Sujeet Mishra. Senior Staff Software Engineer IBM. sujmishr@in.ibm.com



Similar documents
Configuring IBM HTTP Server as a Reverse Proxy Server for SAS 9.3 Web Applications Deployed on IBM WebSphere Application Server

Web servers and WebSphere Portal

Memory-to-memory session replication

Single Sign-on (SSO) technologies for the Domino Web Server

FileMaker Server 13. FileMaker Server Help

FileMaker Server 14. FileMaker Server Help

Installing and Configuring DB2 10, WebSphere Application Server v8 & Maximo Asset Management

Securing SAS Web Applications with SiteMinder

Lotus Sametime. FIPS Support for IBM Lotus Sametime 8.0. Version 8.0 SC

EMC Data Protection Search

FileMaker Server 11. FileMaker Server Help

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Resonate Central Dispatch

Introduction to Mobile Access Gateway Installation

CA Performance Center

Installing and Configuring vcenter Multi-Hypervisor Manager

Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy

IBM WebSphere Application Server

Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite. Abstract

SOA Software API Gateway Appliance 7.1.x Administration Guide

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

IBM Rational DOORS Next Generation

Configuring Apache HTTP Server as a Reverse Proxy Server for SAS 9.3 Web Applications Deployed on Oracle WebLogic Server

Forward proxy server vs reverse proxy server

SSL CONFIGURATION GUIDE

CA Unified Infrastructure Management Server

Installing and Configuring Adobe LiveCycle 9.5 Connector for Microsoft SharePoint

Central Administration User Guide

ECA IIS Instructions. January 2005

Enterprise Deployment of the EMC Documentum WDK Application

Pre-Installation Instructions

Oracle Fusion Middleware. 1 Oracle Team Productivity Center Server System Requirements. 2 Installing the Oracle Team Productivity Center Server

Central Administration QuickStart Guide

Oracle9i Application Server: Options for Running Active Server Pages. An Oracle White Paper July 2001

IBM WebSphere Partner Gateway V6.2.1 Advanced and Enterprise Editions

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x

Chapter 3 WebSphere Portal Server V6: Configuration Data Transfer to DB2 Introduction

Configuring Nex-Gen Web Load Balancer

Load Balancing Microsoft Sharepoint 2010 Load Balancing Microsoft Sharepoint Deployment Guide

IBM WEBSPHERE LOAD BALANCING SUPPORT FOR EMC DOCUMENTUM WDK/WEBTOP IN A CLUSTERED ENVIRONMENT

Server Software Installation Guide

Siebel Installation Guide for UNIX. Siebel Innovation Pack 2013 Version 8.1/8.2, Rev. A April 2014

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Fusion Middleware Identity Management 11gR1

10gAS SSL / Certificate Based Authentication Configuration

FileMaker Server 12. FileMaker Server Help

Use Enterprise SSO as the Credential Server for Protected Sites

Using Symantec NetBackup with Symantec Security Information Manager 4.5

Secure Messaging Server Console... 2

Instant Chime for IBM Sametime For IBM Websphere and IBM DB2 Installation Guide

Instant Chime for IBM Sametime High Availability Server Guide

Chapter 1 - Web Server Management and Cluster Topology

Microsoft Lync Server 2010

WebSphere Business Monitor V7.0: Clustering Single cluster deployment environment pattern

TIBCO Spotfire Statistics Services Installation and Administration Guide

PC-Duo Web Console Installation Guide

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

TIBCO Spotfire Statistics Services Installation and Administration

Deploying the BIG-IP System v10 with Oracle Application Server 10g R2

Microsoft SharePoint 2010 Deployment with Coyote Point Equalizer

IBM WebSphere Application Server Version 7.0

DEPLOYMENT GUIDE Version 1.0. Deploying F5 with the Oracle Fusion Middleware SOA Suite 11gR1

TIBCO ActiveMatrix BusinessWorks Plug-in for TIBCO Managed File Transfer Software Installation

Sametime 9 Meetings deployment Open Mic July 23rd 2014

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

Managing and Securing the Mobile Device Invasion IBM Corporation

This presentation covers virtual application shared services supplied with IBM Workload Deployer version 3.1.

IBM WebSphere Application Server Communications Enabled Applications

TIBCO Spotfire Statistics Services Installation and Administration Guide. Software Release 5.0 November 2012

Lepide Active Directory Self Service. Configuration Guide. Follow the simple steps given in this document to start working with

IBM RATIONAL PERFORMANCE TESTER

Installation and configuration guide

Installation Guide. SAP Control Center 3.3

BlackBerry Enterprise Service 10. Version: Configuration Guide

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server

Installation & Upgrade Guide

DameWare Server. Administrator Guide

Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures. Goliath Performance Monitor Installation Guide v11.

