Simplify user management for Collaborative Lifecycle Management applications

Integrate Jazz Team Server with Rational Directory Server

The Rational solution for Collaborative Lifecycle Management (CLM) is becoming a key productivity tool for many organizations. There are companies that are already using other IBM Rational software, such as IBM Rational DOORS, Rational Change or Rational Synergy, or Rational Focal Point, and use Rational Directory Server to provide directory services. Some will want to integrate their new CLM setup with their existing Rational Directory Server to provide services such as authentication and user management. This article explains how to do this, step by step.


Pranab Agarwal (, Advisory Software Engineer, IBM

author photoPranab Agarwal is a senior developer with the IBM Rational Directory Server team. He has more than 13 years of experience in IT, handling varied roles and responsibilities, and has written online product documentation, IBM Technotes, and other technical material, including a previous developerWorks article, Back up Rational software user data for quick disaster recovery. Pranab has a Master in Engineering Studies degree from the University of Wollongong, in New South Wales, Australia.

Navneet R. Srivastava (, Senior Staff Software Engineer, IBM

author photoNavneet Srivastava is a senior software engineer with the IBM Rational Directory Server team and the System Verification Team. He has been in this position for more than five of his nine years in IT. His experience includes performing functional, system, performance, and automation tests, and he has been responsible for creating testing architectures for different products during these years. He has written Technotes and other technical materials and co-authored the Rational Edge article titled PureCoverage report scripts: Get the most out of your coverage data. Navneet has a Master of Engineering degree from the Birla Institute of Technology, Mesra in Ranchi, Jharkhand, India.

14 June 2013

Also available in Chinese


If your organization already uses IBM® Rational® Directory Server in your network infrastructure, you might want to use it with the Rational solution for Collaborative Lifecycle Management (CLM) for authentication and user management. The CLM installation does not support the directory server. To resolve this dilemma, the Rational Directory Server team implemented an extension that can be deployed over any existing Collaborative Lifecycle Management installation to use Rational Directory Server to provide directory services.

This article describes the following procedures in detail:

  1. Install and configure Rational Directory Server.
  2. Install the Rational Directory Server extension for CLM.
  3. Configure IBM® WebSphere® Application Server to enable Rational Directory Server.
  4. Set up and configure CLM.


The following applications need to be installed and configured:

  • IBM Rational Directory Server 5.2.1 or later
  • IBM Rational Installation Manager 1.5.2 or later
  • IBM WebSphere Application Server 7.0 with Fix Pack 23 or later
  • Collaborative Lifecycle Management or later (configured to run on WebSphere Application Server)

Integrate the servers

Follow the steps in the order presented here.

Configure Rational Directory Server groups for Jazz authentication

For Jazz™ authentication, IBM® Rational Team Concert® must be configured to connect to Rational Directory Server.

Prepare the directory server

  1. Install Rational Directory Server, Version 5.2.1 (Tivoli variant), in corporate mode. For help, see Release notes - Rational Directory Server 5.2.1 (Tivoli) in the information center.
  2. Create a corporate partition in Rational Directory Server to connect to the corporate LDAP server. See the Creating partitions topic in the information center for help.

In corporate mode, Rational Directory Server can be configured to integrate with your corporate LDAP server. This enables Rational Directory Server to access the corporate LDAP's user objects and groups. They are in read-only mode, thus the data is not modified in any way. In this mode, local users and groups can also be created in Rational Directory Server. The users and groups from both the corporate LDAP server and the Rational Directory Server are available to Rational software for authentication and user management purposes.

Steps to create groups

There are certain groups that must be present in an LDAP server for Rational Team Concert to operate. These groups can be a part of Rational Directory Server or they can be made available in your organization's LDAP server. If these groups are not present in that server, follow these steps to create those groups:

  1. Log in to Rational Directory Server as an administrator.
  2. Expand the Groups node.
  3. Right-click RDS Groups, and select Create Groups.
  4. Create these five groups:
    • JazzAdmins
    • JazzDWAdmins
    • JazzGuestsJazzProjectAdmins
    • JazzUsers

After you have created all of these groups, add users to them according to the roles and responsibilities.

