It's all about the answers!

Ask a question

Attempts to enable JAS SSO on an existing deployment fail with a permission error


Karen Steele (1.2k4139148) | asked Mar 03 '21, 11:09 a.m.
I have full permissions to the entire server and all directories on the server so this should work. 

When running repotools-jts -prepareJsaSsoMigration the procedure starts - then failes with CRJAZ2902E The Login attempt to the following server failed because of insufficient permissions : https://localhost:9443/jts
CRJAZ2883I The application has not been prepared to migrate to Jazz Security Architecture single signon.

Any ideas ?

CLM 6.0.6.1 ifix105 - distributed topology each application as its own server

Comments
Ralph Schoon commented Mar 04 '21, 3:15 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

I am concerned. The usage of localhost in the URI makes absolutely no sense, especially if the systems are on separate servers. I am pretty sure, that any trial to set SSO up without fully qualified domain names and correct SSL certificates is doomed to fail. I have seen, when playing with the API, that logins against an incorrect URI fail, even if the physical system is the same with the other URI. 


Karen Steele commented Mar 04 '21, 6:19 a.m.

That is my concern too Ralph, because each server has it own fully qualified name - jts for example is https://clm-dev-jts.mycompany:9443/jts  its not localhost


Ralph Schoon commented Mar 04 '21, 7:20 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Are you using the FQN's when running the repotools then? 


Karen Steele commented Mar 04 '21, 7:37 a.m. | edited Mar 04 '21, 7:42 a.m.

I believe so ... the host file has a definition for the servers FQN and the name is also DNS'd - there is no reference to local host at all... JTS is using is public URI the FQN so the profiles that the prepareJasSsoMigration would be looking at should surely contain the FQN as well .. I will check however


Ralph Schoon commented Mar 04 '21, 7:49 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

The important part is to use the FQN when passing the repository URI to the repotools command. The host file is only needed for this, if you do not have a domaincontroller DNS or want to hide the real servers in an isolated test environment. 


Karen Steele commented Mar 04 '21, 7:54 a.m.
so are you saying Ralph that I need to pass the FQN are part of the repotools ?
e.g. repotools-jts.bat -prepareJasSsoMigration ..and somewhere within that put the FQN ?   our documentation makes no reference to include the fqn ;0)

Thanks for your assistance

Ralph Schoon commented Mar 04 '21, 8:06 a.m. | edited Mar 04 '21, 8:07 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

If you run repotools without parameters it prints its help. Redirect into a readme file. In most of the case I have used repotools, I had to pass the URI of the server. 

 
-prepareJsaSsoMigration requires the URI

run repotools-jts >repotools_help.txt and open the repotools_help.txt in a text editor. Search for the command you want.


Karen Steele commented Mar 04 '21, 8:13 a.m.

Thanks Ralph .. I'll try that out and let you know  ;0)

showing 5 of 8 show 3 more comments

Accepted answer


permanent link
Karen Steele (1.2k4139148) | answered Mar 04 '21, 8:27 a.m.
Thanks Ralph .. that sorted it out ... thanks again for your input

repotools-jts.bat -prepareJsaSsoMigration repositoryURL=https://myserver:port/jts adminUserId=jazzadmin adminPassword=X

(our documentation for this only says to put the first bit and it didn't complain aside from returning the permission error ;0)
Ralph Schoon selected this answer as the correct answer

Comments
Ralph Schoon commented Mar 04 '21, 8:48 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Not sure where your documentation comes from. If in doubt run repotools to get the help. 


Karen Steele commented Mar 04 '21, 9:01 a.m.

off our IBM Knowledge Center is where I go to for all documentation.


1
Ralph Schoon commented Mar 04 '21, 9:05 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Sigh, mind creating a defect for documentation? 


Karen Steele commented Mar 04 '21, 9:10 a.m.

Will do ...

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.