MadCap Software. Upgrading Guide. Pulse

2X SecureRemoteDesktop. Version 1.1

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Symantec Backup Exec 2010 R2. Quick Installation Guide

Server Installation ZENworks Mobile Management 2.7.x August 2013

Novell Access Manager

Installing and Configuring vcloud Connector

HP Device Manager 4.7

Introduction to WebSphere Administration

DEPLOYING EMC DOCUMENTUM BUSINESS ACTIVITY MONITOR SERVER ON IBM WEBSPHERE APPLICATION SERVER CLUSTER

Getting Started Guide

Leveraging Rational Team Concert's build capabilities for Continuous Integration

Interaction Supervisor ipad Edition

Agenda. How to configure

Exploiting the Web with Tivoli Storage Manager

How To Take Advantage Of Active Directory Support In Groupwise 2014

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief

Configure Single Sign on Between Domino and WPS

Installation and configuration guide

MultiSite Manager. Using HTTPS and SSL Certificates

TIBCO Runtime Agent Domain Utility User s Guide Software Release November 2012

Transcription:

Leveraging IBM Rational ClearCase and ClearQuest CM Server to achieve a secure, centralized, and flexible deployment model in your GDD environment Sujeet Mishra Senior Staff Software Engineer IBM sujmishr@in.ibm.com The premiere software and product delivery event. August 16-18, Bangalore

Agenda Introduction to CM Server Secure your CM Server environment Enable WAS admin security Control access by host name or address Configure SSL with IHS Use Proxy Server Centralized and Flexible deployment leveraging CM Server Backward (cross version) compatibility and flexibility in adoption Consolidate multiple sites with load balancing Use region mapping [New] ClearCase-ClearQuest integration option for increased flexible deployment 2 2

What is CM Server? CM Server stands for Configuration Management Server and/or Change Management Server. It is a unified (single technology stack) application server for both ClearCase and ClearQuest. First released in ClearCase and ClearQuest version 7.1. Design Goals of CM Server Drive down TCO (Total Cost of Ownership) Support WAN clients (CCRC, CQ Web, Full Text Search ) Lower client installation and client administration costs Standardize configuration and administration of servers Leverage performance, security & scalability of WebSphere Application Server. Lift limitations of previous CCRC Server and CQ Web Server. Support a new, unified client-side Java API for custom integrations. Support the new ClearQuest OSLC interface for building loosely-coupled and robust integrations. 3 3

CM Server Architecture Component view Browser HTTP(s) CQ Web/CQ OSLC WAS Eclipse Platform User-written Apps CCRC Plug-in CM API User-written Java program CM API HTTP(s) HTTP(s ) HTTP(s) ccrpc.exe process RPC RPC ClearCase Business Logic (major) Traditional ClearCase Servers ClearCase Business Logic (minor) CM Server Java RPC cqrpc.exe process CQ Core SQL/ODBC RDBMS Server web tier app tier data tier SQL/ODBC (LAN-only) RPC (LAN-only ) HTTP clients servers VOB RDBMS 4 4

Agenda Introduction to CM Server Secure your CM Server environment Enable WAS admin security Control access by host name or address Configure SSL with IHS Use Proxy Server Centralized and Flexible deployment leveraging CM Server Backward (cross version) compatibility and flexibility in adoption Consolidate multiple sites with load balancing Use region mapping [New] ClearCase-ClearQuest integration option for increased flexible deployment 5 5

Secure your CM Server environment * Enable WAS administrative security CM Server is a Websphere Application Server (WAS) Hosted J2EE application. Administrative security protects the CM Server from unauthorized access to the WAS administrative functions e.g. WAS administrative console. Modifications to WAS configuration. Stopping the WAS instance. Administrative security not enabled by default When a WAS profile created, the administrative security is disabled by default. Security could be enabled by default in the future based on customer feedback. It is very important to enable WAS administrative security. 6 6

Secure your CM Server environment * Enable WAS administrative security Enable WAS administrative security Login to WAS admin console via http://cmserver:12060/ibm/console Follow Security > Secure administration, applications, and infrastructure. Use the Security Configuration wizard to configure security In step 1 of the wizard, select a security level. Ensure that Java 2 security is disabled. In step 2, select a user repository. Choose one of federated or LDAP repositories. For more information, see the WebSphere Application Server v6.1 Information Center. In step 3, enter the administrative user name and password. The user name must be different from the user name that is running WebSphere Application Server. In step 4, confirm your selections and click Finish. Click Apply. 7 7

