When you configure Report Builder and Lifecycle Query Engine to use Jazz® Team Server (JTS) authentication, JTS authentication requires the LtpaToken2 cookie for both Report Builder and Lifecycle Query Engine. The Jazz Team Server sets up the LtpaToken when you log in to Report Builder.
Before you begin
Check whether the Jazz Team Server has been started before, or whether this is the first time that you are starting the server.
- If you are starting the Jazz Team Server for the first time, edit the <extract>/server/liberty/clmServerTemplate/server.xml file.
- If the server has already been started before, edit the <extract>/server/liberty/servers/clm/server.xml file.
Procedure
Attention: For Ltpa authentication, make sure that the following requirements are met:
- All servers must use an identical user registry configuration.
- All servers must use the same RealmName.
- All servers must use the same DNS domain.
- All servers must use the same LTPA keys.
- Enable application security by verifying that the appSecurity-2.0 feature is present under the featureManager element; if it is not there, add it.
<server description="LQE Eclipse server">
<featureManager>
<!-- Add this if it doesn't exist -->
<feature>appSecurity-2.0</feature>
</featureManager>
<!-- other elements of the file are unchanged -->
</server>
- Search the server.xml file for an existing ltpa entry, similar to the following:
<ltpa keysPassword="{aes}AJe" keysFileName="Path_to_ltpa.keys" />
If there is an existing configuration, make sure that all the systems share the same ltpa keysPassword and that the file that is referenced in the keysFileName attribute is identical on all the systems. Verify that the key files are identical by comparing an MD5 or SHA hash of each file.
If the password does not match or the key file is different, the server will not be able to verify the ltpa tokens.
- Optional: If you don't have an existing ltpa.keys file, complete the following steps:
  - Go to <extract>/server/liberty/wlp/bin/ and use securityUtility to create the ltpa.keys file with a password of your choice:
./securityUtility.sh createLTPAKeys --password=mypassword --passwordEncoding=aes
The following output message is generated:
Created LTPA keys file: ltpa.keys
Add the following configuration to your server.xml file:
<ltpa keysPassword="{aes}AE7E0xPEm/uo37PDQUbJMGMrJqjOZz77N4EIIUxwMCSj" keysFileName="ltpa.keys" />
  - Place the generated ltpa.keys file relative to the server.xml file, at the path that is specified in the keysFileName attribute. Make sure that all the servers share the same ltpa keysPassword and that the file that is referenced in keysFileName is identical on all servers. Verify that the key files are the same by comparing an MD5 or SHA hash of each file.
- Configure the domain and make sure that all the servers use the same DNS domain. If the servers are not in the same domain, edit the server.xml file to list the domains in the ssoDomainNames attribute of the <webAppSecurity> element.
The out-of-the-box server.xml file includes the following element:
<webAppSecurity ssoRequiresSSL="true"/>
Add the ssoDomainNames attribute to this element with your domain. For example, set the domain name to .ibm.com to send LTPA cookies to all hosts in ibm.com through the browser.
<webAppSecurity ssoRequiresSSL="true" ssoDomainNames=".ibm.com" />
With the above configuration, server A and server B both receive the proper cookies from the browser because they are both subdomains of ibm.com.
| Server | Domain |
| A | windows10-1.fyre.ibm.com |
| B | windows10-2.fyre.ibm.com |
Note: Clear any existing cookies before testing, because cookies that were set under the old domain configuration might still exist in the browser.
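The following script is an added example and is not part of the product documentation. It checks which hosts a given ssoDomainNames value covers, using the cookie domain-match rule that browsers apply (the host equals the domain, or ends with "." followed by it), and goes one step beyond the page by deriving the narrowest domain suffix that covers a whole set of server hostnames. The two hostnames in the demo are the ones from the table above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the product documentation): check which hosts an
# ssoDomainNames value covers, and derive the narrowest domain that covers a
# set of server hostnames. The matching rule is the cookie domain-match of
# RFC 6265 (host equals the domain, or ends with "." followed by it).

# cookie_domain_matches HOST DOMAIN: return 0 if a cookie scoped to DOMAIN
# (with or without Liberty's leading dot) is sent to HOST by the browser.
cookie_domain_matches() {
    host="$1"
    dom="${2#.}"
    case "$host" in
        "$dom"|*".$dom") return 0 ;;
        *) return 1 ;;
    esac
}

# uncovered_hosts DOMAIN HOST...: print each host that would NOT receive the
# LTPA cookie under DOMAIN (empty output means the setting covers all hosts).
uncovered_hosts() {
    dom="$1"; shift
    for h in "$@"; do
        cookie_domain_matches "$h" "$dom" || echo "$h"
    done
    return 0
}

# common_domain HOST...: print the longest domain suffix (with leading dot)
# shared by all hosts, comparing DNS labels from the right. A single label such
# as "com" is never returned, since browsers reject cookies on public suffixes.
common_domain() {
    candidate="$1"
    while [ -n "$candidate" ]; do
        case "$candidate" in *.*) ;; *) return 1 ;; esac
        covered=1
        for h in "$@"; do
            cookie_domain_matches "$h" "$candidate" || covered=0
        done
        if [ "$covered" = 1 ]; then
            printf '.%s\n' "$candidate"
            return 0
        fi
        candidate="${candidate#*.}"   # drop the leftmost label and retry
    done
    return 1
}

# Demo with the two hosts from the table above (run with --demo).
if [ "${1:-}" = "--demo" ]; then
    common_domain windows10-1.fyre.ibm.com windows10-2.fyre.ibm.com   # .fyre.ibm.com
    uncovered_hosts .ibm.com windows10-1.fyre.ibm.com windows10-2.fyre.ibm.com build.example.com
fi
```

Run it with `--demo` to see that .fyre.ibm.com is the narrowest domain covering both servers from the table, and that a host outside ibm.com is listed as uncovered. A suffix string match alone is not enough: the `*".$dom"` pattern is what stops a host such as notibm.com from being treated as part of .ibm.com.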
- Set up the server based on your selected user registry:
  - Basic user registry
  For the basic user registry, copy the <extract>/server/liberty/servers/clm/conf/basicUserRegistry.xml file from the JTS server to all other servers. When a user is added to the server, the user is created in the basicUserRegistry.xml file on the JTS server, which must be synchronized to all servers.
  - LDAP user registry
  Make sure that the following file is identical on all servers:
<extract>/server/liberty/servers/clm/conf/ldapUserRegistry.xml
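The ltpa.keys step above asks you to confirm with an MD5 or SHA hash that the key file and keysPassword are the same on every server, and the user registry step asks the same of basicUserRegistry.xml and ldapUserRegistry.xml. The following script is an added example, not part of the product documentation, that performs both checks: it compares a SHA-256 digest of a given file across several server extract directories and extracts the keysPassword from each server.xml. The directory layout follows the page (<extract>/server/liberty/servers/clm/...); the function names and the three sample extracts built by demo_setup are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the product documentation): verify that files which
# must be identical across all servers really are, by comparing a SHA-256
# digest per server, and that every server.xml carries the same ltpa
# keysPassword. The sample extracts created by demo_setup are constructed.

# file_digest FILE: print the SHA-256 digest of FILE with whichever tool exists.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# check_identical RELATIVE_PATH EXTRACT_DIR...: print one "digest  path" line
# per server; return 0 only if the file exists everywhere and all digests agree.
check_identical() {
    rel="$1"; shift
    first_digest=""
    status=0
    for dir in "$@"; do
        file="$dir/$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"
            status=1
            continue
        fi
        digest=$(file_digest "$file")
        echo "$digest  $file"
        if [ -z "$first_digest" ]; then
            first_digest="$digest"
        elif [ "$digest" != "$first_digest" ]; then
            status=1
        fi
    done
    return "$status"
}

# keys_password EXTRACT_DIR: print the keysPassword value of the <ltpa> element
# in the server's server.xml (empty if the element is missing).
keys_password() {
    sed -n 's/.*<ltpa[^>]*keysPassword="\([^"]*\)".*/\1/p' \
        "$1/server/liberty/servers/clm/server.xml" | head -n 1
}

# check_same_password EXTRACT_DIR...: return 0 if every server.xml has an
# <ltpa> element and all keysPassword values are identical.
check_same_password() {
    first_pw=""
    for dir in "$@"; do
        pw=$(keys_password "$dir")
        if [ -z "$pw" ]; then
            echo "no <ltpa keysPassword=...> in $dir"
            return 1
        fi
        if [ -z "$first_pw" ]; then
            first_pw="$pw"
        elif [ "$pw" != "$first_pw" ]; then
            echo "keysPassword differs on $dir"
            return 1
        fi
    done
    return 0
}

# demo_setup ROOT: build three constructed extracts (jts, rb, lqe). jts and rb
# share key material and password; lqe is left with a stale ltpa.keys.
demo_setup() {
    for name in jts rb lqe; do
        clm="$1/$name/server/liberty/servers/clm"
        mkdir -p "$clm/conf"
        printf 'constructed-ltpa-key-material\n' > "$clm/ltpa.keys"
        printf '<server>\n  <ltpa keysPassword="{aes}EXAMPLE" keysFileName="ltpa.keys" />\n</server>\n' \
            > "$clm/server.xml"
        printf '<basicRegistry/>\n' > "$clm/conf/basicUserRegistry.xml"
    done
    printf 'stale-ltpa-key-material\n' > "$1/lqe/server/liberty/servers/clm/ltpa.keys"
}

# Run the checks against the constructed extracts when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    demo_setup "$root"
    check_same_password "$root/jts" "$root/rb" "$root/lqe" && echo "keysPassword: OK"
    check_identical server/liberty/servers/clm/conf/basicUserRegistry.xml "$root/jts" "$root/rb" "$root/lqe" && echo "basicUserRegistry.xml: OK"
    check_identical server/liberty/servers/clm/ltpa.keys "$root/jts" "$root/rb" "$root/lqe" || echo "ltpa.keys: MISMATCH, fix before enabling SSO"
    rm -rf "$root"
fi
```

Against real installations, point check_identical and check_same_password at the extract directories of the JTS, Report Builder and Lifecycle Query Engine servers (for example over a shared mount or after copying the files to one host). A mismatch in ltpa.keys or keysPassword is exactly the condition under which the servers cannot verify each other's LTPA tokens, so run this before clearing cookies and testing the login flow.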