The client sends a certificate to the server to validate, and the server sends a certificate to the client to validate. The validation is carried out by keystores. A client keystore validates the server certificate, and a server keystore validates the client certificate.
Certificates can be organized in a tree structure, with a root certificate at the top of the tree. All of the certificates in the tree inherit the trustworthiness of the root certificate. A keystore can validate each certificate individually, or it can validate the root certificate, in which case every certificate in the tree is also validated.
By default, Rational DOORS is installed with TLS certificates that are provided by IBM® GSKIT, and two keystores that are ready to use.
The keystores are in the certdb folder. The client keystore is client_authentication.kdb, and the server keystore is server_authentication.kdb.
The client_authentication.kdb keystore contains a certificate that the client can send to the server called IBM_CL1, and the server_authentication.kdb keystore contains a certificate called IBM_SV1 that the server can send to the client. The IBM_SV1 certificate contains the name of the computer that the server is running on. By default, the name is IBMEDSERV.
The client keystore also contains the root certificate of the tree that contains the server certificate, which the client keystore uses to validate the server certificate. For example, the client_authentication.kdb keystore contains the root certificate of the tree that contains the IBM_SV1 certificate, and uses the root certificate to validate IBM_SV1. The server keystore contains the root certificate of the tree that contains the client certificate, and uses it to validate the client certificate.
You can change the default settings and set up your system to your specifications. To specify your own settings, use command-line switches to specify a different keystore, certificate name, or server name. For example, you can change IBM_SV1 to a different certificate name or change IBMEDSERV to a different server name.
Before you enable smart card authentication for a server, you must set up smart card users. You set up a user by associating the user with a distinguished name (DN).
You must associate a DN with the administrator user so that the administrator user can access the database.
For example: CN=Ben Gray,OU=US,OU=users,DC=com,DC=ibm,DC=sales