IBM Support

Validate hostnames cerificate authentication chains in ClearQuest HTTPS clients

Fix Readme


Abstract

IBM Rational ClearQuest was vulnerable to attacks on its SSL/TLS communications due to improper validation of server certificates. Starting with version 8.0.1.16 and 9.0.1.4, ClearQuest can now prevent these attacks by verifying a certificate’s hostname and certificate chain. By default, this version of ClearQuest will strictly check certificates. ClearQuest EmailRelay will not work with an HTTPS URL for ClearQuest unless it uses a JRE with a keystore that trusts the ClearQuest HTTPS certificate. Likewise, ClearQuest Web will not trust an external OSLC provider with an HTTPS URL (such as Jazz), if the WebSphere environment hasn’t been configured to trust that certificate.

Content

ClearQuest Web will not connect to Jazz applications using Hyper Text Transfer Protocol Secure (HTTPS) unless the IBM Jazz HTTPS certificate or its signer is trusted.

Since ClearQuest EmailRelay typically resides in ClearQuest Web, trusted signers and certificates will go in the WebSphere Application Server (WAS) profiles default trust store, just like trusted signers and certificates for Simple Mail Transfer Protocol (SMTP). For more information see Importing a keystore certificate into WebSphere for use with the EmailRelay service and Secure communications using Secure Sockets Layer (SSL) in the IBM Knowledge Center.

For ClearQuest EmailRelay, new options have been added to the email relay configuration command:
            [-sslprotocols <comma separate list of SSL protocols to support, e.g. TLSv1,TLSv1.1,TLSv1.2>]    

            [-sslverifyhost <yes | no> (default is yes) ]
            [-ssltrustselfsigned <yes | no> (default is no) ]
            [-ssltrustany <yes | no> (default is no) ]          

For ClearQuest Web, this can be configured in the cqrest.properties file which lives in the WAS profile. There are already technotes that describe how to modify this file. These are the options available:

# For SSL configuration of outgoing http connections
# comma separate list of allowed protocols. Default is
# "TLSv1,TLSv1.1,TLSv1.2"
com.ibm.rational.cm.web.component.https.protocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.rational.cm.web.component.https.trust_selfsigned=false
com.ibm.rational.cm.web.component.https.verify_hostnames=true
com.ibm.rational.cm.web.component.https.trust_any=false

For more details, see the Configuring the Rational ClearQuest Web properties files topic in the IBM Knowledge Center.
Note, there is a difference between verifying certificate chains and checking hostnames. You can have a valid certificate chain, for example, signed by a valid CA, but have an invalid hostname. This situation can happen if someone stole the certificate and tried to use it on a different host.
To be fully secure you need to verify the hostname and the certificate chain.

 

 

 

Document information

More support for: Rational ClearQuest

Component: ClearQuest Web

Software version: 9.0.1.4

Operating system(s): Windows

Reference #: 0719815

Modified date: 09 August 2018