If your organization already uses IBM® Rational® Directory Server in your network infrastructure, you might want to use it with the Rational solution for Collaborative Lifecycle Management (CLM) for authentication and user management. The CLM installation does not support the directory server. To resolve this dilemma, the Rational Directory Server team implemented an extension that can be deployed over any existing Collaborative Lifecycle Management installation to use Rational Directory Server to provide directory services.
This article describes the following procedures in detail:
- Install and configure Rational Directory Server.
- Install the Rational Directory Server extension for CLM.
- Configure IBM® WebSphere® Application Server to enable Rational Directory Server.
- Set up and configure CLM.
The following applications need to be installed and configured:
- IBM Rational Directory Server 5.2.1 or later
- IBM Rational Installation Manager 1.5.2 or later
- IBM WebSphere Application Server 7.0 with Fix Pack 23 or later
- Collaborative Lifecycle Management 184.108.40.206 or later (configured to run on WebSphere Application Server)
Integrate the servers
Follow the steps in the order presented here.
Configure Rational Directory Server groups for Jazz authentication
For Jazz™ authentication, IBM® Rational Team Concert® must be configured to connect to Rational Directory Server.
Prepare the directory server
- Install Rational Directory Server, Version 5.2.1 (Tivoli variant), in corporate mode. For help, see Release notes - Rational Directory Server 5.2.1 (Tivoli) in the information center.
- Create a corporate partition in Rational Directory Server to connect to the corporate LDAP server. See the Creating partitions topic in the information center for help.
In corporate mode, Rational Directory Server can be configured to integrate with your corporate LDAP server. This enables Rational Directory Server to access the corporate LDAP's user objects and groups. They are in read-only mode, thus the data is not modified in any way. In this mode, local users and groups can also be created in Rational Directory Server. The users and groups from both the corporate LDAP server and the Rational Directory Server are available to Rational software for authentication and user management purposes.
Steps to create groups
There are certain groups that must be present in an LDAP server for Rational Team Concert to operate. These groups can be a part of Rational Directory Server or they can be made available in your organization's LDAP server. If these groups are not present in that server, follow these steps to create those groups:
- Log in to Rational Directory Server as an administrator.
- Expand the Groups node.
- Right-click RDS Groups, and select Create Groups.
- Create these five groups:
After you have created all of these groups, add users to them according to the roles and responsibilities.
- Right-click any of the five groups listed under RDS Groups group, and select Properties, as shown in Figure 1.
Figure 1. Rational Directory Server local groups
- Search for the user names that need to be added to this group (see Figures 2 and 3):
- In the Properties dialog window, select the Members tab, and click Add.
- When the "Find users and groups" dialog window opens, enter the user name to search, and click Find.
- When the user name is listed, select it, and click Assign.
- Repeat the same steps for the rest of the users in this group.
- Click OK, and close that group view.
Figure 2. Adding members to a group
Figure 3. Member added to a group
- Repeat the steps for the remaining four groups.
Install the directory server extension for Collaborative Lifecycle Management
The information below provides the basic steps for installing, updating, and uninstalling Rational Directory Server extension for Rational Collaborative Lifecycle Management. During the installation step, there are a couple of questions that need to be answered. Be sure to read the Prerequisites section before you begin.
To install Rational Directory Server extension for Collaborative Lifecycle Management for the first time, perform these tasks first:
- Verify that the server meets the minimum hardware and software requirements to install these applications.
- Install IBM Rational Installation Manager 1.5.2 or later. For installation information, see Installation Manager Considerations
- Install Collaborative Lifecycle Management 220.127.116.11 or later.
- Verify that IBM WebSphere Application Server 7.0 with Fix Pack 23 or later is installed.
- Configure Collaborative Lifecycle Management with WebSphere Application Server.
To simplify configuration of IBM WebSphere Application Server environment, ensure that the CLM installation path does not contain any space. If it is already installed in the path with spaces, replace each space with
%20 in IBM® WebSphere® Application Server and IBM® DB2® database configuration steps.
Install the Rational Directory Server extension for CLM
- Stop IBM WebSphere Application Server.
Note: IBM WebSphere Application Server admin username and password are required.
Figure 4. Stopping IBM WebSphere Application Server
- The Rational Directory Server extension for Collaborative Lifecycle Management installation package contains one .zip file. Download and extract the contents.
