Jazz Security Architecture single sign-on (SSO) is an authentication protocol based on OpenID Connect. It is an alternative single sign-on method to Kerberos/SPNEGO SSO, IBM® WebSphere® Application Server with Lightweight Third-Party Authentication (LTPA) SSO, or Apache Tomcat SSO. You can enable Jazz Security Architecture SSO authentication for existing Rational solution for Collaborative Lifecycle Management (CLM) deployments by using repository tools commands.
Before you begin
Important: Before you can enable single sign-on
authentication, the Jazz™ Team Server and any CLM applications
that will be enabled must be upgraded to version 6.0 or later. The
upgrade must be complete and verified.
Important: The procedure applies to the CLM applications that have repotools command scripts: Jazz™ Team Server, Change and Configuration Management, Data Collection Component, Global Configuration Management, Quality Management, Rational® Engineering Lifecycle Manager, and Requirements Management. To enable existing Report Builder and Lifecycle Query Engine applications for single sign-on, see the related links at the end of this topic.
About this task
To enable Jazz Security Architecture SSO for an existing CLM deployment, you must enable both the CLM applications and the Jazz Team Server where the applications are registered. Not all applications need to be enabled at the same time; however, the login experience is not a single sign-on process until every application is enabled, because users are still prompted to log in separately to any application that has not been migrated.
While the servers are online, you run the prepareJsaSsoMigration command to prepare for the migration and create the data files that are needed by the migrateToJsaSso command. Then, while the servers are offline, you run the migrateToJsaSso command to enable single sign-on authentication.
Procedure
- Verify that the Jazz Team Server and CLM applications are
at version 6.0 or later.
- In the Jazz Team Server installation directory, run the repotools-jts -prepareJsaSsoMigration command. A data file is created in the working directory. By default, the file is named jts-ssoMigrationData.json. The file lists the registered OAuth consumers, friend servers, and registered applications for the Jazz Team Server.
- Edit the data file that you created in step 2 and remove any friend servers or registered applications that will not be enabled for single sign-on authentication.
  - Go to the friends section of the file.
  - Delete the associated block of lines that are delimited by braces ({ and }).
Important: If Report Builder and Lifecycle Query Engine entries are included as registered applications in the friends section of the data file, these applications must be enabled for single sign-on authentication. Otherwise, the applications will not function correctly. For more information, see the related links at the end of this topic.
Important: Do not modify the consumers section of the file.
- Similarly, run the prepareJsaSsoMigration command for each CLM application that will be enabled for single sign-on authentication. By default, data files that are named application-ssoMigrationData.json are created, where application is ccm, dcc, gc, qm, or rm. Each data file lists the friends of the associated application.
- Edit each data file that you created in step 4 and remove any friends that will not be enabled for single sign-on authentication.
  - Go to the friends section of the file.
  - Delete the associated block of lines that are delimited by braces ({ and }).
Important: Do not modify the consumers section of the file.
- Stop all the servers.
- Install the Jazz Authorization Server. For more information, see Installing the Rational solution for Collaborative Lifecycle Management by using IBM Installation Manager.
- Verify that the Jazz Authorization Server is configured
correctly and running. For more information, see Deploying and starting Jazz Authorization Server.
- If a Lightweight Directory Access Protocol (LDAP) user registry was used previously, configure the Jazz Authorization Server with the same LDAP registry.
- If an Apache Tomcat user registry was used previously, you must migrate the users to the IBM WebSphere Liberty basic user registry. Jazz Authorization Server is based on the IBM WebSphere Liberty server. Because Jazz Authorization Server now performs user authentication, it must be configured with its own user registry; it cannot use the registry of the Apache Tomcat server or WebSphere Application Server that the CLM applications are deployed on. For information about the Apache Tomcat to Liberty Profile Configuration Migration Tool that is included in the WebSphere Application Server Migration Toolkit, see the WASdev Developer Center on IBM developerWorks.
- Enable the Jazz Team Server for single sign-on authentication. In the Jazz Team Server installation directory, run the repotools-jts -migrateToJsaSso command. By default, the command reads the jts-ssoMigrationData.json file in the working directory.
- Similarly, run the migrateToJsaSso command for each CLM application that will be enabled for single sign-on authentication.
Note: The application commands require both their own data file and the Jazz Team Server data file. If an application is deployed on a different host computer than the Jazz Team Server, you must copy the Jazz Team Server data file to the working directory on that host before you run the command there.
- Restart the servers.
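Steps 3 and 5 ask you to hand-edit the friends section of each migration data file while leaving the consumers section untouched and keeping any Report Builder or Lifecycle Query Engine entries. The following script is an added example, not code from the IBM documentation or the repotools, that performs the same pruning mechanically. The layout it assumes for the file (a top-level JSON object with "consumers" and "friends" lists, each friend carrying "name" and "url") and the sample data it embeds are assumptions made for this example; inspect the real file that prepareJsaSsoMigration produces before relying on those key names.

```python
"""Prune friend entries from a Jazz SSO migration data file.

Added example, not part of the IBM documentation. The file layout
below ("consumers" and "friends" lists, friends with "name"/"url")
is an ASSUMPTION; check it against the real jts-ssoMigrationData.json.
"""
import copy
import json
import os
import tempfile

# Constructed sample standing in for jts-ssoMigrationData.json.
SAMPLE_DATA = {
    "consumers": [
        {"consumerKey": "ccm-consumer-key", "name": "CCM"},
        {"consumerKey": "qm-consumer-key", "name": "QM"},
    ],
    "friends": [
        {"name": "CCM", "url": "https://clm.example.com/ccm"},
        {"name": "QM", "url": "https://clm.example.com/qm"},
        {"name": "Report Builder", "url": "https://clm.example.com/rs"},
        {"name": "Legacy RM", "url": "https://legacy.example.com/rm"},
    ],
}

# The topic states that Report Builder and Lifecycle Query Engine
# entries, when present in the friends section, must stay and be
# enabled for SSO. Entries whose name matches are never removed.
MUST_KEEP = ("report builder", "lifecycle query engine", "lqe")


def _norm(url):
    return url.strip().rstrip("/").lower()


def prune_friends(data, exclude_urls):
    """Return (new_data, removed, blocked).

    Friends whose URL is in exclude_urls are dropped, except those
    matching MUST_KEEP, which are reported in `blocked` and retained.
    The consumers section is deep-copied through untouched.
    """
    exclude = {_norm(u) for u in exclude_urls}
    new_data = copy.deepcopy(data)
    removed, blocked, kept = [], [], []
    for friend in new_data.get("friends", []):
        name = friend.get("name", "").lower()
        if _norm(friend.get("url", "")) not in exclude:
            kept.append(friend)
        elif any(tag in name for tag in MUST_KEEP):
            blocked.append(friend)
            kept.append(friend)
        else:
            removed.append(friend)
    new_data["friends"] = kept
    return new_data, removed, blocked


def consumers_unchanged(before, after):
    """True if the consumers section is semantically identical."""
    return (json.dumps(before.get("consumers"), sort_keys=True)
            == json.dumps(after.get("consumers"), sort_keys=True))


def prune_file(path, exclude_urls):
    """Prune `path` in place, keeping a .bak copy; return (removed, blocked)."""
    with open(path) as fh:
        original = json.load(fh)
    new_data, removed, blocked = prune_friends(original, exclude_urls)
    if not consumers_unchanged(original, new_data):
        raise RuntimeError("consumers section changed; refusing to write")
    os.replace(path, path + ".bak")
    with open(path, "w") as fh:
        json.dump(new_data, fh, indent=2)
    return removed, blocked


if __name__ == "__main__":
    # Demo on a temporary copy of the constructed sample.
    tmp = os.path.join(tempfile.mkdtemp(), "jts-ssoMigrationData.json")
    with open(tmp, "w") as fh:
        json.dump(SAMPLE_DATA, fh, indent=2)
    removed, blocked = prune_file(
        tmp, ["https://legacy.example.com/rm/", "https://clm.example.com/rs"])
    print("removed:", [f["name"] for f in removed])
    print("kept despite exclusion:", [f["name"] for f in blocked])
```

Run it once per data file (the jts file and each application-ssoMigrationData.json), passing the URLs of the friends that will not be enabled for SSO. Anything reported as "kept despite exclusion" is a Report Builder or Lifecycle Query Engine entry that the topic says must be enabled for SSO rather than removed.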
Results
The single sign-on authentication is enabled.