You can configure your Rational® DOORS® Web Access server to use
Secure Sockets Layer (SSL) or Transport Layer Security (TLS), which
provide secure communications between servers and clients or browsers.
The configuration involves setting Rational DOORS Web Access to use HTTPS
and enabling the HTTPS connector in the Apache Tomcat server that
comes with the product.
Before you begin
To enable Rational DOORS Web Access to use SSL or
TLS, you need a security certificate and a keystore that contains
the server certificate. You can generate a security certificate for
testing purposes, or you can purchase one from a trusted certificate
authority.
If you purchase a certificate, install it on the Tomcat
server by following the instructions from your certificate vendor.
If problems occur when you install the certificate, contact the certificate
vendor.
If you generate a certificate for testing purposes,
you can create and manage a keystore by using the Java™ keytool utility. See Generating keystores and certificates for Rational DOORS Web Access.
In addition to that utility, you can use other resources on the Internet
to create a certificate and install it on the Tomcat server.
Before
you change the configuration, you must stop the Rational DOORS Web
Access server. See the procedures for shutting down the server in Running Rational DOORS Web Access.
Before you update your configuration
files, back them up.
Note: When you finish this procedure, you
must restart Rational DOORS and Rational DOORS Web
Access. If you are reconfiguring a production system, be sure to schedule
enough downtime.
About this task
After you have the keystore, follow this procedure to
configure the Tomcat server that comes with Rational DOORS Web
Access to use HTTPS with the keystore. Then, reconfigure Rational DOORS Web
Access to use HTTPS.
Procedure
- In the installation directory for your Rational DOORS Web
Access server, go to the server/festival/config directory
and open the festival.xml file.
- In the <f:properties> section of the
file, set the ForceHttpsForAuthenticationForOAuth property
to true.
- Save and close the file.
- In the installation directory of your Rational DOORS Web
Access server, go to the server/conf directory
and open the server.xml file.
Attention: Be careful when you change the server.xml file
because incorrect edits can lead to a complete loss of system function.
Before you edit the file, back it up. For more information about configuring
HTTPS and about other methods of configuration, see the Tomcat documentation.
- Go to the section that contains the commented-out HTTPS
connector and do the tasks that are relevant to your security needs,
as documented in the Apache Tomcat Configuration Reference for the HTTP
Connector. Change the HTTPS connector as shown in this
example and as described in the list that follows it.
<!-- Delete this line from the file
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="ABSOLUTE_PATH_TO_YOUR_KEYSTORE_FILE"
keystorePass="YOUR_KEYSTORE_PASSWORD" algorithm="IbmX509"
SSLEnabled="true"
/>
--> Delete this line from the file
The following list presents important tasks; for more HTTP Connector
options, see the Apache Tomcat documentation.
- Enable the HTTPS Connector by removing the first and last lines,
which contain the comment tags. By default, the HTTPS Connector element
is commented out.
- Configure the server to use HTTPS on port 8443. The default HTTPS
port for the Tomcat server and Rational DOORS Web Access is 8443. To use
a different HTTPS port, replace 8443 with the custom port in the server.xml file
and in all of the Rational DOORS Web Access configuration
files that refer to 8443 as the HTTPS port.
- Configure the HTTPS Connector to use your security certificate
by identifying the keystore location and password.
- Configure the Tomcat server to enable SSL. Optionally, you can
set the sslProtocol value to specify a TLS version
for the SSL protocol; for example, sslProtocol="TLSv1.2".
With the default value of sslProtocol="TLS",
the client and server can negotiate the highest version of TLS that
they are both capable of supporting. If you specify a version, refer
to vendor documentation to determine whether your browser supports
that version.
- Save and close the server.xml file.
- Reconfigure the Rational DOORS server to use the correct Rational DOORS Web Access HTTPS URL by running dbadmin at
a command prompt, as described in Configuring the
Rational DOORS database server.
- Restart Rational DOORS and Rational DOORS Web
Access.
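Before you restart, you can check the edited server.xml for the mistakes this procedure most often leaves behind. The following script is an added example, not part of the product or its documentation; the function name, the sample input, and the set of protocol versions treated as outdated are assumptions made for illustration.

```python
import ntpath
import posixpath
import xml.etree.ElementTree as ET

# Placeholder values used in the documentation's connector example.
PLACEHOLDERS = {"ABSOLUTE_PATH_TO_YOUR_KEYSTORE_FILE", "YOUR_KEYSTORE_PASSWORD"}
# Assumption: protocol versions considered too old to pin (not a list from the page).
OLD_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: comment tags removed, but placeholders never replaced.
SAMPLE = """<Server><Service name="Catalina">
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="ABSOLUTE_PATH_TO_YOUR_KEYSTORE_FILE"
  keystorePass="YOUR_KEYSTORE_PASSWORD"/>
</Service></Server>"""


def check_https_connector(server_xml_text, https_port="8443"):
    """Return a list of findings for the HTTPS connector in server.xml text."""
    root = ET.fromstring(server_xml_text)  # XML comments are dropped by the parser
    connectors = [c for c in root.iter("Connector") if c.get("port") == https_port]
    if not connectors:
        return [f"no active Connector on port {https_port} (still commented out?)"]
    conn, findings = connectors[0], []
    for attr, want in (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true")):
        if conn.get(attr, "").lower() != want:
            findings.append(f'{attr} should be "{want}", found {conn.get(attr)!r}')
    keystore = conn.get("keystoreFile", "")
    if not keystore or keystore in PLACEHOLDERS:
        findings.append("keystoreFile is missing or still the placeholder")
    elif not (posixpath.isabs(keystore) or ntpath.isabs(keystore)):
        findings.append(f"keystoreFile is not an absolute path: {keystore}")
    password = conn.get("keystorePass", "")
    if not password or password in PLACEHOLDERS:
        findings.append("keystorePass is missing or still the placeholder")
    protocol = conn.get("sslProtocol", "TLS")
    if protocol in OLD_PROTOCOLS:
        findings.append(f"sslProtocol pins an outdated version: {protocol}")
    return findings


if __name__ == "__main__":
    for finding in check_https_connector(SAMPLE):
        print("FINDING:", finding)
```

To check a real installation, pass the contents of the server/conf/server.xml file to check_https_connector; an empty list means none of these checks failed. The findings never include the keystore password itself.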