Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Attempts to enable JAS SSO on an existing deployment fail with a permission error

I have full permissions to the entire server and all directories on the server so this should work. 

When running repotools-jts -prepareJsaSsoMigration the procedure starts - then fails with CRJAZ2902E The Login attempt to the following server failed because of insufficient permissions : https://localhost:9443/jts
CRJAZ2883I The application has not been prepared to migrate to Jazz Security Architecture single signon.

Any ideas ?

CLM 6.0.6.1 ifix105 - distributed topology each application as its own server

0 votes

Comments

I am concerned. The usage of localhost in the URI makes absolutely no sense, especially if the systems are on separate servers. I am pretty sure, that any trial to set SSO up without fully qualified domain names and correct SSL certificates is doomed to fail. I have seen, when playing with the API, that logins against an incorrect URI fail, even if the physical system is the same with the other URI. 

That is my concern too Ralph, because each server has its own fully qualified name - jts for example is https://clm-dev-jts.mycompany:9443/jts - it's not localhost

Are you using the FQN's when running the repotools then? 

I believe so ... the host file has a definition for the server's FQN and the name is also DNS'd - there is no reference to local host at all... JTS is using its public URI, the FQN, so the profiles that the prepareJsaSsoMigration would be looking at should surely contain the FQN as well .. I will check however

The important part is to use the FQN when passing the repository URI to the repotools command. The host file is only needed for this if you do not have a domain controller DNS or want to hide the real servers in an isolated test environment.

So are you saying Ralph that I need to pass the FQN as part of the repotools?
e.g. repotools-jts.bat -prepareJsaSsoMigration ..and somewhere within that put the FQN? Our documentation makes no reference to including the FQN ;0)

Thanks for your assistance

If you run repotools without parameters it prints its help. Redirect it into a readme file. In most of the cases where I have used repotools, I had to pass the URI of the server.

 
-prepareJsaSsoMigration requires the URI

run repotools-jts >repotools_help.txt and open the repotools_help.txt in a text editor. Search for the command you want.

Thanks Ralph .. I'll try that out and let you know  ;0)


Accepted answer

Thanks Ralph .. that sorted it out ... thanks again for your input

repotools-jts.bat -prepareJsaSsoMigration repositoryURL=https://myserver:port/jts adminUserId=jazzadmin adminPassword=X

(our documentation for this only says to put the first bit and it didn't complain aside from returning the permission error ;0)
Ralph Schoon selected this answer as the correct answer

0 votes

Comments

Not sure where your documentation comes from. If in doubt run repotools to get the help. 

off our IBM Knowledge Center is where I go to for all documentation.

Sigh, mind creating a defect for documentation? 

1 vote

Will do ...
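
An added example, not part of the thread or of IBM's tooling: a Python pre-flight check for the point made in the comments, that the repository URI passed to repotools must use the server's fully qualified name with a certificate that matches it. The parameter names come from the accepted answer; the function names and the rules for what counts as fully qualified are assumptions.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def check_repository_url(url):
    """Return a list of problems with a repositoryURL; an empty list means it looks usable."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not host:
        return problems + ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        problems.append("IP literal used instead of a host name")
    except ValueError:
        if host in LOOPBACK_NAMES:
            problems.append("loopback host name")
        elif "." not in host:
            problems.append("host name is not fully qualified")
    if not parts.path.strip("/"):
        problems.append("missing context root such as /jts")
    return problems

def certificate_matches(url, timeout=5.0):
    """Verified TLS handshake against the system trust store; True only if
    both the chain and the host name in the URL validate."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname):
                return True
    except (ssl.SSLError, OSError):
        return False

def build_command(url, admin_user, admin_password):
    """Build the argument list for the command in the accepted answer,
    refusing URLs that fail the offline checks."""
    problems = check_repository_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    return ["repotools-jts.bat", "-prepareJsaSsoMigration", f"repositoryURL={url}",
            f"adminUserId={admin_user}", f"adminPassword={admin_password}"]
```

Run `certificate_matches` from the machine where repotools will run; with a private CA it returns False unless that CA is in the system trust store.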


Question asked: Mar 03 '21, 11:09 a.m.

Question was seen: 656 times

Last updated: Mar 04 '21, 9:10 a.m.
