Enabling ELM applications for Jazz Security Architecture single sign-on

Jazz Security Architecture single sign-on (SSO) is an authentication protocol based on the OpenID Connect authentication protocol. It is an alternative method of single sign-on authentication to Kerberos/SPNEGO SSO, IBM® WebSphere® Application Server with Lightweight Third-Party Authentication (LTPA) SSO. You can enable Jazz Security Architecture SSO authentication for existing IBM Engineering Lifecycle Management deployments by using repository tools commands.

Before you begin

Important: Before you can enable single sign-on authentication, the Jazz™ Team Server and any ELM applications that will be enabled must be upgraded to version 6.0 or later. The upgrade must be complete and verified.
Important: The procedure applies to ELM applications that have repotools command scripts: Jazz Team Server, Change and Configuration Management, Data Collection Component, Global Configuration Management, Quality Management, Engineering Insights, and Requirements Management.

To enable existing Report Builder and Lifecycle Query Engine applications for single sign-on, see the related links at the end of this topic.

About this task

To enable Jazz Security Architecture SSO for existing ELM deployments, you must enable both the ELM applications and the Jazz Team Server where the applications are registered. All applications do not need to be enabled at the same time. However, the login experience is not a single sign-on process until all applications are enabled.

While the servers are online, you run the prepareJsaSsoMigration command to prepare for the migration and create the data files that are needed by the migrateToJsaSso command. Then, while the servers are offline, you run the migrateToJsaSso command to enable single sign-on authentication.

Procedure

  1. Verify that the Jazz Team Server and other applications are at version 6.0 or later.
  2. In the Jazz Team Server installation directory, run the repotools-jts -prepareJsaSsoMigration command. A data file is created in the working directory. By default, the file is named jts-ssoMigrationData.json. The file lists the registered OAuth consumers, friend servers, and registered applications for the Jazz Team Server.
  3. Edit the data file that you created in step 2 and remove any friend servers or registered applications that will not be enabled for single sign-on authentication.
    1. Go to the friends section of the file.
    2. Delete the associated block of lines that are delimited by braces ({ and }).
    Important: If Report Builder and Lifecycle Query Engine entries are included as registered applications in the friends section of the data file, these applications must be enabled for single sign-on authentication. Otherwise, the applications will not function correctly. For more information, see the related links at the end of this topic.
    Important: Do not modify the consumers section of the file.
  4. Similarly, run the prepareJsaSsoMigration command for each ELM application that will be enabled for single sign-on authentication. By default, data files that are named application-ssoMigrationData.json are created, where application is ccm, dcc, gc, qm, or rm. Each data file lists friends of the associated application.
  5. Edit each data file that you created in step 4 and remove any friends that will not be enabled for single sign-on authentication.
    1. Go to the friends section of the file.
    2. Delete the associated block of lines that are delimited by braces ({ and }).
    Important: Do not modify the consumers section of the file.
  6. Stop all the servers.
  7. Install the Jazz Authorization Server. For more information, see Installing the IBM Engineering Lifecycle Management by using IBM Installation Manager.
  8. Verify that the Jazz Authorization Server is configured correctly and running. For more information, see Deploying and starting Jazz Authorization Server.
    • If a Lightweight Directory Access Protocol (LDAP) user registry was used previously, configure the Jazz Authorization Server with the same LDAP registry.
    • If an Apache Tomcat user registry was used previously, you must migrate users to the IBM WebSphere Liberty basic user registry. Jazz Authorization Server is based on the IBM WebSphere Liberty server. Because Jazz Authorization Server authenticates users, it must be configured with a user registry instead of using Apache Tomcat server or WebSphere Application Server that ELM applications are deployed on. For information about the Apache Tomcat to Liberty Profile Configuration Migration Tool that is included in the WebSphere Application Server Migration Toolkit, see the WASdev Developer Center.
  9. Enable the Jazz Team Server for single sign-on authentication. In the Jazz Team Server installation directory, run the repotools-jts -migrateToJsaSso command. By default, the command reads the jts-ssoMigrationData.json file in the working directory.
  10. Similarly, run the migrateToJsaSso command for each ELM application that will be enabled for single sign-on authentication.
    Note: The application commands require both their own data file and the Jazz Team Server data file. If the applications are deployed on different host computers than the Jazz Team Server, you must copy the Jazz Team Server data file to the working directory on each host.
  11. Restart the servers.

Results

The single sign-on authentication is enabled.


video icon Video

Jazz.net channel
Software Education channel

learn icon Courses

IoT Academy
Skills Gateway

ask icon Community

Jazz.net
Jazz.net forums
Jazz.net library

support icon Support

IBM Support Community
Deployment wiki