Certificate requirements for integrations

Learn about the certificate requirements for integrations.

Requirements for , CMAPI, and rcleartool

The client environment needs to trust the CCRC WAN server's certificate. Each user should add the CCRC WAN server's CA root certificate to their .keystore_ClearCase file (in the user's home directory on the client machine). Alternatively, each user must verify the certificate on the first connection and save it permanently. A user who accepts a certificate exception should use information from the administrator to confirm that the certificate is legitimate.

To accept the CA root certificate, the user should get a copy from the server administrator from a trusted source. The administrator should supply the CA root certificate in a file in base64/PEM format or DER format. Then each user should import the certificate and mark it as trusted using the keytool command (found in the IBM JRE shipped with ClearCase®).
  • Windows: C:\Program Files\DevOps\Code\ClearCase\common\JAVA\jre\bin\keytool.exe (or JAVA5.0 for older releases)
  • UNIX/Linux: Navigate to the user's home directory:

    /opt/devops/common/java/jre/bin/keytool -storetype JKS -keystore .keystore_ClearCase -storepass rational -importcert -alias SOME-NAME-FOR-ROOT-CA -file path/to/caroot.file

    When prompted, answer yes to the question about trusting the certificate.
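One way to make the legitimacy check explicit before the UNIX/Linux import, as an added example that is not part of the original documentation. It assumes the administrator has published the CA root's SHA-256 fingerprint through a separate trusted channel and that openssl is installed on the client; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate the keytool import on a fingerprint check.
# Assumptions: the administrator supplied the CA root's SHA-256 fingerprint
# out of band, and openssl is available on the client machine.
KEYTOOL=${KEYTOOL:-/opt/devops/common/java/jre/bin/keytool}   # path from this page

# Strip colons/whitespace and upper-case, so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of a certificate file in PEM or DER format.
cert_fingerprint() {
    fp_out=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null) ||
    fp_out=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 2>/dev/null) ||
    return 1
    normalize_fp "${fp_out#*=}"    # openssl prints "... Fingerprint=AB:CD:..."
}

# usage: import_verified_ca <cert-file> <expected-sha256> <alias>
# Returns 2 if the file is not a certificate, 1 on mismatch, else keytool's status.
import_verified_ca() {
    cert_file=$1
    expected=$(normalize_fp "$2")
    actual=$(cert_fingerprint "$cert_file") || {
        echo "cannot read $cert_file as a PEM or DER certificate" >&2
        return 2
    }
    # A SHA-256 fingerprint is 64 hex digits; a truncated expectation is rejected.
    if [ "${#expected}" -ne 64 ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert_file: not importing" >&2
        return 1
    fi
    # Same keytool options as the command above; keytool still asks for confirmation.
    "$KEYTOOL" -storetype JKS -keystore "$HOME/.keystore_ClearCase" \
        -storepass rational -importcert -alias "$3" -file "$cert_file"
}

# Run as a script only when given the three arguments.
if [ "$#" -eq 3 ]; then
    import_verified_ca "$@"
fi
```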

Requirements for the Base ClearCase®/ClearQuest® V2 integration (PERL triggers)

The scripts need to trust the SSL certificate of the CQWeb server. The integration administrator should create a file with the PEM-encoded CA root certificate, and name that file in the config.pl file. The administrator should also explicitly enable hostname checking, which is normally enabled but becomes disabled when an alternate CA file is set. Add statements like the following to the ConfigureTrigger method in config.pl:
$ENV{HTTPS_CA_FILE} = "/path/to/file.pem";
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 1;

Requirements for Change Management Integration (CMI) and the UCM-ClearQuest® web integration on UNIX/Linux (client or WAN server)

The clients need to trust the change management server's certificate. The ClearCase® administrator should append the PEM-encoded CA root certificate to var/adm/ClearCase/config/cacert.pem.

Requirements for Change Management Integration (CMI) and the UCM-ClearQuest® web integration on Windows (client)

The clients need to trust the change management server's certificate. The user should add the PEM or DER encoded CA root certificate to the Windows account's trusted key stores (not to .keystore_ClearCase). Use the certmgr.msc tool or refer to Microsoft's TechNet document https://technet.microsoft.com/en-us/library/cc754489.aspx.

Requirements for Change Management Integration (CMI) and the UCM-ClearQuest® web integration on Windows (CCRC WAN server)

The WAN server must trust the CA in its private trusted key store. The WAN server administrator should add the PEM or DER encoded CA root certificate to the store (the file ccrc_ucmcq_key.kdb is included in the CCRC WAN server installation). Use the gsk8capicmd command-line tool to modify this keystore. For example, if ClearCase® is installed into C:\Program Files\DevOps\Code, use the command:

gsk8capicmd -cert -add -stashed -db "C:\Program Files\DevOps\Code\ClearCase\config\ccrc\ccrc_ucmcq_key.kdb" -file trusted-certificate-file.pem