INTRODUCTION
- DOORS – Dynamic Object Oriented Requirement System
It is a requirements management tool that is used for capturing, tracking, analyzing, and managing user requirements.
- RDS – Rational Directory Server
It is designed to provide centralized common infrastructure services for user/group management for supported Rational tools such as IBM Rational DOORS®, IBM Rational Focal Point™, and IBM Rational System Architect.
- LDAP – Lightweight Directory Access Protocol
It is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
- DOORS–RDS Integration Overview:
Managing DOORS users through RDS provides the following benefits –
- Centralized user management across Rational tools, so maintenance of all user details is easy
- Security, in that users cannot be added, deleted, or edited directly from DOORS; a user must have access to LDAP to modify any user.
RDS can be configured in 2 modes –
- Standalone Mode – Here User/Group details reside within the RDS machine
- Corporate Mode – Here RDS fetches User/Group details from the LDAP
RDS supports the following 4 LDAPs:
- Active Directory Server (ADS)
- Tivoli Directory Server (TDS)
- Oracle Directory Server (ODS)
- Forest ADS
- DOORS uses RDS with the Tivoli variant (other products, such as Synergy, use the Apache version of RDS)
STEP BY STEP CONFIGURATIONS & SCENARIOS (CORPORATE MODE):
- After installing RDS and RDA, access RDA using the following web URL:
http://<IP Address of RDS machine>:8080/webrda/rda
The following screenshot shows RDA without any LDAP partitions configured.
No users are listed here because no LDAP partition is configured.
- Configure RDS with an LDAP partition by following the steps below:
- Right-click on Corporate Partition and create a new partition:
- Fill in the LDAP details in the dialogue displayed below:
Partition Name – Can be anything
HostName – IP of the LDAP server
Port Number – Depends on which LDAP is used and whether a secured or non-secured port is used.
1389/389 is used for the non-secured port
1636/636 is used for the secured port
Note – The Enable SSL checkbox should be checked only when you configure a secured partition
- From the LDAP machine, fetch the complete DN of the user (this can be either the Administrator user or any other user on LDAP). On the LDAP machine, if you right-click any user and open its properties, there is a field named Distinguished Name that provides the DN value.
User Log On Attribute - This can be CN, UID or SAMAccount
Every user has a full name, a common name, and a short name; the Log On attribute configured for the partition selects among these, and the user name is displayed accordingly in RDA and in DOORS.
Ex: Suppose an IBM employee's name is John Young; his blorepd name can be JohnY and his Synergy user name can be YoungJ.
- Configure Primary Search Base :
Here the partition can be configured with either a Primary Search Base or Multiple Search Bases.
Multiple Search Base is used for Meta Group scenarios; this is covered in detail later in this document.
LDAP users sit in a hierarchy that follows the organization structure.
Ex: In IBM there is a department for Software, under which there are many groups such as Rational, WebSphere, Tivoli, etc.
So here IBM is the root, and under it there is an Organization Unit (OU) called Software, under which there are either more OUs or directly the groups for each department.
The Primary Search Base is taken from the complete DN of any user on LDAP, with the CN=<name> part removed from the complete DN.
RDS is thus configured to the particular OU given in the search base, and RDS can see only the users and groups under this OU.
- The partition is configured successfully
- Now check the Users and Groups list in RDA.
This displays all users and groups under the OU from the configured LDAP.
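The search-base derivation described above, as an added example (not part of the original guide or of RDS): it removes the leading CN=<name> from a user DN, keeping escaped commas intact, and checks whether another entry falls under the resulting OU. The DNs are constructed sample values, the function names are hypothetical, and case-insensitive comparison of values is an assumption that holds for typical directory string attributes.

```python
def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas (backslash escapes kept intact)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # escaped character, e.g. "\," inside a CN
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.lstrip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.lstrip())
    if not all("=" in p for p in parts):
        raise ValueError(f"malformed DN: {dn!r}")
    return parts

def search_base_from_user_dn(user_dn: str) -> str:
    """Drop the leaf RDN (CN=<name> in the guide) and return the container DN."""
    rdns = split_dn(user_dn)
    if len(rdns) < 2:
        raise ValueError("DN has no parent container to use as a search base")
    return ",".join(rdns[1:])

def _norm(rdn: str) -> tuple[str, str]:
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()

def in_scope(entry_dn: str, search_base: str) -> bool:
    """True if entry_dn lies below search_base, compared RDN by RDN."""
    entry = [_norm(r) for r in split_dn(entry_dn)]
    base = [_norm(r) for r in split_dn(search_base)]
    return len(entry) > len(base) and entry[-len(base):] == base

if __name__ == "__main__":
    # Constructed sample DNs, not taken from the guide.
    base = search_base_from_user_dn(r"CN=Young\, John,OU=Rational,OU=Software,DC=example,DC=com")
    print(base)
    print(in_scope("cn=JohnY, ou=Rational, ou=Software, dc=example, dc=com", base))
    print(in_scope("CN=Admin,OU=Tivoli,OU=Software,DC=example,DC=com", base))
```

Entries outside the derived base, such as the Tivoli one in the sample, are the ones RDS would not list for this partition.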
- User Group Migration From DOORS to RDS :
- XML migration is supported from DOORS to RDS – export users/groups from DOORS into XML format and then use the RDS Migrate feature to migrate them to RDS
- Migration is required to carry over the user roles and access rights that are provided in DOORS for the particular user on LDAP.
- Scenario – Example of migrating one user and group from DOORS to RDS –
- Create a user and group in DOORS with the same name as the User/Group present on LDAP. While creating users, provide the same name in the User Name and System Username fields
- Provide user roles to the users, e.g. Database Manager, Project Manager, etc.
- Create a project and module in DOORS and provide a few access rights to the users and groups created above
- From DOORS, export these users using DOORS Project->Properties->Export Users Groups with Corporate mode
- From RDA, access the Console->Migrate option
Provide the details of the file to which the DOORS users were exported.
Upload the file and click Finish
The Migration Analysis window shows the users listed in different categories. In this case LDAP users with these names are already listed, so the DOORS users to be migrated are listed under Duplicate Users
Select all users, choose Merge, and perform the Migrate operation.
- Using the third-party software JExplorer, check the User ID created for the users before and after migration:
Before Migration :
After Migration :
Note –
After migration, RDS creates one more ID for the user, which holds information on the user role and a set of 1 and 0 digits representing access rights, and which is tied to the Database ID in DOORS. A different ID is created for each DOORS DB, which means the same user can be migrated for different DOORS DBs. The generated ID therefore helps maintain the access rights and roles of the user for specific DOORS DBs.
- Similarly, perform the group migration as well
- After the group migration is done, a specific node is created under Database in RDA. This node is specific to the particular DBID of DOORS.
- Change DOORS to RDS Mode
From DOORS Project Properties -> Change
Select Rational Directory Server
Provide the Server Host as the IP of the RDS server
Provide the Server Port as 1389 for a non-secured connection and 1636 for a secured connection (check the check box)
Perform Test Connection and relaunch the client
- DOORS is launched in RDS Mode
- A DOORS user can no longer create users from DOORS
- DOORS Users and Groups lists all users and groups present in the LDAP OU (Organization Unit) configured for RDS
- Users/groups that were migrated retain the roles and access rights provided by DOORS
- Log in to DOORS with one of the LDAP users (this user should be migrated) – the user logs in successfully, and the proper role and access rights are in effect on the project
- System User Capability in DOORS-RDS Integration –
The System User functionality in DOORS is used when the user wants DOORS to take the user details from the NT/Windows machine user instead of the user providing them.
When DOORS is configured with RDS, this capability can still be used, and system log in can be enabled from RDS. The user NT name provided on LDAP will be the machine log-on name when logging in to DOORS.
From RDS, enable system log in from the following window:
Restart the DOORS server; 2 txt files are created under the data folder of DOORS.
Now log in to your Windows machine using the user name provided as the system log in name, and launch DOORS.
DOORS is launched, and the login dialogue displays a prefilled Username that is greyed out.
RDS provides 2 types of names for system login: either the NT logon name or the Windows logon name, which can be checked from User properties in RDA.
- Two Factor Authentication (TFA):
The TFA feature of RDS provides extra security by adding one more authentication check. This is supported with the help of the third-party software “Radius”. TFA can be enabled/disabled for any user.
When TFA is enabled, DOORS asks the Administrator user for one more authentication, in which the user needs to provide the details of the LDAP user for which TFA is enabled in RDS, so the Administrator should know the credentials of this TFA user as well.
For a non-admin DOORS user that is enabled for TFA, DOORS asks for the user credentials during login, then goes through verification of the Radius user credentials, and then allows DOORS to launch.
TFA can also be used with the System log in feature enabled.
How to enable TFA? :
a. From RDS, enable TFA from the Database node –
b. Provide the Radius details from Security Configuration as in the screenshot below:
Here Host IP is the IP of the Radius machine
Port Number is 1812
Shared Key is: WinRadius
c. Launch the third-party software “Radius” and create the user “Test”
d. In RDS User properties -> Security tab, provide the Radius user details:
e. From DOORS, launch as the Administrator user –
After the Administrator credentials are provided, DOORS prompts with one more authentication popup to enter the details of the RDS user that is enabled for TFA, followed by one more popup to provide the details of the Radius user.
This is how Two Factor Authentication takes place, with multiple authorizations providing more security.
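What the Shared Key does between RDS and the Radius server, as an added example (not code from RDS or from the Radius product): it assumes the password travels in a standard RADIUS Access-Request using the RFC 2865 User-Password hiding, which the guide does not confirm. The key, password and function names below are constructed for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code / attribute types

def _chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    """Client side (the role RDS plays here): UDP payload for port 1812."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    authenticator = authenticator or os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = _chain(padded, secret, authenticator, decrypt=False)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, user), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes):
    """Server side: returns (user, password) as seen with the server's own key."""
    if (len(packet) < 20 or packet[0] != ACCESS_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    hidden = attrs.get(USER_PASSWORD, b"")
    if USER_NAME not in attrs or not hidden or len(hidden) % 16:
        raise ValueError("missing or malformed User-Name/User-Password")
    clear = _chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")
    return attrs[USER_NAME], clear

if __name__ == "__main__":
    key = b"constructed-shared-key"      # constructed value, not from the guide
    pkt = build_access_request(b"Test", b"constructed-password", key)
    print(parse_access_request(pkt, key))
```

The server recovers the password only when its key equals the one entered in the RDS Security Configuration; with a different key the recovered bytes do not match and the Radius check fails.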
- Meta Group Configurations :
RDS is configured for a meta group when only a small set of users from LDAP is required instead of fetching the whole set from the complete domain.
Ex: The ibm.com domain has all user details, whereas a group within it, in.ibm.com, contains details about only employees in India, so it makes sense to point to only in.ibm.com instead of fetching all the users.
How to configure for a meta group?
- From the RDS Corporate Partition, configure as below:
Only the search base changes here –
Here Users_India and Groups_India are the groups created in LDAP under the in.ibm.com domain, which contain only the required set of users/groups.
- Now RDS displays only the users that are under the Users_India group and only the groups that are under the Groups_India group on LDAP
- Now DOORS displays only the users that are under the Users_India group and only the groups that are under the Groups_India group on LDAP
- Any attempt to log in to DOORS with a user who is present in LDAP but is not part of the Users_India group will fail
Reference Links :
http://pic.dhe.ibm.com/infocenter/doorshlp/v9/index.jsp