Setting Public URI fails with "forbidden"
Joe Frank (26●1●2)
| asked Mar 31 '15, 8:45 a.m.
edited Apr 28 '15, 8:39 a.m. by Krzysztof Kaźmierczyk (7.5k●4●80●103)
I'm setting up a Rational Team Concert server. It has ccm, qm and rm installed with Websphere, all on the same server. It uses IHS as the web frontend also on the same server. The only port allowed into the server from outside is 443.
When I install jts and components and set the public URI as https://servername:9443/jts all the links to the projects are to port 9443, which the firewall won't allow through.
When I install jts and components with the public URI at https://servername/jts it works OK until I configure IHS for SSLClientAuth required (smart card). It still seems to work, but running a diagnostic shows that "rm/rootservices", "qm/rootservices" etc, and "rm/scr" etc are all forbidden to log in. It looks like they go through IHS to access the services and because SSLClientAuth is set to required, they don't get through for lack of a certificate. Id I set the SSLClientAuth to optional it works fine. Unfortunately I am required to ask for the Smart Card cert.
Is there a way to configure this to work?
Thanks in advance,
Joe Frank
|
Accepted answer
I found the answer to this problem, apparently there is a certificate that java uses when accessing Websphere in the \jazzTeamServer\server\jre\lib\security folder called cacerts. The server certificates had to be added to this so when the jazz application went to access the IHS server , they would have a valid certificate to present.
Thanks for all your help!
Joe
Ralph Schoon selected this answer as the correct answer
|
2 other answers
Ralph Schoon (63.5k●3●36●46)
| answered Mar 31 '15, 8:55 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
9443 is the default port on WAS and tomcat, however this can be changed. See https://jazz.net/library/article/831 for how to do that.
Please keep in mind not to choose a machine dependent name for the server, use a fully qualified domain name that can later be moved to a different machine. Comments Thanks for the quick response! Unfortunately, the link supplied didn't answer my question. I have the Public URI configured on port 443, as the article shows. I have the WAS server running on port 9443, also as the article shows. The translation happens properly, when I log in at https://servername/jts/admin I get through. The problem comes into play when I set the IHS server to require certificates. The internal connection to "Applications and Friends" is broken. I'm getting an error message:
"Application: the discovery resource at https://servername/qm/rootservices for "qm" cannot be accessed:
The return HTTP Status was 403
The response body was
Forbidden
You don't have permission to access /qm/rootservices on this server"
This occurs for all the applications rootservices and scr connections.
It doesn't happen if IHS is set to "SSLClientAuth optional"
Thanks,
Joe Frank
Ralph Schoon
commented Mar 31 '15, 10:37 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
You have to set up all the applications using the same public URI root (in your case with 443 as the port). If you have a topology that uses multiple application servers (potentially listning to other ports, you have to set up IHS as proxy server in front of them, covering the public URI root and forwarding to the other application servers. Usually you install IHS in front of the other WAS servers and set it up to use LTPA token so that the login on IHS works on the other application server. See this page: https://jazz.net/wiki/bin/view/Deployment/InstallProxyServers
|
Check the last post in this link.
https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014435366#77777777-0000-0000-0000-000014435494 I believe you explained the problem in a too complicated way. Basically, when you enable SSLClientAuth on IBM HTTP Server, your WebSphere server (acting as a client) cannot connect to the IHS due to the lack of a certificate. If you need to find more references, search with keyword "IHS WebSphere SSLClientAuth", and don't include anything related to RTC or CLM, because it's basically an IHS and WAS configuration issue. Comments Thank you for restating the problem in a more suitable way. As explained in the link, the client I'm using has a certificate, It looks to me like the RTC server tries to access itself and goes through the IBM HTTP Server to do it. I have server certificates installed in both IHS and Websphere, where do I need to install a certificate to allow the server to access itself?
Donald Nong
commented Apr 02 '15, 5:34 a.m.
You need to make it very clear, not using the term "RTC server", as no one knows whether you are talking about IHS, WAS or something else. Since the public URI uses the port 443, which is the IHS HTTPS port in this case, all CLM requests have to go through IHS, regardless the requests are initiated from a browser or WAS. Applications such as CCM running on WAS do not magically know to use port 9443 (WAS is not necessarily listening at 9443).
|
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.