Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

[closed] CLM 6.0.3 installation with SSL mutual authentication between applications as well as DBS

Questions
Tags
Users
Badges
vowner owner
(25834) closed
Mar 01 '18, 4:43 a.m.

 Hi Team,



We have a setup of clm 6.0.3 instance with bundled libert profile.

In our setup, we are using linux servers and the setup as below.

in first linux server- JTS, CCM.

Second Linux server-  RM, IHS, LDAp.

Please help us with step by step guide for these 2 scenarios implemented and tested in our test environment first and there after prod. Now we have done the CLM installation and Urls are accessible over IHS by self signed certificate

Here the customer requirement is to establish the ssl mutual authentication betwen

1) each applications.  (example:- each applications are on separate servers, eg: jts and rm. This shhould only communicate through SSL Mutual authentication)

2) Each applications to its DBs are should be ssl enabled ( We are using oracle DB)

0 votes

Comments
vowner owner
Feb 20 '18, 2:06 a.m.

Immediate responses are highly appreciated......

2 answers
2,088 views
0 votes

The question has been closed for the following reason: "Duplicate Question" by rschoon Mar 01 '18, 4:43 a.m.

2 answers

Permanent link
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER (63.9k33648) Feb 20 '18, 2:53 a.m.

You can find the instructions here: https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.3/com.ibm.jazz.install.doc/topics/c_install_overview.html follow the planning and the interactive installation guide.
This covers SSL as well as all applications are by default set up to use SSL.

The connection to the DB is done using JDBC and an oracle driver that accepts a connection string. What to use is documented in the link above.

0 votes

Comments
vowner owner
Feb 20 '18, 7:09 a.m.

I already went through the given link and its not explaining our requirement.


here we need two things to be enabled or confirmed by customers.
1) Since we are using different servers foreach applications. ( ex: jts in one server and rm is another server), These applications should be enabled with ssl mutual authentication for comunication.

    How to achieve this and help us with step by step guide.



2) Each applications to DBS (Oracle) should be through SSL authentication. 


How to achieve this and help us with step by step guide.

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Feb 20 '18, 7:37 a.m.

I am not a network expert, but as far as I can tell, SSL is a network communication encryption layer and requires to install the Keystores and signed keys to work. How to configure is mentioned in the help. It might be difficult and different environments might require adjustments so it might be a good idea to talk to your local experts.

As the documentation describes, you have to provide the certificates for each server. If in doubt, talk to your network experts.

Authentication/Authorization(?) is done with LDAP; OIDC/JAS; OAuth and basically uses SSL and the aforementioned SSL and the keys to establish trusted relationships and encrypt the communication. Here is an architecture description: https://jazz.net/library/article/75 . This is for sure oversimplified, but the best I can do here.

I can not say anything about Oracle. I would suggest you talk to your Oracle experts. Here is a link that might help: https://jazz.net/forum/questions/214634/how-can-i-use-a-secure-oracle-port-for-my-clm-repositories

Permanent link
vowner owner
(25834) edited
Feb 27 '18, 1:18 a.m.

 Thanks Ralph for the answer provided.


So we came up with some approach here and please advise us its looks good here.

in our clm 6.0.3 setup plan, our applications (JTS,CCM,QM,RM,DNG,DM,DCC,LQE, JRS,RELM) need to be hosted in 9 different linux servers with bundled liberty profile.And also we have one IHS server in front of them.



So as per the installation process, we have installed these applications in 9 linux servers and installed IHS server.

In IHS Server
_

We created a kdb file and created a csr and raised the certificate request to CA.

Here we would need some more clarification on the below queries.

1) Once we got the Certificate from the CA, can we add the certificate to the IHS server kdb file (in personal certificate)

2) As per the installation guide, the next step will be making the ssl handshake with IHS and Liberty profiles. so we need to import the keystore of each liberty profiles (9 liberty profile here) to IHS keystore .

  ***But  Here the customer needs mutual ssl authentication between all the application servers (eg: 1 application to all other 8 applications, for all  and IHS also should be in mutual authentication.)along with IHS ( Means, IHS<->JTS<->CCM<->QM<->RM<->DNG<->DM<->DCC<->LQE<-> JRS<->RELM)

So we are planning to raise and get a Certificate from CA for each server using the liberty default key store and for IHS also by using the IHS kdb file. once we get the certificates for all 9 servers, and IHS, 

a) first we will import the IHS SSL certificate to all 9 applications default keystore using ikeyman. (But in personal or Signer?)
b) from each applications, created certificates from CA, will import to all other applications keystore file ( is it in personal certificate or signer certificate?)
c) once all the applications key store are imported with other applications certificates. we will copy the updated keystore from each applications  servers to IHS server and will Import to  IHS kdb file for ssl authentication.


is this approach is correct or guide as for any changes need to be done ?

0 votes

Comments
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Feb 27 '18, 9:52 a.m.

Certificates are usually for one host only. I don't think I can help beyond pointing to the help as I did and the deployment Wiki: https://jazz.net/deployment-wiki-home.jsp

To deploy these solutions, you need to get some network skills. The network stuff is getting increasingly more important due to security issues.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 7,492
× 2,355

Question asked: Feb 20 '18, 1:57 a.m.

Question was seen: 2,088 times

Last updated: Mar 01 '18, 4:43 a.m.

Confirmation Cancel Confirm