Securing WebSphere Application Server

Secure communications between the WebSphere® Application Server used by CLM and the JIRA server before you add CLM OpenSocial gadgets to the JIRA dashboard.

About this task

You must secure the WebSphere Application Server before you use any CLM OpenSocial gadgets that you plan to add to the JIRA dashboard. For more information about WebSphere Application Server communications, see Securing communications.

Procedure

For a single CLM application server topology, extract the signer part of a personal certificate from the keystore and store it in a file. The file can then be used to add the signer to the JIRA keystore. For a distributed CLM application server topology, skip to the next section.

  1. From the admin console, click Security > SSL certificate and key management. The SSL certificate and key management page opens.
  2. Under Related Items, click Key stores and certificates.

  3. On the Key stores and certificates page, select the name NodeDefaultKeyStore. The General Properties page opens for the NodeDefaultKeyStore.
  4. Under Additional Properties, click Personal certificates.

  5. On the Personal certificates page, select the check box next to default.
  6. Click Extract.
  7. On the Extract certificate page, type a unique name with the extension .pem to identify the keystore.

    For example, clm_keystores.pem

  8. Click OK. The signer portion of the personal certificate is stored in the file that is provided.
  9. Verify the file content. Change to the WASInstallDir\AppServer\profiles\profilename\etc directory. Open the file.

    Skip to the next section about importing the certificate.

For a distributed CLM application server topology, extract the certificate from the keystore and store it to a file. The file can then be used to add the signer to the JIRA keystore.

  1. From the admin console, click Servers > Server Types > Web servers. The Web servers page opens.
  2. Under Name, click the IBM® HTTP server that you want to work with.
  3. Under Additional Properties, click Configuration file.
  4. On the Configuration file page, find and note the Keyfile attribute.

    For example, /opt/IBM/HTTPServer/ihsserverkey.kdb

  5. Log in to your IBM HTTP Server.
  6. Find the keystore file ihsserverkey.kdb in the /opt/IBM/HTTPServer directory.
  7. Extract the certificate from the keystore with the gskcapicmd command.

    For more information about this command, see IBM Global Security Kit.

    1. Change to the location of the keystore, /opt/IBM/HTTPServer.
    2. Type this command, substituting your own keystore password and certificate label:
      bin/gskcapicmd -cert -extract -db ihsserverkey.kdb -pw ec11ipse -label "ihsserver" -format binary -target ihs.crt
      A certificate file is created, which you import into the keystore file on the JIRA server.
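
Before you copy the extracted file to the JIRA server, you can check that it holds exactly one certificate and no private key, and record its SHA-256 fingerprint to compare after the import. The following script is an added example, not part of the product documentation; the function names are hypothetical and the sample bytes are constructed stand-ins. It accepts both the .pem file from the single-server procedure and the binary file from the distributed procedure.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_total_length(der: bytes) -> int:
    """Length of the outer DER SEQUENCE (header + content), to catch truncated copies."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; file is not an X.509 certificate")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_cert_file(data: bytes) -> dict:
    """Return the format and SHA-256 fingerprint of an extracted certificate file."""
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if blocks:
        if any("PRIVATE KEY" in label for label, _ in blocks):
            raise ValueError("file contains a private key; extract the certificate only")
        certs = [body for label, body in blocks if label == "CERTIFICATE"]
        if len(certs) != 1:
            raise ValueError(f"expected 1 certificate, found {len(certs)}")
        der, fmt = base64.b64decode("".join(certs[0].split()), validate=True), "pem"
    else:
        der, fmt = data, "der"             # binary output, as produced by -format binary
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    digest = hashlib.sha256(der).hexdigest().upper()
    return {"format": fmt, "sha256": ":".join(digest[i:i + 2] for i in range(0, 64, 2))}

# Constructed stand-in bytes with a valid outer DER header (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("clm_keystores.pem", SAMPLE_PEM), ("ihs.crt", SAMPLE_DER)):
        print(name, inspect_cert_file(blob))
```

The fingerprint is computed over the DER encoding, so the PEM and binary forms of the same certificate give the same value, in the colon-separated form that certificate tools display.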

Import the certificate file into the JIRA keystore.

  1. Copy the certificate file that you extracted from WebSphere Application Server to a temporary location on your JIRA server.
  2. Back up the cacerts file, which contains the keystore for JIRA. Change the directory to JIRAInstallDir\jre\lib\security to locate the cacerts file.
  3. Open a command window and change to the JIRAInstallDir\jre\bin directory.
  4. Type this command:
    keytool -import -file TempFileLocation\NameofCertificateFile -alias clm_keys -keystore JIRAInstallDir\jre\lib\security\cacerts
  5. When prompted for a password, type changeit
  6. When prompted for Trust this certificate, type Yes. A message displays indicating that the certificate was added to the keystore.
  7. Restart the JIRA server.

Configure OAuth to complete the authentication between JIRA and the Change and Configuration Management server. You register the JIRA server as a consumer by using the JIRA consumer key and public key for the JIRA server.

  1. Log in to your JIRA server with administrative privileges.
  2. Open the OAuth Administration page. For example, http://YourJIRAhostname/plugins/servlet/oauth/view-consumer-info
  3. Find the consumer key and the public key for the JIRA server.
  4. Point your browser to one of the following URLs by using the default context root value:
    1. https://fully qualified hostname:port/jts/admin

      Log in to the Rational® Requirements Composer server by using an account that has administrator privileges.

    2. https://fully qualified hostname:port/ccm/admin

      Log in to the Rational Team Concert™ server by using an account that has administrator privileges.

    3. https://fully qualified hostname:port/qm/admin

      Log in to the Rational Quality Management server by using an account that has administrator privileges.

  5. On the Server Administration page:
    • For jts/admin, click the Server tab.
    • For ccm/admin, click the Application tab.
    • For qm/admin, click the Application tab.
  6. Click Consumers(Inbound).
  7. For the Consumer Key, click Click here to pick up the consumer key instead. Copy the Consumer Key from the OAuth Administration page and paste it into the Consumer Key field on the Consumers(Inbound) page.
  8. In the Consumer Name field, enter a name that you want to use to identify the consumer.
  9. For the Consumer Public Key, click Click here to use a shared secret instead. Copy the Consumer Public Key from the OAuth Administration page and paste it into the Consumer Public Key field on the Consumers(Inbound) page.

  10. Click Register. The consumer key is registered and the authorized key is added to the list of OAuth consumers.

Results

Communication is secured between the WebSphere Application Server used by CLM and the JIRA server. When you add the CLM OpenSocial gadgets to the JIRA dashboard, data can display in the gadget.

What to do next

Add CLM OpenSocial gadgets to the JIRA dashboard. See Adding to the JIRA dashboard.
