Configuring a secure connection

To enable server security, you must configure the Rational® DOORS® database server to use secure connections.

Before you begin

Make sure that the server can start in secure mode and accept connections from clients. Here is a checklist to verify secure mode configuration (this information is for guidance only):

Starting the UNIX servers

About this task

To start the UNIX servers:

Procedure

  1. Run configure-festival.sh, which sets the appropriate permissions on the files in the directory structure and installs the JRE.
  2. Start the broker by running broker.start.sh, which is in the root directory of the Rational DOORS Web Access installation.
  3. Start the Rational DOORS database server, enabling server security with the -serverSecurityEnable command-line argument. You must also define the broker host and port with the -serverSecurityBrokerHost BROKER_HOST and -serverSecurityBrokerPort PORT_NUMBER parameters.

    doorsd -s $DOORSHOME/data -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost BROKER_HOST -serverSecurityBrokerPort 61616 -serverSecurityEnable

    where

    Switch                     Parameter            Description
    -s                         $DOORSHOME/data      The path to the data files ($DOORSHOME is set according to the standard Rational DOORS installation instructions).
    -p                         36700                The port number to connect to the server.
    -serverhostname            IBMEDSERV            The name of the Rational DOORS database server.
    -secure                    ON                   Must be set to ON for security to be enabled.
    -serverSecurityBrokerHost  BROKER_HOST          The server name or IP address of the server that is hosting the broker.
    -serverSecurityBrokerPort  61616 (the default)  The port number to connect with the broker.
    -serverSecurityEnable                           Enables server security.

    There are optional logging parameters for the server:

    Switch  Description
    -L      The log level (for example, -L 6).
    -l      The path and file name of the log file (for example, -l /var/log/doorsd.log).

    Note: Any missing or mistyped parameters can be filled from environment variables or, if there are any, by registry entries.
  4. Start the interoperation server. The interoperation server command is in $DOORSHOME/bin.

    doors9 -interop -data 36700@IBMEDSERV -brokerHost MYBROKER -brokerPort BROKERPORT

    where

    Switch       Parameter        Description
    -interop                      The command to start the client as an interoperation server.
    -data        36700@IBMEDSERV  The port number and name of the Rational DOORS database server.
    -brokerHost  MYBROKER         The name of the server that is hosting the broker.
    -brokerPort  BROKERPORT       The port number of the broker.

    There are optional logging parameters for the interoperation server:

    Switch     Description
    -logLevel  The log level (for example, -logLevel 6).
    -logfile   The path and file name of the log file (for example, -logfile /var/log/interop.log).
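
The note in step 3 says that missing or mistyped parameters can be filled from environment variables or registry entries, so it is worth checking the argument list before the server is launched. The preflight check below is an added example, not part of the product or of the original page; it assumes only the switches listed in step 3 plus -serverSecurityDisable, and the sample data path is constructed.

```shell
#!/bin/sh
# Added example, not IBM code: preflight check for a doorsd argument list.
# Prints one finding per line; exit status is 0 only when the secure-mode
# switches from step 3 are all present and well formed.
check_doorsd_args() (
    secure= host= port= enable=0 disable=0 bad=0
    finding() { echo "doorsd preflight: $*"; bad=1; }

    while [ $# -gt 0 ]; do
        case "$1" in
            -secure)                   secure=${2-} ;;
            -serverSecurityBrokerHost) host=${2-} ;;
            -serverSecurityBrokerPort) port=${2-} ;;
            -serverSecurityEnable)     enable=1 ;;
            -serverSecurityDisable)    disable=1 ;;
            -serverSecurity*) finding "switch not listed on this page: $1" ;;
            –*|—*)            finding "typographic dash instead of '-': $1" ;;
        esac
        shift
    done

    case "$secure" in
        ON|on) ;;
        *) finding "-secure ON is missing" ;;
    esac
    case "$host" in
        ''|-*|–*|—*) finding "-serverSecurityBrokerHost has no host name or IP address" ;;
    esac
    case "$port" in
        ''|*[!0-9]*|??????*) finding "-serverSecurityBrokerPort is not a port number" ;;
        *) { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
               finding "-serverSecurityBrokerPort is out of range" ;;
    esac
    [ "$enable" -eq 1 ] ||
        finding "-serverSecurityEnable not given; the remembered setting applies"
    [ "$disable" -eq 0 ] ||
        finding "-serverSecurityDisable switches server security off"
    exit "$bad"
)

# Constructed sample: the step 3 command line with an en dash on one switch.
check_doorsd_args -s /opt/doors/data -p 36700 -serverhostname IBMEDSERV \
    -secure ON –serverSecurityBrokerHost BROKER_HOST \
    -serverSecurityBrokerPort 61616 -serverSecurityEnable ||
    echo "not starting doorsd"
```

Call the function with the same arguments that the start script passes to doorsd, and start the server only when it exits 0.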

Starting the Windows server

About this task

To start the Windows servers:

Procedure

  1. Start the broker by running broker.start.bat, which is in the root directory of the Rational DOORS Web Access installation.
  2. Restart the Rational DOORS database server, enabling server security with the -serverSecurityEnable command-line argument. You must also define the broker host and port with the -serverSecurityBrokerHost HOST and -serverSecurityBrokerPort PORT parameters. If you are running the Rational DOORS database server in console mode, enter a command in this format:

    doorsd.exe -debug -s "C:\example\data" -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost BROKER_HOST -serverSecurityBrokerPort 61616 -serverSecurityEnable

    where

    Switch                     Parameter            Description
    -s                         "C:\example\data"    The path to the data files.
    -p                         36700                The port number to connect to the server.
    -serverhostname            IBMEDSERV            The name of the Rational DOORS database server.
    -secure                    ON                   Must be set to ON for security to be enabled.
    -serverSecurityBrokerHost  BROKER_HOST          The server name or IP address of the server that is hosting the broker.
    -serverSecurityBrokerPort  61616 (the default)  The port number to connect with the broker.
    -serverSecurityEnable                           Enables server security.

    You can also add optional logging parameters:

    Switch  Parameter            Description
    -L      6                    The log level.
    -l      /var/log/doorsd.log  The path and file name of the log file.

    Note: Make sure that you stop and disable the Rational DOORS database server service.

    If you are running the Rational DOORS database server from Windows services, you must enable secure mode and server security options.

    After the server is installed, the Rational DOORS database server is registered as a Windows service. By default, secure mode and server security options are disabled. To enable these options:

    1. Stop the Rational DOORS database server service.
    2. Open the Properties dialog box for the Rational DOORS database server service.
    3. Enter the correct parameters in the Start parameters field. For example, enter:

      -s "C:\example\data" -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost BROKER_HOST -serverSecurityBrokerPort 61616 -serverSecurityEnable

      For information about the parameters, see the table in step 2.

    4. Start the service.
      Note: Press Start in the Properties dialog box. The parameters are discarded when the dialog box is closed.
  3. Start the Rational DOORS interoperation server. This server is the same binary as the Rational DOORS client.

    doors.exe -interop -data 36700@IBMEDSERV -brokerHost MYBROKER -brokerPort BROKERPORT

    where

    Switch       Parameter        Description
    -interop                      The command to start the client as an interoperation server.
    -data        36700@IBMEDSERV  The port number and name of the Rational DOORS database server.
    -brokerHost  MYBROKER         The name of the server that is hosting the broker.
    -brokerPort  BROKERPORT       The port number of the broker.

    You can also add optional logging parameters:

    Switch     Parameter         Description
    -logLevel  8                 The log level.
    -l         "C:\Interop.log"  The path and file name of the log file.

    Note: If the Rational DOORS database server is running as a Windows service, after you restart Windows, you must restart the broker and the interoperation server. Also, attempting to stop the Rational DOORS database server service when the broker is not running can result in Windows timing out and failing to stop the service.

Other information about starting the server

The steps in Starting the UNIX servers and Starting the Windows server are for the user name and password server authentication method. This method is the default authentication method. If you must use a different method, you must start the interoperation server and the Rational DOORS clients with a valid certificate. You do this using the -certName NAME argument.

The -serverhostname and -secure switches are for enabling secure connection. These switches are referenced in Before you begin.

The server security enable switches are server options. When server security is enabled with a command-line argument, the server remembers its value on subsequent runs (when no switch for server security is provided).

By default, server security is disabled. When you enable it, it persists (see the previous note).

To disable server security, use the -serverSecurityDisable switch.

Starting the client

After you start the Rational DOORS database server, connect the Rational DOORS clients to the Rational DOORS database server and run as usual.

If Rational DOORS is configured to use the Rational Directory Server, existing users must be signed. To sign existing users, start a Rational DOORS client, log in as the Administrator, and run the DXL perm signTdsUsers(). You must run the DXL each time you change the Rational DOORS database server.

Setting up a password for dbadmin

After you start the Rational DOORS client, you must set up a password for dbadmin. Set it using the -p switch, and when you run dbadmin, you must enter the password with the -P switch and the -l switch.

For example, set the password with a command in this format:

dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -p NewPassword

After you assign the dbadmin password, specify each request with a command in this format:

dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -P NewPassword -l

Setting up access to modules

You must make sure that sensitive data is protected by setting up the correct access rights to modules.

When server security is enabled, clients enforce usual access rights to information in the database. A user’s access to the database is the same whether the system is using server security or the classic Rational DOORS security model.

However, if a user gains unauthorized access to the database, and has read access to a module, they have full access to the contents of the module.

To guard against this possibility, make sure that modules that contain sensitive data are protected. Allow access to the module only if a user needs it. If a user does not need access to a module, do not set their access to read. Set their access to none. That way, even if a user gains unauthorized access to the database, they cannot access the module.

Changing the authentication method

You can change the server security authentication method with dbadmin. When you change the method, it is not necessary to restart the Rational DOORS database server.

For example, to set the method to user keys, enter:

dbadmin.exe -d 36700@IBMEDSERV -keyDB C:\path\to\certificate\db\client_authentication.kdb -certName DBM1 -P samplePassword -sssAuthenticationMode UserKeys

These options are valid for the -sssAuthenticationMode switch:

UserKeys
UsernamePassword
UsernamePasswordAndUserKeys
