Installing a security certificate

Secure communications between the Apache Tomcat application server that hosts the adapter and the client that communicates with the adapter by replacing the provided ibm-team certificate with a certificate that belongs to your company. Use the keytool program to create your own self-signed certificate or request a certificate that is signed by a trusted certificate authority (CA).

About this task

In the HPInstallDir/server/tomcat/conf/server.xml file, Apache Tomcat is configured to read the server certificate ibm-team from the HPInstallDir/server/tomcat/ibm-team-ssl.keystore file. The default keystore password is set to ibm-team. The ibm-team certificate identifies the server as localhost.

To improve security, you delete the ibm-team certificate and generate a new certificate. When you generate the new certificate, you set values that are based on your company information. These values include the fully qualified domain name of the Tomcat server that you are deploying the adapter to.

The IBM® JRE that is included with the adapter includes an IBM tool that you can use to manage keystores and certificates on the server. The keytool program is in the HPInstallDir/server/jre/bin/ directory. You can use the keytool program to replace the provided certificate on the Apache Tomcat application server.

For more information about the keytool program, see http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

Alternatively, you can request a certificate that is signed by a trusted certificate authority (CA). A self-signed certificate requires acceptance by the Rational Team Concert™ client or web browser.

Procedure

  1. Go to the directory where the keystore file is located.
    HPInstallDir/server/tomcat/

    Run the keytool commands from the HPInstallDir/server/tomcat/ directory.

  2. List the certificates in the keystore.
    PathToKeytool/keytool -list -v -keystore ibm-team-ssl.keystore -storepass ibm-team

    This command helps you check the information within a certificate or Java™ keystore. You can use this information when you diagnose security certificate errors.

  3. Delete the ibm-team certificate.
    PathToKeytool/keytool -delete -alias ibm-team -keystore ibm-team-ssl.keystore -storepass ibm-team
  4. Generate a new certificate in the keystore.
    1. Run this command:
      PathToKeytool/keytool -genkey -keyalg RSA -alias ibm-team -keystore ibm-team-ssl.keystore -storepass ibm-team -validity 360 -keysize 2048
      As the certificate generation process runs, you are prompted to enter information.
    2. The keytool program prompts you for your first and last name. You must enter the fully qualified domain name of the Tomcat server that you are deploying the adapter to.
      Warning: The fully qualified host name of the server must match the name that you enter for the certificate. Otherwise, a security certificate error results when you connect. Depending on the browser that is used to connect, you might not be able to accept the certificate, and some content might be hidden.
    3. Use your company information to complete the remaining prompts. For the key password prompt, press RETURN to use the same password as the keystore password.

      These values are for information purposes only.

      After you complete the prompts, the ibm-team-ssl.keystore file is changed so that it contains a self-signed certificate that is based on your company information.
  5. If Apache Tomcat was running when you made the previous changes, restart the server. See Starting Apache Tomcat.
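
The following check is an added example, not part of the original product documentation: it reads the keytool -list -v listing from step 2 and confirms that the certificate under the ibm-team alias names the server's fully qualified domain name instead of localhost. The host adapter.example.com, the function names, and the sample listings are constructed for illustration, and the parser assumes that the CN value contains no commas.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# Real use, from HPInstallDir/server/tomcat/ (adapter.example.com is a placeholder):
#   PathToKeytool/keytool -list -v -keystore ibm-team-ssl.keystore \
#     -storepass ibm-team | check_cert_host ibm-team adapter.example.com

# owner_cn ALIAS: read a keytool -list -v listing on stdin and print the CN
# from the Owner line of the entry named ALIAS. Assumes the CN has no commas.
owner_cn() {
    awk -v want="$1" '
        /^Alias name: / { current = substr($0, 13) }
        /^Owner: / && current == want {
            n = split(substr($0, 8), parts, /, */)
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^CN=/) { print substr(parts[i], 4); exit }
        }'
}

# check_cert_host ALIAS FQDN: return 0 when the entry's CN equals FQDN
# (host names compare case-insensitively), 1 on a mismatch such as the
# provided localhost certificate, 2 when the alias is not in the listing.
check_cert_host() {
    cn=$(owner_cn "$1" | tr '[:upper:]' '[:lower:]')
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$cn" ]; then
        echo "no certificate found for alias $1" >&2; return 2
    fi
    if [ "$cn" != "$fqdn" ]; then
        echo "CN '$cn' does not match server name '$fqdn'" >&2; return 1
    fi
    echo "alias $1: CN matches $fqdn"
}

# Constructed listings (only CN=localhost for the provided certificate is
# stated on this page; every other field is made up for the example).
SAMPLE_DEFAULT='Alias name: ibm-team
Entry type: PrivateKeyEntry
Owner: CN=localhost, OU=Example Unit, O=Example Org, C=US
Issuer: CN=localhost, OU=Example Unit, O=Example Org, C=US'
SAMPLE_REPLACED='Alias name: ibm-team
Entry type: PrivateKeyEntry
Owner: CN=adapter.example.com, OU=IT, O=Example Corp, L=Example City, C=US
Issuer: CN=adapter.example.com, OU=IT, O=Example Corp, L=Example City, C=US'

printf '%s\n' "$SAMPLE_REPLACED" | check_cert_host ibm-team adapter.example.com
printf '%s\n' "$SAMPLE_DEFAULT" | check_cert_host ibm-team adapter.example.com \
    || echo "certificate still needs to be replaced"
```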

What to do next

Set up and deploy the adapter web application from Apache Tomcat. See Starting Apache Tomcat.
