Configuring the web deployment descriptor file for client certificate authentication of OSLC calls

You can configure the Rational® ClearQuest® Web deployment descriptor file, web.xml, to enforce client certificate authentication for OSLC URL patterns.

Before you begin

Verify that all OSLC (Open Services for Lifecycle Collaboration) consumers that access the server can be configured to use client certificates when the consumers log in to the target providers.

About this task

The Rational ClearQuest Web application includes a web deployment descriptor file, web.xml. The descriptor file includes a commented section with instructions about how to include rules that enable client certificate authentication. These rules contain explicit exemptions for OSLC URL patterns that allow OSLC integrations to operate by using the standard Rational ClearQuest authentication algorithm. You can refine the list of URL exemptions in the web.xml file to configure client certificate authentication for OSLC integrations.

The configuration changes affect all OSLC integrations for the Rational ClearQuest Web server. It is not possible to selectively specify that some OSLC consumers use standard authentication while others use client certificates.

The following variables are used in path names:
WAS-home
Directory where WebSphere® Application Server is installed
cqweb_profile
Name of the Rational ClearQuest Web profile

Procedure

  1. Copy the Rational ClearQuest Web deployment descriptor file, web.xml, to a working directory and rename the file. The web.xml file is in the following directory:
    Windows
    WAS-home\profiles\cqweb_profile\installedApps\dfltCell\TeamEAR.ear\cqweb.war\WEB-INF\web.xml
    UNIX Linux
    WAS-home/profiles/cqweb_profile/installedApps/dfltCell/TeamEAR.ear/cqweb.war/WEB-INF/web.xml
    Important: Solaris If Rational ClearQuest is installed on the Solaris operating system, the default WebSphere Application Server cell directory is srvNode01Cell. Use this value in place of dfltCell, which is the default directory on Windows, UNIX, and Linux systems.

    For illustrative purposes, the steps assume that you renamed the web.xml file that you copied to a working directory to web-client-cert.xml.

  2. Edit the web-client-cert.xml file by removing the comment characters <!-- and --> that precede and follow the <security-constraint> security element section. Replace the <security-constraint> element for <web-resource-name>CQBridge</web-resource-name> with the following security rules: 
    <security-constraint>
   <web-resource-collection>
      <web-resource-name>CQBridge</web-resource-name>
         <url-pattern>/html/*</url-pattern>
         <url-pattern>oauth-request-consumer/*</url-pattern>
         <url-pattern>oauth-access-token/*</url-pattern>
         <url-pattern>oauth-request-token/*</url-pattern>
      </web-resource-collection>

      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
</security-constraint>
  3. Save the changes.
  4. Complete the steps in Configuring client certificate authentication for Rational ClearQuest Web, starting at step 2.
Parent topic: Configuring Rational ClearQuest Web
Previous topic: Enable Rational ClearQuest Web server administrative security
Next topic: Configuring client certificate authentication for Rational ClearQuest Web