Jazz Community Forum

How to request and configure an SSL certificate for CLM 501 running Apache Tomcat

 Hi,

Currently we are in the process of migrating the existing CLM 501 environment onto new hardware.

In the current server we noticed that in the directory C:\Program Files\IBM\JazzTeamServer\server\tomcat

there is a file, ibm-team-ssl.keystore, that comes along with the installation.

We also noticed two new files. It looks like these files were obtained from the self-signed certificate authority:

abc-team-ssl.jks and abc-team-ssl.jks.qer

What we are trying to find out is: do we need to generate some files from Apache Tomcat and send them to the Identity Management Team to get them signed?

Note: In WebSphere there is a way we can generate a file, then send it to the identity management team and import the signed certificate back into WAS. Following this way we can get past the browser exception error.

[screenshot: apache_cert]




0 votes



11 answers

Permanent link
It might be helpful to refer to the online help: install a security certificate. There is ikeyman.exe (the keytool program), located in the JazzInstallDir/server/jre/bin/ directory.

1 vote

Comments

You can confirm the certificate when opening the .jks file in the ikeyman. 


Another thread https://jazz.net/forum/questions/120873/setup-new-ssl-certificate-to-rtc-40.

Hi - I saw this reference late and tried running the command

C:\Program Files\IBM\JazzTeamServer501\server\jre\bin>keytool.exe -genkey -alias tomcat_test -keyalg RSA

Don't see any file generated in the bin directory.


Permanent link
First, check the Tomcat server.xml file for the property "keystoreFile" for the SSL connection realm and determine which keystore is being used by the current server. You would want to use the same keystore in the new environment if possible. You can ignore the one not being used.

As a certificate is normally bound to an FQDN, if you don't change the public URI of the CLM server (i.e. the clients use the same URL to access CLM applications), you don't need to get the certificate re-issued. Just copy the keystore (and the password stash if appropriate) over to the new environment and you are good to go.

1 vote


Permanent link
 Hi,

Let me put this another way: how do we place a certificate request / generate a cert_req.arm file using Apache as the web server?

When we looked at the server.xml file, we noticed it is pointing to the keystoreFile generated by the CA.

Here in the snapshot below, the files with the extensions .JKS and .QER are the ones currently being used.

Going through the CLM parent documentation, there is a reference to the keytool documentation.

Can someone confirm the same and let me know if there is proper syntax mentioning the correct parameters?

C:\Program Files\IBM\JazzTeamServer501\server\jre\bin>keytool.exe -help
keytool usage:
-certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providerName <name>]
             [-providerClass <provider_class_name> [-providerArg <arg>]] ...
             [-providerPath <pathlist>]

[screenshot: keystore]

0 votes

Comments

Here we are starting from scratch as we are moving to new hardware.

On the existing one, from where I have posted the snapshot, the keys were requested and configured years back.

It's quite likely your current certificate was generated by the method detailed in this article.
http://www.ibm.com/developerworks/rational/library/create-server-side-certificates-collaborative-lifecycle-management/
Note that it uses iKeyMan, not keytool. If you want to use keytool, you can follow these steps instead.
http://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

2 votes


Permanent link
Thanks for clarifying. Now I plan to use the same tool, iKeyMan, to generate it.

  1. Now I have generated the clm_staging_keys.jks file.
  2. Hope this file can be sent to our CA to get it signed.
  3. Once we receive the signed certificate back,
  4. we will be copying the signed certificate back to the tomcat directory.
  5. In the next step, update the Tomcat server.xml file with the new keyfile name and password.
  6. Restart the tomcat services.
The other question we have is: currently we use a distributed topology (separate servers for JTS / CCM / QM and RM); is it required to repeat the same activity on each server?



[screenshot: clm_keys]


0 votes


Permanent link
Following the URL http://www.ibm.com/developerworks/rational/library/create-server-side-certificates-collaborative-lifecycle-management/ and using iKeyMan.exe, I could generate the certreq.arm file.

The file was sent to the Identity Management team to get it signed.
In return I have received four files back with the extension *.cer.

Now the question is: should we import these four files into Apache Tomcat? Or,

how do we import the .cer files into Apache Tomcat? I don't see any document relevant to this.

Note: In the current PROD we see that the files mentioned in the server.xml file have the .JKS extension.

[screenshot: self_signed]

0 votes

Comments

You need to understand what a key, a certificate, and a key store are. The files that you listed are certificates, and you need to import them into the key store. Follow the steps in the following document (see section: Receiving a CA-signed certificate).
http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm


Permanent link
 Hi, 

Using the ikeyman tool I could generate the .JKS file as shown below. Can someone guide me from here?

[screenshot: ikeyman]

0 votes


Permanent link
 Dear Team,

Here is what I have followed by referring to the article, section "Receiving a CA-signed certificate":
 http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm

[screenshot: ssl_import1]

Following this way we have opened the keys.jks DB file from the C:\ drive.

[screenshot: ssl_import2]
Here, as seen above, we have received four certificates signed by the CA (*.CER files). Tried receiving the one that has the hostname.

[screenshot: ssl_import3]

Could see the name clmstaging, which was provided at the time of creating a new certificate request.

[screenshot: ssl_import4]
Now verifying the key.jks file size: it has increased to 4 KB.

[screenshot: ssl_import5]

When I tried to receive the remaining set of .CER files the same way, it threw the below error.

[screenshot: ssl_import6]

Not sure what is wrong here.

With what has worked, we have updated the server.xml file to point to the key.jks file. When trying to load the JTS page it still asks for a browser exception.

[screenshot: ssl_import2]

0 votes

Comments

The error is expected as the other certificates are "CA's certificates", not personal certificates. You should follow the instructions in the section "Storing a CA's certificate" in the same document to add them to the key store.

1 vote

 Hi Don,


The same I have referenced earlier, but I am unable to trace the

"Select Signer Certificates in the Key Database content frame, then click the Add button."

in the below screen.

[screenshot: ikeyman]


Click on the downward arrow next to "Personal Certificates" and you should see something like this.

1 vote
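The keytool syntax asked about earlier (the -certreq step) and the import order Don describes (CA "signer" certificates first, then the signed server certificate as a reply into the key alias), as an added example that is not from this thread or from IBM. It assumes keytool from the JRE is on PATH; the hostname, aliases, passwords and the throwaway CA standing in for the Identity Management team are placeholders.

```shell
# Added example, not from the thread. Assumes keytool (under
# JazzInstallDir/server/jre/bin on a CLM box) is on PATH; host, aliases and
# passwords are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/clm_staging_keys.jks"   # keystore name as used in the thread
PASS="changeit"                   # placeholder store/key password
HOST="clmstaging.example.com"     # placeholder FQDN users will type in

# 1. Server key pair. -keystore names the file explicitly; without it keytool
#    writes to .keystore in the user's home directory, not to jre/bin.
gen_server_key() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -dname "CN=$HOST, OU=CLM, O=Example" \
    -keystore "$KS" -storetype JKS -storepass "$PASS" -keypass "$PASS"
}

# 2. Certificate request (the cert_req.arm that goes to the CA).
make_csr() {
  keytool -certreq -alias tomcat -file "$WORK/cert_req.arm" \
    -keystore "$KS" -storepass "$PASS"
}

# Stand-in for the Identity Management team's CA so this runs offline:
# a throwaway CA keystore signs the request and hands back ca.cer + host cert.
fake_ca_sign() {
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -ext bc:c \
    -dname "CN=Example Internal CA" -keystore "$WORK/ca.jks" \
    -storetype JKS -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias ca -rfc -file "$WORK/ca.cer" \
    -keystore "$WORK/ca.jks" -storepass "$PASS"
  keytool -gencert -alias ca -infile "$WORK/cert_req.arm" -rfc \
    -outfile "$WORK/$HOST.cer" -validity 365 \
    -keystore "$WORK/ca.jks" -storepass "$PASS"
}

# 3. Import order matters: CA ("signer") certificates go in first, each under
#    its own alias; only then is the server certificate imported as a reply
#    into the key alias. A CA cert imported into the key alias is rejected.
import_reply() {
  keytool -importcert -noprompt -alias example-ca -file "$WORK/ca.cer" \
    -keystore "$KS" -storepass "$PASS"
  keytool -importcert -noprompt -alias tomcat -file "$WORK/$HOST.cer" \
    -keystore "$KS" -storepass "$PASS"
}

# Check: after the reply import the key alias chain is server cert + CA cert.
chain_length() {
  keytool -list -v -alias tomcat -keystore "$KS" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}
```

Run gen_server_key and make_csr, send cert_req.arm to the CA, then import_reply with the returned files; the keystoreFile and password in server.xml must then point at this .jks.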


Permanent link
Testing around this, I have noticed another issue: now we have received signed certificates only for our JTS server.

We also have CCM, QM and RM servers running separately.

After importing the signer certificates on the JTS server, when tested using the browser it passes without any issues.

https://jtsservername:9443/jts/admin

Whereas when I tried loading the CCM URL (https://ccmservername:9443/ccm/web) it is asking for a browser exception; same for RM and QM.

The question I have is: do we need to request a separate signed certificate for each application (CCM, QM and RM) and import it using the iKeyman tool?

Currently I tried copying the same *.jks file we have on the JTS server over to the QM, CCM and RM servers.


0 votes

Comments

You have to follow the same steps for all the Tomcat servers.

1 vote


Permanent link

We have requested the new certificates for our RM server and when tested it gives the below error in the Firefox web browser.

The JKS file name is mentioned as rm_staging_cert.jks; not sure if this makes any difference.

[screenshot: srvr_encryption]

0 votes

Comments

If going with the default option in the server.xml file, it works by accepting the browser exception.



Carefully compare the problematic environment against the working one (JTS), to find out what may have been configured incorrectly.


Permanent link
One more clarification I am looking for is: since we use a distributed topology (different servers for JTS, CCM, QM and RM),

why do we need separate signed certificates for each server apart from the JTS server?

For example, when we try to access https://<rmserver>:9443/rm/web

an additional window (JTS Server) will pop up asking for authentication. The authentication happens via the JTS server. (Snapshot is attached below.)

[screenshot: ssl_auth]


My thinking is: why don't we import the signed certificate on the JTS server, then copy it across to the other servers (CCM, RM and QM), updating the respective server.xml file?

The end goal is: when the end user navigates to the application URL it should pass the browser exception.

I did receive a separate signed certificate for our RM server and when tested it threw the above cypher overlap error.

Any suggestions would be of great help.

0 votes
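Why the JTS keystore copied to the other servers still triggers the browser exception: the browser checks the host in the URL against the names in the certificate, so a certificate issued for jtsservername does not cover ccmservername. The check below is an added example, not from this thread or from IBM; it assumes openssl 1.1.1 or later on PATH, and the hostnames are placeholders. It also shows the generalisation the thread does not reach: one certificate whose SAN lists every CLM host would cover them all.

```shell
# Added example, not from the thread. Assumes openssl 1.1.1+ on PATH;
# hostnames are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
JTS="jtsservername.example.com"

# Throwaway self-signed cert standing in for the CA-issued JTS certificate.
# The CA copies the requested name into CN plus a matching SAN entry.
make_jts_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/jts.key" -out "$WORK/jts.cer" \
    -subj "/CN=$JTS" -addext "subjectAltName=DNS:$JTS" 2>/dev/null
}

# Returns 0 when the certificate file ($1) is valid for hostname $2.
# Browsers apply the same rule to the host part of the URL, so one file
# cannot satisfy both jtsservername and ccmservername unless both are in it.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Same check against a running server: fetch the certificate it presents on
# port 9443 (as in the CLM URLs) and test it against that hostname.
served_cert_covers() {
  openssl s_client -connect "$1:9443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -checkhost "$1" | grep -q 'does match'
}

# Generalisation: a single certificate whose SAN lists every CLM host, so the
# same keystore could be used on all four Tomcat servers.
make_multi_host_cert() {
  SAN="DNS:$JTS,DNS:ccmservername.example.com"
  SAN="$SAN,DNS:qmservername.example.com,DNS:rmservername.example.com"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/clm.key" -out "$WORK/clm.cer" \
    -subj "/CN=$JTS" -addext "subjectAltName=$SAN" 2>/dev/null
}
```

Running served_cert_covers against each of the JTS, CCM, QM and RM hostnames is the "compare the problematic environment against the working one" check from the comment above, done from the command line.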


Question asked: Jul 02 '15, 5:11 a.m.

Question was seen: 9,444 times

Last updated: Sep 22 '15, 12:38 a.m.
