To enable server security, you must configure the Rational® DOORS® database server to use secure connections.
Before you begin
Make sure that the server can start in secure mode and accept
connections from clients. Use this checklist to verify the secure mode
configuration (this information is for guidance only):
- Make sure that the certificate key database is up to date. Make
sure that there are no expired certificates. If you are using a different
keystore database, the -keydb parameter can be
used to specify it when you start the Rational DOORS database
server and clients.
- Make sure that the server starts with the correct server host
name. If you are running from the command line, set the -serverhostname
parameter; otherwise, it is defined by the SERVERHOSTNAME environment
variable (or Registry entry). This host name must refer to the same host
that runs the Rational DOORS database server.
- Make sure that the server is restarted with secure mode enabled.
From the command line, it is enabled by the -secure ON option.
In Windows, if you do not specify it in the command line, it is defined
by the secure registry option. This registry value is set to OFF by
default. If you do not use the command-line parameters, you must set
this option to ON. This key can be found in this path:
\HKEY_LOCAL_MACHINE\SOFTWARE\Telelogic\DOORS_Server\9.5\Config
If you are running on 64-bit Windows, the key is in this path:
\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Telelogic\DOORS_Server\9.5\Config
- Make sure that the clients and interoperation server start with
the correct host name. It must be the same as the Rational DOORS database
server host name. For example, if the Rational DOORS database
server host name is IBMEDSERV, then the client must
use IBMEDSERV in the command line (-data 36700@IBMEDSERV), and in the
client’s environment this host name must point to the same host that the
Rational DOORS database server is running on. You can modify the
operating system’s hosts file to point to the host for IBMEDSERV.
To summarize:
  - The Rational DOORS database server must start
  with the correct server host name (for example, IBMEDSERV),
  and in the server environment this host name must resolve to the server
  itself.
  - The Rational DOORS client must connect to the
  server by the same server host name (for example, specifying the
  -data 36700@IBMEDSERV parameter in the shortcut) and again this
  host name in the client environment must resolve to the server’s IP
  address.
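The server-side items of this checklist can be verified with a short script before clients connect. The following is an added example, not part of the product documentation; it assumes the registry value is named secure, as the text describes it, and uses the page's example host name IBMEDSERV as the default.

```powershell
# Added example: server-side pre-flight check for the secure-mode checklist.
# Assumptions: the registry value is named "secure" (as the page describes it);
# IBMEDSERV is the page's example host name, pass your own with -ServerHostName.
param(
    [string]$ServerHostName = 'IBMEDSERV'
)

$configPaths = @(
    'HKLM:\SOFTWARE\Telelogic\DOORS_Server\9.5\Config',
    'HKLM:\SOFTWARE\WOW6432Node\Telelogic\DOORS_Server\9.5\Config'
)
$problems = @()

# 1. Registry: the secure option defaults to OFF and must be ON
#    unless -secure ON is passed on the server command line.
$found = $false
foreach ($path in $configPaths) {
    if (-not (Test-Path $path)) { continue }
    $found = $true
    $value = (Get-ItemProperty -Path $path -Name 'secure' -ErrorAction SilentlyContinue).secure
    if ($value -ne 'ON') {
        $problems += "secure is '$value' under $path (expected ON)"
    }
}
if (-not $found) { $problems += 'No DOORS_Server 9.5 Config key found' }

# 2. Name resolution: on the server, the host name must resolve to the server itself.
$resolved = @()
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($ServerHostName) |
        ForEach-Object { $_.IPAddressToString }
} catch {
    $problems += "$ServerHostName does not resolve on this machine"
}
$local = Get-NetIPAddress | ForEach-Object { $_.IPAddress }
if ($resolved -and -not ($resolved | Where-Object { $local -contains $_ })) {
    $problems += "$ServerHostName resolves to $($resolved -join ', '), which is not a local address"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Secure-mode pre-flight checks passed for $ServerHostName"
```

A registry value other than ON is only a problem when the server is started without -secure ON on the command line, so treat that warning as a prompt to check how the server is launched.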
Starting the client
After you start the Rational DOORS database server, connect
the Rational DOORS clients to the Rational DOORS database
server and run as usual.
If Rational DOORS is configured to use the Rational Directory Server,
existing users must be signed. To sign existing users, start a Rational DOORS client, log in as the Administrator,
and run the DXL perm signTdsUsers(). You must run
the DXL each time you change the Rational DOORS database server.
Setting up a password for dbadmin
After you start the Rational DOORS client, you must set up
a password for dbadmin. Set it using the -p switch, and when you run
dbadmin, you must enter the password with the -P switch and the -l switch.
For example, set the password with a command in this format:
dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -p NewPassword
After you assign the dbadmin password, specify each request with a command in
this format:
dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -P NewPassword -l
Setting up access to modules
You must make sure that sensitive data is protected by setting
up the correct access rights to modules.
When server security is enabled, clients enforce the usual access rights
to information in the database. A user’s access to the database is the
same whether the system is using server security or the classic
Rational DOORS security model.
However, if a user gains unauthorized access to the database,
and has read access to a module, they have full access to the contents
of the module.
To guard against this possibility, make sure
that modules that contain sensitive data are protected. Allow access
to the module only if a user needs it. If a user does not need access
to a module, do not set their access to read. Set their access to
none. That way, even if a user gains unauthorized access to the database,
they cannot access the module.
Changing the authentication method
You can change the server security authentication method
with dbadmin. When you change the method, it is not necessary to restart
the Rational DOORS database server.
For example, to set the method to user keys, enter:
dbadmin.exe -d 36700@IBMEDSERV -keyDB C:\path\to\certificate\db\client_authentication.kdb -certName DBM1 -P samplePassword -sssAuthenticationMode UserKeys
These options are valid for the -sssAuthenticationMode switch:
- UserKeys
- UsernamePassword
- UsernamePasswordAndUserKeys