Edit
Attach
P
rintable
r15 - 2017-02-22 - 15:54:03 -
ShubjitNaik
You are here:
TWiki
>
Deployment Web
>
DeploymentInstallingUpgradingAndMigrating
>
JazzAuthorizationServer
>
JASAndSCIM
<div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%"> ---+!! Configure Jazz Authorization Server for SCIM <img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/todo.png" alt="todo.png" width="50" height="50" align="right"> %DKGRAY% Author: Main.ShubjitNaik<br> Build basis: JAS and CLM version 6.0.2 and higher %ENDCOLOR%</div></sticky> <!-- Page contents top of page on right hand side in box --> <sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;"> %TOC{title="Page contents"}% </div></sticky> <sticky><div style="margin:15px;"></sticky> Jazz Authorization Server (*JAS*) can be configured to use the System for Cross-domain Identity Management (SCIM) for the !WebSphere Liberty profile. SCIM is a standard for cloud-based identity management for single sign-on (SSO) in browsers. It is a RESTful protocol for identity account management operations.%BR% Starting in Rational solution for Collaborative Lifecycle Management (CLM) 6.0.2, Jazz Authorization Server supports SCIM in the Liberty profile. This article will focus on configuration steps to setup CLM with JAS for SCIM. ---++ Important Notes and Pre-requisites * Starting in Collaborative Lifecycle Management (CLM) 6.0.2, Jazz Authorization Server (JAS) supports SCIM in the Liberty profile * For Microsoft Active Directory LDAP Server, CLM and JAS version 6.0.2 or higher needs to be deployed * For any other LDAP Registries, the minimum version of CLM and JAS required to configure SCIM is 6.0.4 (GA in 2017) or higher * Currently the User Synchronization operation by default picks *UserID=sAMAccountName* for Microsoft AD and *UserId=uid* for IBM Tivoli Directory Server and !ApacheDS. It is recommended to *disable the Nighty Sync* operation until verification is completed. * Screenshots added for Non-Microsoft AD configurations are from CLM and JAS versions 6.0.4 M2 ---++ Installation *CLM* %BR% * To deploy JAS to an existing environment and migrate to JAS, visit this [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.3/com.ibm.jazz.install.doc/topics/t_JsaSso_CLM_apps_enable.html][Section]] on our Infocenter * For a new deployment of CLM, Install the applications via IBM Installation Manager and Select the option "Enable Jazz Security Architecture SSO" during the installation%BR%%BR% <img src="%ATTACHURLPATH%/Enable_JAS_SSO.jpg" alt="Enable_JAS_SSO.jpg" width="650" height="250" /> %BR% *JAS* %BR% * Download Jazz Authorization Server install bit from [[https://jazz.net/downloads/clm/releases/6.0.3?p=allDownloads][jazz.net]], under All Downloads Section for the specific version%BR%%BR% <img src="%ATTACHURLPATH%/JAS_Download.jpg" alt="JAS_Download.jpg" width="400" height="75" /> %BR%%BR% * Install Jazz Authorization Server application via Installation Manager, instructions available on our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.3/com.ibm.jazz.install.doc/topics/t_s_server_installation_im.html][Infocenter]]%BR%%BR% <img src="%ATTACHURLPATH%/JAS_Install.jpg" alt="JAS_Install.jpg" width="600" height="200" /> %BR% ---++ Setup and Configure JAS for SCIM with LDAP Registry ---+++ Configuration files * Copy the files from =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults= folder one level up to =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/= * Files we would modify are =server.xml=, =appConfig.xml=, =ldapUserRegistry.xml= and =localUserRegistry.xml= * =appConfig.xml= - Contains Jazz Group/Role mappings and !UserRegistry file information * =ldapUserRegistry.xml= - Configuring Liberty with an LDAP user registry * =localUserRegistry.xml= - Configuring Liberty file based registry ---+++ Enable SCIM * First Enable the Jazz Authorization Server to support SCIM * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml= and include the following in the list of features * <verbatim><feature>scim-1.0</feature> </verbatim> * To configure SCIM you must use Lightweight Directory Access Protocol (LDAP) ---+++ Configure JAS with LDAP registry * By default the bundled Liberty profile is configure with File based user registry and we need to configure it to point to the LDAP server to get information * To do that, edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults/appConfig.xml= file and towards the end of the file change from <verbatim> <include location="localUserRegistry.xml" optional="true"/> <!