To enable server security, you must configure the Rational® DOORS® database server to use secure connections.
Before you begin
Make sure that the server can start in secure mode and accept connections from clients. Use this checklist to verify the secure mode configuration (this information is for guidance only):
- Make sure that the certificate key database is up to date. Make sure that there are no expired certificates. If you are using a different keystore database, the -keydb parameter can be used to specify it when you start the Rational DOORS database server and clients.
- Make sure that the server starts with the correct server host name. If you are running from the command line, set the -serverhostname parameter; otherwise, it is defined by the SERVERHOSTNAME environment variable (or Registry entry). This host name must be the same host that runs the Rational DOORS database server.
- Make sure that the server is restarted with secure mode enabled. From the command line, it is enabled by the -secure ON option. On Windows, if you do not specify it on the command line, it is defined by the secure registry option. This registry value is set to OFF by default. If you do not use the command-line parameters, you must set this option to ON. This key can be found in this path:
\HKEY_LOCAL_MACHINE\SOFTWARE\Telelogic\DOORS_Server\9.5\Config
If you are running on 64-bit Windows, the key is in this path:
\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Telelogic\DOORS_Server\9.5\Config
- Make sure that the clients and interoperation server start with the correct host name. It must be the same as the Rational DOORS database server host name. For example, if the Rational DOORS database server host name is IBMEDSERV, then the client must use IBMEDSERV in the command line (-data 36700@IBMEDSERV), and in the client’s environment this host name must point to the same host that the Rational DOORS database server is running on. You can modify the operating system’s hosts file to point to the host for IBMEDSERV. To summarize:
- The Rational DOORS database server must start with the correct server host name (for example, IBMEDSERV), and in the server environment this host name must resolve to the server itself.
- The Rational DOORS client must connect to the server by the same server host name (for example, specifying the -data 36700@IBMEDSERV parameter in the shortcut) and again this host name in the client environment must resolve to the server’s IP address.
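The host name rule summarized above can be checked on a client machine before the shortcut is rolled out. The following Python sketch is an added example, not IBM code; the function names, the case-insensitive name comparison, and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
import socket

def parse_data_arg(value):
    """Split a client -data value of the form port@host, e.g. 36700@IBMEDSERV."""
    port_text, sep, host = value.strip().partition("@")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"expected port@host, got {value!r}")
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port, host

def system_resolver(host):
    """Addresses the local resolver (DNS or hosts file) returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_client_target(data_arg, server_hostname, server_addresses,
                        resolver=system_resolver):
    """Return a list of problems; an empty list means the names line up."""
    try:
        _port, host = parse_data_arg(data_arg)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Assumption: host names are compared without regard to case.
    if host.casefold() != server_hostname.casefold():
        problems.append(
            f"-data uses {host!r} but the server was started as {server_hostname!r}")
    try:
        resolved = set(resolver(host))
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return problems + [f"{host!r} does not resolve on this machine: {exc}"]
    stray = resolved - set(server_addresses)
    if stray or not resolved:
        problems.append(
            f"{host!r} resolves to {sorted(resolved)}, expected only "
            f"{sorted(server_addresses)}")
    return problems

if __name__ == "__main__":
    # Constructed sample: a hosts file entry that still maps the name to an old address.
    stale_hosts_file = lambda host: {"192.0.2.99"}
    for problem in check_client_target("36700@IBMEDSERV", "IBMEDSERV",
                                       {"192.0.2.10"}, resolver=stale_hosts_file):
        print("FAIL:", problem)
```

Run it with the default resolver on each client, passing the server's real addresses, to catch a short-name versus fully qualified name mismatch or a stale hosts file entry.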
Starting the client
After you start the Rational DOORS database server, connect the Rational DOORS clients to the Rational DOORS database server and run as usual.
If Rational DOORS is configured to use the Rational Directory Server, existing users must be signed. To sign existing users, start a Rational DOORS client, log in as the Administrator, and run the DXL perm signTdsUsers(). You must run the DXL each time you change the Rational DOORS database server.
Setting up a password for dbadmin
After you start the Rational DOORS client, you must set up a password for dbadmin. Set it using the -p switch, and when you run dbadmin, you must enter the password with the -P switch and the -l switch.
For example, set the password with a command in this format:
dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -p NewPassword
After you assign the dbadmin password, specify each request with a command in this format:
dbadmin.exe -d 36700@IBMEDSERV -keyDB "C:\path\to\key\db.kdb" -P NewPassword -l
Setting up access to modules
You must make sure that sensitive data is protected by setting up the correct access rights to modules.
When server security is enabled, clients enforce usual access rights to information in the database. A user’s access to the database is the same whether the system is using server security or the classic Rational DOORS security model.
However, if a user gains unauthorized access to the database, and has read access to a module, they have full access to the contents of the module.
To guard against this possibility, make sure that modules that contain sensitive data are protected. Allow access to the module only if a user needs it. If a user does not need access to a module, do not set their access to read. Set their access to none. That way, even if a user gains unauthorized access to the database, they cannot access the module.
Changing the authentication method
You can change the server security authentication method with dbadmin. When you change the method, it is not necessary to restart the Rational DOORS database server.
For example, to set the method to user keys, enter:
dbadmin.exe -d 36700@IBMEDSERV -keyDB C:\path\to\certificate\db\client_authentication.kdb -certName DBM1 -P samplePassword -sssAuthenticationMode UserKeys
These options are valid for the -sssAuthenticationMode switch:
UserKeys
UsernamePassword
UsernamePasswordAndUserKeys