Secure your CM Server environment * Enable WAS administrative security Recommended Optional DO NOT Enable 8 8

Secure your CM Server environment * Enable WAS administrative security Enable ClearQuest Web for CM Server administrative security. Edit the file CqServerConn.properties. The location of the file is: On UNIX system and Linux: On Windows: <drive>:\install_dir\common\cm\profiles\cmprofile\installedapps\nodename\rationalclearquestweb.ear\cqwebmodule.war\web-inf\classes\cqserverconn.properties install_dir/common/cm/profiles/cmprofile/installedapps/nodename/rationalclearquestweb.ear/cqwebmodule.war/web-inf/classes/cqserverconn.properties Add the administrative user name and password to the following lines TEAM_SERVER_ADMIN_AUTHENTICATION_KEY= TEAM_SERVER_ADMIN_AUTHENTICATION_VALUE= Restart CM Server for the administrative security changes to take effect. 9 9

Secure your CM Server environment * Enable WAS administrative security After administrative security is enabled The administrative user name and password must be provided when: Log into the WAS administrative console http://server:12060/ibm/console Log into the CM Server administration utility (technote # 1377925 ) http://server/teamadminweb 10 10

Secure your CM Server environment * Enable WAS administrative security After administrative security is enabled (contd.) Stop the CM server. (Windows Only) If stopserver script is used, the user and password arguments must be provided as command line arguments: $install_dir\common\ewas\bin stopserver.bat -user <admin-user-name> -password <admin-password> (Unix and Linux): The cmserver_shutdown and cmserver_restart scripts also accept the -user and - password arguments. /opt/ibm/rationalsdlc/common/cm/bin/cmserver_shutdown/restart Update the WAS Service on Windows CM Server runs as a Windows service. Update the service with additional arguments for the administrative user name and password used when stopping/starting the CM Server. Run the following commands in a command prompt window, substituting <admin-user-name> and <admin-password> with the administrative user name and password, respectively. Step 1: cd $install_dir\common\ewas\bin Step 2: WASService.exe -add "cmprofile" -servername server1 -profilepath $install_dir\common\cm\profiles\cmprofile" -stopargs "-user <admin-user-name> -password <admin-password>" - encodeparams 11 11

Secure your CM Server environment * Enable WAS administrative security Security Considerations for Unix and Linux Passing the administrative user name and password to the stopserver.sh script exposes the user name and password to anyone who issues the ps -ef command. To avoid specifying the -user and -password options for commands, configure the settings as properties: cd /opt/rational/common/cm/profiles/cmprofile/properties Edit the file soap.client.props and change the values of the following properties: com.ibm.soap.securityenabled=true com.ibm.soap.loginuserid=<admin-user-name> com.ibm.soap.loginpassword=<password> Encode the property value com.ibm.soap.loginpassword by running the following script: opt/rational/common/ewas/bin/propfilepasswordencoder.sh soap.client.props com.ibm.soap.loginpassword Verify that the password is encoded and then remove the file soap.client.props.bak. Check permissions on sensitive WAS files e.g properties and executables. Permissions should limit access to WebSphere administrators. 12 12

Secure your CM Server environment * Enable WAS administrative security Upgrading CM Server Administrative security must be temporarily disabled prior to upgrading the CM Server. Disabling and Administrative Security Start the WebSphere Application Server administrative console by entering the following URL in your browser window: http://localhost:12060/ibm/console Log in by using the administrative user name and password. Click Security > Secure administration, applications, and infrastructure. Clear Enable administrative security. Click Apply to save your changes Restart CM Server to effect the changes. Additional Resources Refer to technote #1386762 for additional information on managing WAS administrative security. 13 13

Secure your CM Server environment * Control Access by host name or address Access to the CM Server can be controlled via an access list including the name or address of the host to be included or excluded. This can be done by configuring the Websphere Application Server web container transport chain. Login to http://server:12060/ibm/console Follow Server Application Servers server1 Access the Configuration tab. In the Container Settings section, expand Web Container Settings. Click on Web container transport chains Click on WCInboundDefault Add the host name or address to the exclude or include list. Click Apply and restart CM Server Technote #1397016 discusses steps to secure the WAS profile used by ClearQuest Full-Text Search service. These steps can be applied to other WAS profiles, such as CM Server cmprofile with variation in ports used. 14 14

