Enabling CLM applications for Jazz Security Architecture single sign-on

You can use the prepareJsaSsoMigration and migrateToJsaSso repository tools commands to enable existing Rational® solution for Collaborative Lifecycle Management (CLM) installations for Jazz Security Architecture single sign-on (SSO) authentication.

Before you begin

Important: Before the prepareJsaSsoMigration and migrateToJsaSso repository tools commands are used, the Jazz™ Team Server and any CLM applications that will be enabled for Jazz Security Architecture SSO must be upgraded to version 6.0. The upgrade must be complete and verified.
Important: The prepareJsaSsoMigration and migrateToJsaSso commands are supported only by CLM applications that have repotools command scripts: Jazz Team Server, Change and Configuration Management, Data Collection Component, Global Configuration Management, Quality Management, Rational Engineering Lifecycle Manager, and Requirements Management.

To enable existing Report Builder and Lifecycle Query Engine applications for single sign-on, see the related links.

About this task

To enable Jazz Security Architecture SSO for existing CLM deployments, you must enable both the CLM applications and the Jazz Team Server where the applications are registered. All applications do not need to be enabled at the same time. However, the login experience is not single sign-on until all applications are enabled.

While the servers are online, run the prepareJsaSsoMigration command to prepare for the migration and create the data files that are needed by the migrateToJsaSso command. Then, while the servers are offline, run the migrateToJsaSso command to enable single sign-on.

Procedure

  1. If the Jazz Team Server and CLM applications are not at version 6.0, upgrade and verify that the upgrade was successful.
  2. In the Jazz Team Server installation directory, run the repotools-jts -prepareJsaSsoMigration command. A data file is created in the working directory. By default, the file is named jts-ssoMigrationData.json. The file lists the registered OAuth consumers, friend servers, and registered applications for the Jazz Team Server.
  3. Edit the data file that you created in step 2 and remove any friend servers or registered applications that will not be enabled for single sign-on.
    1. Go to the friends section of the file.
    2. Delete the associated block of lines that are delimited by curly braces ("{" and "}").
    Important: If Report Builder and Lifecycle Query Engine entries are included as registered applications in the friends section of the data file, these applications must be enabled for single sign-on. Otherwise, the applications will not function correctly. For more information, see the related links.
    Important: Do not modify the consumers section of the file.
  4. Similarly, run the prepareJsaSsoMigration command for each CLM application that will be enabled for single sign-on. By default, data files that are named application-ssoMigrationData.json are created, where application is ccm, dcc, gc, qm, or rm. Each data file lists friends of the associated application.
  5. Edit each data file that you created in step 4 and remove any friends that will not be enabled for single sign-on.
    1. Go to the friends section of the file.
    2. Delete the associated block of lines that are delimited by curly braces ("{" and "}").
    Important: Do not modify the consumers section of the file.
  6. Shut down all the servers.
  7. Install the Jazz Authorization Server. For more information, see Installing the Rational solution for Collaborative Lifecycle Management by using IBM Installation Manager.
  8. Verify that the Jazz Authorization Server is configured correctly and running. For more information, see Deploying and starting Jazz Authorization Server.
    • If a Lightweight Directory Access Protocol (LDAP) user registry was used previously, configure the Jazz Authorization Server with the same LDAP registry.
    • If an Apache Tomcat user registry was used previously, you must migrate users to the IBM WebSphere Liberty basic user registry. Jazz Authorization Server is based on the IBM WebSphere Liberty server. Because Jazz Authorization Server authenticates users, it must be configured with a user registry instead of using Apache Tomcat server or IBM® WebSphere® Application Server that CLM applications are deployed on. For information about the Apache Tomcat to Liberty Profile Configuration Migration Tool that is included in the WebSphere Application Server Migration Toolkit, see the WASdev Developer Center on IBM developerWorks.
  9. Enable the Jazz Team Server for single sign-on. In the Jazz Team Server installation directory, run the repotools-jts -migrateToJsaSso command. By default, the command reads the jts-ssoMigrationData.json file in the working directory.
  10. Similarly, run the migrateToJsaSso command for each CLM application that will be enabled for single sign-on.
    Note: The application commands require both their own data file and the Jazz Team Server data file. If the applications are deployed on different host computers than the Jazz Team Server, you must copy the Jazz Team Server data file to the working directory on each host.
  11. Restart the servers.

Results

The new single sign-on behavior is enabled.


video icon Watch videos

CLM playlist
Jazz.net channel
User Education channel

learn icon Learn more

CLM learning circle
Agile learning circle
Learning circles

ask icon Ask questions

Jazz.net forum
developerWorks forums

support icon Get support

Support Portal
Deployment wiki
Support blog