Jazz Security Architecture single sign-on (SSO) is an authentication protocol based on
the OpenID Connect authentication protocol. It is an alternative method of single sign-on
authentication to Kerberos/SPNEGO SSO, IBM
WebSphere® Application Server with
Lightweight Third-Party Authentication (LTPA) SSO. You can enable Jazz Security Architecture SSO
authentication for existing IBM
Engineering Lifecycle Management
deployments by using repository tools commands.
Before you begin
Important: Before you can enable single sign-on authentication, the Jazz®
Team Server and any
ELM
applications that will be enabled must be upgraded to version 6.0 or later. The upgrade must be
complete and verified.
Important: The procedure applies to
ELM
applications that have
repotools command scripts:
Jazz
Team Server, Change and
Configuration Management, Data Collection Component, Global Configuration Management, Quality
Management,
Engineering Insights, and
Requirements Management.
To enable existing Report
Builder and
Lifecycle Query Engine
applications for single sign-on, see the related links at the end of this topic.
About this task
To enable Jazz Security Architecture SSO for existing ELM
deployments, you must enable both the ELM
applications and the Jazz
Team Server where the
applications are registered. All applications do not need to be enabled at the same time. However,
the login experience is not a single sign-on process until all applications are enabled.
While the
servers are online, you run the prepareJsaSsoMigration command
to prepare for the migration and create the data files that are needed
by the migrateToJsaSso command. Then, while the
servers are offline, you run the migrateToJsaSso command
to enable single sign-on authentication.
Procedure
-
Verify that the Jazz
Team Server and other
applications are at version 6.0 or later.
- In the Jazz Team Server installation
directory, run the repotools-jts -prepareJsaSsoMigration command. For information
about how to use the command and the parameters that must be passed, see Repository tools command to prepare an ELM application for Jazz Security Architecture single sign-on.
Note: You must pass values for the repositoryURL
, adminUserId
, and
adminPassword
attributes in the prepareJsaSsoMigration repotool
command for the command to run successfully.
A data file is created in the working directory. By default, the file is named
jts-ssoMigrationData.json. The file lists the registered OAuth consumers,
friend servers, and registered applications for the Jazz Team Server.
- Edit the data file
that you created in step 2 and
remove any friend servers or registered applications that will not
be enabled for single sign-on authentication.
- Go to the
friends
section
of the file.
- Delete the associated block of lines that
are delimited by braces (
{
and }
).
Important: If Report
Builder and
Lifecycle Query Engine
entries are included as registered applications in the friends
section of the data
file, these applications must be enabled for single sign-on authentication. Otherwise, the
applications will not function correctly. For more information, see the related links at the end of
this topic.
Important: Do not modify the consumers
section
of the file.
-
Similarly, run the prepareJsaSsoMigration command for each ELM
application that will be enabled for single sign-on authentication.
By default, data files that are named
application-ssoMigrationData.json are created, where
application is ccm,
dcc, gc, qm, or
rm. Each data file lists friends of the associated application.
- Edit each data file that you created in step 4 and
remove any friends that will not be enabled for single sign-on authentication.
- Go to the
friends
section of the file.
- Delete the associated block of lines that are delimited
by braces (
{
and }
).
Important: Do not modify the consumers
section
of the file.
- Stop all the servers.
-
Install the Jazz Authorization Server. For more
information, see Installing the IBM Engineering Lifecycle Management by using IBM Installation Manager.
-
Verify that the Jazz Authorization Server is configured
correctly and running. For more information, see Deploying and starting Jazz Authorization Server.
- If a Lightweight Directory Access Protocol (LDAP) user registry was used previously, configure
the Jazz Authorization Server
with the same LDAP registry.
- If an Apache Tomcat user registry was used previously, you must migrate users to the IBM
WebSphere Liberty basic user registry. Jazz Authorization Server is based on
the IBM WebSphere Liberty server. Because Jazz Authorization Server authenticates
users, it must be configured with a user registry instead of using Apache Tomcat server or WebSphere Application
Server that
ELM
applications are deployed on. For information about the Apache Tomcat to Liberty Profile
Configuration Migration Tool that is included in the WebSphere Application
Server Migration
Toolkit, see the WASdev Developer Center.
- Enable the Jazz
Team Server for
single sign-on authentication. In the Jazz
Team Server installation
directory, run the repotools-jts -migrateToJsaSso command.
By default, the command reads the jts-ssoMigrationData.json file
in the working directory.
-
Similarly, run the migrateToJsaSso command for each ELM
application that will be enabled for single sign-on authentication.
Note: The application commands require both their own data file and the Jazz
Team Server data file.
If the applications are deployed on different host computers than the Jazz
Team Server, you must
copy the Jazz
Team Server data file
to the working directory on each host.
- Restart the servers.
Results
The single sign-on authentication is enabled.