Configure HTTPS for ISPW and XL Release


This section describes the XL Release integration with ISPW and the configuration required to implement HTTPS.

Overview

XL Release is an end-to-end pipeline orchestration tool from XebiaLabs that allows Continuous Delivery and DevOps teams to handle automated tasks, manual tasks, complex dependencies, and release trains. ISPW is an active work environment that coordinates and controls application development and support work.

Request and Notification Flow

[Figure: request and notification flow diagram]

Configuration Requirements

Configure HTTPS request and notification flows between XL Release and ISPW as follows:

  • Use the current ISPW Eclipse plugin.
  • Use the same major Java release version.
  • Correctly configure SSL certificates and keystores.

ISPW Plugin Requirements

To integrate with ISPW on the host, the latest ISPW Eclipse plugin must be used. The plugin can be downloaded from the following GitHub location:

https://github.com/xebialabs-community/xlr-ispw-plugin/releases

Java Requirements

The same major version of Java must be used for the applicable Java integration points (CES and XL Release).

Certificate and Configuration Requirements

All configuration settings for CES can be found in the BMC Compuware Web Products Installation and Configuration Guide. The configuration settings for CMSC can be found in the Enterprise Common Components Advanced Configuration Guide.

XL Release, CES, and CMSC all must be configured for HTTPS. CES can optionally be configured to require a client certificate when XL Release or CMSC connects to it. Because multiple HTTPS connections are performed throughout this process, several SSL certificates are required:

  • When XL Release sends a request to CES, CES sends a server certificate back to XL Release. If CES is configured to require a client certificate, CES will require XL Release to send a client certificate back.
  • When CMSC sends the notification to CES, CES sends a server certificate back to CMSC. If CES is configured to require a client certificate, CES will require CMSC to send a client certificate back.
  • When CES sends the notification to XL Release, XL Release will send a server certificate to CES, and CES will send a client certificate back to XL Release.

Keystore Configuration

Keystores must be configured for CES, CMSC, and XL Release.

CES

CES uses the following two keystores for this process:

  • The keystore specified on the CES WebServer page for HTTPS must contain one or both of the following:
    • Valid server certificate (required)
    • Trusted certificate(s) used to sign the client certificates returned by CMSC and XL Release (if CES is configured to require a client certificate).
  • The default Java keystore ($JRE_HOME$/jre/lib/security/cacerts) must contain two certificates:
    • Client certificate to return to XL Release on request
    • Trusted certificate used to sign the server certificate provided by XL Release.

CMSC

The CMSC must be configured with a keystore containing the following:

  • Trusted certificate used to sign the server certificate provided by CES.
  • Optionally, a client certificate to send to CES if required.

CMSC startup parameters, including the location of the keystore for the CMSC, are maintained in your site’s CMSC PARMLIB member, by default named CMSC00. Before starting the CMSC, modify the parameters in the CMSC00 PARMLIB member to your site’s requirements as follows:

  • If the keystore is an SAF-managed keyring, use parameter CES_SSL_KEYRING to specify the name of the key ring file.
  • If the keystore is on USS, use:
    • Parameter CES_SSL_KEYDB to specify the name of the key database to be used.
    • Parameter CES_SSL_KEYSTH to specify the name of the password stash file.

XL Release

XL Release also uses two keystores:

  • XL Release must be configured for HTTPS, and the keystore specified in that configuration must contain the following:
    • Valid server certificate
    • Trusted certificate used to sign the client certificate returned by CES.
  • The default Java keystore ($JRE_HOME$/jre/lib/security/cacerts) must contain one or two certificates:
    • Trusted certificate used to sign the server certificate returned by CES
    • Optionally, a client certificate to send to CES if required.
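
The keystore roles listed above can be checked before HTTPS is enabled. The following script is an added example, not taken from the BMC or XebiaLabs documentation; the role names, aliases and sample listings are constructed for illustration. It relies on keytool listing a certificate stored with its private key as PrivateKeyEntry and a trusted signer as trustedCertEntry.

```shell
#!/bin/sh
# Added example: audit `keytool -list` output against the keystore roles above.
# A certificate a party presents is stored with its private key (PrivateKeyEntry);
# a signer it trusts is a trustedCertEntry. Role names are labels for this example.
# Real use: keytool -list -keystore PATH | audit_keystore ROLE

# Runs in a subshell so variables stay local. Exit: 0 ok, 1 missing entry, 2 bad role.
audit_keystore() (
  listing=$(cat)
  keys=$(printf '%s\n' "$listing" | grep -c 'PrivateKeyEntry' || true)
  trusts=$(printf '%s\n' "$listing" | grep -c 'trustedCertEntry' || true)
  need_key=1; need_trust=1
  case $1 in
    ces-https)   need_trust=0 ;;  # CES not configured to require client certificates
    xlr-cacerts) need_key=0 ;;    # XL Release sends no client certificate to CES
    ces-https-mtls|ces-cacerts|xlr-https|xlr-cacerts-mtls) ;;
    *) echo "unknown role: $1" >&2; exit 2 ;;
  esac
  rc=0
  if [ "$need_key" -eq 1 ] && [ "$keys" -eq 0 ]; then
    echo "$1: no PrivateKeyEntry (certificate to present is missing)"; rc=1
  fi
  if [ "$need_trust" -eq 1 ] && [ "$trusts" -eq 0 ]; then
    echo "$1: no trustedCertEntry (signer of the peer certificate is missing)"; rc=1
  fi
  exit "$rc"
)

# Constructed listings (aliases, dates and fingerprints are made up).
XLR_HTTPS_OK='Keystore type: PKCS12
Your keystore contains 2 entries

xlr-server, Nov 18, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:(constructed)
ces-client-ca, Nov 18, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:44:55:(constructed)'
CES_CACERTS_BAD='Keystore type: JKS
Your keystore contains 1 entry

xlr-server-ca, Nov 18, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 66:77:88:(constructed)'

printf '%s\n' "$XLR_HTTPS_OK" | audit_keystore xlr-https && echo "xlr-https: ok"
printf '%s\n' "$CES_CACERTS_BAD" | audit_keystore ces-cacerts || echo "ces-cacerts: fix first"
```

The check confirms only that the required entry types are present; whether each trusted certificate is the actual signer of the peer's certificate still has to be verified against the certificate chain.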

 
