Attempts to enable JAS SSO on an existing deployment fail with a permission error
I have full permissions to the entire server and all directories on the server so this should work.
When running repotools-jts -prepareJsaSsoMigration the procedure starts - then fails with CRJAZ2902E The Login attempt to the following server failed because of insufficient permissions : https://localhost:9443/jts
CRJAZ2883I The application has not been prepared to migrate to Jazz Security Architecture single signon.
Any ideas?
CLM 6.0.6.1 ifix105 - distributed topology, each application has its own server
Accepted answer
Thanks Ralph .. that sorted it out ... thanks again for your input
repotools-jts.bat -prepareJsaSsoMigration repositoryURL=https://myserver:port/jts adminUserId=jazzadmin adminPassword=X
(our documentation for this only says to put the first bit and it didn't complain aside from returning the permission error ;0)
Ralph Schoon selected this answer as the correct answer
Comments
Not sure where your documentation comes from. If in doubt run repotools to get the help.
Karen Steele
commented Mar 04 '21, 9:01 a.m.
off our IBM Knowledge Center is where I go to for all documentation.
Sigh, mind creating a defect for documentation?
Karen Steele
commented Mar 04 '21, 9:10 a.m.
Will do ...
Comments
I am concerned. The usage of localhost in the URI makes absolutely no sense, especially if the systems are on separate servers. I am pretty sure that any trial to set SSO up without fully qualified domain names and correct SSL certificates is doomed to fail. I have seen, when playing with the API, that logins against an incorrect URI fail, even if the physical system is the same with the other URI.
That is my concern too Ralph, because each server has its own fully qualified name - jts for example is https://clm-dev-jts.mycompany:9443/jts, it's not localhost
Are you using the FQNs when running the repotools then?
I believe so ... the host file has a definition for the server's FQN and the name is also DNS'd - there is no reference to localhost at all... JTS is using its public URI, the FQN, so the profiles that the prepareJsaSsoMigration would be looking at should surely contain the FQN as well .. I will check however
The important part is to use the FQN when passing the repository URI to the repotools command. The host file is only needed for this if you do not have a domain controller DNS or want to hide the real servers in an isolated test environment.
If you run repotools without parameters it prints its help. Redirect into a readme file. In most of the cases where I have used repotools, I had to pass the URI of the server.
Thanks Ralph .. I'll try that out and let you know ;0)
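A pre-flight check for the repositoryURL value along the lines of the comments above (a fully qualified name rather than localhost, and a certificate that covers that name), as an added example that is not part of the original thread or of IBM's tooling. The function names, the rule set and the sample certificate names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def san_matches(host, san):
    """DNS-name match where a wildcard covers exactly one left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return host == san

def check_repository_url(url, cert_sans):
    """Return a list of problems with a repositoryURL; empty means none found."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not host:
        return problems + ["no host in URL"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        problems.append("host is a loopback address" if ip.is_loopback
                        else "host is an IP literal, not a name")
    elif host == "localhost" or host.endswith(".localhost"):
        problems.append("host is localhost")
    elif "." not in host:
        problems.append("host is a short name, not fully qualified")
    if parts.path.strip("/") == "":
        problems.append("missing context root such as /jts")
    # Only DNS-name entries are compared; IP entries in a certificate are ignored.
    if not any(san_matches(host, s) for s in cert_sans):
        problems.append("host not covered by the certificate names")
    return problems

# Constructed sample: names assumed to be on the JTS server certificate.
SANS = ["clm-dev-jts.mycompany", "*.clm.example"]

if __name__ == "__main__":
    for url in ("https://localhost:9443/jts",
                "https://clm-dev-jts.mycompany:9443/jts"):
        print(url, "->", check_repository_url(url, SANS) or "ok")
```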