Windows user authentication and TLS certificates

Transport layer security (TLS) certificates provide secure encrypted communication between the Rational® DOORS® server and the Rational DOORS client. When users log in to Rational DOORS using Windows user authentication, TLS certificates are used.

TLS certificates and keystores

TLS certificates provide secure communication between the Rational DOORS server and the Rational DOORS client.

The client sends a certificate to the server to validate, and the server sends a certificate to the client to validate.

The validation is carried out by keystores. A client keystore validates the server certificate, and a server keystore validates the client certificate.

Certificates can be organized in a tree structure, with a root certificate at the top of the tree. All the certificates in the tree inherit the trustworthiness of the root certificate. A keystore can validate each certificate individually, or it can hold only the root certificate: a keystore that validates the root certificate thereby validates every certificate in that tree.

By default, Rational DOORS is installed with TLS certificates that are provided by IBM® GSKIT, and two keystores that are ready to use.

The keystores are in the certdb folder. The client keystore is called client_authentication.kdb, and the server keystore is called server_authentication.kdb.

The client_authentication.kdb keystore contains a certificate called IBM_CL1 that the client can send to the server, and the server_authentication.kdb keystore contains a certificate called IBM_SV1 that the server can send to the client. IBM_SV1 contains the name of the machine that the server is running on. By default, this is IBMEDSERV.

The client keystore also contains the root certificate of the tree that contains the server certificate, which allows the client keystore to validate the server certificate. For example, client_authentication.kdb contains the root certificate of the tree that contains IBM_SV1, and uses it to validate IBM_SV1. The server keystore contains the root certificate of the tree that contains the client certificate, and uses it to validate the client certificate.
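The following is an added example, not IBM or Rational DOORS code, and it does not use GSKit .kdb files: a Python dict of trusted root certificates stands in for the client keystore, and the certificates are generated in memory with the Python cryptography library. It shows the point of the two paragraphs above: the keystore holds only the root of the tree, and a certificate such as IBM_SV1 is accepted because the root signed it, while a look-alike certificate carrying the same server name (IBMEDSERV) but issued by a root the keystore does not hold is rejected. The root labels and the "Rogue Root CA" name are constructed for the example.

```python
"""Added example: how a keystore validates a certificate through its root.

A dict of trusted root certificates stands in for a GSKit .kdb keystore;
certificates are generated in memory with the Python 'cryptography' library.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def issue(subject_cn, subject_key, issuer_cert, issuer_key, is_ca):
    """Issue a certificate for subject_cn signed by issuer_key.

    With issuer_cert=None the certificate is self-signed, i.e. a root.
    """
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, candidate_issuer):
    """True when candidate_issuer's public key verifies cert's signature."""
    if cert.issuer != candidate_issuer.subject:
        return False
    try:
        candidate_issuer.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


class Keystore:
    """Trusted root certificates by label (the role client_authentication.kdb plays)."""

    def __init__(self):
        self.roots = {}

    def add_root(self, label, cert):
        self.roots[label] = cert

    def validates(self, cert, intermediates=()):
        """Walk from cert towards a trusted root through any supplied intermediates.

        Trust is inherited from the root, so the keystore needs only the root
        of the tree, not every certificate in it.
        """
        current = cert
        for _ in range(len(intermediates) + 1):
            if any(signed_by(current, root) for root in self.roots.values()):
                return True
            parent = next((i for i in intermediates if signed_by(current, i)), None)
            if parent is None:
                return False
            current = parent
        return False


def server_name(cert):
    """Machine name carried in the certificate's common name (IBMEDSERV by default)."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def build_demo():
    """Constructed PKI: a genuine root issues IBM_SV1; an untrusted root issues a look-alike."""
    root_key = new_key()
    root = issue("Example Root CA", root_key, None, root_key, True)
    server_key = new_key()
    ibm_sv1 = issue("IBMEDSERV", server_key, root, root_key, False)

    rogue_key = new_key()
    rogue_root = issue("Rogue Root CA", rogue_key, None, rogue_key, True)
    look_alike = issue("IBMEDSERV", server_key, rogue_root, rogue_key, False)

    client_keystore = Keystore()
    client_keystore.add_root("ROOT_CA", root)  # only the root, not IBM_SV1 itself
    return client_keystore, ibm_sv1, look_alike


if __name__ == "__main__":
    ks, good, bad = build_demo()
    print("IBM_SV1 accepted:", ks.validates(good), "name:", server_name(good))
    print("look-alike accepted:", ks.validates(bad))
```

The same Keystore object models server_authentication.kdb when it is loaded with the root of the client certificate's tree instead; nothing in the validation walk depends on which side holds it.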

If you start the Rational DOORS server without changing any default settings, this server keystore and certificate configuration is used by default, and all the Rational DOORS clients make secure connections with the server.

You can change the default settings and set up your system to your own specifications by using command line switches that specify a different keystore, certificate name, or server name. For example, you can change IBM_SV1 to a different certificate name or IBMEDSERV to a different server name.

Smart card certificates

When you use smart cards, the client certificate is not stored on the Rational DOORS client itself. It is on the smart card, along with the distinguished name (DN) that is associated with the user. The certificate on the smart card is identified by a certificate label; the user is identified by a DN. A DN is made up of attribute=value pairs, separated by commas, for example:

CN=Ben Gray,OU=US,OU=users,DC=com,DC=ibm,DC=sales
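The following is an added example, not Rational DOORS code, of how a program can split a string DN of the form shown above into its attribute=value pairs and compare two DNs so that a user is identified reliably. It follows the RFC 4514 string representation, which the page's format matches: commas separate the pairs, a backslash escapes a comma or other special character inside a value, and a backslash followed by two hex digits encodes a byte. The sample DN is the one from the page; the other inputs are constructed.

```python
"""Added example: parsing and comparing RFC 4514 string DNs (not DOORS code)."""
import re

# One RDN is a run of characters up to an unescaped comma; the "\\." branch
# keeps an escaped comma (or any escaped character) inside the RDN.
_RDN = re.compile(r"(?:[^,\\]|\\.)+")
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def unescape(raw):
    r"""Undo RFC 4514 escaping: '\,' -> ',' and '\20' -> ' ' (hex escapes are UTF-8 bytes)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != "\\":
            out.extend(raw[i].encode("utf-8"))
            i += 1
            continue
        nxt = raw[i + 1:i + 3]
        if len(nxt) == 2 and _HEX_PAIR.fullmatch(nxt):
            out.append(int(nxt, 16))   # hex escape: one byte of UTF-8
            i += 3
        elif i + 1 < len(raw):
            out.extend(raw[i + 1].encode("utf-8"))   # escaped literal character
            i += 2
        else:
            raise ValueError("DN ends with a lone backslash")
    return out.decode("utf-8")


def parse_dn(dn):
    """Split a string DN into (type, value) pairs in the order written.

    Simplification: multi-valued RDNs joined with '+' are kept as one value.
    """
    pairs = []
    for token in _RDN.findall(dn):
        token = token.strip()   # unescaped whitespace around an RDN is not significant
        if not token:
            continue
        if "=" not in token:
            raise ValueError(f"RDN without '=': {token!r}")
        attr_type, raw_value = token.split("=", 1)
        pairs.append((attr_type.strip(), unescape(raw_value.strip())))
    return pairs


def dn_equal(a, b):
    """Compare two DNs for user lookup: attribute types are case-insensitive and
    values use caseIgnoreMatch, the matching rule that applies to CN, OU and DC."""
    def norm(dn):
        return [(t.upper(), v.casefold()) for t, v in parse_dn(dn)]
    return norm(a) == norm(b)


if __name__ == "__main__":
    for attr, value in parse_dn("CN=Ben Gray,OU=US,OU=users,DC=com,DC=ibm,DC=sales"):
        print(f"{attr:>2} = {value}")
```

Comparing DNs with plain string equality is the usual mistake: "cn=ben gray, OU=US" and "CN=Ben Gray,OU=US" name the same user, and a value such as "Gray\, Ben" carries a comma that a naive split on commas would break into two pairs.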