--include location="ldapUserRegistry.xml" optional="true"/--></verbatim> *TO* <verbatim> <!--include location="localUserRegistry.xml" optional="true"/--> <include location="ldapUserRegistry.xml" optional="true"/></verbatim> %BR% * To Configure the LDAP User Registry, guidance fro LDAP administrators / Network admins may be necessary to complete the configuration Typical information needed from your LDAP Admin * LDAP Server Name and Port (_LDAP Server hostname and Port_) * The Base DN (LDAP Root Tree where Users/Groups can be queried from_) * bindDN and bindPassword (_User ID and password for the user who can query the LDAP directory_) * Group and User filter (_inetOrgPerson, groupOfNames etc_) * User ID and Group ID mappings (_sAMAccountName, cn etc_) * Example configuration for different LDAPs information is available in our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.3/com.ibm.jazz.install.doc/topics/t_config_ldap_connection_liberty.html][Infocenter]] * We have included a few examples from different LDAP environments (MS Active Directory, Tivoli and ApacheDS) to help guide the configuration * We have also included SCIM related configurations in ldapRegistry.xml * Users or Groups listed under <administrator-role> tag are *SCIM administrators* * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults/ldapUserRegistry.xml= and modify to match your environment, examples below ---++++ Microsoft Active Directory * <verbatim><server> <ldapRegistry ldapType="Microsoft Active Directory" baseDN="CN=Users,DC=test,DC=com" bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com" bindPassword="********" host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389" realm="ldapserver:389" recursiveSearch="true" referal="follow" sslEnabled="false"> <activedFilters userFilter="(&(sAMAccountName=%v)(objectcategory=user))" groupFilter="(&(cn=%v)(objectcategory=group))" userIdMap="user:sAMAccountName" groupIdMap="*:cn" groupMemberIdMap="memberOf:member" > </activedFilters> </ldapRegistry> <federatedRepository> <primaryRealm name="FVTRegistry"> <participatingBaseEntry name="CN=Users,DC=test,DC=com"/> </primaryRealm> </federatedRepository> <administrator-role> <user>clmadmin</user> <group>MyJazzAdmins</group> </administrator-role> </font> </server></verbatim> ---++++ IBM Tivoli Directory Server * <verbatim> <server> <ldapRegistry ldapType="IBM Tivoli Directory Server" baseDN="o=test.com" bindDN="uid=clmadmin,c=in,ou=Users,o=test.com" bindPassword="********" host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389" realm="ldapserver:389" recursiveSearch="true" searchTimeout="10m" sslEnabled="false"> <idsFilters groupFilter="(&(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))" groupIdMap="*:cn" groupMemberIdMap="groupOfUniqueNames:uniquemember" userFilter="(&(uid=%v)(objectclass=person))" userIdMap="*:uid"> </idsFilters> <ldapEntityType name="PersonAccount"> <searchBase>c=in,ou=Users,o=test.com</searchBase> </ldapEntityType> <ldapEntityType name="Group"> <searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase> </ldapEntityType> </ldapRegistry> <administrator-role> <user>myscimadmin</user> </administrator-role> </server> </verbatim> * =< ldapEntityType >= tag is not mandatory, but can be used to limit the User and group query scope ---++++ Apache DS * <verbatim><server> <ldapRegistry ldapType="Custom" baseDN="dc=example,dc=com" host="ldapserver" id="ldapserver:10389" ignoreCase="true" port="10389" realm="ldapserver:10389" recursiveSearch="true" referal="follow" sslEnabled="false" timestampFormat="yyyyMMddHHmmss.SSSSSSZ"> <customFilters groupFilter="(&(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))" groupIdMap="*:cn" groupMemberIdMap="groupOfUniqueNames:uniquemember" userFilter="(&(uid=%v)(objectclass=inetOrgPerson))" userIdMap="*:uid" > </customFilters> </ldapRegistry> <administrator-role> <user>myscimdmin</user> </administrator-role> </server> </verbatim> * There