- Start IBM Installation Manager. To ensure successful installation, delete the existing repository in the Preferences section of Installation Manager, and add the absolute path for the Rational Directory Server extension for Collaborative Lifecycle Management installation files. For example:
<Path to unzipped folder > \RDSI\Disk1
- Click OK.
- Click Install.
- When the Install Packages window opens, select Rational Directory Server extension for Collaborative Lifecycle Management.
Figure 5. Installing Rational Directory Server extension
- Click Next.
- Read and accept the license agreement, and click Next.
- Accept the default installation location (Jazz Team Server), and click Next.
Figure 6. Packages that can be installed
- Accept the selected feature to be installed, and click Next.
- Accept the default WebSphere Application Server and provide the installed location.
- Click Next.
- Accept the package to be installed, and click Next.
- Click Install to begin the installation process.
- When it is installed, click Finish.
Figure 7. Installation confirmation
- Start WebSphere Application Server (requires admin username and password).
Figure 8. Start IBM WebSphere Application Server
Configure the WebSphere Application Server LDAP stand-alone directory realm to connect to Rational Directory Server
There are several steps necessary to complete this task:
- Configure the stand-alone LDAP registry.
- Configure JVM arguments.
- Configure authorization security settings.
- Add custom properties.
- Stop and restart WebSphere Application Server.
Configure stand-alone LDAP registry
- Use a web browser to log in to the Integrated Solutions Console as WebSphere admin user. (URL example: https://<host>:9043/ibm/console)
- From the application server's Admin console, click Security > Global Security.
- Update the security settings as Table 1 shows.
Table 1. Global security settings
|Security settings name||Settings value|
|Enable administrative security||Enable|
|Enable application security||Enable|
|Java 2 security||Disable|
|User account repository and available realm definitions||Stand-alone LDAP registry|
Figure 9 shows the Global Security page settings.
Figure 9. Global security settings
- Click Set as current, and then click Configure.
- Supply the General Properties and other LDAP parameters shown in Table 2.
Table 2. LDAP settings
|LDAP settings name||Settings value|
|Primary administrative user name||Your user ID DN (example: |
|Server user identity||Automatically generated server identity|
|Host||Name and IP address of Rational Directory Server|
|Port||Port number on which Rational Directory Server is running (example: |
|Type of LDAP server|
|Base Distinguished Name (DN)|
|Bind Distinguished Name||DN of user the ID, for example: |
|Bind password||Password of the user above|
After you have specified the settings, the resulting screen will look similar to Figure 10.
Figure 10. General LDAP properties
- Click Apply, and save the changes.
- In the configuration section, click Test Connection.
- In the Additional Properties section, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings.
- Specify the General Properties fields given in Table 3.
Table 3. Advance LDAP settings
|Settings name||Settings values|
|User ID map|
|Group ID map|
|Group member ID map|
|Perform a nested group search|
|Kerberos filter search|
|Certificate map mode|
Figure 11 shows the Advance LDAP properties screen after all relevant changes.
Figure 11. Advance LDAP properties
- Click Apply, and save the changes.
Create a Java Authentication and Authorization Service module
- Under Authentication, expand Web and SIP security, and click General Settings.
- Under Web authentication behavior. Ensure that Authenticate only when URI is protected is selected and Use available authentication data when an unprotected URI is accessed is checked.
Figure 12. Web security
- Click Apply, and save for each of the screens to confirm each settings page.
On the last page, ensure that the current realm is set to Stand-alone LDAP registry.
- For changes to take effect, restart WebSphere Application Server from the admin console.
- After it restarts, validate the changes by logging in to the admin console as a WebSphere admin user, using a web browser (URL example: https://<host>:9043/ibm/console)
User can log in to the WebSphere Application Server admin console using only the Rational Directory Server user credentials. Make sure that the primary administrative user name is local to Rational Directory Server.
uid=tdsadmin, ou=people, dc=telelogic, dc=com
- On the Global Security page, expand Java Authentication > Authorization Services > System Logins.
- Select Web Inbound, and click New to create a new login module.
- Configure the new Rational Directory Server login module:
- Set the module class name as
- Select the Login Proxy check box.
- Click New, and add three new custom properties (see Table 4).
- Set the module class name as
Table 4. Custom properties for new login module
|Property name||Property value|
After you have completed the settings for the new RDSJAASLoginModule, the resulting display will look similar to Figure 13.
Figure 13. Custom JAAS properties
- Click Apply and then OK.
You have now created a new Rational Directory Server Java Authentication and Authorization Service (JAAS) module.
