Configuring the web deployment descriptor file for client certificate authentication of OSLC calls

You can configure the HCL Compass Web deployment descriptor file, web.xml, to enforce client certificate authentication for OSLC URL patterns.

Before you begin

Verify that all OSLC (Open Services for Lifecycle Collaboration) consumers that access the server can be configured to use client certificates when the consumers log in to the target providers.

About this task

The HCL Compass Web application includes a web deployment descriptor file, web.xml. The descriptor file includes a commented section with instructions about how to include rules that enable client certificate authentication. These rules contain explicit exemptions for OSLC URL patterns that allow OSLC integrations to operate by using the standard HCL Compass authentication algorithm. You can refine the list of URL exemptions in the web.xml file to configure client certificate authentication for OSLC integrations.

The configuration changes affect all OSLC integrations for the HCL Compass Web server. It is not possible to selectively specify that some OSLC consumers use standard authentication while others use client certificates.

The following variables are used in path names:
WAS-home
    Directory where WebSphere® Application Server is installed
cqweb_profile
    Name of the HCL Compass Web profile

Procedure

  1. Copy the HCL Compass Web deployment descriptor file, web.xml, to a working directory and rename the file. The web.xml file is in the following directory:
    Windows
    WAS-home\profiles\cqweb_profile\installedApps\dfltCell\TeamEAR.ear\cqweb.war\WEB-INF\web.xml
    UNIX and Linux
    WAS-home/profiles/cqweb_profile/installedApps/dfltCell/TeamEAR.ear/cqweb.war/WEB-INF/web.xml
    Important (Solaris): If HCL Compass is installed on the Solaris operating system, the default WebSphere Application Server cell directory is srvNode01Cell. Use this value in place of dfltCell, which is the default directory on Windows™, UNIX™, and Linux™ systems.

    For illustrative purposes, the following steps assume that you renamed the copied web.xml file to web-client-cert.xml.

  2. Edit the web-client-cert.xml file by removing the comment characters <!-- and --> that precede and follow the <security-constraint> element section. Then replace the <security-constraint> element for <web-resource-name>CQBridge</web-resource-name> with the following security rules:
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>CQBridge</web-resource-name>
          <url-pattern>/html/*</url-pattern>
          <url-pattern>oauth-request-consumer/*</url-pattern>
          <url-pattern>oauth-access-token/*</url-pattern>
          <url-pattern>oauth-request-token/*</url-pattern>
       </web-resource-collection>

       <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
  3. Save the changes.
  4. Complete the steps in Configuring client certificate authentication for HCL Compass Web, starting at step 2.
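
To confirm the edit from steps 2 and 3 before continuing, the following added example (not HCL's code) parses the edited descriptor and reports whether exactly one active CQBridge constraint exists with the four URL patterns and the NONE transport guarantee shown above. The function names and the sample() descriptor are constructed for illustration; in practice, pass the contents of web-client-cert.xml to check_cqbridge().

```python
import xml.etree.ElementTree as ET

# URL patterns that step 2 places in the CQBridge constraint (copied from the page).
EXPECTED = {"/html/*", "oauth-request-consumer/*",
            "oauth-access-token/*", "oauth-request-token/*"}

def local(tag):
    """Strip an XML namespace such as {http://...} from an element tag."""
    return tag.rsplit("}", 1)[-1]

def find_all(node, name):
    return [e for e in node.iter() if local(e.tag) == name]

def text_of(elements):
    return [(e.text or "").strip() for e in elements]

def check_cqbridge(xml_text):
    """Return a list of problems in the edited descriptor; empty means OK."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # for example a stray <!-- or --> left behind
        return [f"not well-formed XML: {exc}"]
    rules = [sc for sc in find_all(root, "security-constraint")
             if "CQBridge" in text_of(find_all(sc, "web-resource-name"))]
    if len(rules) != 1:  # comments are skipped by the parser, so 0 = still commented out
        return [f"expected one active CQBridge constraint, found {len(rules)}"]
    problems = []
    patterns = set(text_of(find_all(rules[0], "url-pattern")))
    if patterns != EXPECTED:
        problems.append(f"url-pattern mismatch: missing={sorted(EXPECTED - patterns)} "
                        f"extra={sorted(patterns - EXPECTED)}")
    guarantee = text_of(find_all(rules[0], "transport-guarantee"))
    if guarantee != ["NONE"]:
        problems.append(f"transport-guarantee is {guarantee}, expected ['NONE']")
    return problems

def sample(patterns=EXPECTED, guarantee="NONE"):
    """Constructed input: a minimal descriptor holding only the CQBridge rule."""
    urls = "".join(f"<url-pattern>{p}</url-pattern>" for p in sorted(patterns))
    return ("<web-app><security-constraint><web-resource-collection>"
            "<web-resource-name>CQBridge</web-resource-name>" + urls +
            "</web-resource-collection><user-data-constraint>"
            f"<transport-guarantee>{guarantee}</transport-guarantee>"
            "</user-data-constraint></security-constraint></web-app>")

if __name__ == "__main__":
    print(check_cqbridge(sample()) or "CQBridge constraint matches step 2")
```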