Secure your CM Server environment * Configure SSL access using IBM HTTP Server (IHS) It is highly recommended to configure CM Server to use the Secure Socket Layer (SSL) protocol for secure communication with ClearCase Remote Client (CCRC) and ClearQuest Web. The current version (7.1.x) of CM Server does not support Open SSL. A previously created Open SSL certificate must be converted to IBM SSL certificate for use with the CM Server. See the InfoCenter contents on steps to convert Open SSL to IBM SSL. 15 15

Secure your CM Server environment * Configure SSL access using IBM HTTP Server (IHS) Steps to configure SSL using IHS Uncomment the line Include conf/ssl.conf in the file %RATIONAL_COMMON%\IHS\conf\httpd.conf. Create %RATIONAL_COMMON%\IHS\key.kbd and %RATIONAL_COMMON%\IHS\key.sth using the IHS Key Management utility. Refer to Creating HTTP server keys. Create the IBM SSL certificate. Refer to Creating a self-signed certificate for the HTTP server. Redirect non-ssl requests as SSL requests. Refer to Forcing an SSL connection with CM Server. 16

Secure your CM Server environment * Use Proxy Servers in CCRC/CM Server environment Reverse proxy User connects / authenticates using URL to proxy server. Forward proxy CCRC user specifies proxy information in CCRC preferences page. CCRC user connects using CM Server URL 17 17

Agenda Introduction to CM Server Secure your CM Server environment Enable WAS admin security Control access by host name or address Configure SSL with IHS Use Proxy Server Centralized and Flexible deployment leveraging CM Server Backward (cross version) compatibility and flexibility in adoption Consolidate multiple sites with load balancing Use region mapping [New] ClearCase-ClearQuest integration option for increased flexible deployment 18 18

Centralized Flexible deployment using CM Server * Backward compatibility and flexibility in adoption ClearCase v7.1.x CM Server is compatible with v7.0.x VOB servers Once v7.0.x CCRC server is upgraded to v7.1 CM Server, CCRC client connecting to this CM Server must be upgraded to v7.1 version. V7.0.x CCRC server and v7.1.x CCRC Server (CM server) can access the same v7.0.x VOB servers. ClearQuest v7.1 CM Server supports Feature Level 5, 6 and 7 CQ databases CQ Full-Text Search support requires ClearQuest Feature Level 7. However, this is not required for MultiSite ed CQ DB. 19

Centralized Flexible deployment using CM Server * Backward compatibility and flexibility in adoption CCRC 7.1.x connects to CM Server 7.1.x CM Server 7.1.x connects to CC 7.0 and 7.1 VOBs and CQ DBs FL 5, 6 & 7 CCRC 7.1.x Browser (ClearQuest) CM Server 7.1.x Benefits: Extends existing 7.0.x deployment. Migrate as needed 7.1.x ClearCase 7.0 7.1 ClearCase Servers (View, VOB...) 7.0 7.1 DB ClearQuest 7.0 7.1 7.0.x CCRC 7.0.x CCRC Server 7.0.x CQ Clients connect to CQ DBs v7.0 requires FL 5 v7.0.1 requires FL 5 or 6 v7.1 requires FL 5, 6 or 7 20 20

Centralized Flexible deployment using CM Server * Consolidating multiple sites with load balancing CM server load balancing options provided with 7.1.x Using IBM HTTP Server Out of the Box option Provides random / round robin load distribution Configuration technote for CCRC: #1377474 Configuration technote for CQWeb: #1377478 Using WebSphere Edge Component (see InfoCenter for details) Edge Component Load Balancer True Load Balancing Monitors load on CM Server and distributes accordingly Administration Console to monitor load Both options provide backup/failover capability. 21 21

22 22 Centralized and Flexible deployment leveraging CM Server * Consolidating multiple sites with load balancing Machine B IHS Machine A (Load Balan cer) IHS WAS (CQWeb + CM Server) CQRPC Browser Machine C DBMS IHS WAS (CQWeb + CM Server) CQRPC IHS will use a round-robin or random based load balancing approach in this configuration. If CQWeb/CM Server on Machine B is down, or if Machine B is down, ClearQuest web users logged to Machine B will be offloaded to Machine C. For users that only have read sessions on Machine B, they won t notice anything. If a user has a write session on Machine B and is in the middle of modifying a record, only noncommitted data in that active session would impacted.

