Configuring client certificate support in Jazz Authorization Server

You can configure the Jazz™ Authorization Server to accept client certificates. With client certificate support, clients can log in by using an SSL certificate file.

Before you begin

This procedure assumes that you, as the administrator, are familiar with certificate authentication and that the public certificate of the certificate authority (CA) that issues your client certificates is available. Only client certificates that chain to a CA in the truststore that you create here are accepted, so use a CA that you control rather than a general-purpose public one. For information about using certificates and how to set up a personal certificate authority, see SSL Certificates HOWTO at tldp.org.

About this task

To configure the Jazz Authorization Server to support client certificate authentication, complete the following steps on the Jazz Team Server where the Jazz Authorization Server is deployed.

Procedure

  1. Using the keytool utility, import the certificate authority's public certificate into a new truststore file and place that file in the JazzAuthServer/wlp/usr/servers/jazzop directory. The -importcert command creates the keystore file if it does not already exist. For example,
    JazzAuthServer\java\jre\bin>keytool.exe -importcert -v -trustcacerts -file cacert.pem -keystore ibm-team-trust.keystore -storepass myWasAdminPassword
    where
    • cacert.pem is the file name of the certificate authority's public certificate. Substitute your certificate file name in place of cacert.pem.
    • ibm-team-trust.keystore is the new keystore file name.
      Tip: Consider including the word trust in the new keystore file name to indicate that it serves as the truststore.
    • myWasAdminPassword is the password that protects the new truststore. You encode this password in step 2.
    Note: Without a -storetype option, keytool writes the store in your JRE's default format (JKS unless the JRE is configured otherwise). The type= attribute that you set in step 5 must match the format of the file, so either add -storetype JCEKS to the command to match the example in step 5, or set type= to the format that keytool used.
  2. Using the JazzAuthServer/wlp/bin/securityUtility command, encode the new truststore password so that it does not appear in clear text in the configuration file.
    Note: The default {xor} encoding is reversible obfuscation, not encryption. Anyone who can read appConfig.xml can recover the password, so restrict the file's permissions to the server's service account and administrators.
    Tip: To run the securityUtility command, use the following syntax:
    securityUtility encode userPassword

    where userPassword is the password to encode.

    For example,
    securityUtility encode myWasAdminPassword

    For more information, see Liberty profile: securityUtility command.

  3. Check whether the JazzAuthServer/wlp/usr/servers/jazzop directory contains the appConfig.xml file. If it does not, copy the file from the JazzAuthServer/wlp/usr/servers/jazzop/defaults directory into the jazzop directory.
    Important: Copy the file only if the jazzop directory does not already contain appConfig.xml. Overwriting an existing copy discards any customizations that it contains.
  4. Using a text editor, open the appConfig.xml file for editing.
  5. Go to the <keyStore> element in the file. After this element, create a new <keyStore> element for the truststore that you created in step 1: set location= to the truststore file name (relative to the jazzop directory), set type= to the format of that file, and in the line that starts password=, add the encoded password, including its {xor} prefix, that you created in step 2. When you are done editing, the keystore elements in the appConfig.xml file might look similar to the following code example; the second element is the new one.
    <keyStore
        id="defaultKeyStore"
        location="ibm-team.keystore"
        type="JCEKS"
        password="{xor}Nj0ycis6Pjl="/>
    <keyStore
        id="defaultTrustStore"
        location="ibm-team-trust.keystore"
        type="JCEKS"
        password="{xor}KD4sPjsyNjE="/>
  6. Go to the <ssl> element in the file. In the line that starts trustStoreRef=, add the value of the id= line in the new <keyStore> element that you created in step 5. Also ensure that the element contains clientAuthenticationSupported="true": with this setting the server requests a client certificate during the TLS handshake but still allows form-based login for clients that do not present one, whereas clientAuthentication="true" would reject every connection without a certificate. For example,
    <ssl id="defaultSSLConfig"
        keyStoreRef="defaultKeyStore"
        trustStoreRef="defaultTrustStore"
        serverKeyAlias="sslkey"
        clientAuthenticationSupported="true"/>
  7. Go to the <oauthProvider> element in the file. Under the line that starts autoAuthorize=, add the following new line:
    certAuthentication="true"
    For example,
    <oauthProvider id="JazzOP"
        httpsRequired="true"
        autoAuthorize="true"
        certAuthentication="true"
        customLoginURL="/jazzop/form/login"
        accessTokenLifetime="7201"
        authorizationGrantLifetime="604801">
        <autoAuthorizeClient>client01</autoAuthorizeClient>
        <databaseStore dataSourceRef="OAuthFvtDataSource" />
    </oauthProvider>
  8. Save and close the file.
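The following Python script is an added example; it is not part of the IBM documentation or of the Jazz Authorization Server. It checks that the appConfig.xml produced by steps 1 to 8 is internally consistent before you restart the server: the <ssl> trustStoreRef must name an existing <keyStore> id, the server must be configured to request a client certificate, the <oauthProvider> must carry certAuthentication="true", passwords must be securityUtility-encoded rather than clear text, and each keystore file must have the format its type= attribute declares. It assumes that appConfig.xml uses a <server> root element, as Liberty include files do; the two embedded configurations are constructed from the fragments in steps 5 to 7, and the magic numbers (0xFEEDFEED for JKS, 0xCECECECE for JCEKS, a leading DER SEQUENCE byte 0x30 for PKCS12) are the formats that keytool writes.

```python
"""Consistency check for the appConfig.xml edits in steps 1 to 8 (added example, not
IBM code): <ssl> trustStoreRef must resolve to a <keyStore> id, the server must ask for
a client certificate, <oauthProvider> needs certAuthentication="true", passwords must be
securityUtility-encoded, and each keystore file must have the format its type= declares."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Magic numbers that Java's keytool writes at the start of each store type.
# PKCS12 has no fixed magic; the file is a DER SEQUENCE, so it starts with 0x30.
KEYSTORE_MAGIC = {"JKS": b"\xfe\xed\xfe\xed", "JCEKS": b"\xce\xce\xce\xce"}


def keystore_type_from_bytes(head: bytes) -> Optional[str]:
    """Identify a keystore format from its leading bytes; None if unrecognised."""
    for name, magic in KEYSTORE_MAGIC.items():
        if head.startswith(magic):
            return name
    return "PKCS12" if head[:1] == b"\x30" else None


def check_app_config(xml_text: str, server_dir: Optional[str] = None) -> List[str]:
    """Return the problems found (empty list = consistent). server_dir is the directory
    that keyStore location= paths are relative to (the jazzop server directory in the
    procedure); None skips the on-disk format check."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    keystores: Dict[str, ET.Element] = {
        ks.get("id"): ks for ks in root.iter("keyStore") if ks.get("id")
    }

    for ks_id, ks in keystores.items():
        # securityUtility encode output starts with {xor} (default) or {aes}.
        if not ks.get("password", "").startswith(("{xor}", "{aes}")):
            problems.append(f"keyStore {ks_id}: password is in clear text, run securityUtility encode")
        declared = ks.get("type")
        if server_dir is None or declared is None:
            continue
        path = os.path.join(server_dir, ks.get("location", ""))
        try:
            with open(path, "rb") as fh:
                actual = keystore_type_from_bytes(fh.read(4))
        except OSError:
            problems.append(f"keyStore {ks_id}: file {path} does not exist")
            continue
        if actual is not None and actual != declared.upper():
            problems.append(f'keyStore {ks_id}: file is {actual} but type="{declared}"; '
                            f"re-run keytool with -storetype {declared} or fix the type attribute")

    for ssl in root.iter("ssl"):
        ssl_id = ssl.get("id", "?")
        for attr in ("keyStoreRef", "trustStoreRef"):
            if ssl.get(attr) not in keystores:
                problems.append(f'ssl {ssl_id}: {attr}="{ssl.get(attr)}" matches no keyStore id')
        # clientAuthenticationSupported requests a certificate but tolerates its
        # absence (form login still works); clientAuthentication requires one.
        if "true" not in (ssl.get("clientAuthenticationSupported"), ssl.get("clientAuthentication")):
            problems.append(f"ssl {ssl_id}: the server never requests a client certificate")

    for op in root.iter("oauthProvider"):
        op_id = op.get("id", "?")
        if op.get("certAuthentication") != "true":
            problems.append(f'oauthProvider {op_id}: certAuthentication="true" is missing (step 7)')
        if op.get("httpsRequired") != "true":
            problems.append(f'oauthProvider {op_id}: keep httpsRequired="true"; certificates only travel over TLS')
    return problems


# Constructed sample: the configuration the procedure ends with. The <server> root
# element and the exact attribute set are assumed, not copied from a live file.
GOOD_CONFIG = """<server>
  <keyStore id="defaultKeyStore" location="ibm-team.keystore" type="JCEKS" password="{xor}Nj0ycis6Pjl="/>
  <keyStore id="defaultTrustStore" location="ibm-team-trust.keystore" type="JCEKS" password="{xor}KD4sPjsyNjE="/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"
       serverKeyAlias="sslkey" clientAuthenticationSupported="true"/>
  <oauthProvider id="JazzOP" httpsRequired="true" autoAuthorize="true" certAuthentication="true"
                 customLoginURL="/jazzop/form/login" accessTokenLifetime="7201" authorizationGrantLifetime="604801">
    <autoAuthorizeClient>client01</autoAuthorizeClient>
    <databaseStore dataSourceRef="OAuthFvtDataSource"/>
  </oauthProvider>
</server>
"""

# Constructed sample with three typical slips: the password pasted in clear text,
# a trustStoreRef whose case does not match the keyStore id, and step 7 forgotten.
BAD_CONFIG = (GOOD_CONFIG
              .replace('password="{xor}KD4sPjsyNjE="', 'password="myWasAdminPassword"')
              .replace('trustStoreRef="defaultTrustStore"', 'trustStoreRef="defaultTruststore"')
              .replace(' certAuthentication="true"', ""))


def demo_type_mismatch() -> List[str]:
    """Simulate step 1 run without -storetype: keytool wrote a JKS truststore while
    appConfig.xml declares type="JCEKS". Only the magic bytes matter to the check."""
    with tempfile.TemporaryDirectory() as server_dir:
        with open(os.path.join(server_dir, "ibm-team.keystore"), "wb") as fh:
            fh.write(KEYSTORE_MAGIC["JCEKS"] + b"\x00" * 12)
        with open(os.path.join(server_dir, "ibm-team-trust.keystore"), "wb") as fh:
            fh.write(KEYSTORE_MAGIC["JKS"] + b"\x00" * 12)
        return check_app_config(GOOD_CONFIG, server_dir)


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_app_config(cfg) or "OK")
    print("type mismatch", demo_type_mismatch())
```

To check a real installation, read your own appConfig.xml into check_app_config() and pass the JazzAuthServer/wlp/usr/servers/jazzop directory as server_dir so that the truststore from step 1 is compared against the type= attribute from step 5. An empty list means the three elements agree with each other and with the files on disk; the script does not verify that the CA certificate inside the truststore is the one that issued your client certificates, which you confirm with keytool -list.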

Importing the client certificate

To import the client certificate, follow the procedure appropriate for your client.

Procedure

  • For the Engineering Workflow Management web client, import the certificate that your administrator supplied into your browser.
  • For the Engineering Workflow Management Eclipse client, complete the following steps.
    1. In the Team Artifacts view, right-click Repository Connections and click New > Repository Connection. The Create a Jazz Repository Connection dialog box opens.
    2. In the Location section, complete the URI and Name fields.
    3. In the Authentication section, complete the following fields.
      • In the Authentication Type field, select SSL Certificates.
      • In the Certificate Location field, click Browse, find the certificate file that your administrator supplied, and select it.
      • In the Password field, enter the password that protects the certificate file.
    4. Click Finish.
    5. Log out of your client and then log in.
