Configuring Rational DOORS for server security

Server security is an improvement on the current Rational® DOORS® security model. The regular Rational DOORS security model provides a secure connection (with certificates) and client-side authorization and authentication. When enabled, server security replicates a set of security checks on the server.

Server security tasks are handled by interoperation servers. When server security is enabled, the server environment must have three main parts: a Rational DOORS database server, an ActiveMQ message broker, and at least one Rational DOORS interoperation server.

To enable server security, work through the following topics:

  • Authentication methods
  • Configuring and running

Authentication methods

When you use server security, the server components (the Rational DOORS database server and interoperation servers) authenticate users of the client in one of three ways. You can choose which method you want to use:

Authentication method | Description

Username and password

The server verifies the username and encrypted password that is provided by the client.

User keys

The server identifies the user by checking user key mappings with its distinguished name (this information is stored inside the client's certificate). To be able to use this method, all of the Rational DOORS users must be mapped to their corresponding keys, and when they start the client, the correct certificate must be used.

For example, assume that there is a standard Rational DOORS user named test42. To be able to use this method, the system administrator must generate a unique certificate for this user with their information, including a distinguished name (for example: TEST42). Then, the Rational DOORS manager needs to map the test42 user to its certificate by using the distinguished name (this can be done by adding a user key like DN=TEST42). After this mapping configuration, the test42 user can start their Rational DOORS client with this certificate by using -certName <label> in the Rational DOORS desktop shortcut, connect to the Rational DOORS database server, and work as usual.

Username and password and user key

The server first performs the same operations as for user keys, and then the same operations as for username and password.

The default authentication method is username and password. You can change the authentication method using the dbadmin command. See Changing the authentication method.

Restriction:
  • If you are using the Rational Directory Server, you can use only the username and password method.
  • Two-factor authentication is not currently supported with server security.
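
A pre-flight check for the user keys method described above, as an added example that is not IBM's code and not part of the original page: it compares user-key mappings with the distinguished names of issued certificates and reports users who could not be identified by their certificate. The input structures, function name and sample values are constructed; how the mappings are exported from Rational DOORS and whether the server compares distinguished names case-sensitively are assumptions.

```python
from collections import defaultdict

KEY_PREFIX = "DN="  # user key form shown on the page, e.g. DN=TEST42

# Constructed sample data; the export format is an assumption, not a DOORS format.
SAMPLE_USER_KEYS = {
    "test42": ["DN=TEST42"],
    "alice": [],                 # no user key at all
    "bob": ["DN=Bob"],           # certificate was issued as BOB
    "carol": ["DN=SHARED"],
    "dave": ["DN=SHARED"],       # same DN mapped to two users
    "erin": ["DN=ERIN-OLD"],     # DN of a certificate that was never issued
}
SAMPLE_ISSUED_DNS = ["TEST42", "BOB", "SHARED", "FRANK"]


def audit_user_keys(user_keys, issued_dns):
    """Compare user-key mappings with DNs of issued client certificates."""
    issued = set(issued_dns)
    folded = {dn.casefold(): dn for dn in issued}
    owners = defaultdict(set)  # mapped DN -> users that claim it
    report = {"unmapped_users": [], "unknown_dns": [], "case_mismatch": []}

    for user, keys in sorted(user_keys.items()):
        dns = [k[len(KEY_PREFIX):].strip() for k in keys if k.startswith(KEY_PREFIX)]
        if not dns:
            report["unmapped_users"].append(user)  # no key to identify this user
        for dn in dns:
            owners[dn].add(user)
            if dn in issued:
                continue
            if dn.casefold() in folded:
                # Differs only by case; flag for review (matching rules assumed unknown).
                report["case_mismatch"].append((user, dn, folded[dn.casefold()]))
            else:
                report["unknown_dns"].append((user, dn))

    # The page calls for a unique certificate per user, so a shared DN is a finding.
    report["shared_dns"] = sorted((dn, sorted(u)) for dn, u in owners.items() if len(u) > 1)
    report["unused_certs"] = sorted(issued - set(owners))
    return report


if __name__ == "__main__":
    for finding, items in audit_user_keys(SAMPLE_USER_KEYS, SAMPLE_ISSUED_DNS).items():
        print(f"{finding}: {items}")
```

An empty report for every category means each user has a key that matches exactly one issued certificate, which is the precondition the page gives for the user keys method.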