- Set the order in which the login modules are called:
- Select Global Security > JAAS – System logins > WEB_INBOUND, and click Set order.
- Click Move Up twice to move Rational Directory Server login module to the top.
Figure 14 depicts the JAAS Web Inbound properties page after those settings.
Figure 14. JAAS Web Inbound properties
- Click Apply and OK.
You should now see the login modules in this order:
Configure Java Virtual Machine custom properties
Create a system property (similar to defining JAAZ_HOME when configuring Collaborative Lifecycle Management).
- To set these properties, in the WebSphere Application Server Integrated Solutions Console, select Servers > Server Types > WebSphere application servers > Server 1.
- Under Server Infrastructure, click Java and Process Management > Process Definition > Java Virtual Machine > Additional Properties > Custom Properties.
- Click New, and enter the information for these fields:
Figure 15 illustrates the result of these changes.
Figure 15. JVM custom properties
- To map user groups to specific applications, click Applications > Application Types > WebSphere enterprise applications.
- In the Enterprise Applications list, select jazz_war application, and click Stop.
- When it stops, click jazz_war application, and open it for editing
- In the Detail properties section, click Security role to user/group mapping.
- Select a specific group, such as JazzAdmins (or one of your choice), and click Map groups.
- Enter a search string to return your group names from Rational Directory Server, and then click Search to run the query.
- Select a group from the LDAP response returned, and move it to the selected column.
- Click OK.
- Repeat Steps 8 through 10 for the rest of the groups: JazzProjectAdmins, JazzDWAdmins, JazzUsers, and JazzGuests.
Do not enable the All Authenticated option.
- Save the changes and restart the jazz_war application.
- Log out of admin console and close the browser.
- For changes to take effect, restart WebSphere Application Server.
Set up and configure Collaborative Lifecycle Management
After you have configured WebSphere Application Server, configure the Jazz Team Server. For help, see Running the Jazz Team Server Setup wizard.
On the setup page, following these steps:
- Log in as Rational Directory Server admin user (for example:
- Select LDAP as the user registry provider, and set the LDAP properties that correspond to the Rational Directory Server. See Table 5.
Table 5. LDAP properties for Rational Directory Server
|LDAP properties name||LDAP properties value|
|LDAP Registry Location|
|Password||Password for tdsadmin user|
|Base user DN|
|User property names mapping|
|Base group DN|
|Group member property|
The properties not mentioned in Table 5 need to retain the default values.
- Click Test Connection, and move to the next step to complete the setup.
- Restart the Jazz Team Server.
- Log in to Jazz Team Server (https://hostname:9443/jts/admin, for example) using tdsadmin user credentials.
- Import tdsadmin and other users by following these steps:
- Click the Users tab.
- When the Users page opens, click Import Users (top-right corner).
- In the Import Users dialog window that opens, search for the users that need to be imported.
You can use wildcard characters, such as asterisks (*), to search for users.
- Select the users returned, and click Select.
- Click OK to import the selected users. The selected users will be displayed under the list of Active Users.
- Configuration is finished, so log out of the admin area.
- For more information, see the Rational Directory Server product overview. For help, check the information center for help.
- Learn more about the Rational solution for Collaborative Lifecycle Management (CLM):
- Explore the Rational software area on developerWorks for technical resources, best practices, and information about Rational collaborative and integrated solutions for software and systems delivery.
- Stay current with developerWorks technical events and webcasts focused on a variety of IBM products and IT industry topics.
- Attend a free developerWorks Live! briefing to get up-to-speed quickly on IBM products and tools, as well as IT industry trends.
- Watch developerWorks on-demand demos, ranging from product installation and setup demos for beginners to advanced functionality for experienced developers.
Get products and technologies
- Download a free trial version of Rational software.
- Evaluate IBM software in the way that suits you best: Download it for a trial, try it online, use it in a cloud environment.
- Check the Rational software forums to ask questions and participate in discussions.
- Ask and answer questions and increase your expertise when you get involved in the Rational forums, cafés, and wikis.
- Join the Rational community to share your Rational software expertise and get connected with your peers.
- Rate or review Rational software. It's quick and easy.
Dig deeper into Rational software on developerWorks
Get samples, articles, product docs, and community resources to help build, deploy, and manage your cloud apps.
Keep up with the best and latest technical info to help you tackle your development challenges.
Software development in the cloud. Register today to create a project.
Evaluate IBM software and solutions, and transform challenges into opportunities.