Configuring a secure connection

To enable server security, you must configure the Rational DOORS database server to use secure connections.

Before you begin

Make sure that the server can start in secure mode and accept connections from clients. Here is a check list to verify secure mode configuration (this is for guidance only):

Starting the UNIX servers

About this task

In order to start the UNIX servers do the following:

Procedure

  1. Run configure-festival.sh, which sets the appropriate permissions on the files in the directory structure and installs the JRE.
  2. Start the broker by running broker.start.sh, which is in the root directory of the Rational DOORS Web Access installation.
  3. Start the Rational DOORS database server, enabling server security with the -serverSecurityEnable command-line argument. You must also define the broker host and port using the -serverSecurityBrokerHost BROKER_HOST and -serverSecurityBrokerPort PORT_NUMBER parameters.

    For example:

    doorsd -s $DOORSHOME/data -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost BROKER_HOST -serverSecurityBrokerPort 61616 -serverSecurityEnable

    where
    Switch Parameter Description
    -s $DOORSHOME/data

    ($DOORSHOME is set according to the standard Rational DOORS installation instructions).

    The path to the data files.

    -p 36700

    The port number to connect to the server.

    -serverhostname IBMEDSERV

    The name of the Rational DOORS database server.

    -secure ON

    Must be set to on for security to be enabled.

    -serverSecurity BrokerHost BROKER_HOST

    The server name or IP address of the server hosting the broker.

    -serverSecurity BrokerPort 61616(the default).

    The port number to connect with the broker.

    -serverSecurity Enable  

    Enables server security.

    There are optional logging parameters for the server:
    Switch Description
    -L

    The log level (for example, -L 6).

    -l

    The path and file name of the log file (for example, -l /var/log/doorsd.log).

    Note: Any missing or mistyped parameters can be filled from environment variables or by registry entries if there are any.
  4. Start the interoperation server. This is in the path $DOORSHOME/bin.

    For example:

    doors9 -interop -data 36700@IBMEDSERV –brokerHost MYBROKER –brokerPort BROKERPORT

    where
    Switch Parameter Description
    -interop  

    The command to start the client as an interoperation server.

    -data 36700@IBMEDSERV

    The port number and name of the Rational DOORS database server.

    -brokerHost MYBROKER

    The name of the server hosting the broker.

    -brokerPort BROKERPORT

    The port number of the broker.

    There are optional logging parameters for the interoperation server:
    Switch Description
    -logLevel

    The log level (for example, -logLevel 6).

    -logfile

    The path and file name of the log file (for example, -logfile /var/log/interop.log).

Starting the Windows server

About this task

In order to start the Windows servers do the following:

Procedure

  1. Start the broker by running broker.start.bat, which is in the root directory of the Rational DOORS Web Access installation.
  2. Restart the Rational DOORS database server, enabling server security with the -serverSecurityEnable command-line argument. You must also define the broker host and port using the -serverSecurityBrokerHost HOST and -serverSecurityBrokerPort PORT parameters.

    If you are running the Rational DOORS database server in console mode, enter a command in this format:

    doorsd.exe -debug -s "C:\example\data" -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost BROKER_HOST -serverSecurityBrokerPort 61616 -serverSecurityEnable

    where
    Switch Parameter Description
    -s "C:\example\data"

    The path to the data files.

    -p 36700

    The port number to connect to the server.

    -serverhostname IBMEDSERV

    The name of the Rational DOORS database server.

    -secure ON

    The name of the Rational DOORS database server.

    -serverSecurity BrokerHost BROKER_HOST

    The server name or IP address of the server hosting the broker.

    -serverSecurity BrokerPort 61616 (the default).

    The port number to connect with the broker.

    -serverSecurity Enable  

    Enables server security.

    You can also add optional logging parameters:
    Switch Parameter Description
    -L 6

    The log level.

    -l /var/log/doorsd.l og

    The path and file name of the log file.

    Note: Make sure to stop and disable the Rational DOORS database server service.

