How to Set Up Team Concert Smart Card Integration

Authors: ZeeshanChoudhry
Build basis: IBM Rational Team Concert 4.x, 5.x

This article explains how to set up IBM Rational Team Concert for Smart Card integration.

Rational Team Concert Eclipse client settings

If the Rational Team Concert (RTC) Eclipse client is installed in the following directory:

C:\Program Files\IBM\TeamConcert

then the following JRE file must be modified:

C:\Program Files\IBM\TeamConcert\jdk\jre\lib\security\java.security

1) Search for the following section, and make the modification below:

#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

Note that the first entry, com.ibm.security.capi.IBMCAC, enables IBM CAC (Common Access Card) support.

2) Search for the next section and make sure the default keystore type is specified as follows:

#
# Default keystore type.
#
keystore.type=Windows-MY

The sections above show the correctly modified content of the java.security file. These changes enable IBM CAC support, and with it Smart Card login, in the Rational Team Concert Eclipse client.

NOTE: If you are using IBM Rational Team Concert Eclipse client version 4.0.3, use keystore.type=JKS

For more information on why the JKS keystore is used, refer to Defect 268980.

3) For RTC Eclipse Client 6.0.3 and newer on Windows:

You may receive the following error when selecting Smart Card:

com.ibm.team.repository.common.TeamRepositoryException: CRJAZ2384E Cannot connect to the repository at URL
"https://server/ccm", see the nested exception for more details.
<...>
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
<...>
Caused by: java.security.InvalidKeyException: No installed provider supports this key: com.ibm.security.capi.RSAPrivateKey

In non-FIPS mode, IBMCAC delegates signing operations to MSCAPI. Windows does not support SHA224withRSA.

https://blogs.msdn.microsoft.com/alejacma/2009/01/23/sha-2-support-on-windows-xp/

Excerpt from the link above, with Microsoft's statement on not supporting SHA-224:

"Regarding SHA-224 support, SHA-224 offers less security than SHA-256 but takes the same amount of resources. Also SHA-224 is not generally used by protocols and applications. The NSA's Suite B standards also do not include it. We have no plans to add it on future versions of our CSPs."

So to fix this problem, update the java.security file to disable SHA224withRSA.

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, SHA224withRSA
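The three java.security edits described above can be checked mechanically before a client is handed to users. The following Python script is an added example, not part of the original article or of any IBM tooling; the function names, the keystore and require_sha224_disabled parameters, and both sample file fragments are constructed for illustration. It also flags a duplicate provider index, which is what results when IBMCAC is inserted at position 1 and the remaining entries are not renumbered.

```python
# Constructed samples: GOOD has the page's three settings; BAD has IBMCAC inserted without renumbering.
GOOD = """\
security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
keystore.type=Windows-MY
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768, SHA224withRSA
"""
BAD = """\
security.provider.1=com.ibm.security.capi.IBMCAC
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
keystore.type=JKS
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

def parse_pairs(text):
    """Read key=value pairs, honouring comment lines and backslash continuations."""
    pairs, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith(("#", "!"))):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text, keystore="Windows-MY", require_sha224_disabled=True):
    """Return a list of findings; an empty list means the file matches the article."""
    pairs = parse_pairs(text)
    props = dict(pairs)                  # last duplicate wins, as in java.util.Properties
    keys = [k for k, _ in pairs]
    findings = ["duplicate " + k for k in sorted(set(keys))
                if k.startswith("security.provider.") and keys.count(k) > 1]
    if props.get("security.provider.1") != "com.ibm.security.capi.IBMCAC":
        findings.append("security.provider.1 is not com.ibm.security.capi.IBMCAC")
    if props.get("keystore.type") != keystore:
        findings.append("keystore.type is %r, expected %r" % (props.get("keystore.type"), keystore))
    disabled = [a.strip() for a in props.get("jdk.tls.disabledAlgorithms", "").split(",")]
    if require_sha224_disabled and "SHA224withRSA" not in disabled:
        findings.append("SHA224withRSA is not in jdk.tls.disabledAlgorithms")
    return findings

if __name__ == "__main__":
    print("GOOD:", audit(GOOD) or "OK", "| BAD:", audit(BAD))
```

For a 4.0.3 client, call audit with keystore="JKS"; for clients older than 6.0.3, pass require_sha224_disabled=False.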

Verify that the Microsoft Visual C++ 2010 Redistributables are installed.

In Microsoft Windows Control Panel -> Add or Remove Programs, search for the installation.

NOTE: 32-bit operating systems require only the 32-bit version of the redistributable. 64-bit operating systems require both the 32-bit and 64-bit versions of the redistributable. See the following links to the redistributables:

Microsoft Visual C++ 2010 Redistributable Package (x86)

Microsoft Visual C++ 2010 Redistributable Package (x64)

Latest Supported Visual C++ Downloads

WARNING: If the Microsoft Visual C++ 2010 Redistributables are not installed, the RTC Eclipse Client will exit immediately without any error message or core dump, even when debug output is sent to a log or the Java console. Such a silent exit is a sign that the redistributables are missing, and you should immediately check that they are installed. As noted above, a 64-bit operating system needs BOTH the 32-bit and 64-bit redistributables.

Verify the IBM JRE version bundled within the RTC Eclipse Client:

In Rational Team Concert Eclipse client Help -> About Rational Team Concert -> Installation Details

Example:

java.runtime.name=Java(TM) SE Runtime Environment
java.runtime.version=pwa6460sr13fp1-20130325_01 (SR13 FP1)
java.specification.name=Java Platform API Specification
java.specification.vendor=Sun Microsystems Inc.
java.specification.version=1.6
java.util.prefs.PreferencesFactory=java.util.prefs.WindowsPreferencesFactory
java.vendor=IBM Corporation
java.vendor.url=http://www.ibm.com/
java.version=1.6.0
java.vm.info=JRE 1.6.0 IBM J9 2.4 Windows 7 amd64-64 jvmwa6460sr13-20130114_134867 (JIT enabled, AOT enabled)
J9VM - 20130114_134867
JIT  - r9_20130108_31100
GC   - 20121212_AA_CMPRSS
java.vm.name=IBM J9 VM
java.vm.specification.name=Java Virtual Machine Specification
java.vm.specification.vendor=Sun Microsystems Inc.

As seen above, the JVM vendor is IBM, the major version is 1.6, and the service release is SR13 FP1. Therefore, the above SDK supports IBM CAC. If the Service Release is below 1.6 SR12, you must upgrade the SDK bundled with the IBM Rational Team Concert Eclipse client. You can download it from Jazz.net.

Rational Team Concert Server settings

Refer to: Configuring certificate authentication in Rational Team Concert 3.0 using WebSphere Application Server 7.0

Related topics: Deployment web home

Instructions to enable debugging on the Eclipse Client: Smart Cards Debugging

Additional contributors: Christopher Guild

History: r12 - 2017-12-20 - 20:48:35 - Main.alexvs