Installing a security certificate

You can replace the self-signed certificate with a certificate that belongs to your company, or you can import an existing certificate from one Engineering Lifecycle Management Liberty instance to another.

About this task

Note: You must start and stop the server at least one time so that the server files, including the server.xml file, are generated under the JazzInstallDir/server/liberty/servers/clm directory.
Note: The IBM® JRE that is included with Jazz® Team Server includes an IBM tool that is useful for managing keys on the server. The keytool program is in the JazzInstallDir/server/jre/bin/ directory.
Note: Per the documentation for IBM WebSphere® Liberty, the pre-generated certificates are not to be used in production.

Replacing a self-signed certificate with a certificate that belongs to your company

Before you begin

It is assumed that you generated the server files, including the server.xml file, under the JazzInstallDir/server/liberty/servers/clm directory.

Procedure

  • Configure the IBM WebSphere Liberty security certificate:
    In the JazzInstallDir/server/liberty/servers/clm/server.xml file, IBM WebSphere Liberty is configured to read the server certificate from the JazzInstallDir/server/liberty/servers/clm/resources/security/ibm-team-ssl.p12 file. The default keystore password is set to ibm-team. This keystore includes a self-signed certificate that identifies the server as localhost.
    Note: To improve security, change the default keystore password.

    You can use the keytool program, as mentioned in the About this task section, to help you create your own self-signed certificate that identifies the host by its network name. Alternatively, you can request a certificate that is signed by a trusted certificate authority (CA). A self-signed certificate requires acceptance by the Engineering Workflow Management client or web browser.

    To use your own certificate file with IBM WebSphere Liberty, open JazzInstallDir/server/liberty/servers/clm/server.xml with a text editor and edit the entries in the following line:
    <keyStore id="defaultKeyStore" location="ibm-team-ssl.p12" type="PKCS12" password="{xor}Nj0ycis6PjI="/> 

    For more information about the keytool program, see keytool - Key and Certificate program.

    For information about creating a self-signed certificate and keystore configuration, see Enabling SSL communication in IBM WebSphere Liberty.

  • Configure a Jazz Authorization Server security certificate.

    For information about creating a self-signed certificate and keystore configuration on Jazz Authorization Server, see Enabling SSL communication for the IBM WebSphere Liberty.

Sharing an existing certificate between Engineering Lifecycle Management Liberty servers

Before you begin

It is assumed that you generated the server files, including the server.xml file, under the JazzInstallDir/server/liberty/servers/clm directory, as described in the About this task section.

About this task

For IBM Engineering Lifecycle Management, the keystore ibm-team-ssl.p12 is in JazzInstallDir/server/liberty/servers/clm/resources/security. The password and type of the keystore are set in the <keyStore id="defaultKeyStore" .../> element of the server.xml file in JazzInstallDir/server/liberty/servers/clm/, with the password stored in encoded form. The default keystore password is set to ibm-team. The Engineering Lifecycle Management Liberty Administrator must import the keystore of the primary Engineering Lifecycle Management instance to the other desired Engineering Lifecycle Management instances.
Note: To improve security, change the default keystore password.
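The following check is an added example, not IBM code. It audits the <keyStore> entries described in both sections of this page and flags any that still carry the default ibm-team password. It relies on the {xor} encoding being a byte-wise XOR with 0x5F followed by Base64, which reproduces the encoded value shown on this page. The names exampleStore and example.p12, the sample password, and the choice to accept {aes} values and ${...} variable references without comment are assumptions of this example.

```python
import base64
import sys
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ibm-team"  # default keystore password stated on this page


def liberty_xor(plain):
    """Liberty {xor} encoding: XOR each UTF-8 byte with 0x5F, then Base64."""
    raw = bytes(b ^ 0x5F for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def audit_keystores(server_xml):
    """Return (keyStore id, finding) pairs for a server.xml document string."""
    findings = []
    for ks in ET.fromstring(server_xml).iter("keyStore"):
        ks_id = ks.get("id", "(no id)")
        pw = ks.get("password", "")
        if pw in (DEFAULT_PASSWORD, liberty_xor(DEFAULT_PASSWORD)):
            findings.append((ks_id, "default keystore password in use"))
        elif pw.startswith("{xor}"):
            findings.append((ks_id, "xor-encoded password (obfuscation only)"))
        elif pw and not pw.startswith(("{aes}", "${")):
            findings.append((ks_id, "plaintext password in server.xml"))
    return findings


# Constructed sample: the first element is the line shown on this page, the
# second uses a made-up id, file name and password to show a changed value.
SAMPLE = f"""<server>
  <keyStore id="defaultKeyStore" location="ibm-team-ssl.p12" type="PKCS12" password="{{xor}}Nj0ycis6PjI="/>
  <keyStore id="exampleStore" location="example.p12" type="PKCS12" password="{liberty_xor('constructed-Passw0rd')}"/>
</server>"""

if __name__ == "__main__":
    # Pass the path to a real server.xml, or run with no argument for SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for ks_id, finding in audit_keystores(text):
        print(f"{ks_id}: {finding}")
```

Because the {xor} form is an encoding rather than encryption, a changed password still depends on the file permissions of server.xml and of the .p12 file for its protection.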

Procedure

  1. To import the whole keystore, copy the ibm-team-ssl.p12 file from the primary Engineering Lifecycle Management server {ELM-INSTALL} to the second Engineering Lifecycle Management server {ELM2-INSTALL} at {ELMSTORE}.
  2. On the second Engineering Lifecycle Management server {ELM2-INSTALL}, verify the WebSphere Liberty server is shut down.
  3. Use the Java keytool to import the entire keystore into the ibm-team-ssl.p12 keystore of the Engineering Lifecycle Management server {ELM2-INSTALL}:
    keytool -importkeystore -srckeystore {ELMSTORE}/ibm-team-ssl.p12 -destkeystore {ELM2-INSTALL}/server/liberty/servers/clm/resources/security/ibm-team-ssl.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -srcstorepass ibm-team -deststorepass ibm-team