Centralized and Flexible deployment leveraging CM Server * Consolidating multiple sites with load balancing Machine B IHS WAS (CM Server) CCRC Machine A (Load Balan cer) IHS Machine C CCRPC IHS WebView Storage WAS (CM Server) CCRPC VOBs VOBs VOBs IHS will use a round-robin load balancing approach with session affinity in this configuration. If both CM Servers are active, a new CCRC session will connect to the next available CM Server. If one of the servers is unavailable, CCRC users will be directed to the available CM Server. Both servers can access the same views located at a central storage location specified with CM Server MBEANs ccrcviewstorage (UNC path name to storage location) ccrcuseviewhostpathforglobalpath (set to TRUE) 23

Centralized and Flexible deployment leveraging CM Server * Use region mapping Customize/configure VOB access based on user identity A user region map allows mapping of OS users and groups to ClearCase regions. A user region map can be used to restrict or allow a user or a group access to a set of VOBs grouped by region. A user region map is a flat file located on the CM Server. The pathname of this file is specified as a value for the MBEAN attribute ccrcuserregionmapfile. 24 24

Centralized and Flexible deployment leveraging CM Server * Use region mapping (an example) ClearCase example CM Server configured with region1 and region2. Either of them can be the default region. region1 contains vob1_1 and vob1_2. region2 contains vob2_1 and vob2_2. Sample region mapping file region1 = {CMBUQE\userA } region2 = {CMBUQE\userB } * Note: There must be a space before the final } usera has access to vob1_1 and vob1_2 only. userb has access to vob2_1 and vob2_2 only. 25 25

Centralized and Flexible deployment leveraging CM Server * Use region mapping (an example) ClearCase/ClearQuest integration Deployment configuration CQ Web can be used to access multiple CC regions from a single CM Server. Previous versions (v6.x and v7.0.x) allowed access only to the default CC region for the CQ Web Server. Relevant use cases View UCM Changeset Change Headline Scenario User A works in CC region A User B works in CC region B Both users access CQ Web via http://sharedserver1/cqweb User A views changeset in CQ Record A which is bound to UCM Activity in region A User B views changeset in CQ Record B which is bound to UCM Activity in region B 26 26

Centralized and Flexible deployment leveraging CM Server * New CC-CQ integration option for more flexible deployment Enable LAN ClearCase to communicate with WAN ClearQuest for UCM In 7.1.1 release, only ClearCase thick clients provide this support Ex. Cleartool, Project Explorer, ClearCase Explorer, etc. It has no impact to UCM use cases through CCRC or CQWeb Plan to extend to CCRC and CQWeb Uses OSLC CQ REST API Installed with 7.1.1 CQ Web WAN-friendly calls over HTTP(s) Advantages Removes need to deploy CQ thick clients Removes dependency on CQ Multisite New functionality is available on platforms not supported by ClearQuest Solaris X86, Linux 390, Linux PPC, HP IA64 See technote #1398642 for detailed information. 27 27

Centralized and Flexible deployment leveraging CM Server * New CC-CQ integration option for more flexible deployment CC Native Clients http OSLC CQ Web/ CM Server http COM/RPC CQIntSvr Process CQ Core CC Native Client VOB Replica VOB Replica CQ DB 28

Summary It is highly recommended to enable WAS administrative security for the 7.1.x CM Server (for CCRC and for ClearQuest Web). It is highly recommended to configure IBM Secure Socket Layer (SSL) protocol for secure communication with ClearCase Remote Client (CCRC) and ClearQuest Web. Additional security can be implemented using proxy servers. CM Server provides many features, options and benefits that can be leveraged to achieve a flexible, centralized deployment model for enterprise and global environments. 29 29

30 30

www.ibm/software/rational Copyright IBM Corporation 2010. All rights reserved. The information contained i n these materials is provided for i nfor mati onal purposes onl y, and is pr ovided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. N othi ng contained in these materials is intended to, nor shall have the effect of, creating any warranties or representati ons from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governi ng the use of IBM software. References i n these materials to IBM products, programs, or services do not impl y that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on mar ket opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, R ational, the Rati onal logo, T elelogic, the Telelogic logo, and other IBM products and ser vices are trademar ks of the International Busi ness Machines Corporation, i n the U nited States, other countries or both. Other company, pr oduct, or ser vice names may be trademarks or ser vice marks of others. 31 31

Backup slides: Forward Proxy and Reverse Proxy Reverse Proxy Forward Proxy 32