Question & Answer
Question
Cause
Since version 8.0.1.11, ClearCase is stricter and rejects invalid certificates (i.e., expired or with no CN match) coming from the associated Change Request server (Jazz-RTC, ClearQuest, JIRA). See Security Bulletin: Vulnerability in IBM Rational ClearCase with SSL/TLS communications (CVE-2015-5039).
By default, the RTC server uses a self-signed certificate with CN="localhost", which doesn't match the real hostname of the server. Users can still connect to the RTC server through a web browser or an RTC client by accepting a security exception.
However, attempts to access the RTC server with the ClearCase full client fail.
EXAMPLE:
% cleartool lsact -find -provider JCRTC -in FP_Development@/vobs/RTCPVOB
cleartool: Error: A Change Management provider "JCRTC" failed to initialize with an error :
CURL returned status code, "60", and the following message: "SSL certificate problem: self signed certificate".
>cleartool lsact -find -provider JCRTC -in FP_Development@\RTCPVOB
cleartool: Error: A Change Management provider "JCRTC" failed to initialize with an error :
CURL returned status code, "35", and the following message: "GSKIT_object_init,gsk_secure_soc_init fails with err=414, certificate expired".
Answer
A. Microsoft Windows RTC 6.0.x server (using Liberty profile) with UNIX CC 9.0.x client
- Locate the gskit utility on a ClearCase client.
  - /opt/ibm/gsk8/bin/gsk8capicmd (UNIX)
  - C:\Program Files (x86)\IBM\gsk8\bin\gsk8capicmd.exe (Microsoft Windows)
  For details: Managing certificates with IBM GSKit.
- Create a keystore in pkcs12 format. This keystore is needed by WAS Liberty.
  gsk8capicmd -keydb -create -populate -db server.p12 -pw ibm-team -stash -type pkcs12
- Create a certificate with the exact CN.
  gsk8capicmd -cert -create -db server.p12 -stashed -dn "CN=server_hostname,OU=Cloud,O=IBM,C=NL" -expire 4300 -label "My self-signed certificate" -default_cert yes -type pkcs12
- Copy server.p12 and server.sth to the RTC server.
  C:\Program Files\IBM\JazzTeamServer\server\liberty\servers\clm\resources\security
- Open C:\Program Files\IBM\JazzTeamServer\server\liberty\servers\clm\server.xml
- Modify the following line.
  <keyStore id="defaultKeyStore" password="ibm-team" type="PKCS12" location="server.p12"/>
  For details: Liberty:Keystores
- Extract the certificate for the UNIX ClearCase client.
  gsk8capicmd -cert -extract -db server.p12 -stashed -label "My self-signed certificate" -format ascii -target mycert.arm -type pem
- Append the certificate to the client keystore.
  # cat mycert.arm >> /var/adm/rational/clearcase/config/cacert.pem
  For details: Configuring Secure Sockets Layer (SSL)
- Verify that the CMI connection to the RTC server works.
  cleartool lsact -find -provider JCRTC -in FP_Development@/vobs/RTCPVOB
  4@JCRTC : CC_RTC_VS00
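The append to cacert.pem in the procedure above can be wrapped in a few checks so that a re-run, a bundle without a final newline, or an export that carries key material does not damage the client trust store. This is an added example, not IBM's procedure or code; the function names `pem_bodies` and `append_trusted_cert`, the return codes and the `.bak` backup name are assumptions of the example.

```shell
#!/bin/sh
# Guarded form of: cat mycert.arm >> cacert.pem   (added example, hypothetical helper names)
# Returns 0 = appended, 1 = rejected, 2 = certificate already in the bundle.

# Print the base64 body of each complete CERTIFICATE block, one per line.
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

append_trusted_cert() {
    cert=$1; bundle=$2
    [ -r "$cert" ] && [ -w "$bundle" ] || { echo "cannot read $cert or write $bundle" >&2; return 1; }
    # A CA bundle is shared with every client process: key material must never reach it.
    if grep -q 'PRIVATE KEY-----' "$cert"; then
        echo "rejected: $cert contains a private key" >&2; return 1
    fi
    # Expect exactly one complete, non-empty certificate block.
    body=$(pem_bodies "$cert")
    count=$(pem_bodies "$cert" | awk 'END { print NR }')
    if [ "$count" -ne 1 ] || [ -z "$body" ]; then
        echo "rejected: expected 1 certificate in $cert, found $count" >&2; return 1
    fi
    # Re-running the procedure must not add the same certificate twice.
    if pem_bodies "$bundle" | grep -qxF -e "$body"; then
        echo "unchanged: certificate already present in $bundle" >&2; return 2
    fi
    cp -p "$bundle" "$bundle.bak" || return 1
    # A bundle without a final newline would fuse its END line with the new BEGIN line.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$body" | fold -w 64
        printf '%s\n' '-----END CERTIFICATE-----'
    } >> "$bundle"
}

# Demo on constructed files (placeholder base64, not real certificates): sh thisfile demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0E=' '-----END CERTIFICATE-----' > "$d/cacert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtUlRD' '-----END CERTIFICATE-----' > "$d/mycert.arm"
    append_trusted_cert "$d/mycert.arm" "$d/cacert.pem" && cat "$d/cacert.pem"
    rm -rf "$d"
fi
```

On the UNIX client the call would be `append_trusted_cert mycert.arm /var/adm/rational/clearcase/config/cacert.pem`. The function checks the PEM structure only; it does not validate the certificate's CN or expiry date.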
B. Linux RTC 6.0.x server (using Liberty profile) with Microsoft Windows CC 9.0.x client
Related Information
Product Synonym
Rational Team Concert
Document Information
Modified date: 03 November 2020
UID: swg21996408