Configuring Security Options for Special Commands

Security options for the ksc_export_XXX commands can be configured and used with PPM Web services.

Specifying Username and Password for PPM Special Commands

To specify the username, password, and Axis framework used to communicate with the PPM Server for the ksc_export_XXX commands, complete the following steps:

  1. On the PPM Server, open the <PPM_InstallPath>/conf/webservices.conf file for edit.

  2. In the remoteServer tag, specify the following values:

    <remoteServer baseURL="http://<Hostname>:<Port>/<Path>"
    username="<Username>"
    password="<Password>"
    encUsername="ppmservice"
    axisVersion="<AxisVersion>"
    />

    where

    <Hostname>

    represents the host name of the PPM Server.

    <Port>

    represents the port number for Web access.

    <Path>

    represents the path where PPM special commands are accessed (via the Web).

    <Username>

    represents the username for the PPM Server administrative account.

    <Password>

    represents the password for the PPM Server administrative account.

    PPM supports the WS-Security UsernameToken profile. The UsernameToken profile (as specified by WS-Security) sends the username and password through SOAP headers.

    The password has three format options:

    • Clear-text password. Sends the password to the Web service application and the application is responsible for performing the authentication.

    • Encrypted password. The encrypted form of the clear-text password, supported since PPM 9.42.

      To use an encrypted password for the administrative account:

      1. Run the command sh ./kEncrypt.sh <String_to_Encrypt> in the <PPM_Home>/bin directory.

        It generates an encrypted string that starts and ends with the characters #!#.

      2. Copy the whole string including the #!# marks for the password value.

      3. Save the webservices.conf file and run the kUpdateHtml.sh script in the <PPM_Home>/bin directory to update the configuration.

    • Digest password. Asks the Web service application for the user password and then validates the returned "digest."

    <AxisVersion>

    represents the Axis framework version.

    Valid values are:

    • AXIS1

    • AXIS2

    The default value is AXIS2 and is used for versions 7.1, 7.5, and 8.00 Web services. Specify AXIS1 for versions 6.0 and 7.0 Web services.

    For example:

    <remoteServer baseURL="http://localhost:8080/itg/ppmservices/DemandService"
    username="admin"
    password="admin"
    encUsername="ppmservice"
    axisVersion="AXIS2"
    />

  3. (Optional) Repeat Step 2 if you want to enable special commands for additional application modules or remote systems.

  4. Save and close the webservices.conf file.

Configuring HTTPS Authentication

The PPM ksc_export_XXX special commands support HTTPS through JSSE. The standard trust store retrieval path for JSSE is followed for HTTPS connections.

To enable HTTPS on the PPM Server, see the Installation and Administration Guide.

To send ksc_export_XXX special command requests in SSL mode, complete the following steps:

  1. On the PPM Server, open the <PPM_InstallPath>/server.conf file for edit.

  2. Add (or modify) the following three parameters:

    com.kintana.core.server.WEB_SERVICES_SSL_KEYSTORE=<Keystore>

    com.kintana.core.server.WEB_SERVICES_SSL_KEYSTORE_PASSWORD=<Password>

    com.kintana.core.server.WEB_SERVICES_SSL_TRUSTSTORE=<Truststore>

    where

    <Keystore>

    represents the keystore file.

    <Password>

    represents the password.

    <Truststore>

    represents the trust store.

    If no separate trust store is specified, the WEB_SERVICES_SSL_KEYSTORE can be used as a trust store.

  3. Save and close the server.conf file.

Creating the Keystore Using Keytool

There are several methods for creating a keystore; using keytool is only one of them.

If PPM is used to call Web services on a remote server using HTTPS, import the certificate that was used to sign the remote server’s SSL certificate into the JRE’s trusted keystore.

This is required if the certification authority (CA) is not one of the known certificate authorities that ship with the Java Runtime Environment (such as Verisign).

If you use another certification authority, such as an authority internal to your organization, import the certificate into the keystore using the following command:

keytool -import -trustcacerts -alias systemca -file <CA_certificate> -keystore <JRE_home>/lib/security/jssecacerts -storepass <password>

where

<CA_certificate> represents the name of the file containing the certificate (from the certification authority) used to sign the remote server’s SSL certificate
<JRE_home> represents the location of the Java Runtime Environment installation used for the local PPM instance
<password> represents the password used for the trusted certificate keystore

Note: When using HTTPS, the base URL specified in the webservices.conf and server.conf files should use the https:// prefix instead of http://.
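
A configuration check for the two settings this page describes, as an added example (not a PPM tool): it reads the remoteServer tags from webservices.conf content and reports any password that is not in the #!#...#!# form produced by kEncrypt.sh and any baseURL that does not use the https:// prefix. The function name, the sample content, the host name ppm.example.com and the encrypted placeholder value are assumptions made for illustration.

```python
import re

TAG_RE = re.compile(r"<remoteServer\b(.*?)/>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def audit_webservices_conf(text):
    """Return (baseURL, finding) pairs for every remoteServer tag in text."""
    findings = []
    for tag in TAG_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(tag.group(1)))
        # Rejoin a baseURL that was wrapped across lines before checking it.
        url = re.sub(r"\s+", "", attrs.get("baseURL", ""))
        pw = attrs.get("password", "")
        # kEncrypt.sh output starts and ends with #!#; anything else is
        # treated here as a password stored in the clear.
        if not (len(pw) > 6 and pw.startswith("#!#") and pw.endswith("#!#")):
            findings.append((url, "password is not in #!#...#!# form"))
        if not url.lower().startswith("https://"):
            findings.append((url, "baseURL does not use https://"))
    return findings


# Constructed sample file content; the host name and the encrypted value are
# placeholders, not real kEncrypt.sh output.
SAMPLE_CONF = """
<remoteServer baseURL="http://localhost:8080/itg/
ppmservices/DemandService"
username="admin"
password="admin"
encUsername="ppmservice"
axisVersion="AXIS2"
/>
<remoteServer baseURL="https://ppm.example.com:8443/itg/ppmservices/DemandService"
username="admin"
password="#!#PLACEHOLDER#!#"
encUsername="ppmservice"
axisVersion="AXIS2"
/>
"""

if __name__ == "__main__":
    for url, finding in audit_webservices_conf(SAMPLE_CONF):
        print(f"{url}: {finding}")
```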