Using HTTPS between servers in Central Server mode

After you have modified your web server, configure your system to use HTTPS between servers in Central Server mode. Central-to-remote communication is done through HTTP or HTTPS. If one server is running HTTPS, you must configure the Java installation that services the other server so that the installation can trust the certificate.

Procedure

  1. Export the certificate from the keystore file that you generated.

    keytool -export -keystore keystore_file -alias machinename -file temporary_file

    For example:

    keytool -export -keystore "/usr/local/rc53/rc.keystore" -alias hawk -file d:\temp\change8600.cer

    Enter keystore password:  (Type your keystore password)
    Certificate stored in file <d:\temp\change8600.cer>
  2. Access the .cer file that you created, and then copy it to the machine where your other Rational® Change server is running.
  3. Change the directory to CHANGE_HOME/jre/bin.
  4. Import the certificate into the Java trusted certificate keystore. For example:

    keytool -import -alias machinename -file the_.cer_file -keystore a_keystore_file

    Use the .cer file that you copied from your other installation. Use the Java trusted certificate file for the keystore, $CCM_HOME/jre/lib/security/cacerts. The keystore default password is changeit.

    keytool -import -alias hawk -file d:\temp\change8600.cer -keystore $CCM_HOME\jre\lib\security\cacerts
    
    Enter keystore password:  changeit
    Owner: CN=192.168.10.10, OU=Development, O=Rational, L=Irvine, ST=Ca, C=US
    Issuer: CN=192.168.10.10, OU=Development, O=Rational, L=Irvine, ST=Ca, C=US
    Serial number: 47e7e301
    Valid from: Mon Mar 24 10:21:05 PDT 2011 until: Sun Jun 22 10:21:05 PDT 2012
    Certificate fingerprints:
         MD5:  5E:B9:05:C0:6E:4D:3F:10:AE:C2:CC:D3:68:29:BC:80
         SHA1: F9:2E:FD:94:F9:6C:E6:B3:82:83:35:52:E4:3B:0B:CB:70:35:19:1A
    Trust this certificate? [no]:  y
    Certificate was added to keystore
  5. Ensure that the first and last name that was entered when the keystore was created (the CN value of the certificate) matches the host name with which the two Rational Change servers are configured.

    Doing so helps avoid warning messages in the event.log file. For example, if a remote server is registered to a central server using the short host name hawk, but the keystore was created with the IP address, the log is populated with the following warnings:

    WARN: HTTPS URL host 'hawk' does not match '190.123.10.10'

    Although the log contains warning messages, the messages do not impact how the system functions.
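
The following script is an added example, not part of the original procedure or of Rational Change. It checks the copied .cer file before you answer the trust prompt in step 4, and reports the host name mismatch from step 5 before it reaches event.log. It assumes that you read the SHA1 fingerprint on the exporting server and pass it in separately; the function names are hypothetical, and the sample text is constructed from the output shown in step 4.

```shell
#!/bin/sh
# Added example (hypothetical helper names): checks to run on the copied .cer
# before step 4, using the text printed by `keytool -printcert -file <cert>`.

# Constructed sample: the certificate details shown in the step 4 output above.
SAMPLE_PRINTCERT='Owner: CN=192.168.10.10, OU=Development, O=Rational, L=Irvine, ST=Ca, C=US
Issuer: CN=192.168.10.10, OU=Development, O=Rational, L=Irvine, ST=Ca, C=US
Certificate fingerprints:
     SHA1: F9:2E:FD:94:F9:6C:E6:B3:82:83:35:52:E4:3B:0B:CB:70:35:19:1A'
SAMPLE_SHA1='F9:2E:FD:94:F9:6C:E6:B3:82:83:35:52:E4:3B:0B:CB:70:35:19:1A'

# Print the CN of the certificate subject (the "Owner:" line).
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/^Owner:.*CN=\([^,]*\).*$/\1/p' | head -n 1
}

# Print the SHA1 fingerprint exactly as keytool shows it.
cert_sha1() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SHA1:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# Strip separators and upper-case, so "f9:2e..." and "F92E..." compare equal.
normalize_fp() {
    tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# precheck_cert PRINTCERT_TEXT REGISTERED_HOST EXPECTED_SHA1
# 0 = safe to import, 1 = host/CN mismatch (event.log warnings), 2 = wrong cert.
precheck_cert() {
    cn=$(cert_cn "$1")
    got=$(cert_sha1 "$1" | normalize_fp)
    want=$(printf '%s' "$3" | normalize_fp)
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "FAIL: fingerprint differs from the exporting server; do not import" >&2
        return 2
    fi
    if [ "$cn" != "$2" ]; then
        echo "WARN: registered host '$2' does not match certificate CN '$cn'" >&2
        return 1
    fi
    echo "OK: fingerprint verified and CN matches '$2'"
}

# Demo on the constructed sample; on a real server pass
# "$(keytool -printcert -file <copied .cer>)" as the first argument.
precheck_cert "$SAMPLE_PRINTCERT" hawk "$SAMPLE_SHA1" || true
```

A return value of 2 means the file is not the certificate that was exported, so it should not be added to cacerts.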

What to do next

Optionally, obfuscate your passwords.
