INSTALL} to the second ELM server {ELM2-INSTALL} at {ELMSTORE}.
  2. On the second ELM server {ELM2-INSTALL}, verify the Liberty server is shut down.
  3. Use the Java keytool to import the entire keystore into the ibm-team-ssl.p12 keystore of the second ELM server {ELM2-INSTALL}:
    keytool -importkeystore -srckeystore {ELMSTORE}/ibm-team-ssl.p12 -destkeystore {ELM2-INSTALL}/server/liberty/servers/clm/resources/security/ibm-team-ssl.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -srcstorepass ibm-team -deststorepass ibm-team
    For more information about WebSphere Liberty and secure connections, see the following help topics:
    For more information about security certificates in ELM, see the following help topics: