r4 - 2022-07-29 - 13:06:08 - ShubjitNaik
<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Updating Client Registration Data In Jazz Authorization Server
<img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/new.png" alt="new.png" width="50" height="50" align="right">
%DKGRAY%
Authors: Main.ShubjitNaik <br>
Build basis: IBM Engineering Lifecycle Management and Jazz Authorization Server 7.x
%ENDCOLOR%</div></sticky>

<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>

<sticky><div style="margin:15px;"></sticky>

When IBM Engineering Lifecycle Management Solution (ELM) is deployed with [[https://www.ibm.com/docs/en/elm/7.0.2?topic=management-managing-users-jazz-authorization-server][Jazz Authorization Server]] (JAS), each ELM application has a client registration in JAS. The registration contains details such as !ClientId, !ClientSecret, Redirect URIs, etc., and the URL to retrieve the data from JAS is =https://JazzAuthServerURI/oidc/endpoint/jazzop/registration=.

There are instances where the !ClientSecret or !RedirectURI for a registered application needs to be changed, for example when you migrate an application from one JAS server to another, or when you see the following error accessing an ELM application: <br>
<verbatim>
error_code: _invalid_client_credentials
error_message: CRJSA0009E The single sign-on authentication did not succeed because of an application error.
error_message_explanation: The authentication process could not be completed because of a problem with the application.
The application might be violating a protocol or using an underlying single sign-on library incorrectly.
error_message_useraction: For details about the cause of the error, check the log files for the application and the authorization server.
</verbatim>

This article describes methods for updating client registration data, such as the !ClientSecret, in JAS and in the ELM applications.

=Note: These instructions do not apply for LQE and LDX as the properties file does not include the !ClientId and Secret value=

---++ Update the Client Secret for application in JAS

---+++ Update Client Secret Using JAS CLI

Jazz Authorization Server bundles CLI tools that help manage client registrations. The following steps update the !ClientSecret for the Jazz Team Server (JTS) application.

*First find the !ClientId for the JTS application*
   * You can either load the URL =https://JazzAuthServerURI/oidc/endpoint/jazzop/registration= and search for the value of the parameter =client_id= under client name =Jazz Team Server=
   * OR on the JTS server view the file =[JTS_HOME]\server\conf\jts\teamserver.properties= and search for =com.ibm.team.repository.servlet.sso_clientId=
   * Let's assume the !ClientId for the JTS application is =bd23ca7b376b4bb7a17680a496048473=

*Export the Client Registration for JTS*
   * On the JAS server
   * Change directory to =[JAS_HOME]\cli= and run the following command
<verbatim>
./lsclient -a https://JazzAuthServerURI/oidc/endpoint/jazzop -u [AdminUser]:[AdminPassword] bd23ca7b376b4bb7a17680a496048473 >& jts.json
</verbatim>
   * Here is a sample exported file; there is one such entry per application.
<verbatim>
[ {
  "functional_user_groupIds" : [ "JazzAdmins" ],
  "trusted_uri_prefixes" : [
    "https://localhost:9443/jts/",
    "https://elm.example.org/jts/",
    "https://127.0.0.1:9443/jts/"
  ],
  "post_logout_redirect_uris" : [
    "https://127.0.0.1:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://elm.example.org/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://localhost:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService"
  ],
  "grant_types" : [
    "authorization_code",
    "client_credentials",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "subject_type" : "public",
  "application_type" : "web",
  "allow_regexp_redirects" : false,
  "registration_client_uri" : "https://JazzAuthServerURI/oidc/endpoint/jazzop/registration/bd23ca7b376b4bb7a17680a496048473",
  "redirect_uris" : [
    "https://localhost:9443/jts/jsa",
    "https://localhost:9443/jts/jsa?confirm=true",
    "https://prod02.example.com:9443/jts/jsa",
    "https://elm.example.org/jts/jsa?confirm=true",
    "https://127.0.0.1:9443/jts/jsa",
    "https://127.0.0.1:9443/jts/jsa?confirm=true"
  ],
  "token_endpoint_auth_method" : "client_secret_basic",
  "client_id" : "bd23ca7b376b4bb7a17680a496048473",
  "introspect_tokens" : true,
  "client_secret_expires_at" : 0,
  "scope" : "openid profile email general",
  "etag" : "ax5TWj+MkZm0Uybao5cBBA==",
  "client_id_issued_at" : 1558514044,
  "client_secret" : "*",
  "resource_ids" : [ ],
  "functional_user_id" : "jts_user",
  "client_name" : "/jts",
  "response_types" : [ "code", "token", "id_token token" ],
  "preauthorized_scope" : "openid profile email general"
} ]
</verbatim>
   * While in edit mode, change the Client Secret value and save the file
      * Edit the following parameter <verbatim>"client_secret" : "*"</verbatim>
      * TO <verbatim>"client_secret" : "NewClientSecret"</verbatim>

*Import the updated data into JAS*
   * On the JAS server
   * Change directory to =[JAS_HOME]\cli= and run the following command
<verbatim>
./ldclient -a https://JazzAuthServerURI/oidc/endpoint/jazzop -u [AdminUser]:[AdminPassword] jts.json
</verbatim>

---+++ OR Update Client Secret Using JAS Web UI

In Jazz Authorization Server version 7.0.2 or higher you can use the Liberty client management UI to update client registration data. (Not recommended in earlier versions due to a Liberty defect). <br>
The following instructions update the !ClientSecret for the JTS application. <br>
   * Access the JAS URL =https://JazzAuthServerURI/oidc/endpoint/jazzop/clientManagement= and log in as an Admin User
   * Click =Edit= next to the Client name =Jazz Team Server= (or the application whose Client secret you intend to change) <br> <img src="%ATTACHURLPATH%/jas_client_mgmt.png" alt="jas_client_mgmt.png" width="600" height="230" /> <br><br>
   * Modify the value for =Client secret= from =*= to a secret of your choice and click =Update= <br> <img src="%ATTACHURLPATH%/update_secret.png" alt="update_secret.png" width="600" height="300" /> <br> <br>

---++ Update Client Secret in ELM Application

The !ClientId and !ClientSecret values can be found in each application's properties file. The following steps update the !ClientSecret for the JTS application.
   * Switch to the JTS server and stop the JTS application server
   * Edit the =[JTS_HOME]\server\conf\jts\teamserver.properties= file
   * Update the following =com.ibm.team.repository.servlet.sso_clientSecret=[Encryptedvalue]= TO =com.ibm.team.repository.servlet.sso_clientSecret=NewClientSecret=
   * Start the JTS server and test login

---+++++!! Related topics: [[https://jazz.net/wiki/bin/view/Deployment/JazzAuthorizationServer][Jazz Authorization Server]], [[https://jazz.net/wiki/bin/view/Deployment/MigrationToAnotherJAS][Migrating JAS Servers]]

<sticky></div></sticky>
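The two manual edits described above (changing =client_secret= in the exported =jts.json= before running =ldclient=, then setting the same value in =teamserver.properties=) can be scripted so that a random secret is generated once and the export file, which now holds it in plaintext, is rewritten with owner-only permissions. This is an added example, not part of the original article or of the JAS tooling; the function names are hypothetical, and it assumes that the export file contains only the JSON array and that JAS accepts a 64-character hex string as a client secret.

```python
import json
import os
import re
import secrets
import tempfile

PROP_KEY = "com.ibm.team.repository.servlet.sso_clientSecret"  # key shown on this page

def set_client_secret(export_path, client_id, new_secret=None):
    """Set client_secret for exactly one client_id in an lsclient export file."""
    with open(export_path, encoding="utf-8") as fh:
        clients = json.load(fh)  # fails loudly if the export is not clean JSON
    matches = [c for c in clients if c.get("client_id") == client_id]
    if len(matches) != 1:
        raise ValueError(f"expected 1 entry for {client_id}, found {len(matches)}")
    # Assumption: JAS accepts a 64-character hex string as a client secret.
    secret = new_secret or secrets.token_hex(32)
    matches[0]["client_secret"] = secret
    # On POSIX, mkstemp creates the temp file with mode 0600, so the plaintext
    # secret is not readable by other local users; os.replace swaps it in.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(export_path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(clients, fh, indent=2)
        os.replace(tmp, export_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return secret

def set_properties_secret(properties_text, secret):
    """Return teamserver.properties text with the sso_clientSecret value replaced."""
    pattern = re.compile(r"^" + re.escape(PROP_KEY) + r"[ \t]*=[^\r\n]*", re.MULTILINE)
    new_text, count = pattern.subn(lambda m: f"{PROP_KEY}={secret}", properties_text)
    if count != 1:
        raise ValueError(f"expected 1 {PROP_KEY} line, found {count}")
    return new_text

if __name__ == "__main__":
    # Constructed sample data, trimmed to the fields this example touches.
    path = os.path.join(tempfile.mkdtemp(), "jts.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump([{"client_id": "bd23ca7b376b4bb7a17680a496048473",
                    "client_name": "/jts", "client_secret": "*"}], fh)
    secret = set_client_secret(path, "bd23ca7b376b4bb7a17680a496048473")
    print(set_properties_secret(PROP_KEY + "=[Encryptedvalue]\n", secret), end="")
```

Delete =jts.json= once the import has succeeded, since it still contains the new secret in plaintext.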
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.