are instances during JTS Setup , the SCIM configuration test would report a Timestamp mismatch error. Including the =<timestampFormat>= attribute as shown above resolves the error. ---++++ Search results limit Large User User Registry * Default Search results limit for Users and Groups is set to 4000 for SCIM. To increase it example 100k users, add the following within the ldapRegistry.xml within the <server> pair * <verbatim><federatedRepository maxSearchResults="100000" /> </verbatim> ---++++ Encrypt Passwords * To encrypt passwords entered in "bindPassword", run the script =JazzAuthServer_install_dir/wlp/bin/securityUtility= * After the script completes, copy the output to the bindPassword attribute for the ldapRegistry section * To run the securityUtility script, use the following syntax: * <verbatim>$ securityUtility encode userPassword </verbatim> where _userPassword_ is the password to encode ---++++ Group Mappings * Map Groups to the respective Jazz Roles * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml= * <verbatim> <application id="com.ibm.team.integration.jazzop" location="jazzop.war" name="com.ibm.team.integration.jazzop" context-root="jazzop" type="war"> <application-bnd> <security-role name="JazzAdmins"> <group name="MYJAZZADMINS"/> </security-role> <security-role name="JazzUsers"> <group name="MYJAZZUSERS"/> </security-role> <security-role name="JazzProjectAdmins"> <group name="MYJAZZPROJECTADMINS"/> </security-role> <security-role name="JazzGuests"> <group name="MYJAZZGUESTS"/> </security-role> <security-role name="JazzDebug"> <group name="MYJAZZDEBUG"/> </security-role> </application-bnd> </application></verbatim> * Map Groups and Users who would Administrate JAS * <verbatim><oauth-roles> <authenticated> <special-subject type="ALL_AUTHENTICATED_USERS" /> </authenticated> <clientManager> <group name="MYJAZZADMINS" /> <user name = "MYSCIMADMIN" /> </clientManager> </oauth-roles> </verbatim> ---+++ Configure Database for JAS When you first install the JAS, it comes configured to use a local Derby database for storing information. It is not recommended to use Derby database for a production environment and note that Derby database won't work in a clustered JAS environment, since that information won't be available to all the instances. The basic steps to configure the database are: * Create database tables on a database server which all JAS instances can access * Update the JAS configuration file (appConfig.xml) to use the database server The following links provide information for both Oracle and DB2, and sample SQL scripts are available that can create the necessary tables. But note that you will need to customize these scripts for your own environment. * [[https://jazz.net/wiki/bin/view/Deployment/PerformanceClusteredJAS#DB2][Configure IBM DB2 Database]] * [[https://jazz.net/wiki/bin/view/Deployment/PerformanceClusteredJAS#Oracle][Configure Oracle Database]] ---+++ Test SCIM * Now that JAS is configured with LDAP and SCIM, it is time to start and test if it is configured right * Start the server (Linux example) <verbatim> $ cd JazzAuthServer_install_dir $ ./start-jazz </verbatim> * Access the following URLs to test JAS and SCIM configuration * JAS Configuration URL (Default value for a new setup is _data [ ]_ ) %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/oidc/endpoint/jazzop/.well-known/openid-configuration %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/oidc/endpoint/jazzop/registration * Confirm the SCIM API for Users with this URL %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Users * Confirm the SCIM API for Groups with this URL %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Groups %BR% ---++ Jazz Team Server (JTS) Setup with JAS and SCIM * For a new deployment, CLM installation should be enabled for Jazz Security Architecture SSO * Ensure pop-up blocker is disabled on the browser, or Pop-ups are allowed for CLM and JAS URLs * Accessing the JTS setup page https://jtsserver:port/jts/setup , would not