IBM Support

MustGather: Smart Card issues with ELM

Troubleshooting


Problem

This document will assist you in collecting the data necessary to diagnose and resolve Smart Card authentication issues in IBM Engineering Lifecycle Management (ELM) applications. 

Symptom

  • Smart Card alias cannot be selected at the login dropdown
  • Smart Card alias can be selected but the authentication fails

Cause

This MustGather will assist you in collecting the data necessary to help you diagnose and resolve the issue. If you are unable to determine the root cause using the information collected, open a Case with IBM Support for further investigation and provide the data collected.

Resolving The Problem

Checking pre-requirements and configuration done at the Client side

Use a regular web browser to test authentication with the Smart Card:
  • Check whether users can log in using a regular web browser when the smart card is inserted in the smart card reader.
  • Collect a screen shot showing the drop-down options presented for certificate selection when authenticating.
[Image: Pop-up window showing a list of certificates]
  • Collect the certificate used: in the browser, click the padlock icon to see the security information and select the option to view the certificate. On the Details tab, export the certificate.
[Image: Pop-up window showing the certificate]
  • Check the certificate path:
    • Go to Control Panel (icon view) > Internet Options > Content Tab > Certificates button
    • Double-click the certificate to see its properties.
    • Observe the expiration date.
    • On the Certification Path tab, check the certificate status; it should show the message "This certificate is OK".
[Image: Certification status]
  • Check the entry used in the certificate. Its content is used for the authentication, so it must match the User ID defined in the LDAP configuration (User Property Names Mapping).
[Image: Pop-up window showing the User ID used for the authentication]
Smart Card used on RTC Visual Studio client
  • Collect the <install-directory>/3rd Party/jre/lib/security/java.security file.
  • Verify that the IBM Common Access Card (CAC) provider in Java was enabled as documented in Connecting to repositories. The file should contain:
security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
Smart Card used on Shell Explorer
  • Verify that the java.security file contains the same provider list:
security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  • If the Rational Team Concert Shell is running on a 64-bit Windows platform, check whether the Visual C++ 2010 32-bit redistributable package is installed:
In Microsoft Windows Control Panel -> Add or Remove Programs, search for the installation.
Smart Card used on RTC Eclipse Client
  • Verify that the java.security file contains the same provider list:
security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  • Check the Microsoft Visual C++ 2010 installation:
In Microsoft Windows Control Panel -> Add or Remove Programs, search for the installation.
NOTE: 32-bit operating systems require only the 32-bit version of the redistributable. 64-bit operating systems require both the 32-bit and 64-bit versions of the redistributable.
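The provider-list check above is easy to get wrong by hand (a missing number or a second copy of a provider is hard to spot in a long java.security file). The following script is an added example, not IBM's code, that reads a java.security file, extracts the security.provider.N entries, and reports whether com.ibm.security.capi.IBMCAC is registered at position 1 and whether the numbering is contiguous. The sample file contents are constructed for the example; SAMPLE_OK reproduces the list shown on this page and SAMPLE_BROKEN shows a misconfigured client.

```python
"""Check the security.provider.N list of a java.security file.

Added example for this MustGather (not IBM code).  It encodes the check the
bullets above describe: the IBM CAC provider must be security.provider.1 and
the entries must be numbered 1..N without gaps.  In the reference JDK the
provider list is read in order and loading stops at the first missing
number, so a gap silently disables every provider after it.
"""
import re

EXPECTED_FIRST_PROVIDER = "com.ibm.security.capi.IBMCAC"  # from the page
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed sample: the provider list this page expects.
SAMPLE_OK = """\
# java.security (excerpt)
security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
"""

# Constructed sample: IBMCAC was never added and the numbering has a gap.
SAMPLE_BROKEN = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
# security.provider.3 was deleted by hand
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
"""


def parse_providers(text):
    """Return {index: class_name} for every uncommented security.provider.N line."""
    providers = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out entries are not active
        m = PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers


def check_providers(text, expected_first=EXPECTED_FIRST_PROVIDER):
    """Return a list of findings; an empty list means the list looks right."""
    providers = parse_providers(text)
    if not providers:
        return ["no security.provider.N entries found"]
    findings = []

    # 1. The CAC provider must be first so the smart card is consulted.
    first = providers.get(1)
    if first != expected_first:
        where = next((i for i, c in providers.items() if c == expected_first), None)
        detail = f" (it is at position {where})" if where else " (it is not listed at all)"
        findings.append(f"security.provider.1 is {first!r}, expected {expected_first!r}{detail}")

    # 2. Numbering must be 1..N with no holes.
    indices = sorted(providers)
    missing = sorted(set(range(1, indices[-1] + 1)) - set(indices))
    if missing:
        findings.append(f"provider numbering has gaps at {missing}; entries after a gap are not loaded")

    # 3. The same provider class should not be registered twice.
    seen = {}
    for idx in indices:
        cls = providers[idx]
        if cls in seen:
            findings.append(f"{cls} is listed twice (positions {seen[cls]} and {idx})")
        seen.setdefault(cls, idx)
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_BROKEN
    for finding in check_providers(text) or ["provider list OK"]:
        print(finding)
```

Run it as `python check_java_security.py "<install-directory>/3rd Party/jre/lib/security/java.security"` against the collected file; without an argument it runs on the constructed broken sample so you can see what a finding looks like.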
Checking pre-requirements and configuration done at the Server side
 
The information below should be gathered in addition to the normal information and log gathering done by the Data Collector tool.
CLM deployed on WebSphere Application Server
  • In the WebSphere Integrated Solutions Console, take screen shots showing the configuration done in the WebSphere console as per Configuring certificate authentication in Engineering Workflow Management:
    • Click Security > SSL certificate and key management.
      Under Related Items, click SSL configurations.
      Click the node to configure. The default node is NodeDefaultSSLSettings.
      Under Additional Properties, click Quality of protection (Qop) settings and take a screen shot.
    • Click SSL certificate and key management and, under Related Items, click Key stores and certificates.
      Click NodeDefaultTrustStores and, under Additional Properties, click Signer certificates. Take a screen shot showing the signer certificate added.
    • If you use the Standalone LDAP registry, click Security > Global security.
      From the list of Available realm definitions, select Standalone LDAP registry and click Configure.
      Under Additional Properties, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings.
      From the list of Certificate map mode, select CERTIFICATE_FILTER. Take a screen shot showing the certificate filter defined.
    • If you use the Federated repositories registry, click Security > Global security.
      From the list of Available realm definitions, select Federated repository, and click Configure.
      Click each link in the Repository Identifier column and take a screen shot showing the certificate mapping mode and the certificate filter defined.
    • If you use the Federated repository, check that you are not using a mix of local and LDAP-based realms; this is not currently supported.
  • Collect the web.xml file from the jts and ccm applications deployed on WebSphere.
    The default path for jts.war is:
    <WAS_Installation_Directory>/AppServer/profiles/AppSrv01/installedApps/nodeName/jts_war.ear/jts.war/WEB-INF/web.xml
    For ccm.war it is:
    <WAS_Installation_Directory>/AppServer/profiles/AppSrv01/installedApps/nodeName/ccm_war.ear/ccm.war/WEB-INF/web.xml
     
CLM deployed on Liberty
  • Collect the server.xml file located at <JAZZ_HOME>\server\liberty\servers\clm
  • In server.xml, search for the <keyStore> tag to get the location of the keyStore.
    The default keyStore is located in <JAZZ_HOME>\server\liberty\servers\clm\resources\security.
    The default keyStore file used in Liberty is ibm-team-ssl.keystore and the password is "ibm-team".
    Collect the keyStore file and password, or open the file with ikeyman and take screen shots of its contents.
  • Collect ldapUserRegistry.xml located at <JAZZ_HOME>\server\liberty\servers\clm\conf
  • Collect web.xml files from jts.war and ccm.war files:
    • Navigate to the directory where you installed CLM. The default path for the application .war files is: <JAZZ_HOME>/server/liberty/servers/clm/apps
    • If this is a new installation and the Liberty server has not been started, the servers/clm directory has not been created. In this case, navigate to <JAZZ_HOME>/server/liberty/clmServerTemplate/apps
    • Navigate to the .war/WEB-INF directory and collect the web.xml file

    Reference: Configuring certificate authentication for Rational solution for Collaborative Lifecycle Management on Liberty Profile
CLM using Jazz Authorization Server (JAS)
  • Collect the server.xml file located at <JAZZ_HOME>\server\liberty\servers\clm
  • Collect the appConfig.xml file located at <JAS_HOME>\wlp\usr\servers\jazzop
  • In appConfig.xml, search for the keystore tag to get the location of the keyStore.
    The default keyStore is located in JazzAuthServer/wlp/usr/servers/jazzop.
    The default keyStore file used in Liberty is ibm-team-ssl.keystore and the password is "ibm-team".
    Collect the keyStore file and password, or open the file with ikeyman and take screen shots of its contents.
  • Collect ldapUserRegistry.xml located at <JAZZ_HOME>\server\liberty\servers\clm\conf

    Reference: Configuring certificate authentication for CLM deployed with Jazz Authorization Server and Configuring client certificate support in Jazz Authorization Server
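Both Liberty sections above ask you to find the <keyStore> tag in server.xml or appConfig.xml, resolve where the keystore file lives, and collect its password, then to collect ldapUserRegistry.xml. The script below is an added example, not IBM's code, that performs those lookups so the same values can be pasted into the Case. Everything beyond the tag name and the defaults stated on the page is an assumption drawn from Liberty's server.xml schema: the keyStore element's id, location and password attributes, the rule that a bare file name resolves under <server>/resources/security, the {xor} password encoding (each byte XORed with "_", then base64), and the certificateMapMode and certificateFilter attributes of ldapRegistry. The XML documents are constructed samples.

```python
"""Locate the Liberty keyStore and LDAP certificate mapping for collection.

Added example for this MustGather (not IBM code).  Assumptions, not from the
page: <keyStore> carries id/location/password attributes; a relative
location is resolved under <server dir>/resources/security; passwords may be
obfuscated as {xor}... (XOR with '_' then base64, reversible encoding rather
than encryption); <ldapRegistry> carries certificateMapMode and
certificateFilter.  Paths are handled with posixpath because Liberty
configuration uses forward slashes even on Windows.
"""
import base64
import posixpath
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = "ibm-team-ssl.keystore"  # default named on the page
DEFAULT_PASSWORD = "ibm-team"               # default named on the page

# Constructed sample server.xml; the password is "ibm-team" in {xor} form.
SAMPLE_SERVER_XML = """<server description="clm">
  <keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore"
            password="{xor}Nj0ycis6PjI=" />
</server>"""

# Constructed sample ldapUserRegistry.xml (hypothetical host and base DN).
SAMPLE_LDAP_XML = """<server>
  <ldapRegistry id="ldap" host="ldap.example.com" port="636" sslEnabled="true"
                baseDN="o=example" ldapType="IBM Tivoli Directory Server"
                certificateMapMode="CERTIFICATE_FILTER"
                certificateFilter="uid=${SubjectCN}" />
</server>"""


def decode_liberty_password(value):
    """Undo {xor} obfuscation; any other value (plain text, {aes}) is returned unchanged."""
    if not value.startswith("{xor}"):
        return value
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ ord("_") for b in raw).decode("utf-8")


def encode_liberty_password(plain):
    """Inverse of decode_liberty_password, useful for round-trip checks."""
    obfuscated = bytes(b ^ ord("_") for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(obfuscated).decode("ascii")


def find_keystores(xml_text, server_dir):
    """Return one dict (id, path, password) per <keyStore>; defaults if none is declared."""
    root = ET.fromstring(xml_text)
    results = []
    for ks in root.iter("keyStore"):
        location = ks.get("location", DEFAULT_KEYSTORE)
        location = location.replace("${server.config.dir}", server_dir)
        if not posixpath.isabs(location):
            # Assumption: relative locations live under resources/security.
            location = posixpath.join(server_dir, "resources", "security", location)
        results.append({
            "id": ks.get("id", "defaultKeyStore"),
            "path": posixpath.normpath(location),
            "password": decode_liberty_password(ks.get("password", DEFAULT_PASSWORD)),
        })
    if not results:
        results.append({
            "id": "defaultKeyStore",
            "path": posixpath.join(server_dir, "resources", "security", DEFAULT_KEYSTORE),
            "password": DEFAULT_PASSWORD,
        })
    return results


def find_ldap_cert_mapping(xml_text):
    """Report how each <ldapRegistry> maps client certificates to LDAP users."""
    root = ET.fromstring(xml_text)
    return [{
        "id": reg.get("id"),
        "host": reg.get("host"),
        "mode": reg.get("certificateMapMode", "EXACT_DN"),  # assumed Liberty default
        "filter": reg.get("certificateFilter"),
    } for reg in root.iter("ldapRegistry")]


if __name__ == "__main__":
    server = "<JAZZ_HOME>/server/liberty/servers/clm"  # placeholder for the real path
    for ks in find_keystores(SAMPLE_SERVER_XML, server):
        print(f"keyStore {ks['id']}: {ks['path']} (password recovered: yes)")
    for reg in find_ldap_cert_mapping(SAMPLE_LDAP_XML):
        print(f"ldapRegistry {reg['id']}: mode={reg['mode']} filter={reg['filter']}")
```

Point find_keystores at the contents of the collected server.xml (for CLM) or appConfig.xml (for JAS) with the matching server directory; a certificateMapMode other than CERTIFICATE_FILTER, or a filter that does not reference the certificate field the smart card carries (compare with the User ID check in the client section), is worth calling out in the Case. Avoid pasting the recovered password itself into a Case; state that it is the default or that it was changed.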

Document Location

Worldwide


Product Synonym

Rational Team Concert

Document Information

Modified date:
11 July 2019

UID

ibm10885236