IBM Support

How to create SSL certificates for the ClearCase integration with Rational Team Concert

Question & Answer


Question

How do you create an SSL certificate for IBM Rational ClearCase and IBM Rational Team Concert integration?

Cause

You can integrate IBM Rational ClearCase with IBM Rational Team Concert (RTC). The integration uses CMI technology, which is bundled with GSKit software on Microsoft Windows and OpenSSL on UNIX.

Since version 8.0.1.11, ClearCase is stricter and rejects invalid certificates (i.e., expired, no CN match) coming from the associated Change Request server (Jazz-RTC, ClearQuest, JIRA). See Security Bulletin: Vulnerability in IBM Rational ClearCase with SSL/TLS communications (CVE-2015-5039).

By default, the RTC server uses a self-signed certificate with CN="localhost", which doesn't match the real hostname of the server. Users can still connect to the RTC server through a web browser or an RTC client by accepting a security exception.

However, attempts to access the RTC server with the ClearCase full client fail.

EXAMPLE:


% cleartool lsact -find -provider JCRTC -in FP_Development@/vobs/RTCPVOB
cleartool: Error: A Change Management provider "JCRTC" failed to initialize with an error :
CURL returned status code, "60", and the following message: "SSL certificate problem: self signed certificate".

>cleartool lsact -find -provider JCRTC -in FP_Development@\RTCPVOB
cleartool: Error: A Change Management provider "JCRTC" failed to initialize with an error :
CURL returned status code, "35", and the following message: "GSKIT_object_init,gsk_secure_soc_init fails with err=414, certificate expired".

Answer

See the following two examples of how to create a valid self-signed certificate.


A. Microsoft Windows RTC 6.0.x server (using Liberty profile) with UNIX CC 9.0.x client
 

  1. Locate the gskit utility on a ClearCase client.

    • /opt/ibm/gsk8/bin/gsk8capicmd (UNIX)
    • C:\Program Files (x86)\IBM\gsk8\bin\gsk8capicmd.exe (Microsoft Windows)

    For details: Managing certificates with IBM GSKit.
     
  2. Create a keystore in pkcs12 format. This keystore is needed by WAS Liberty.
    gsk8capicmd -keydb -create -populate -db server.p12 -pw ibm-team -stash -type pkcs12

     
  3. Create a certificate with exact CN.
    gsk8capicmd -cert -create -db server.p12 -stashed -dn "CN=server_hostname,OU=Cloud,O=IBM,C=NL" -expire 4300 -label "My self-signed certificate" -default_cert yes -type pkcs12

     
  4. Copy server.p12 and server.sth to this directory on the RTC server:
    C:\Program Files\IBM\JazzTeamServer\server\liberty\servers\clm\resources\security

     
  5. Open
    C:\Program Files\IBM\JazzTeamServer\server\liberty\servers\clm\server.xml
     
  6. Modify the following line.
    <keyStore id="defaultKeyStore" password="ibm-team" type="PKCS12" location="server.p12"/>


    For details: Liberty:Keystores
     
  7. Extract the certificate for UNIX ClearCase client.
    gsk8capicmd -cert -extract -db server.p12 -stashed -label "My self-signed certificate" -format ascii -target mycert.arm -type pem

     
  8. Append the certificate to client keystore.
    # cat mycert.arm >> /var/adm/rational/clearcase/config/cacert.pem

    For details: Configuring Secure Sockets Layer (SSL)
     
  9. Verify that the CMI connection to the RTC server works.
    cleartool lsact -find -provider JCRTC -in FP_Development@/vobs/RTCPVOB
    4@JCRTC : CC_RTC_VS00
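
Before step 8, the extracted certificate can be checked for the two conditions that ClearCase rejects (no CN match, expired). The following is an added example, not IBM's or the product's own code; it assumes the openssl command is available on the UNIX client, and the function names and the hostname argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a PEM certificate (such as mycert.arm)
# before it is appended to the ClearCase client bundle. It compares only the
# subject CN, which is the match this page describes.

# cert_cn FILE: print the subject CN of a PEM certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# check_cmi_cert FILE HOSTNAME [MIN_SECONDS_LEFT]
# Returns 0 = usable, 1 = CN does not match HOSTNAME,
#         2 = expired (or expiring within MIN_SECONDS_LEFT),
#         3 = FILE is not a readable PEM certificate.
check_cmi_cert() {
    cert=$1; host=$2; window=${3:-0}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3
    # Hostnames are case-insensitive, so compare in lower case
    cn=$(cert_cn "$cert" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    [ "$cn" = "$want" ] || return 1
    # -checkend N exits non-zero when the certificate expires within N seconds
    openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1 || return 2
    return 0
}

# append_cmi_cert FILE HOSTNAME BUNDLE
# Append FILE to BUNDLE only when the check passes; otherwise leave BUNDLE
# untouched and return the check's status code.
append_cmi_cert() {
    check_cmi_cert "$1" "$2" || return $?
    cat "$1" >> "$3"
}
```

Called as append_cmi_cert mycert.arm server_hostname /var/adm/rational/clearcase/config/cacert.pem, it replaces the plain cat in step 8 and refuses a certificate that still carries CN=localhost.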



     

B. Linux RTC 6.0.x server (using Liberty profile) with Microsoft Windows CC 9.0.x client

  1. Follow the same steps as for example A until step 7.
    The equivalent path on Linux is:
    /opt/IBM/JazzTeamServer/server/liberty/servers/clm

  2. Copy mycert.arm to mycert.cer on the Windows client.

  3. Right-click on mycert.cer, select "Install Certificate" and accept default options.

  4. If the Windows client is a CCRC server then you need to add the certificate to this keystore:
    gsk8capicmd -cert -add -stashed -db "C:\Program Files (x86)\IBM\RationalSDLC\ClearCase\config\ccrc\ccrc_ucmcq_key.kdb" -file mycert.arm

    Then verify that the CMI connection works by setting a task to a webview in ClearTeam Explorer.


Product Synonym

Rational Team Concert

Document Information

Modified date:
03 November 2020

UID

swg21996408