  1. Right-click any of the five groups listed under RDS Groups group, and select Properties, as shown in Figure 1.
Figure 1. Rational Directory Server local groups
Creating RDS Local Groups
  1. Search for the user names that need to be added to this group (see Figures 2 and 3):
    1. In the Properties dialog window, select the Members tab, and click Add.
    2. When the "Find users and groups" dialog window opens, enter the user name to search, and click Find.
    3. When the user name is listed, select it, and click Assign.
    4. Repeat the same steps for the rest of the users in this group.
    5. Click OK, and close that group view.
Figure 2. Adding members to a group
Searching for members for RDS Groups
Figure 3. Member added to a group
Adding members to RDS Groups
  1. Repeat the steps for the remaining four groups.

Install the directory server extension for Collaborative Lifecycle Management

The information below provides the basic steps for installing, updating, and uninstalling Rational Directory Server extension for Rational Collaborative Lifecycle Management. During the installation step, there are a couple of questions that need to be answered. Be sure to read the Prerequisites section before you begin.


To install Rational Directory Server extension for Collaborative Lifecycle Management for the first time, perform these tasks first:

  1. Verify that the server meets the minimum hardware and software requirements to install these applications.
  2. Install IBM Rational Installation Manager 1.5.2 or later. For installation information, see Installation Manager Considerations
  3. Install Collaborative Lifecycle Management or later.
  4. Verify that IBM WebSphere Application Server 7.0 with Fix Pack 23 or later is installed.
  5. Configure Collaborative Lifecycle Management with WebSphere Application Server.

To simplify configuration of IBM WebSphere Application Server environment, ensure that the CLM installation path does not contain any space. If it is already installed in the path with spaces, replace each space with %20 in IBM® WebSphere® Application Server and IBM® DB2® database configuration steps.

Install the Rational Directory Server extension for CLM

  1. Stop IBM WebSphere Application Server.

    Note: IBM WebSphere Application Server admin username and password are required.
Figure 4. Stopping IBM WebSphere Application Server
Stopping IBM WebSphere Application Server
  1. The Rational Directory Server extension for Collaborative Lifecycle Management installation package contains one .zip file. Download and extract the contents.
  2. Start IBM Installation Manager. To ensure successful installation, delete the existing repository in the Preferences section of Installation Manager, and add the absolute path for the Rational Directory Server extension for Collaborative Lifecycle Management installation files. For example:
    <Path to unzipped folder >
  3. Click OK.
  4. Click Install.
  5. When the Install Packages window opens, select Rational Directory Server extension for Collaborative Lifecycle Management.
Figure 5. Installing Rational Directory Server extension
Rational Directory Server extension installer
  1. Click Next.
  2. Read and accept the license agreement, and click Next.
  3. Accept the default installation location (Jazz Team Server), and click Next.
Figure 6. Packages that can be installed
packages Available in Installation Manager
  1. Accept the selected feature to be installed, and click Next.
  2. Accept the default WebSphere Application Server and provide the installed location.
  3. Click Next.
  4. Accept the package to be installed, and click Next.
  5. Click Install to begin the installation process.
  6. When it is installed, click Finish.
Figure 7. Installation confirmation
Installation completion window
  1. Start WebSphere Application Server (requires admin username and password).
Figure 8. Start IBM WebSphere Application Server
startup console display

Configure the WebSphere Application Server LDAP stand-alone directory realm to connect to Rational Directory Server

There are several steps necessary to complete this task:

  1. Configure the stand-alone LDAP registry.
  2. Configure JVM arguments.
  3. Configure authorization security settings.
  4. Add custom properties.
  5. Stop and restart WebSphere Application Server.

