In a default installation, it is possible for any Rhapsody IDE user to accept a connection to a Rhapsody engine that uses a self-signed certificate, provided the certificate is otherwise valid and the other authentication criteria are met. However, in some cases this may not be desirable.
It is possible to set a flag in the registry to prevent the Rhapsody IDE from connecting to a Rhapsody engine that uses a self-signed certificate unless the engine has been pre-approved by an administrator. This is done by creating a DWORD value called AllowUserSelfSignedCertificates with a value of zero in one of the following registry keys:
- HKEY_LOCAL_MACHINE\Software\Rhapsody\Rhapsody IDE 6\Engines (32-bit).
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Rhapsody\Rhapsody IDE 6\Engines (64-bit).
The connection details for 32-bit and 64-bit computers are stored in different locations. The relevant architecture here is the computer the Rhapsody IDE is running on, not the architecture the Rhapsody engine is running on.
If this registry value is set, then the Rhapsody IDE does not allow the user to connect to a Rhapsody engine using a self-signed certificate unless the connection details (including the certificate thumbprint) for that engine can be found in the registry already under HKEY_LOCAL_MACHINE. Connection details for engines using self-signed certificates stored under HKEY_CURRENT_USER are ignored when this flag is set.
If this option is enabled, one of the following two modes of operation is in use:
- Rhapsody engines use self-signed certificates, and the connection details for these engines are manually added by the system administrator as required. It is likely that the registry values for these connection details are pushed out via domain policy.
- Rhapsody engines use certificates issued under a root certificate that is trusted by the computers running the Rhapsody IDE. Often this root certificate belongs to an internal organization certificate authority, and the certificate is pushed out via domain policy.
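
The registry flag described above can be audited and applied with a short PowerShell script. This is an added example, not code from the product documentation: the function names are hypothetical, and it assumes an elevated session in the native PowerShell host of the computer running the Rhapsody IDE.

```powershell
# Added example, not vendor code. Function names are hypothetical; the key
# paths and the value name are the ones given in the text above.
$ValueName = 'AllowUserSelfSignedCertificates'

function Get-RhapsodyEnginesKey {
    # What matters is the computer the Rhapsody IDE runs on, not the engine.
    # Assumption: this runs in the native PowerShell host of that computer.
    if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\Software\Wow6432Node\Rhapsody\Rhapsody IDE 6\Engines'
    } else {
        'HKLM:\Software\Rhapsody\Rhapsody IDE 6\Engines'
    }
}

function Get-SelfSignedPolicy {
    # Report whether the flag exists, its registry type, and its value.
    $key  = Get-RhapsodyEnginesKey
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    $kind = if ($item) { (Get-Item -Path $key).GetValueKind($ValueName) } else { $null }
    [pscustomobject]@{
        Key        = $key
        Present    = [bool]$item
        Kind       = $kind
        Value      = if ($item) { $item.$ValueName } else { $null }
        # The restriction described above needs a DWORD with a value of zero;
        # a string "0" or a missing value does not count.
        Restricted = [bool]($item -and $kind -eq 'DWord' -and $item.$ValueName -eq 0)
    }
}

function Set-SelfSignedPolicy {
    # Writes under HKEY_LOCAL_MACHINE, so an elevated session is required.
    $key = Get-RhapsodyEnginesKey
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 0 -Force |
        Out-Null
    # Read the value back so a wrong type or a failed write is reported.
    $state = Get-SelfSignedPolicy
    if (-not $state.Restricted) { throw "Flag was not written as DWORD 0 under $key" }
    $state
}

# Audit first; write only when the restriction is not already in place.
$current = Get-SelfSignedPolicy
if ($current.Restricted) { $current } else { Set-SelfSignedPolicy }
```

Once the flag is set, users can only reach engines with self-signed certificates whose connection details already exist under HKEY_LOCAL_MACHINE, so deploy those entries before or together with this change.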