When the Rhapsody IDE connects to a Rhapsody engine, the IDE needs to verify the Rhapsody engine's identity before it performs the login process. This is important to ensure that the Rhapsody IDE connection is to the expected Rhapsody engine, rather than another computer or process masquerading as a Rhapsody engine. The Rhapsody server authentication process is performed prior to transmitting the username and password to the engine, and involves examining the SSL certificate presented by the Rhapsody engine when the SSL connection is established.

By default, a Rhapsody engine generates a new self-signed certificate during startup if none exists, but this can be changed to use a user-defined certificate instead.

The Rhapsody server authentication process trusts a connection if, and only if, all the following are true:

  • The SSL certificate presented by the Rhapsody engine is valid (for example, not expired, has a valid signature, and not revoked).
  • The presented certificate or its ultimate issuer is trusted by the Rhapsody IDE machine, meaning that either the certificate has been explicitly accepted previously by the user, or is issued by a certificate authority trusted by the Rhapsody IDE machine.
  • The hostname used to connect to the Rhapsody engine matches one of the hostnames in the presented SSL certificate. This rule is not enforced when connecting to an engine on the IDE machine (using a hostname of localhost or 127.0.0.1) and can be selectively turned off on an engine-by-engine basis.
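The three rules above can be modelled as a single decision function. The following is an added illustration, not Rhapsody's own code: the `PresentedCert` fields, the fingerprint set standing in for previously accepted certificates, the `skip_hostname_check` flag, and the single-label wildcard matching are all assumptions, and the sample certificate is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOOPBACK = {"localhost", "127.0.0.1"}  # hostnames the page exempts from rule 3

@dataclass
class PresentedCert:  # hypothetical stand-in for the engine's certificate
    fingerprint: str
    names: tuple                      # hostnames listed in the certificate
    not_before: datetime
    not_after: datetime
    signature_ok: bool = True
    revoked: bool = False
    chains_to_trusted_ca: bool = False

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def evaluate(host, cert, accepted, now, skip_hostname_check=False):
    """Return (trusted, reasons); trusted if and only if no rule fails."""
    reasons = []
    # Rule 1: the certificate itself is valid.
    if not (cert.not_before <= now <= cert.not_after):
        reasons.append("outside validity period")
    if not cert.signature_ok:
        reasons.append("invalid signature")
    if cert.revoked:
        reasons.append("revoked")
    # Rule 2: explicitly accepted earlier, or issued by a trusted CA.
    if cert.fingerprint not in accepted and not cert.chains_to_trusted_ca:
        reasons.append("not trusted")
    # Rule 3: hostname match, unless loopback or disabled for this engine.
    exempt = host.lower() in LOOPBACK or skip_hostname_check
    if not exempt and not any(name_matches(host, n) for n in cert.names):
        reasons.append("hostname mismatch")
    return (not reasons, reasons)

def sample_cert(now):
    """Constructed self-signed certificate for a made-up engine host."""
    return PresentedCert("AA:BB:CC", ("engine01.example.test",),
                         now - timedelta(days=1), now + timedelta(days=365))

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(evaluate("engine01.example.test", sample_cert(now), {"AA:BB:CC"}, now))
    print(evaluate("10.0.0.5", sample_cert(now), set(), now))
```

A non-empty `reasons` list corresponds to the case where the IDE would show a certificate error or warning form instead of continuing the login.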

If the Rhapsody IDE determines that it can trust the Rhapsody engine, then the login process continues without further user interaction. If it is not able to trust the connection, however, a certificate error or warning form is displayed to the user. These scenarios are described in the following sections:

Where possible, the Rhapsody IDE attempts to store some minimal information about trusted Rhapsody engines that it has connected to so it can correctly detect and report subsequent changes to the SSL certificate. This information is stored using a combination of the Windows® registry and Windows® certificate store. Refer to Administrative Control of Rhapsody Server Authentication for details.