Enabling CLM applications for Jazz Security Architecture single sign-on

Jazz Security Architecture single sign-on (SSO) is an authentication protocol based on the OpenID Connect authentication protocol. It is an alternative method of single sign-on authentication to Kerberos/SPNEGO SSO, IBM® WebSphere® Application Server with Lightweight Third-Party Authentication (LTPA) SSO, or Apache Tomcat SSO. You can enable Jazz Security Architecture SSO authentication for existing Rational solution for Collaborative Lifecycle Management (CLM) deployments by using repository tools commands.

Before you begin

Important: Before you can enable single sign-on authentication, the Jazz™ Team Server and any CLM applications that will be enabled must be upgraded to version 6.0 or later. The upgrade must be complete and verified.
Important: The procedure applies to CLM applications that have repotools command scripts: Jazz® Team Server, Change and Configuration Management, Data Collection Component, Global Configuration Management, Quality Management, Rational Engineering Lifecycle Manager, and Requirements Management.

To enable existing Report Builder and Lifecycle Query Engine applications for single sign-on, see the related links at the end of this topic.

About this task

To enable Jazz Security Architecture SSO for existing CLM deployments, you must enable both the CLM applications and the Jazz Team Server where the applications are registered. Not all applications need to be enabled at the same time. However, the login experience is not a single sign-on process until all applications are enabled.

While the servers are online, you run the prepareJsaSsoMigration command to prepare for the migration and create the data files that are needed by the migrateToJsaSso command. Then, while the servers are offline, you run the migrateToJsaSso command to enable single sign-on authentication.

Procedure

  1. Verify that the Jazz Team Server and CLM applications are at version 6.0 or later.
  2. In the installation directory, run the repotools-jts -prepareJsaSsoMigration command. For information about how to use the command and the parameters that must be passed, see Repository tools command to prepare a CLM application for Jazz Security Architecture single sign-on.
    Note: You must pass values for the repositoryURL, adminUserId, and adminPassword attributes in the prepareJsaSsoMigration repotool command for the command to run successfully.
    A data file is created in the working directory. By default, the file is named jts-ssoMigrationData.json. The file lists the registered OAuth consumers, friend servers, and registered applications for the .
  3. Edit the data file that you created in step 2 and remove any friend servers or registered applications that will not be enabled for single sign-on authentication.
    1. Go to the friends section of the file.
    2. Delete the associated block of lines that are delimited by braces ({ and }).
    Important: If Report Builder and Lifecycle Query Engine entries are included as registered applications in the friends section of the data file, these applications must be enabled for single sign-on authentication. Otherwise, the applications will not function correctly. For more information, see the related links at the end of this topic.
    Important: Do not modify the consumers section of the file.
  4. Similarly, run the prepareJsaSsoMigration command for each CLM application that will be enabled for single sign-on authentication.
    By default, data files that are named application-ssoMigrationData.json are created, where application is ccm, dcc, gc, qm, or rm. Each data file lists friends of the associated application.
  5. Edit each data file that you created in step 4 and remove any friends that will not be enabled for single sign-on authentication.
    1. Go to the friends section of the file.
    2. Delete the associated block of lines that are delimited by braces ({ and }).
    Important: Do not modify the consumers section of the file.
  6. Stop all the servers.
  7. Install the Jazz Authorization Server. For more information, see Installing the Rational solution for Collaborative Lifecycle Management by using IBM Installation Manager.
  8. Verify that the Jazz Authorization Server is configured correctly and running. For more information, see Deploying and starting Jazz Authorization Server.
    • If a Lightweight Directory Access Protocol (LDAP) user registry was used previously, configure the Jazz Authorization Server with the same LDAP registry.
    • If an Apache Tomcat user registry was used previously, you must migrate users to the IBM WebSphere Liberty basic user registry. Jazz Authorization Server is based on the IBM WebSphere Liberty server. Because Jazz Authorization Server authenticates users, it must be configured with its own user registry rather than relying on the Apache Tomcat server or WebSphere Application Server that the CLM applications are deployed on. For information about the Apache Tomcat to Liberty Profile Configuration Migration Tool that is included in the WebSphere Application Server Migration Toolkit, see the WASdev Developer Center.
  9. Enable the Jazz Team Server for single sign-on authentication. In the Jazz Team Server installation directory, run the repotools-jts -migrateToJsaSso command. By default, the command reads the jts-ssoMigrationData.json file in the working directory.
  10. Similarly, run the migrateToJsaSso command for each CLM application that will be enabled for single sign-on authentication.
    Note: The application commands require both their own data file and the Jazz Team Server data file. If the applications are deployed on different host computers than the Jazz Team Server, you must copy the Jazz Team Server data file to the working directory on each host.
  11. Restart the servers.
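The data-file editing in steps 3 and 5 is easy to get wrong by hand: the consumers section must stay untouched, and any Report Builder or Lifecycle Query Engine friend that is present must not be dropped. The following added example (not part of the IBM topic or the repotools scripts) applies those rules programmatically; it assumes a JSON layout with top-level "friends" and "consumers" arrays, friend entries with a "name" field, and the context roots rs and lqe for Report Builder and LQE, none of which the topic specifies.

```python
import json
from copy import deepcopy

# Constructed sample in the shape the procedure describes: a "friends" section
# and a "consumers" section. The real field names of jts-ssoMigrationData.json
# are not shown in the topic, so the keys used here are assumptions.
SAMPLE_JTS_DATA = {
    "consumers": [
        {"consumerKey": "ccm-consumer", "name": "Change and Configuration Management"},
        {"consumerKey": "rs-consumer", "name": "Report Builder"},
    ],
    "friends": [
        {"name": "ccm", "rootServicesURL": "https://clm.example.com:9443/ccm/rootservices"},
        {"name": "qm", "rootServicesURL": "https://clm.example.com:9443/qm/rootservices"},
        {"name": "rs", "rootServicesURL": "https://clm.example.com:9443/rs/rootservices"},
        {"name": "lqe", "rootServicesURL": "https://clm.example.com:9443/lqe/rootservices"},
    ],
}

# Friends that may never be removed if they are present: Report Builder and
# Lifecycle Query Engine (assumed here to use the context roots rs and lqe).
MUST_ENABLE = {"rs", "lqe"}


def prune_friends(data, enable):
    """Return a copy of the migration data whose friends section contains only
    the applications named in `enable`. The consumers section is copied as-is.
    Raises ValueError if a Report Builder or LQE friend would be removed."""
    present = {f["name"] for f in data["friends"]}
    blocked = (present & MUST_ENABLE) - set(enable)
    if blocked:
        raise ValueError(f"these friends must be enabled for SSO: {sorted(blocked)}")
    out = deepcopy(data)
    out["friends"] = [f for f in data["friends"] if f["name"] in enable]
    return out


def prune_file(path, enable):
    """Read a *-ssoMigrationData.json file, prune it in place, and return the
    number of friend entries that were removed."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    pruned = prune_friends(data, enable)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(pruned, fh, indent=2)
    return len(data["friends"]) - len(pruned["friends"])


if __name__ == "__main__":
    # Enable CCM, Report Builder and LQE now; QM is left out of this migration.
    kept = prune_friends(SAMPLE_JTS_DATA, {"ccm", "rs", "lqe"})
    print([f["name"] for f in kept["friends"]])  # ['ccm', 'rs', 'lqe']
```

Run prune_file against each application-ssoMigrationData.json with that application's own list of friends to enable; the same check rejects a file in which rs or lqe would be dropped.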

Results

The single sign-on authentication is enabled.