    If you are running the Rational DOORS database server from Windows services:

    After the server has been installed, the Rational DOORS database server is registered as a Windows service. By default, secure mode and server security options are disabled. To enable these:

    1. Stop the Rational DOORS database server service.
    2. Open the Properties dialog box for the Rational DOORS database server service.
    3. Enter the correct parameters in the Start parameters field. For example, enter:

      -s "C:\example\data" -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost BROKER_HOST -serverSecurityBrokerPort 61616 -serverSecurityEnable

      For information about the parameters, see the table above.

    4. Start the service.
      Note: Use the Start button in the Properties dialog box. The parameters are discarded when the dialog box is closed.
  3. Start the Rational DOORS interoperation server. This server is the same binary as the Rational DOORS client.

    For example:

    doors.exe -interop -data 36700@IBMEDSERV –brokerHost MYBROKER –brokerPort BROKERPORT

    where
    Switch Parameter Description
    -interop  

    The command to start the client as an interoperation server.

    -data 36700@IBMEDSERV

    The port number and name of the Rational DOORS database server.

    -brokerHost MYBROKER

    The name of the server hosting the broker.

    -brokerPort BROKERPORT

    The port number of the broker.

    You can also add optional logging parameters:
    Switch Parameter Description
    -logLevel 8

    The log level.

    -l "C:\Interop.log"

    The path and file name of the log file.

    Note: If the Rational DOORS database server is running as a Windows service, after you restart Windows, you must restart the broker and the interoperation server(s). Also, attempting to stop the Rational DOORS database server service when the broker is not running can result in Windows timing out and failing to stop the service.

Other information about starting the server

The steps in “Starting the UNIX server” and “Starting the Windows server” are for the Username and password server authentication method. This is the default authentication method. If you must use a different method, you must start the interoperation server and the Rational DOORS clients with a valid certificate. You do this using the -certName NAME argument.

The -serverhostname and -secure switches are for enabling secure connection. This is references in "Before you begin" section.

The server security enable switches are server options. Once server security is enabled with a command-line argument, the server remembers its value on the consequent runs (when no switch for server security is provided).

By default, server security is disabled. Once you enable it, it persists (see the previous note).

To disable server security, use the -serverSecurityDisable switch.

Starting the client

After you start the Rational DOORS database server, connect the Rational DOORS clients to the Rational DOORS database server and run as usual.

If Rational DOORS is configured to use the Rational Directory Server, existing users need to be signed. To do this, start a Rational DOORS client, log in as the Administrator, and run the DXL perm signTdsUsers(). You need to run the DXL once each time you change the Rational DOORS database server.

Setting up a password for dbadmin

After you start the Rational DOORS client, you must set up a password for dbadmin. Set it using the -p switch, and when you run dbadmin, you need to enter the password with the -P switch and the -l switch.

For example, set the password using a command in this format:

dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -p NewPassword

After you assign the dbadmin password, specify each request using a command in this format:

dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -P NewPassword -l

Setting up access to modules

You must make sure that sensitive data is protected by setting up the correct access rights to modules.

When server security is enabled, clients enforce usual access rights to information in the database. A user’s access to the database is the same whether the system is using server security or the classic Rational DOORS security model.

However, if the client is compromised, for example if a user gains unauthorized access to the database, as long as the user has Read access to a module they will have Full access to the contents of the module.

To guard against this possibility, make sure that modules that contain sensitive data are protected. Only allow access to the module if a user needs it. If a user does not need to access a module, do not set their access to Read. Set their access to None. That way, even if a user gains unauthorized access to the database, they will not be able to access the module.

Changing the authentication method

You can change the server security authentication method using dbadmin. When you change the method, you do not need to restart the Rational DOORS database server.

For example, to set the method to user keys, enter:

dbadmin.exe -d 36700@IBMEDSERV -keyDB C:\path\to\certificate\db\client_authentication.kdb -certName DBM1 -P samplePassword -sssAuthenticationMode UserKeys

These are the valid options for the -sssAuthenticationMode switch:

UserKeys
UsernamePassword
UsernamePasswordAndUserKeys

Feedback