Configure stand-alone LDAP registry

  1. Use a web browser to log in to the Integrated Solutions Console as WebSphere admin user. (URL example: https://<host>:9043/ibm/console)
  2. From the application server's Admin console, click Security > Global Security.
  3. Update the security settings as Table 1 shows.
Table 1. Global security settings
Security settings nameSettings value
Enable administrative security Enable
Enable application security Enable
Java 2 security Disable
User account repository and available realm definitions Stand-alone LDAP registry

Figure 9 shows the Global Security page settings.

Figure 9. Global security settings
global security dialog window
  1. Click Set as current, and then click Configure.
  2. Supply the General Properties and other LDAP parameters shown in Table 2.
Table 2. LDAP settings
LDAP settings nameSettings value
Primary administrative user name Your user ID DN (example: uid=tdsadmin,ou=people,dc=telelogic,dc=com)
Server user identity Automatically generated server identity
Host Name and IP address of Rational Directory Server
Port Port number on which Rational Directory Server is running (example: 1389)
Type of LDAP server Custom
Search timeout 120 seconds
Base Distinguished Name (DN) dc=telelogic, dc=com
Bind Distinguished Name DN of user the ID, for example:
uid=tdsadmin, ou=people, dc=telelogic, dc=com
Bind password Password of the user above

After you have specified the settings, the resulting screen will look similar to Figure 10.

Figure 10. General LDAP properties
IBM WebSphere Application Server LDAP properties
  1. Click Apply, and save the changes.
  2. In the configuration section, click Test Connection.
  3. In the Additional Properties section, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings.
  4. Specify the General Properties fields given in Table 3.
Table 3. Advance LDAP settings
Settings nameSettings values
User filter (&(uid=%v)(objectclass=inetOrgPerson))
Group filter (&(cn=%v) (|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
User ID map *:uid
Group ID map *:cn
Group member ID map ibm-allGroups:member;ibm-allGroups:uniqueMember;
Perform a nested group search Unchecked
Kerberos filter search NA
Certificate map mode EXACT_DN
Certificate filter NA

Figure 11 shows the Advance LDAP properties screen after all relevant changes.

Figure 11. Advance LDAP properties
IBM WebSphere Application Server advanced LDAP
  1. Click Apply, and save the changes.

Create a Java Authentication and Authorization Service module

  1. Under Authentication, expand Web and SIP security, and click General Settings.
  2. Under Web authentication behavior. Ensure that Authenticate only when URI is protected is selected and Use available authentication data when an unprotected URI is accessed is checked.
Figure 12. Web security
WebSphere Application Server dialog window
  1. Click Apply, and save for each of the screens to confirm each settings page.

    On the last page, ensure that the current realm is set to Stand-alone LDAP registry.
  2. For changes to take effect, restart WebSphere Application Server from the admin console.
  3. After it restarts, validate the changes by logging in to the admin console as a WebSphere admin user, using a web browser (URL example: https://<host>:9043/ibm/console)

    User can log in to the WebSphere Application Server admin console using only the Rational Directory Server user credentials. Make sure that the primary administrative user name is local to Rational Directory Server.

    uid=tdsadmin, ou=people, dc=telelogic, dc=com
  4. On the Global Security page, expand Java Authentication > Authorization Services > System Logins.
  5. Select Web Inbound, and click New to create a new login module.
  6. Configure the new Rational Directory Server login module:
    1. Set the module class name as
    2. Select the Login Proxy check box.
    3. Click New, and add three new custom properties (see Table 4).
Table 4. Custom properties for new login module
Property nameProperty value
java.naming.provider.url ldap://host address:1389 tdsadmin tdsadmin's password

After you have completed the settings for the new RDSJAASLoginModule, the resulting display will look similar to Figure 13.

Figure 13. Custom JAAS properties
WebSphere Application Server JAAS properties
  1. Click Apply and then OK.

