IBM Support

How to use SSL with ClearCase Remote Client and ClearCase WAN Server

Question/Answer


Question

How do you configure and use SSL with the CCRC client and CCRC WAN Server?

Answer

Procedure:

  1. How IBM Rational ClearCase Remote Client (CCRC) handles and stores SSL certificates for use during secure (HTTPS) connections to IBM Rational CCRC WAN Server

    The CCRC client looks for the certificate presented by the HTTPS server in the following keystores, in this order:
    • JRE-maintained truststore of known SSL certificates: <JRE_ROOT_DIR>/lib/security/jssecacerts
      or
      <JRE_ROOT_DIR>/lib/security/cacerts

      where <JRE_ROOT_DIR> is the JRE install directory.
    • The per-user truststore: <USER_HOME>/.keystore, commonly used by some applications.
    • CCRC-specific truststore: <USER_HOME>/.keystore_clearcase
      Add public (that is, self-signed or internally issued) certificate authority root keys to this truststore.
    • (V9.0 and later) CMAPI-specific exception truststore: <USER_HOME>/.keystore_clearcase_exc

    If the certificate presented to the client by the HTTPS server is found in any of these stores, it is accepted by the client without user action. The certificate can also be part of a certificate "chain". As long as some certificate in the chain is found in the truststores, the connection succeeds.

    If a CCRC user is presented with this prompt:

    [Screenshot of the CCRC "Problem with Security Certificate" dialog; image not reproduced here]

    This means that the client has not found the server's certificate (or any certificate in its chain) in the truststores listed above, and the user must take some action. If the user chooses the selection to "Install this certificate permanently", CCRC stores the certificate in <USER_HOME>/.keystore_clearcase. In V9.0 and later releases, the certificate is treated as an exception and stored in <USER_HOME>/.keystore_clearcase_exc.

    The "jssecacerts" and "cacerts" files are included with the JRE. They are pre-filled with certificates from "certifying authorities" (such as Verisign or Thawte). Commercially signed certificates (from vendors such as Verisign or Thawte) are presented to the client as part of a certificate chain that ends in a certificate that is already in one of the "cacerts" files. If a commercially signed certificate is not available, CCRC administrators can create a "self-signed" certificate. This certificate is not in the "cacerts" files and must be handled explicitly, either by manually importing it into the <USER_HOME>/.keystore or <USER_HOME>/.keystore_clearcase truststores or by installing the certificate via the CCRC "Problem with Security Certificate" dialog. A certificate can be manually installed using the keytool utility, which is included with the JRE. For examples of using keytool, refer to tech note http://www-01.ibm.com/support/docview.wss?uid=swg21976656 and the Oracle reference documentation on keytool.
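The following script is an added example, not part of the IBM tech note: it lists which of the truststores named above exist for a given JRE and user home (in the lookup order the note gives), and imports a self-signed or internal CA certificate into the CCRC-specific truststore with the JRE's keytool, then confirms the alias is present. The JKS store type and the store password "changeit" are assumptions used as placeholders (the note does not state them); Java reads certificate entries from a JKS truststore without the password, so the password only protects the file's integrity check.

```shell
#!/bin/sh
# Added example (not from the IBM tech note). Helpers around the truststores CCRC consults.
# Assumptions: JKS store type and the placeholder password "changeit" (not stated in the note).

# ccrc_truststores JRE_ROOT USER_HOME
# Print the candidate truststores that exist, one per line, in CCRC's lookup order.
# Nothing printed means no store is present and the client will end up at the
# "Problem with Security Certificate" prompt for any certificate it sees.
ccrc_truststores() {
    jre=$1; home=$2
    for f in "$jre/lib/security/jssecacerts" "$jre/lib/security/cacerts" \
             "$home/.keystore" "$home/.keystore_clearcase" "$home/.keystore_clearcase_exc"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# import_ca_cert CERT_FILE KEYSTORE ALIAS [STOREPASS]
# Import a CA certificate (PEM or DER) as a trusted entry. keytool creates the
# keystore file if it does not exist yet; an empty placeholder file must not be there.
import_ca_cert() {
    cert=$1; store=$2; alias=$3; pass=${4:-changeit}
    keytool -importcert -noprompt \
        -alias "$alias" -file "$cert" \
        -keystore "$store" -storetype JKS -storepass "$pass"
}

# has_alias KEYSTORE ALIAS [STOREPASS]
# Succeed only if the alias is present: the post-import check before retrying the client.
has_alias() {
    keytool -list -keystore "$1" -storetype JKS -storepass "${3:-changeit}" -alias "$2" >/dev/null 2>&1
}

# Stand-alone use: sh ccrc_truststores.sh <JRE_ROOT> <USER_HOME>
if [ $# -eq 2 ]; then ccrc_truststores "$1" "$2"; fi
```

Run it once with the JRE root and the user's home directory to see which stores the client can consult, then import the CA certificate with import_ca_cert into <USER_HOME>/.keystore_clearcase and verify with has_alias before restarting CCRC.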
       
  2. Additional Java Runtime Environment (JRE) libraries required with large encryption keys

    In accordance with United States export restrictions, the Java version in use may have limited encryption key sizes. In order to successfully communicate with a server when a large key size is in use, you must replace the bundled encryption policy files with the unrestricted files published by IBM. These are called "Unrestricted JCE Policy files for SDK".

    Procedure to obtain these files:
    1. Go to the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
    2. Click J2SE 6.0.
    3. Click IBM SDK Policy files in the "Contents" pane on the left.
      The Unrestricted JCE Policy files for SDK web page is displayed.
    4. Click Sign in and provide your IBM ID and password, or register with IBM to download the files.
    5. Select Unrestricted JCE Policy files for SDK Java 5.0 SR16, Java 6 SR13, Java 7 SR4 and later versions and click Continue.
    6. View the license agreement and then click I Agree.
    7. Click Download Now.
    8. Install the files:
      1. Extract the file unrestricted.zip into a directory of your choice in Windows.
      2. Copy the two .jar files from the extraction directory to the following directories:
        • If you are using a specific JDK version, then copy them to $JAVA_HOME/jre/lib/security
        • If you are using Weblogic AS, then copy them to WAS_HOME/java/jre/lib/security
    9. In the case of Weblogic AS, restart the Weblogic server for this change to take effect.
       
  3. SP800-131 security standard compliance in CCRC (client)

    IBM Rational ClearCase Remote Client versions 8.0.0.9 and newer include support for TLSv1.2 (default setting). CCRC can communicate with a server enforcing TLSv1.2, and is tolerant of SSL communication with a server not enforcing TLSv1.2.

    Support for TLSv1.2 is included in IBM JRE 6 SR12 or newer, or Oracle JRE 7. CCRC and CMAPI do not yet support Oracle JRE 7.

    Disable SP800-131 compliance
    In special cases where a customer must disable SP800-131 compliance, the CCRC user may set a CCRC-specific property, introduced in CCRC version 8.0.0.10.

    Add -vmargs -Dcom.ibm.rational.clearcase.transport.client.protocol=TLS in the application *.ini file or on the startup command line.

    Note: SP800-131 compliance cannot be disabled if the JRE property com.ibm.jsse2.sp800-131=strict is set (this setting may be required by other plugins or applications, e.g. IBM Rational Team Concert, sharing the same Eclipse instance with CCRC).

    Enforce SP800-131 compliance
    Plugins or applications, such as IBM Rational Team Concert, sharing an Eclipse instance with CCRC may enforce SP800-131 compliance by setting -vmargs -Dcom.ibm.jsse2.sp800-131=strict. In this case, the CCRC-specific property -vmargs -Dcom.ibm.rational.clearcase.transport.client.protocol must be set to TLSv1.2. With these property settings, CCRC will not accept an SSL handshake with a server which does not communicate using TLSv1.2.
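The script below is an added example and not part of the IBM tech note. It sets the CCRC transport property described in this section in an Eclipse-style *.ini file (one argument per line, JVM arguments after the -vmargs line) and checks the combination the note warns about: com.ibm.jsse2.sp800-131=strict together with a protocol value other than TLSv1.2, which would leave CCRC unable to complete a handshake. The file name ccrc.ini and the one-argument-per-line layout are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the IBM tech note): maintain and check the CCRC transport
# protocol property in an Eclipse-style *.ini file.
# Assumption: one argument per line, with JVM properties listed after "-vmargs".

PROTO_KEY='-Dcom.ibm.rational.clearcase.transport.client.protocol'
SP800_KEY='-Dcom.ibm.jsse2.sp800-131'

# get_ini_value KEY INI : print the value of "KEY=value" (last occurrence wins), or "unset".
get_ini_value() {
    key=$1; ini=$2
    awk -v key="$key" '
        index($0, key "=") == 1 { v = substr($0, length(key) + 2) }
        END { print (v == "" ? "unset" : v) }' "$ini"
}

# set_ccrc_protocol INI VALUE : write PROTO_KEY=VALUE after -vmargs, replacing any earlier
# setting so the file carries exactly one, unambiguous value (e.g. TLS or TLSv1.2).
set_ccrc_protocol() {
    ini=$1; value=$2
    grep -q '^-vmargs$' "$ini" || printf '%s\n' '-vmargs' >> "$ini"
    awk -v key="$PROTO_KEY" 'index($0, key "=") != 1' "$ini" > "$ini.tmp"
    printf '%s=%s\n' "$PROTO_KEY" "$value" >> "$ini.tmp"
    mv "$ini.tmp" "$ini"
}

# check_sp800_131 INI : succeed if the settings are consistent with the note; fail (status 1)
# when strict mode is enabled but the CCRC property does not pin TLSv1.2.
check_sp800_131() {
    ini=$1
    strict=$(get_ini_value "$SP800_KEY" "$ini")
    proto=$(get_ini_value "$PROTO_KEY" "$ini")
    if [ "$strict" = "strict" ] && [ "$proto" != "TLSv1.2" ]; then
        echo "conflict: $SP800_KEY=strict requires $PROTO_KEY=TLSv1.2 (found: $proto)"
        return 1
    fi
    echo "ok: sp800-131=$strict, protocol=$proto"
    return 0
}

# Stand-alone use: sh ccrc_ini_check.sh /path/to/ccrc.ini  (ccrc.ini is a constructed name)
if [ -n "${1:-}" ]; then check_sp800_131 "$1"; fi
```

Run check_sp800_131 against the ini file after another plugin has been installed into the same Eclipse instance; a non-zero exit status means strict mode was introduced without the matching TLSv1.2 setting, and set_ccrc_protocol "$ini" TLSv1.2 restores the combination the note requires.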
     
  4. SP800-131 security standard compliance in CCRC WAN Server

    SP800-131 compliance must be configured in WAS.
     
  5. SSL communication between CCRC WAN Server and ClearQuest Web

    For access to ClearQuest-enabled UCM projects in CCRC, the CCRC WAN Server can be configured to communicate with the ClearQuest Web server using SSL (URL specified in cq-db-mapfile.conf). The CCRC WAN Server does not handle SSL exceptions, so special certificate management is not required, but the system administrator must verify that the certificates are valid to ensure successful communication with the CQWeb server. This can be done by accessing the URL for ClearQuest Web from a browser running on the machine that hosts the CCRC WAN Server.

    (Windows only)
    If you experience login failures with ClearQuest in CCRC using CCRC WAN Server versions 8.0.0.5 - 8.0.0.9, contact IBM Rational support for a fix.

Document information

More support for: Rational ClearCase

Component: ClearCase Remote Client

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15, 8.0.0.16, 8.0.0.17, 8.0.0.18, 8.0.0.20, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8, 8.0.1.9, 8.0.1.10, 8.0.1.11, 8.0.1.12, 8.0.1.13, 8.0.1.14, 8.0.1.15, 8.0.1.16, 8.0.1.17, 8.0.1.18, 8.0.1.19, 8.0.1.20, 8.0.1.21, 9.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.0.6, 9.0.1, 9.0.1.1, 9.0.1.2, 9.0.1.3, 9.0.1.4, 9.0.1.5, 9.0.1.6, 9.0.1.7

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1666060

Modified date: 20 June 2019