Security Certificates


john norris (20733843) | asked Jul 03 '09, 5:31 a.m.
Having upgraded to RTC 2.0 I am having problems with security certificates.
In terms of the certs and configuration there is no difference between v1 and v2 in that the cert is set to "localhost" rather than machine-name. But whereas logging to user-name on server-name happens automatically in v1, with v2 there is a problem with cert in that it does not match the machine name - which is true - server-name is a different word to localhost. The manual has a section on this and I have used ikeyman to create a new cert with server-name but still get the same problem.
I am not that knowledgeable about security certs.
I have seen a few other posts on this. I would like to know why this is a problem in V2 and yet V1 works OK when the configuration is the same.
I can log into the repository using localhost but then I lose my work re user-name@server-name.
The workarounds are to switch off security - would prefer to avoid that at the moment - or accept the certificate for the session, which works but is clunky.
Many thanks.

8 answers



Unknown User (1113) | answered Jul 23 '09, 7:19 a.m.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=214807

Craig Chaney (9212) | answered Jul 06 '09, 9:09 a.m.
JAZZ DEVELOPER
norricorp wrote:
> Having upgraded to RTC 2.0 I am having problems with security
> certificates.
> In terms of the certs and configuration there is no difference between
> v1 and v2 in that the cert is set to "localhost" rather than
> machine-name. But whereas logging to user-name on server-name happens
> automatically in v1, with v2 there is a problem with cert in that it
> does not match the machine name - which is true - server-name is a
> different word to localhost. The manual has a section on this and I
> have used ikeyman to create a new cert with server-name but still get
> the same problem.
> I am not that knowledgeable about security certs.

Hi,

There are two different warning messages you can get regarding an
invalid security certificate:
1 - The certificate is only valid for localhost. You can solve this one
by creating a new certificate (which you have done).
2 - The certificate is self-signed. You must obtain a real certificate
to solve this one.

Now that you have created a self-signed certificate, does the error
message displayed by the Eclipse client still complain about an
incorrect server name? If so, something must have gone wrong with your
creation/installation of your new self-signed security certificate.

But the error dialog that reads "The certificate does not appear to be
signed by a trusted certificate authority" will remain until you obtain
a real certificate.

I'm pretty sure that RTC 1.0 had the same requirements. There were a
few early milestones where the RTC client did not validate that the
server's certificate was not self-signed, but I'm pretty sure that
problem was fixed by 1.0 GA.

Thanks,
Craig Chaney
Jazz server team

> I have seen a few other posts on this. I would like to know why this
> is a problem in V2 and yet V1 works OK when the configuration is the
> same.
> I can log into the repository using localhost but then I lose my work
> re user-name@server-name.
> The workarounds are to switch off security - would prefer to avoid that
> at the moment - or accept the certificate for the session, which works
> but is clunky.
> Many thanks.
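
The two checks described in the answer above (name match and trust), run separately as an added example; it is not part of the original thread or of RTC, and it uses the `openssl` command line rather than ikeyman or keytool. The host names are the thread's own placeholders, while the file names and the "Other Root" trust store are constructed for the demonstration. The last line shows that the trust result depends on which trust store the client consults.

```shell
#!/bin/sh
# Added example: file names, host names and "Other Root" are constructed.

make_cert() {   # make_cert CN PREFIX -> self-signed PREFIX.pem / PREFIX.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

name_check() {  # name_check CERT HOST: is the cert valid for this host name?
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
    then echo match; else echo mismatch; fi
}

trust_check() { # trust_check CERT STORE: does it chain to a cert in STORE?
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

diagnose() {    # diagnose CERT HOST STORE
    echo "name=$(name_check "$1" "$2") trust=$(trust_check "$1" "$3")"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_cert localhost    "$work/old"    # default cert, issued to "localhost"
make_cert server-name  "$work/new"    # regenerated for the real host name
make_cert "Other Root" "$work/other"  # a trust store without the server cert

diagnose "$work/old.pem" server-name "$work/other.pem"  # warnings 1 and 2
diagnose "$work/new.pem" server-name "$work/other.pem"  # warning 2 only
diagnose "$work/new.pem" server-name "$work/new.pem"    # cert imported: clean
```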

john norris (20733843) | answered Jul 07 '09, 3:08 a.m.
Craig,
yes, I now get "the certificate does not appear to be signed by a trusted certificate authority" so it looks like I need a real certificate. Having said that, it does give me the option to accept the certificate permanently.
It is interesting that despite an identical set of files and cert, my RTC 1.0.1 setup works fine. And I did not need to create a new certificate. I wonder if it is because I used my database from the earlier release which had the connections recorded? I would like to know why this error is appearing.
But the important thing is that by accepting the new certificate permanently I no longer get the error dialog, so that's OK.
Many thanks for your help. (Now to get the Subversion integration working .....)
John

Anthony Giordano (2762615) | answered Aug 21 '09, 8:33 a.m.
This only happens with upgraded installations. I have two RTC servers at
V2.0: one is upgraded and the other is a new install. This only happens with
the upgraded server.

"norricorp" <john> wrote in
message news:h2kjhs$nic$1@localhost.localdomain...
> Having upgraded to RTC 2.0 I am having problems with security
> certificates.
> In terms of the certs and configuration there is no difference between
> v1 and v2 in that the cert is set to "localhost" rather than
> machine-name. But whereas logging to user-name on server-name happens
> automatically in v1, with v2 there is a problem with cert in that it
> does not match the machine name - which is true - server-name is a
> different word to localhost. The manual has a section on this and I
> have used ikeyman to create a new cert with server-name but still get
> the same problem.
> I am not that knowledgeable about security certs.
> I have seen a few other posts on this. I would like to know why this
> is a problem in V2 and yet V1 works OK when the configuration is the
> same.
> I can log into the repository using localhost but then I lose my work
> re user-name@server-name.
> The workarounds are to switch off security - would prefer to avoid that
> at the moment - or accept the certificate for the session, which works
> but is clunky.
> Many thanks.

Ahmet Kadir Seydim (11) | answered Nov 13 '09, 1:27 p.m.
We have the same issue. When I tried to log in using the RTC client I got the same message (Accept this certificate permanently). Once the client chooses that choice, it's gone.

First, I created a new keystore file and added our company's Root and Intermediate CA certificates. After that I could successfully install the SSL certificate that was issued for the RTC server.

When I browse the Jazz site via IE, there is no problem with the server certificate. The whole certificate chain seems valid, everything is OK. But when I use the RTC client and try to log in, I get that message.

Any information would be helpful to get rid of this message without choosing permanent acceptance.

We are using RTC 2.0.0.1

Regards,
Seydim

Milan Krivic (9809171139) | answered Nov 20 '09, 4:18 p.m.
> We have the same issue. When I tried to log in using the RTC client I got the same message (Accept this certificate permanently). Once the client chooses that choice, it's gone.
>
> First, I created a new keystore file and added our company's Root and Intermediate CA certificates. After that I could successfully install the SSL certificate that was issued for the RTC server.
>
> When I browse the Jazz site via IE, there is no problem with the server certificate. The whole certificate chain seems valid, everything is OK. But when I use the RTC client and try to log in, I get that message.
>
> Any information would be helpful to get rid of this message without choosing permanent acceptance.
>
> We are using RTC 2.0.0.1
>
> Regards,
> Seydim



Hi Seydim,

I also have the same problems. Actually, I migrated Jazz Team Server from Tomcat to WAS 7.0. While I was using Tomcat, I created a self-signed security certificate with the keytool command inside the jazz server\jre\bin folder; after that I got the message about accepting the certificate permanently, and I haven't got that message any more when starting the RTC Eclipse workspace.
Now, I get that message always when starting RTC client on WAS, and don't know yet how to solve it!
If you need help with setting up the certificate for Tomcat, I can help you!

Regards,

milan

Christophe Elek (2.9k13021) | answered Nov 23 '09, 6:51 a.m.
JAZZ DEVELOPER
milan.krivic@apis-it-dot-hr.no-spam.invalid (milan.krivic) wrote in
news:he71bh$12j$1@localhost.localdomain:

> Now, I get that message always when starting RTC client on WAS, and
> don't know yet how to solve it!

Which message?
Is it that the server does not match the certificate and/or is it that
the certificate is not trusted?

Which certificate is presented to you?
What is the name?

If you set up WAS, you need to enter the certificate in the WAS keystore.
Did you configure it? If so, can you do a keytool -list to see the
certificates?

--
Christophe Elek
Jazz L3
IBM Software Group - Rational

William Fu (4611) | answered Mar 08 '11, 3:29 a.m.
Hi, I'm getting the same problem and I'm using RTC 3.0 already.
I believe the message is that the certificate is not trusted.
My main problem is that I'm developing a Web application hosted by WAS using SSL.
The login code to RTC will not work because it keeps saying that it cannot communicate with my Jazz server because the certificate is not trusted (even though I have the personal signed certificate)...
Now, "permanently accept the certificate through browser" as mentioned above works for trying to access the Jazz web... however, I cannot "permanently accept" the certificate through the Jazz SDK...
And yes, I have already added the self-signed certificate into my WAS's keystores... so I am currently running out of options.

Any help is appreciated. Thanks.

> milan.krivic@apis-it-dot-*.no-spam.invalid (milan.krivic) wrote in
> news:he71bh$12j$1@localhost.localdomain:
>
> > Now, I get that message always when starting RTC client on WAS, and
> > don't know yet how to solve it!
>
> Which message?
> Is it that the server does not match the certificate and/or is it that
> the certificate is not trusted?
>
> Which certificate is presented to you?
> What is the name?
>
> If you set up WAS, you need to enter the certificate in the WAS keystore.
> Did you configure it? If so, can you do a keytool -list to see the
> certificates?
>
> --
> Christophe Elek
> Jazz L3
> IBM Software Group - Rational