You have now created a new Rational Directory Server Java Authentication and Authorization Service (JAAS) module.

  1. Set the order in which the login modules are called:
    1. Select Global Security > JAAS – System logins > WEB_INBOUND, and click Set order.
    2. Select
    3. Click Move Up twice to move Rational Directory Server login module to the top.

Figure 14 depicts the JAAS Web Inbound properties page after those settings.

Figure 14. JAAS Web Inbound properties
IBM WebSphere Application Server JAAS web inbound
  1. Click Apply and OK.

You should now see the login modules in this order:


Configure Java Virtual Machine custom properties

Create a system property (similar to defining JAAZ_HOME when configuring Collaborative Lifecycle Management).

  1. To set these properties, in the WebSphere Application Server Integrated Solutions Console, select Servers > Server Types > WebSphere application servers > Server 1.
  2. Under Server Infrastructure, click Java and Process Management > Process Definition > Java Virtual Machine > Additional Properties > Custom Properties.
  3. Click New, and enter the information for these fields:



Figure 15 illustrates the result of these changes.

Figure 15. JVM custom properties
IBM WebSphere Application Server JVM properties
  1. To map user groups to specific applications, click Applications > Application Types > WebSphere enterprise applications.
  2. In the Enterprise Applications list, select jazz_war application, and click Stop.
  3. When it stops, click jazz_war application, and open it for editing
  4. In the Detail properties section, click Security role to user/group mapping.
  5. Select a specific group, such as JazzAdmins (or one of your choice), and click Map groups.
  6. Enter a search string to return your group names from Rational Directory Server, and then click Search to run the query.
  7. Select a group from the LDAP response returned, and move it to the selected column.
  8. Click OK.
  9. Repeat Steps 8 through 10 for the rest of the groups: JazzProjectAdmins, JazzDWAdmins, JazzUsers, and JazzGuests.

Do not enable the All Authenticated option.

  1. Save the changes and restart the jazz_war application.
  2. Log out of admin console and close the browser.
  3. For changes to take effect, restart WebSphere Application Server.

Set up and configure Collaborative Lifecycle Management

After you have configured WebSphere Application Server, configure the Jazz Team Server. For help, see Running the Jazz Team Server Setup wizard.

On the setup page, following these steps:

  1. Log in as Rational Directory Server admin user (for example: tdsadmin).
  2. Select LDAP as the user registry provider, and set the LDAP properties that correspond to the Rational Directory Server. See Table 5.
Table 5. LDAP properties for Rational Directory Server
LDAP properties nameLDAP properties value
LDAP Registry Location ldap://<Host Name>:<Port number of IBM Rational Directory Server>
User name uid=tdsadmin, ou=people, dc=telelogic, dc=com
Password Password for tdsadmin user
Base user DN ou=people, dc=telelogic, dc=com
User property names mapping userid=uid, name=cn, emailAddress=mail
Base group DN ou=Groups, dc=telelogic, dc=com
Group member property uniquemember

The properties not mentioned in Table 5 need to retain the default values.

  1. Click Test Connection, and move to the next step to complete the setup.
  2. Restart the Jazz Team Server.

Next steps

  1. Log in to Jazz Team Server (https://hostname:9443/jts/admin, for example) using tdsadmin user credentials.
  2. Import tdsadmin and other users by following these steps:
    1. Click the Users tab.
    2. When the Users page opens, click Import Users (top-right corner).
    3. In the Import Users dialog window that opens, search for the users that need to be imported.

      You can use wildcard characters, such as asterisks (*), to search for users.
    4. Select the users returned, and click Select.
    5. Click OK to import the selected users. The selected users will be displayed under the list of Active Users.
  3. Configuration is finished, so log out of the admin area.



Get products and technologies



developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Rational software on developerWorks

Zone=Rational, DevOps
ArticleTitle=Simplify user management for Collaborative Lifecycle Management applications