Configuring authentication (Versions earlier than 5.0.0)

Configure OAuth2 authentication for Transformation Advisor ddddon a non-OpenShift Container Platform (non-OCP) installation by editing the security configuration script and restarting the product.

Before you begin

Ensure that an OAuth2 server is available and accessible before you begin this procedure.

Procedure

  1. Go to the installation directory and stop Transformation Advisor.
    1. Run the launch script.
      ./launch.sh
    2. Choose Stop Transformation Advisor from the menu.
  2. Create the authentication configuration.
    1. Change to the scripts directory.
      cd scripts
    2. Open the .security_config file for editing.
      vi .security_config
    3. Copy the environment variables from the .security_config_sample file, excluding all comment lines (any text that follows a # character).
    4. Replace the sample values with the actual values for your OAuth2 server.
  3. Start IBM Transformation Advisor.
    1. Run the launch script.
      ./launch.sh
    2. Choose Start Transformation Advisor from the menu.

Sample configuration for the Box.com OAuth2 server

The following example shows a complete .security_config configuration for the Box.com OAuth2 server.

TA_AUTH_ENABLE_TLS=false
TA_LOCAL_INTERNAL_SERVER_PORT=9080
TA_LOCAL_INTERNAL_UI_PORT=3000
TA_LOCAL_INTERNAL_DB_PORT=5984

TA_AUTH_UI_DISABLED=false
TA_AUTH_LIBERTY_DISABLED=false

TA_AUTH_OIDC_CLIENT_ID=lanjmi4l41orezoiz5ektitgnfvtoi4n
TA_AUTH_OIDC_CLIENT_SECRET=1N1CRuTdxlOM5c5XvH3PT3Ijv5Eeaf9r

TA_AUTH_IDENTITY_REQUEST_ENDPOINT=https://account.box.com
TA_AUTH_IDENTITY_REQUEST_ENDPOINT_PATH=/api/oauth2/authorize
TA_AUTH_IDENTITY_REQUEST_ENDPOINT_SCOPE=root_readonly
TA_AUTH_CALLBACK_STATE_PREFIX_PADDING=

TA_AUTH_TOKEN_REQUEST_ENDPOINT=https://api.box.com
TA_AUTH_TOKEN_REQUEST_ENDPOINT_PATH=/oauth2/token

TA_AUTH_TOKEN_VERIFICATION_ENDPOINT=https://api.box.com
TA_AUTH_TOKEN_VERIFICATION_ENDPOINT_PATH=/2.0/users/me

TA_AES_IV=
TA_AES_KEY=
Note: Some OAuth applications do not allow non-HTTPS callback URLs. If that is the case for your provider, the value of TA_AUTH_OIDC_CALLBACK_URI must use an HTTPS endpoint.

What to do next

Configuring MFA: To configure Multi-Factor Authentication (MFA) with your OAuth client, verify that MFA is enabled in your Identity Provider (IdP). This setting must be configured at the IdP level because OAuth depends on the provider to enforce multi-factor authentication during the login flow.