prompt for a Username / Password * Express setup would be disabled for a CLM instance enabled for Jazz Security Architecture SSO %BR% <img src="%ATTACHURLPATH%/JTS_Setup.png" alt="JTS_Setup.png" width="600" height="125" /> %BR% * Run through JTS setup following the prompts until you reach "Register Applications" Page * Enter the Jazz Authorization Server details. *The URL you enter should be accessible by all and is as important as the Jazz Public URI* %BR% %BR% <img src="%ATTACHURLPATH%/JAS_Server.png" alt="JAS_Server.png" width="575" height="350" /> %BR% * *DONOT* register applications at this stage, delete the listed applications that was found and proceed to next step %BR% * In the Next step (Step 6), "Select a type of User Registry", select SCIM %BR% %BR% <img src="%ATTACHURLPATH%/SCIM_Config.png" alt="SCIM_Config.png" width="550" height="375" /> %BR% %BR% * Enter the SCIM Provider URL and Bind User Information %BR% <img src="%ATTACHURLPATH%/SCIM_Registry.png" alt="SCIM_Registry.png" width="550" height="375" /> %BR% %BR% * Enter the Base Group DN and Group mapping information %BR%%BR% *Version 6.0.3 and below* %BR% <img src="%ATTACHURLPATH%/SCIM_User_Group.png" alt="SCIM_User_Group.png" width="600" height="450" /> %BR% %BR% *Version 6.0.4 and above* %BR% <img src="%ATTACHURLPATH%/SCIM_User_Group_604.png" alt="SCIM_User_Group_604.png" width="625" height="600" /> %BR% %BR% * Click Test Connection, Save and Next, A Login window would be displayed, Login as a user with !JazzAdmin role assigned * Assign a License for the User * Go back to *Register Applications* page (Step 5) and register all the applications * Complete the setup ---++ Enable an Existing CLM setup for Jazz Security Architecture * Complete the Jazz Authorization Server SCIM Setup, Configuration and testing as per instructions within this article * Enable CLM applications for Jazz Security Architecture single sign-on following the instructions on our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.3/com.ibm.jazz.install.doc/topics/t_JsaSso_CLM_apps_enable.html][InfoCenter]] * Access the JTS Setup URL and click next until you reach step 6 * "Select a type of User Registry", select SCIM and follow instructions similar to a new JTS setup * Click Test Connection and Next to save the Configuration ---++ Importing Users * *DONOT* click or manually run "Synchronize Jazz Team Server Users With External User Registry" * First test by importing a user manually * Click on *Users > Active Users > Import Users* * Enter a search term, click on the User and Import the user * In the Active User Page, click on the newly imported user and confirm the !UserId maps to what is configured in JAS * Default is *uid* for Tivoli and Apache DS and *sAMAccountName* for Microsoft AD * If there are discrepancies in the !UserID, disable SCIM "Nightly Sync" * Click Server > Advanced Properties and set *Enable Nightly Sync with SCIM provider* to *false* * Manually Import users using repotools from csv file. Instructions are available on the [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.4/com.ibm.jazz.install.doc/topics/r_repotools_importusers.html][IBM Knowledge Center]] ---+++++!! Related topics: [[JazzAuthorizationServer][Jazz Authorization Server]], [[DeploymentWebHome][Deployment web home]] ---+++++!! External links: * [[https://www.ibm.com][IBM]] <sticky></div></sticky>
Edit
|
Attach
|
P
rintable
|
V
iew topic
|
Backlinks:
We
b
,
A
l
l Webs
|
H
istory
:
r29
|
r17
<
r16
<
r15
<
r14
|
More topic actions...
Deployment
Deployment web
Planning and design
Installing and upgrading
Migrating and evolving
Integrating
Administering
Monitoring
Troubleshooting
Community information and contribution guidelines
Create new topic
Topic list
Search
Advanced search
Notify
RSS
Atom
Changes
Statistics
Web preferences
NOTE: Please use the Sandbox web for testing
Status icon key:
To do
Under construction
New
Updated
Constant change
None - stable page
Smaller versions of status icons for inline text:
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our
Terms of Use.
Please read the following
disclaimer
.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more
here
.