Unable to force an SSL connection to the Change Management Server (CM Server)
After following the Information Center help topic "Forcing an SSL connection with CM Server", port 12080 still functions. This tech note describes two ways to disable port 12080 for CM Server.
Port 12080 still functions after enabling application security in CM Server.
Resolving the problem
Note: If using CM Server and ClearCase Remote Client version 7.1 and SSL does not work, see Unable to connect via SSL in ClearCase Remote Client version 7.1.
There are two options for disabling port 12080.
Option 1 is preferred if load balancing is not enabled.
This option can still be used if load balancing is enabled. Note, however, that traffic between the load balancer host and the CM Server cluster will not be secure. This might not be a problem in some environments because users will perceive the connection to be secure.
To disable port 12080 using Option 1:
- Log in to the CM Server administrative console. The console is typically located at the following URL: https://<CM server hostname>:12043/ibm/console
- Click Servers -> Application Servers -> server1 -> Ports -> WC_defaulthost
- Change the value of the Host field from * to the name of the CM Server host. If load balancing is used, change the value of the Host field from * to the name of the load balancer host.
- Click Apply.
- Save the configuration and restart CM Server.
Option 2 is more secure but more difficult to configure. With this option, all traffic between end users, the load balancer hosts, and the CM Server cluster is secured by SSL encryption.
The following steps assume that load balancing is configured. Load balancing is discussed in the technote titled, Change Management (CM) Server load balancing with IBM HTTP Server for CCRC - new in 220.127.116.11.
To disable port 12080 using Option 2:
- Enable administrative and application security for CM Server if it is not already enabled. See the ClearCase Information Center for details.
- For each CM Server, update the default SSL certificate with ikeyman. The default SSL file key.p12 resides in the following directory:
- On the Unix system and Linux: /opt/IBM/RationalSDLC/common/CM/profiles/cmprofile/config/cells/dfltCell/nodes/dfltNode
- On Windows:
7.1.0.x: C:\Program Files\IBM\RationalSDLC\common\CM\profiles\cmprofile\config\cells\<machine>CMProfileNode01Cell\nodes\<machine>CMProfileNode01
7.1.1: C:\Program Files\IBM\RationalSDLC\common\CM\profiles\cmprofile\config\cells\dfltCell\nodes\dfltNode
- Open ikeyman.
- On the Unix system and Linux: /opt/IBM/RationalSDLC/common/IHS/bin/ikeyman
- On Windows: C:\Program Files\IBM\RationalSDLC\common\IHS\bin\ikeyman.bat
- Action type: Export Key
- Key file type: PKCS12
- File Name: <hostname>.p12
- On the Unix system and Linux: /opt/IBM/RationalSDLC/common/eWAS/profiles/plugin-cfg.xml
- On Windows: C:\Program Files\IBM\RationalSDLC\common\eWAS\profiles\plugin-cfg.xml
- Replace the following line:
- Note the additional Property lines. Verify that the path to the key file is the same as is defined in common/IHS/conf/ssl.conf.
- For the system designated as the the IHS (IBM HTTP Server) load balancer: Follow the steps to configure an IHS load balancer in addition to making the substitution for the Transport line just mentioned.
<Transport Hostname="localhost" Port="12080" Protocol="http"/>
with these lines:
<Transport Hostname="localhost" Port="12443" Protocol="https">
<Property Name="keyring" value="/opt/IBM/RationalSDLC/common/IHS/key.kdb"/>
<Property Name="stashfile" value="/opt/IBM/RationalSDLC/common/IHS/key.sth"/>
- Using ikeyman, open or create the following file:
- On the Unix system and Linux: /opt/IBM/RationalSDLC/common/IHS/key.kdb
- On Windows:
- If you are creating the key, ensure that you stash the password to a file.
- Select Servers->Application servers->server1: Expand Web Container Settings
- Click Web container transport chains.
- Click WCInboundDefault.
- Deselect Enabled and save settings.
Observe the following behaviors with either option:
- In a browser window, http://<CM server hostname>/TeamWeb/services/Team should redirect to https://<CM server hostname>/TeamWeb/services/Team. In the CCRC eclipse client, only the SSL URL should function.
- http://<CM server hostname>:12060/ibm/console should redirect to https://<CM server hostname>:12043/ibm/console
- http://<CM server hostname>:12080/TeamWeb/services/Team should fail.
- https://<CM server hostname>:12043/ibm/console should function.
- https://<CM server hostname>:12443/TeamWeb/services/Team should function.
Review the log file /opt/IBM/RationalSDLC/common/IHS/logs/http_plugin.log for errors. Set TRACE on in the file /opt/IBM/RationalSDLC/common/IHS/conf/httpd.conf to get finer details.
More support for:
Software version: 7.1, 18.104.22.168, 22.214.171.124, 7.1.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1405908
Modified date: 13 November 2009