IBM Support

How to set up Rational Team Concert with Apache Tomcat to use your own CA certificate

Technote (FAQ)


How do you set up Apache Tomcat to use your own certificate - an unknown-CA certificate?


For security reasons, you may want to use your own Certificate Authority certificates instead of a self-signed certificate or a well-known trusted CA certificate such as from Verisign or Thawte.


To use your own Certificate Authority or to use a well-known Certificate Authority, you need to perform these steps with IBM Certificate Management - ikeyman.

Launch ikeyman.exe if using Windows or ./ikeyman with Unix. Find under c:/Program Files/IBM/JazzTeamServer/conf/jre/bin for Windows or /opt/IBM/JazzTeamServer/conf/jre/bin under Unix.

For UNIX platforms, be sure ikeyman has execute permissions to run the utility.

If you have problems launching ikeyman on a 64-bit Unix platform, review 1433415: Error running IBM Certificate Management on a 64-bit UNIX system used with IBM Rational Team Concert for System z.

  1. Create a JKS keystore file or use the existing default file called ibm-team-ssl.keystore

    a. Select Create/KeyDatebase File or Open/KeyDatabase File

    b. Select Key database type of JKS. If using the existing default file, browse to ibm-team-ssl.keystore.

    c. Select OK and type in a password and repeat the password.

    If using the existing default file, type in the password "ibm-team" and repeat.

    The file is either created or the existing Key Database file opens.

  2. Create a certificate request to the Certificate Authority

    If the CA is not a well-known trusted, then fill out the appropriate information for your company's security group.

    If the CA is well-known trusted such as Verisign or Thawte, submit to them.

    Create/New Certificate Request.

  3. Once you receive the corresponding certificate, save the text to a file and save it in a text editor with the .arm extension. It should have a Begin Certificate and End Certificate boundary.

  4. Select Receive and point to the certificate file that you just saved.

    The accompanying Certificate Request should be listed in the Key Database Content.

    If you View the certificate, you should see under Issued By CN= the Certificate Authority - such as Versign, Thawte, or your company's Certificate Authority.

  5. Some certificates are issued as a chain and require that the intermediate certificate as well as the root certificate are added. In this situation, you would change the Certificate type to Signer and select Add to add the intermediate certificate to the keystore or

    select Populate to populate the keystore with the well-known Certificate Authorities' certificates.

  6. Select KeyDatabase File/Save As to save your changes.

  7. If you are using the existing default keystore, you will need to remove/delete the old self-signed certificate, as the first certificate found is called before any newly added certificates.

  8. If you created a new keystore file, edit the Apache TomCat server.xml to indicate the new certificate and password.

    Replace the keystoreFile="ibm-team-ssl.keystore" with the name of your keystore file and keystorePass="ibm-team" with the name of your keystore password.

    If you used the existing keystore file, then you do not have to change these settings.

  9. Restart the server.

Cross Reference information
Segment Product Component Platform Version Edition
Software Development Rational Team Concert Core Components

Document information

More support for: Rational Team Concert for System z
Core Components

Software version: 2.0,,

Operating system(s): Linux

Reference #: 1442170

Modified date: 07 July 2011