To enable server security, you must configure the IBM® Engineering Requirements Management DOORS® (DOORS) database server to use secure connections.
Before you begin
If these components are not installed, install them:
- DOORS database server
- DOORS interoperation server
- ActiveMQ message broker
Note: You can use the ActiveMQ message broker that is provided with IBM Engineering Requirements Management DOORS - Web Access (DWA) by running the installer. However, you are not required to configure DWA or run the DWA server to use the broker for server security. You can expect server security to use significantly fewer interoperation servers than DWA. Starting two DOORS interoperation servers for server security is sufficient for most system loads, but more may be required as the number of users increases.
Verify that your certificates are valid and not expired. You can use a sample set of
certificates to validate your configuration, but do not use them for production.
The DOORS clients, interoperation server, and database server must use the correct server host name. For example, when you use the sample certificates, the server host name must be specified as IBMEDSERV and the clients must connect to the server by using that host name.
Note: You do not need to use the sample certificates that are provided with DOORS. However, if you use another certificate, you must use the -keyDB and -certName parameters for the client, interoperation server, and database server.
Important: Only whitelisted interoperation servers can connect to the database server. You must create a whitelist.dat file at the same level as the v6data directory (that is, at the top of the DOORS data directory). If the DOORS database server is started with the -secureInteropByIP switch, the whitelist.dat file must contain the host name or IP address of each computer that runs an interoperation server. If the DOORS database server is started without the -secureInteropByIP switch, the whitelist.dat file must contain the SHA256 fingerprint of the certificate on each computer that runs an interoperation server.
About this task
Follow this procedure to enable server security for the platform where your server is installed. When you start the DOORS database server with the -serverSecurityEnable switch, the option is persistent, so server security remains enabled when you restart the server. On subsequent restarts, you can omit that switch.
Procedure
- To start the servers on a Windows system, follow these steps:
  - If you are not using DWA, start the ActiveMQ broker. Otherwise, skip to the next step. To start the broker, run broker.start.bat, which is in the root directory of the DWA installation.
  - Start the DOORS database server, enabling server security by entering the -serverSecurityEnable command-line argument.
  - Define the ActiveMQ broker host name and port by using the -serverSecurityBrokerHost HOST and -serverSecurityBrokerPort PORT parameters. If you are running the DOORS database server in console mode, enter a command in this format:
    doorsd.exe -debug -s "C:\example\data" -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost IBMEDSERV -serverSecurityBrokerPort 61616 -serverSecurityEnable -secureInteropByIP
    Important: -secureInteropByIP is an optional switch that allows connections from interoperation servers by host name or IP address. If you do not use this switch, the whitelist.dat file must contain the SHA256 fingerprint of the certificate.
    where (the table lists the long forms -serverdata and -portnumber, which the command abbreviates to -s and -p):

    Switch | Parameter | Description
    --- | --- | ---
    -serverdata | "C:\example\data" | The path to the data files
    -portnumber | 36700 | The port number to connect to the server
    -serverhostname | IBMEDSERV | The name of the DOORS database server
    -secure | ON | A switch that must be set to ON for security to be enabled
    -serverSecurityBrokerHost | IBMEDSERV | The server name or IP address of the server that is hosting the ActiveMQ broker
    -serverSecurityBrokerPort | 61616 (the default) | The port number to connect with the ActiveMQ broker
    -serverSecurityEnable | | The switch that enables server security
    -secureInteropByIP | | If you use this switch, the whitelist.dat file must contain host names or IP addresses. Otherwise, the file must contain the SHA256 fingerprint of the certificate.
    The DOORS database server installs as a Windows service. By default, the secure mode and server security options are disabled.
  - If you want to enable the service for the secure mode and server security options, follow these steps:
    - Stop the DOORS database server service.
    - Open the Properties window for the DOORS database server service.
    - Enter the correct parameters in the Start parameters field. For example:
      -serverdata "C:\example\data" -portnumber 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost IBMEDSERV -serverSecurityBrokerPort 61616 -serverSecurityEnable -secureInteropByIP
    - Start the service: in the Properties window, click Start. The parameters are discarded when the window is closed.
  - If you are not using DWA, start the DOORS interoperation server. Otherwise, skip to the next step. This server is the same binary as the DOORS client. For example:
    doors.exe -interop -data 36700@IBMEDSERV -brokerHost IBMEDSERV -brokerPort 61616 -sssServer
    Attention: You must have at least one interoperation server that uses the -sssServer switch, so that it can be recognized as the secure interoperation server.
    where

    Switch | Parameter | Description
    --- | --- | ---
    -interop | | The command to start the client as an interoperation server
    -data | 36700@IBMEDSERV | The port number and name of the DOORS database server
    -brokerHost | IBMEDSERV | The name of the server that is hosting the broker
    -brokerPort | 61616 | The port number of the broker
    -sssServer | | The database server recognizes the interoperation server as secure
    Note: If the DOORS database server is running as a Windows service, you must restart the broker and the interoperation server after you restart Windows.
  - If the database is configured to use IBM Rational® Directory Server, existing users must be signed. To sign existing users, log in to a DOORS client as an administrator. From the edit DXL interface, enter this command: signTdsUsers().
- To start the servers on a Linux system, follow these steps:
  - If you are not using DWA, start the broker. Otherwise, skip to the next step. To start the broker, run broker.start.sh, which is in the root directory of the DWA installation.
  - Start the DOORS database server and use the -serverSecurityEnable command-line switch to enable security.
  - Define the broker host and port by using the -serverSecurityBrokerHost HOST and -serverSecurityBrokerPort PORT parameters. For example:
    doorsd -s $DOORSHOME/data -p 36700 -serverhostname IBMEDSERV -secure ON -serverSecurityBrokerHost IBMEDSERV -serverSecurityBrokerPort 61616 -serverSecurityEnable -secureInteropByIP
    Important: -secureInteropByIP is an optional switch that allows connections from interoperation servers by host name or IP address. If you do not use this switch, the whitelist.dat file must contain the SHA256 fingerprint of the certificate.
    where (the table lists the long forms -serverdata and -portnumber, which the command abbreviates to -s and -p):

    Switch | Parameter | Description
    --- | --- | ---
    -serverdata | $DOORSHOME/data | The path to the data files
    -portnumber | 36700 | The port number to connect to the server
    -serverhostname | IBMEDSERV | The name of the DOORS database server
    -secure | ON | A switch that must be set to ON for security to be enabled
    -serverSecurityBrokerHost | IBMEDSERV | The server name or IP address of the server that is hosting the ActiveMQ broker
    -serverSecurityBrokerPort | 61616 | The port number to connect with the ActiveMQ broker
    -serverSecurityEnable | | The switch that enables server security
    -secureInteropByIP | | If you use this switch, the whitelist.dat file must contain host names or IP addresses. Otherwise, the file must contain the SHA256 fingerprint of the certificate.
  - If you are not using DWA, start the interoperation server. Otherwise, skip to the next step. The interoperation server command is in $DOORSHOME/bin. For example:
    doors -interop -data 36700@IBMEDSERV -brokerHost IBMEDSERV -brokerPort 61616 -sssServer
    Attention: You must have at least one interoperation server that uses the -sssServer switch, so that it can be recognized as the secure interoperation server.
    where

    Switch | Parameter | Description
    --- | --- | ---
    -interop | | The command to start the client as an interoperation server
    -data | 36700@IBMEDSERV | The port number and name of the DOORS database server
    -brokerHost | IBMEDSERV | The name of the server that is hosting the ActiveMQ broker
    -brokerPort | 61616 | The port number of the ActiveMQ broker
    -sssServer | | The database server recognizes the interoperation server as secure
  - If the database is configured to use IBM Rational Directory Server, existing users must be signed. To sign existing users, log in to a DOORS client as the administrator. From the edit DXL interface, enter this command: signTdsUsers().
- To obtain the SHA-256 fingerprint from the certificate:
  - Run the following commands from the certdb folder (for example, C:\Program Files\IBM\Rational\DOORS\9.6\certdb):
    gsk8capicmd_64 -cert -details -db client_authentication.kdb -stashed -label "IBMCL1"
    gsk8capicmd_64 -cert -details -db server_authentication.kdb -stashed -label "IBMSV1"
  - In the output of those commands, look for the SHA256 fingerprint line.
  - Copy the SHA256 fingerprint (the line of numbers) for both the client and server certificates into the whitelist.dat file.
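The whitelist.dat rules given under "Before you begin" (host names or IP addresses when the database server runs with -secureInteropByIP, SHA256 certificate fingerprints when it runs without that switch) and the fingerprint copied from the gsk8capicmd output above can be cross-checked with a small script before the server is restarted. This is an added example, not part of the IBM documentation or product; it assumes one whitelist entry per line with "#" comments, fingerprints written as the colon-separated hex pairs gsk8capicmd prints, and uses constructed sample bytes in place of a real certificate.

```python
# Added example, not IBM code: sanity-check the whitelist.dat a DOORS database server
# reads. Assumed file format: one entry per line, '#' starts a comment, fingerprints
# written as the colon-separated hex pairs gsk8capicmd prints on its SHA256 line.
import base64
import hashlib
import ipaddress
import re

HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
FP_RE = re.compile(r"^[0-9a-f]{64}$")

def sha256_fingerprint(der: bytes) -> str:
    """SHA256 over the certificate's DER bytes, formatted AA:BB:... like gsk8capicmd."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def pem_to_der(pem: str) -> bytes:
    # Drop the BEGIN/END armour lines and base64-decode the body.
    return base64.b64decode("".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----")))

def normalise_fp(entry: str) -> str:
    """Fingerprints compare equal regardless of separators, whitespace and case."""
    return re.sub(r"[\s:]", "", entry).lower()

def parse_whitelist(text: str) -> list[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]

def is_ip(s: str) -> bool:
    try:
        return ipaddress.ip_address(s) is not None
    except ValueError:
        return False

def malformed_entries(entries: list[str], secure_interop_by_ip: bool) -> list[str]:
    """Entries that do not fit the server's mode: host names or IPs when started with
    -secureInteropByIP, SHA256 certificate fingerprints when started without it."""
    if secure_interop_by_ip:
        return [e for e in entries if not (is_ip(e) or HOST_RE.match(e))]
    return [e for e in entries if not FP_RE.match(normalise_fp(e))]

def interop_allowed(entries: list[str], secure_interop_by_ip: bool, host: str = "", der: bytes = b"") -> bool:
    """Would the database server admit this interoperation server? Match on host name
    or IP in -secureInteropByIP mode, on the certificate fingerprint otherwise."""
    if secure_interop_by_ip:
        return host.lower() in {e.lower() for e in entries}
    return normalise_fp(sha256_fingerprint(der)) in {normalise_fp(e) for e in entries}

# Constructed sample: not a real certificate, just bytes standing in for its DER encoding.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-not-a-real-certificate"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n"
WHITELIST_FP = "# interop hosts, by certificate fingerprint\n" + sha256_fingerprint(SAMPLE_DER) + "\n"
```

Run malformed_entries over the parsed file with the same mode the server is started in; a fingerprint left in the file after switching to -secureInteropByIP (or a host name left in fingerprint mode) is reported instead of silently locking the interoperation server out.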
What to do next
When the DOORS database server is installed, it does not have a password, so anyone can manage the server. To control who manages your database server, you can set a password with the database server administration tool. For more information, see Setting the database server password.
When you enable server security, the default authentication method is to enter your user name and password. You can change the authentication method by using a dbadmin command-line switch, -sssAuthenticationMode. When you change the authentication method, you do not need to restart the DOORS database server. For more information, see Changing the authentication method.
If you want to disable server security, use the -serverSecurityDisable and -secure switches. For example, enter doorsd.exe -debug -serverdata "C:\example\data" -portnumber 36700 -serverSecurityDisable.