How to configure Rational Team Concert, Jazz Authentication Server and Squid cache server to work together

This page describes a usage or software configuration that may not be supported by IBM.

This document can be used as an unofficial guide for configuring Rational Team Concert (RTC), Jazz Authorization Server (JAS) and the Squid cache server to work together, with the Squid proxy acting as a web accelerator in front of the Jazz applications.

Additional Terms

  1. OIDC – OpenID Connect
  2. JTS – Jazz Team Server
  3. JSA – Jazz Security Architecture

Prelude

This document assumes that:

  1. The user has already configured and is running:
    1. An OIDC-enabled CCM Server
    2. Jazz Authorization Server (JAS)
    3. Squid Server
  2. The JAS administrator credentials are [Username / Password]: ADMIN / ADMIN

Regarding points [1.1] and [1.2] above: the OIDC-enabled CCM server uses Jazz Authorization Server for authentication.

The operating system can be either Windows (Server Class) or GNU/Linux (Enterprise Class).

See the following links for more information on each of these topics.

Deploying Jazz Authorization Server

http://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.2/com.ibm.jazz.install.doc/topics/c_jsasso_jas_deploy_start.html

Managing Users on Jazz Authorization Server

http://www.ibm.com/support/knowledgecenter/en/SS2L6K_6.0.1/com.ibm.jazz.install.doc/topics/t_jsasso_jas_user_mgmt.html?view=kc

Enabling OIDC on CCM Server

https://jazz.net/wiki/bin/view/Main/JsaSsoAdoption
https://jazz.net/help-dev/clm/topic/com.ibm.jazz.install.doc/topics/c_jazz_single_sign_on.html#c_jazz_single_sign_on__jsasso-auth-sec

Setting and configuring Squid

https://jazz.net/library/article/325

Example Squid Configuration

Contents of <SQUID_HOME>/etc/squid.conf:

# Cache replacement policies and on-disk / in-memory cache sizing
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /var/cache/squid 10240 256 256
cache_mem 1024 MB
cache_store_log none
# The CCM/JTS origin server. login=PASSTHRU forwards the browser's credentials to the origin.
# sslflags=DONT_VERIFY_PEER disables verification of the origin server's certificate; this is
# acceptable only in an isolated test setup, not where the proxy-to-origin link can be tampered with.
cache_peer isoval-win7-133.rtc.iot.ibm parent 9443 0 no-query originserver name=httpsAccel ssl login=PASSTHRU sslflags=DONT_VERIFY_PEER
cache_peer_access httpsAccel allow all
cachemgr_passwd disable all
coredump_dir /var/cache/squid

# Accepts every client; in a real deployment restrict this to the networks that should reach the Jazz applications
http_access allow all
# Accelerator (reverse proxy) listener with its own certificate; vhost selects the peer from the Host header
https_port 443 cert=/etc/ssl/server.pem accel key=/etc/ssl/privkey.pem vhost
refresh_pattern .              0       20%     4320

maximum_object_size 5120 MB
maximum_object_size_in_memory 16 MB
buffered_logs on

# Host name Squid presents to clients and in error pages
visible_hostname isoval-win2k8-140.rtc.iot.ibm
access_log /var/log/squid/access.log squid

dns_nameservers ldap145.rtc.iot.ibm
hosts_file /etc/hosts


Update client registration information in jazz authorization server

Every application running on the Jazz Team Server is registered as a client in Jazz Authorization Server. This registration happens during the application deployment stage in jts/setup.

One can view the client registration information by accessing the following URL on the Jazz Authorization Server machine: https://localhost:9643/oidc/endpoint/jazzop/registration

For Jazz Authorization Server to accept the Squid URIs used to access each Jazz application, those URIs must be added to the corresponding client registration entries.

The steps to update the client registration information on the JAS machine are as follows.

FETCH THE CLIENT REGISTRATION DETAILS INTO A FLAT FILE

$ cd <JAS_HOME>/cli

$ lsclient -u ADMIN:ADMIN > ~/file.json

Update the contents of ~/file.json

The file ~/file.json should contain an array of JSON objects, one for each application running on the Jazz Team Server.

For example, there should be four JSON objects in ~/file.json for a Jazz Team Server running the applications ccm/admin, ccm/web, jts/admin and jts/web.

Update the ‘redirect_uris’ and ‘trusted_uri_prefixes’ keys in each JSON object so that they also contain the Squid URIs used to access the respective application. The keys and Squid URIs are highlighted in red in the image below:

[Image: excerpt of ~/file.json with the redirect_uris and trusted_uri_prefixes keys and the Squid URIs highlighted]

With the updated ‘~/file.json’, modify the client registration information using the following command:

# ldclient ADMIN:ADMIN ~/file.json
(where ADMIN:ADMIN are the user credentials and ~/file.json is the path to the updated JSON file)
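The edit to ~/file.json can be scripted instead of done by hand. The following Python script is an added example, not part of this article or of the JAS tooling; it assumes lsclient emits a JSON array of client objects whose redirect_uris and trusted_uri_prefixes keys are lists of strings (the host names are those in the squid.conf above; the client_id values and paths in the sample are constructed). For every https URI on the origin host it adds the same URI on the Squid host, leaves entries for other hosts alone, and can be re-run safely.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Host names are the ones in the squid.conf on this page; the JSON shape is an assumption.
ORIGIN_NETLOC = "isoval-win7-133.rtc.iot.ibm:9443"   # cache_peer origin server
SQUID_NETLOC = "isoval-win2k8-140.rtc.iot.ibm"       # https_port 443, so no explicit port
URI_KEYS = ("redirect_uris", "trusted_uri_prefixes")  # the two keys the text says to update

def to_squid_uri(uri, origin=ORIGIN_NETLOC, squid=SQUID_NETLOC):
    """Squid form of an origin https URI, or None for other hosts and plain-http entries."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.netloc.lower() != origin.lower():
        return None
    return urlunsplit(("https", squid, parts.path, parts.query, parts.fragment))

def add_squid_uris(clients, origin=ORIGIN_NETLOC, squid=SQUID_NETLOC):
    """Append the Squid twin of each origin URI; idempotent; returns how many were added."""
    added = 0
    for client in clients:
        for key in URI_KEYS:
            uris = client.setdefault(key, [])
            for uri in list(uris):              # iterate over a copy while appending
                squid_uri = to_squid_uri(uri, origin, squid)
                # Only exact-host twins are added: trusted_uri_prefixes is a trust boundary,
                # so no prefix broader than the existing origin one is ever introduced.
                if squid_uri and squid_uri not in uris:
                    uris.append(squid_uri)
                    added += 1
    return added

def rewrite_registration_file(src, dst):
    """Read lsclient output from src, add Squid URIs, write the ldclient input to dst."""
    with open(src) as fh:
        clients = json.load(fh)
    added = add_squid_uris(clients)
    with open(dst, "w") as fh:
        json.dump(clients, fh, indent=2)
    return added

# Constructed sample in the assumed shape of lsclient output (two of the four clients).
SAMPLE_CLIENTS = [
    {"client_id": "ccm/web",
     "redirect_uris": ["https://isoval-win7-133.rtc.iot.ibm:9443/ccm/oidc/redirect"],
     "trusted_uri_prefixes": ["https://isoval-win7-133.rtc.iot.ibm:9443/ccm/"]},
    {"client_id": "jts/web",
     "redirect_uris": ["https://isoval-win7-133.rtc.iot.ibm:9443/jts/oidc/redirect"],
     "trusted_uri_prefixes": ["https://isoval-win7-133.rtc.iot.ibm:9443/jts/",
                              "http://isoval-win7-133.rtc.iot.ibm:9080/jts/"]},
]

if __name__ == "__main__":
    print(add_squid_uris(SAMPLE_CLIENTS), "added;", json.dumps(SAMPLE_CLIENTS, indent=2))
```

Run rewrite_registration_file on the file produced by lsclient and feed the output file to ldclient; review the diff before loading it, since every URI in these lists becomes an accepted redirect target.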

Reference: https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/W90ca708d8d15_46d1_b0b9_31a4b4c82d4f/page/Evaluating%20the%20Jazz%20Authorization%20Server

If the user skips the configuration steps in the section UPDATE CLIENT REGISTRATION INFORMATION IN JAZZ AUTHORIZATION SERVER, the following error message appears in the browser when trying to authenticate:
“error_code: unknown_or_missing_jsa_service_parameter
error_message: CRJSA0009E the single sign -on authentication did not succeed because of an application error.
error_message_explanation: The authentication process could not be completed because of a problem with the application. The application might be violating a protocol or using an underlying single sign-on library incorrectly.
error_message_useraction: For details about the cause of the error, check the log files for the application and the authorization server.”

About the author

Kamal Kumar is a senior member of the Rational Team Concert testing team. He can be reached at kamal_chandrashekar@in.ibm.com

© Copyright IBM Corporation 2017