How do I change DCC resource from user/password to OAuth?
I would like to change the 2 other items to use OAuth, but I cannot find clear steps to do so or what I find leads to other questions. i.e.
From DCC setup Resource Groups
- OAuth-JTS
  When you select OAuth-JTS as the authentication type, the Consumer key and Secret fields are displayed. In the Consumer key field, specify the consumer key obtained from the Jazz Team Server. And in the Secret field, specify the secret of the consumer key.
2 answers
Can you please clarify whether the application appears in the Registered Applications section or the Friends (Outbound) section in JTS?
If it's a Registered Application, I don't see any way to do it at all following the instructions, as the document says: "If the resource group is local to your Jazz Team Server where Data Collection Component is also registered, the Consumer key and Secret fields are automatically complete with the values configured when the application was registered and finalized during the Jazz Team Server setup", and of course the secret has never been exposed. Maybe you need to unregister DCC and register it again in this case?
If it's a Friend, you should be able to change the secret in the configuration - Friends (Outbound) section in JTS and consumer section in the other application.
Comments
In DCC, the OAuth key of the resource corresponds to the same application under JTS Registered Applications. I'm reluctant to re-register as I've seen it recommended to not do so.
More from the docs:
- OAuth-JTS
  When you select OAuth-JTS as the authentication type, the Consumer key and Secret fields are displayed. In the Consumer key field, specify the consumer key obtained from the Jazz Team Server. And in the Secret field, specify the secret of the consumer key.
Tip: If the resource group is local to your Jazz Team Server where Data Collection Component is also registered, the Consumer key and Secret fields are automatically complete with the values configured when the application was registered and finalized during the Jazz Team Server setup.
I would think it's quite safe to re-register DCC but I'm not maintaining a production system so don't feel the burden. To re-do the discovery, you need to remove the existing resource group first, which is something you will be reluctant to do as well, if I understand correctly. Also, the discovery feature does not auto-fill the key/secret for you, so it's no better than what you have now. It appears that the auto-completion only happens when you "register" DCC, based on the "tip" that we both quoted.
Comments
Seems reasonable. Does the creation of the new OAuth happen on the DCC or the target app?
It must happen on each target app, so basically all these pages:
I actually tried to do this before I posted my answer, but gave it up. Basically, you cannot add a second OAuth key for the same application. It's my understanding that for registered applications, the only way to change OAuth key is to re-register them, but it does not solve the problem that we never get to know the OAuth secret. That is the reason I suggested re-registering DCC instead. Also, at first I thought the OAuth key would be between DCC and the applications, but it turned out to be more complicated. Based on my observation on the automatically created resource groups, the OAuth-JTS key refers to the key with which JTS is registered as a friend to the other applications. In other words, DCC uses JTS as a "proxy" to visit other applications. I don't have any documents to back up my theory, and it's purely based on observation.
The real problem I'm trying to solve relates to entries in DCC resource groups. What are the ramifications of dropping the 2 using id/password and recreating (hopefully to use OAuth)?
You can add as many OAuth keys as you want; you do not have to specify the application. The "functional user" is the user it emulates when the OAuth key is used, which is why we pick the system-level etl_user to perform ETL jobs. Each application automatically generates one or more OAuth keys, true, but you can't get those secrets and they are bound to the functional users (i.e. ccm_user, dcc_user). That's just part of the apps communicating with each other.
So to clarify, you go make a new trusted OAuth key/secret in each CLM app admin panel, find the key you just created in the list on that same page, edit it to use etl_user as the functional user, then go to DCC's Resource Group Config page and replace your username/passwords with the OAuth key/secret (and change the Authentication type to OAuth - JTS). Find etl_user in your JTS user list and make sure etl_user is assigned the various data collector licenses.
So this is just the basic OAuth stuff. I wonder why they named it "OAuth-JTS". If DCC can communicate with other applications using OAuth, without the need of JTS, the authentication type should just be called "OAuth".