It's all about the answers!

Ask a question

How to configure liberty for certificate login

Kim Soederhamn (1.5k24348) | asked Nov 01 '23, 8:10 a.m.

 How to configure liberty on ELM to failover to certificate login? We have a server configured for Kerberos (not using JAS) and we need to be able to log in with certificates for build users etc.

Accepted answer

permanent link
Kim Soederhamn (1.5k24348) | answered Nov 01 '23, 8:16 a.m.

 How to configure ELM on Liberty for Certificate failover (for smart card, build users and other)


You need basically 3 steps: <o:p> </o:p>

1)      create a certificate and import it to elm server <o:p> </o:p>

2)      update apps to failover to certificates <o:p> </o:p>

3)      configure liberty to map certificates to users <o:p> </o:p>


Create a certificate and import it <o:p> </o:p>


In ikeyman create a new self signed certificate under signer certificates. Name the certificate after the users login id. <o:p> </o:p>

In our sample we use a user with sAMAccountName=”mynewuser” from the AD. Your AD id field could be different. <o:p> </o:p>

We are also going to reuse the existing keystore used by Liberty. <o:p> </o:p>

Run ikeyman (JazzTeamServer702\server\jre\bin\ikeyman.exe as admin <o:p> </o:p>

Create a new certificate to be used for build toolkit for instance called mynewuser.p12 <o:p> </o:p>



Create a new self signed certificate matching the sAMAccountname from the AD <o:p> </o:p>


and open the \JazzTeamServer702\server\liberty\servers\clm\resources\security\ibm-team-ssl.p12 <o:p> </o:p>




Create a new self signed certificate <o:p> </o:p>




Your keystore should look like this: <o:p> </o:p>



After this you import the certificate from this new keystore into the keystore used by your server <o:p> </o:p>

In ikeyman open the ibm-team-ssl.p12 keystore (or whatever your elm liberty server is using) look for it in JazzTeamServer702\server\liberty\servers\clm\resources\security <o:p> </o:p>

Import your new certificate from your new keystore into this keystore in order for the server to accept logins from this user. <o:p> </o:p>



Your keystore should end up looking like this: <o:p> </o:p>

Finally copy the mynewuser.p12 keystore to the server running your builduser <o:p> </o:p>


Update apps to failover to certificates <o:p> </o:p>


Stop the liberty server and update the web.xml of each of the apps using security  - (like JTS and CCM) <o:p> </o:p>

You need to update them in both JazzTeamServer702\server\liberty\servers\clm\apps and the template in JazzTeamServer702\server\liberty\clmServerTemplate\apps <o:p> </o:p>

Edit JazzTeamServer702\server\liberty\servers\clm\apps\ccm.war\WEB-INF\web.xml <o:p> </o:p>

(we are using Kerberos in our case with failover to certificate so no form) <o:p> </o:p>

<!--          <o:p> </o:p>

                 <login-config> <o:p> </o:p>

                                  <auth-method>BASIC</auth-method> <o:p> </o:p>

                                  <realm-name>Jazz</realm-name> <o:p> </o:p>

                 </login-config> <o:p> </o:p>


                 <login-config> <o:p> </o:p>

                                  <auth-method>FORM</auth-method> <o:p> </o:p>

                                  <form-login-config> <o:p> </o:p>

                                                   <form-login-page>/auth/authrequired</form-login-page> <o:p> </o:p>

                                                   <form-error-page>/auth/authfailed</form-error-page> <o:p> </o:p>

                                  </form-login-config> <o:p> </o:p>

                 </login-config>     <o:p> </o:p>

--> <o:p> </o:p>

                 <login-config> <o:p> </o:p>

                                  <auth-method>CLIENT-CERT</auth-method>         <o:p> </o:p>

                 </login-config>     <o:p> </o:p>


Configure liberty to map certificates to users <o:p> </o:p>

Update the Liberty JazzTeamServer702\server\liberty\servers\clm\conf\ldapuserregistry.xml <o:p> </o:p>

In the <ldapRegistry tag add the following 2 lines: <o:p> </o:p>

certificateMapMode="CERTIFICATE_FILTER" <o:p> </o:p>

certificateFilter="uid=${SubjectCN}" <o:p> </o:p>


Finally edit the \JazzTeamServer702\server\liberty\servers\clm\server.xml <o:p> </o:p>

Add clientAuthenticationSupported="true" to the SSL tag <o:p> </o:p>

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL" trustDefaultCerts="true" clientAuthenticationSupported="true" <o:p> </o:p>



Start the server again. <o:p> </o:p>

Ralph Schoon selected this answer as the correct answer

Ralph Schoon commented Nov 01 '23, 8:39 a.m.

Thanks Kim 

Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.