Using LDCLIENT to load new URLs into JAS
CLM version = 6.0.6.1
O/S = Windows
I have two separate environments, prod & stage, each with their own CLM and JAS servers. When I exported the client configuration from JAS in my stage environment, I used the following command:
lsclient -u adminUser:adminPassword > stagejas.backup
from the cli folder under JAS
When I review the contents of the stagejas.backup file I see URLs for the registered apps that reflect the prod env instead of the stage env:
"trusted_uri_prefixes" : [ "https://127.0.0.1/ccm/", "https://production.clm.server.url/ccm/", "https://localhost/ccm/" ],
versus
"trusted_uri_prefixes" : [ "https://127.0.0.1/ccm/", "https://stage.clm.server.url/ccm/", "https://localhost/ccm/" ],
According to the document found here: https://jazz.net/wiki/bin/view/Deployment/ServerRenameAddendum
I should be able to correct the URLs in the stagejas.backup file and then load the corrected URLs back into JAS:
ldclient -u adminUser:adminPassword stagejas.backup
However, when I try the command as shown, I get this error message:
{
"error" : "Missing client data file! Use --help for usage instructions."
}
There is a -c option available which is described as follows:
If a client ID is specified in the file and the -c option is not specified, the corresponding client will be updated.
This is what I am trying to do, change the line for ccm which is represented by this client_id
"client_id" : "04f9c9aa839d4c8a9d3d75fe168b6fe7",
The example provided simply passes the "backup" file as an argument to the command. I also tried renaming the file as a json file but no change.
I also tried redirecting the input from the json file, "< modified_stagejas_backup.json" with the same result.
Has anyone successfully used the ldclient command to load client info into JAS 6.0.6.1?
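An added example (not part of the original post and not IBM tooling): one way to make the URL correction described in the question before handing the file to ldclient. The hostnames are the placeholders from the post, the sample export is constructed from the quoted fragments, and the function names are hypothetical; the walk makes no assumption about the export's layout beyond it being JSON.

```python
import json

# Base URLs are the placeholder hostnames from the post (assumed values).
PROD_BASE = "https://production.clm.server.url/"
STAGE_BASE = "https://stage.clm.server.url/"

# Constructed sample shaped like the fragments quoted in the post.
SAMPLE_EXPORT = """[
  {"client_id": "04f9c9aa839d4c8a9d3d75fe168b6fe7",
   "trusted_uri_prefixes": ["https://127.0.0.1/ccm/",
       "https://production.clm.server.url/ccm/", "https://localhost/ccm/"]},
  {"client_id": "constructed-client-2",
   "trusted_uri_prefixes": ["https://stage.clm.server.url/qm/"]}
]"""

def rewrite(node, old, new, changes, client="?"):
    """Copy node, re-basing every string that starts with old onto new."""
    if isinstance(node, dict):
        client = node.get("client_id", client)
        return {k: rewrite(v, old, new, changes, client) for k, v in node.items()}
    if isinstance(node, list):
        return [rewrite(v, old, new, changes, client) for v in node]
    if isinstance(node, str) and node.lower().startswith(old.lower()):
        changes.append((client, node, new + node[len(old):]))
        return new + node[len(old):]
    return node

def residual(node, host):
    """Strings that still mention the old host, e.g. with an explicit port."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return [s for v in node for s in residual(v, host)]
    return [node] if isinstance(node, str) and host in node.lower() else []

def convert(text, old=PROD_BASE, new=STAGE_BASE):
    """Return (corrected JSON text, list of changes); refuse partial fixes."""
    changes = []
    fixed = rewrite(json.loads(text), old, new, changes)
    leftover = residual(fixed, old.split("//", 1)[1].rstrip("/").lower())
    if leftover:
        raise ValueError(f"production host still present: {leftover}")
    return json.dumps(fixed, indent=2), changes

if __name__ == "__main__":
    text, changes = convert(SAMPLE_EXPORT)
    for client, before, after in changes:
        print(f"{client}: {before} -> {after}")
```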
Accepted answer
Hi Ryan
We have an article written on this scenario and have included the syntax for ldclient.
Command Syntax on Windows for Update (add -c if clientId does not exist on the server)
ldclient.bat -a https://<JazzAuthServerURL>/oidc/endpoint/jazzop -u UserName:Password prod02jas.json
In later versions of Liberty (the one embedded with JAS 7.x) you can use the UI to update the values.
Hope this helps!
Regards
Shubjit
Ryan McBryde selected this answer as the correct answer
Comments
Ryan McBryde
commented Jan 30 '23, 11:39 a.m.
Thank you Shubjit,
2 questions:
I am currently moving off of it, but for now, I am still on 6.0.6.1. Does this work in that version?
When I try that exact syntax that you show above, I get the following error message:
ldclient -a https://<server> /oidc/endpoint/jazzop -u Userid:Password updated_230127_1821_stagejas.json
"failed_modifications" : [ {
And then, for each app, this:
"client_id" : "0143a6370dd742b287df86aff67fe8a5",
"server_response" : {
"error" : "access_denied",
"error_description" : "The user is not authenticated, or is not in the role that is required to complete this request"
What are the rules for escaping special characters in the password field?
Hi Ryan
ldclient does work with 6.0.6.1 as well. I don't think we have a way to escape special characters on these commands.
Does the clientsecret have special characters, and/or does the user password include special characters?
If yes, can you share the special characters used?
And if the ClientSecret is the one with special characters, could you try one without those special characters as a test?
Please be aware that CLM 6.0.6.1 went end of service 2021-10-31 and is no longer being remediated for security vulnerabilities. You can find details at https://www.ibm.com/support/pages/collaborative-lifecycle-management-end-support-dates-60x. I recommend that you upgrade to 7.0.2.
Ryan McBryde
commented Feb 01 '23, 8:52 a.m.
Thank you David Honey. I am encountering this problem because I am in the process of trying to upgrade from 6.0.6.1 to 7.0.2, which requires a switch off of SQL Server to Oracle, which has to be tested in a stage environment before attempting in production, which required a production copy and a server rename, and we have JAS, which complicated the server rename, and now I am trying to follow the "Addendum" instructions to get JAS updated with the correct stage URLs and it keeps failing. Hence my question.
Ryan McBryde
commented Feb 01 '23, 8:59 a.m.
Shubjit, the special chars used are @ and !
I don't believe that the client secret has any special chars in it, but how can I confirm that?
According to the logs, there is an error coming from LDAP, "LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447" and suggests that "check that the account is enabled and not locked." I don't know how to check on an AD account being locked or not. I suspect the problem is due to this username not being correct in the clientmanager section of the AppConfig file. "<user name = "rmcbryde" />" I am not sure if that id, which is mine, requires any further qualification. Any help with the client manager config would be appreciated.
One other answer
Closing this question. It turned out that the account was appearing as locked to LDCLIENT even though I was able to login. Changed the password and the LDCLIENT began to work. Resolved, but not sure why.
Comments
Apparently this is one command where the order of the arguments matters. Putting the -u for user credentials ahead of the -h for host fails, reversing their order succeeds, except now it's complaining that access is denied so I figure that it's not reading the creds arg correctly so I am playing with quotes around the creds and escaping the special chars in the passwd. Fingers crossed.