Revision 23 - 2022-07-29 - 06:42:47 - ShubjitNaik
<div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">

---+!! Migrating ELM Environment From One Jazz Authorization Server To Another
%DKGRAY% Authors: Main.ShubjitNaik, Main.DineshKumar <br>
Build basis: Jazz Authorization Server and CLM 6.0.6 and Higher %ENDCOLOR%</div></sticky>

<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>

<sticky><div style="margin:15px;"></sticky>

=DISCLAIMER: These are advanced scenarios that fall outside the scope of standard application support and require prior knowledge of working with !WebSphere Liberty command line utilities. Test these scenarios on a non-production environment first, and take backups before running through the instructions.= <br> <br>

Before you look at the migration scenarios discussed below, it is important to read and understand the distinction between the following:
   * Configuring JAS - Configure JAS as the OIDC provider for CLM : [[https://jazz.net/wiki/bin/view/Deployment/JASUserRegistryConfig][Instructions]]
   * Migration to JAS - Migrate a CLM instance's authorization from OAuth to OIDC : [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6.1/com.ibm.jazz.install.doc/topics/t_JsaSso_CLM_apps_enable.html][Instructions]]
   * Migration to Another JAS - This is the target area of this article

The focus of this article is to provide methods to migrate a CLM environment configured to one JAS to a different JAS. It covers various scenarios in which such a migration is required and, for each scenario, provides a relevant approach to take.

Following are some of the Scenarios
   * Migrate a JAS enabled CLM environment to a centralized JAS setup
   * Clone JAS enabled CLM environment from a Production environment to an existing JAS enabled Staging environment
   * Create Multiple Clones of a JAS enabled CLM environment and connect to common JAS on Staging

---++ Scenario - Migrate a JAS enabled CLM environment to a centralized JAS setup

In this scenario we consider multi-tenant production servers
   * Production A - Consists of a CLM installation _Prod_01_ connected to a single Jazz Authorization Server ( _Prod_01_JAS_ )
   * Production B - Consists of a CLM installation _Prod_02_ connected to its own JAS ( _Prod_02_JAS_ )
   * Both the JAS servers are connected to the corporate LDAP server and the userbase is common

<b><i>Requirement is to have a single JAS setup for all production CLM servers</i></b>. This would mean, discard _Prod_02_JAS_ and move _Prod_02_ authorization to _Prod_01_JAS_. Following is a graphical representation of the requirement.<br>
<img src="%ATTACHURLPATH%/UseCase01_JASConsolidationV1.png" alt="UseCase01_JASConsolidationV1.png" width="900" height="250" /> %BR%

---+++ Overview of the steps involved
   * Export JAS registration from _Prod_02_JAS_
   * Create JAS registration corresponding to the exported data in _Prod_01_JAS_
   * Update the JAS SSO URL and Client Secret in each application teamserver.properties file
   * Discard _Prod_02_JAS_ application and database

---+++ 1. Export JAS registrations from Prod_02_JAS

The first step is to export the JAS registrations data from _Prod_02_JAS_.

Following are instructions
   * On the _Prod_02_JAS_ server, switch directory to =[JazzAuthServerHome]\cli= and run the following commands
      * Linux
<verbatim>
./lsclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] >& prod02jas.json
</verbatim>
      * Windows
<verbatim>
lsclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] > prod02jas.json
</verbatim>
<br>
Here is a sample exported file; we would see one such entry per application.
<verbatim>
[ {
  "functional_user_groupIds" : [ "JazzAdmins" ],
  "trusted_uri_prefixes" : [
    "https://localhost:9443/jts/",
    "https://prod02.example.com:9443/jts/",
    "https://127.0.0.1:9443/jts/"
  ],
  "post_logout_redirect_uris" : [
    "https://127.0.0.1:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://prod02.example.com:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://localhost:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService"
  ],
  "grant_types" : [ "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "subject_type" : "public",
  "application_type" : "web",
  "allow_regexp_redirects" : false,
  "registration_client_uri" : "https://prod02jas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875",
  "redirect_uris" : [
    "https://localhost:9443/jts/jsa",
    "https://localhost:9443/jts/jsa?confirm=true",
    "https://prod02.example.com:9443/jts/jsa",
    "https://prod02.example.com:9443/jts/jsa?confirm=true",
    "https://127.0.0.1:9443/jts/jsa",
    "https://127.0.0.1:9443/jts/jsa?confirm=true"
  ],
  "token_endpoint_auth_method" : "client_secret_basic",
  "client_id" : "5ba62ee8a310409485e3a60988815875",
  "introspect_tokens" : true,
  "client_secret_expires_at" : 0,
  "scope" : "openid profile email general",
  "etag" : "ax5TWj+MkZm0Uybao5cBBA==",
  "client_id_issued_at" : 1558514044,
  "client_secret" : "*",
  "resource_ids" : [ ],
  "functional_user_id" : "jts_user",
  "client_name" : "/jts",
  "response_types" : [ "code", "token", "id_token token" ],
  "preauthorized_scope" : "openid profile email general"
} ]
</verbatim>

---+++ 2. Create/Import the JAS registration to Prod_01_JAS

The next step is to create/import the configuration to _Prod_01_JAS_. Prior to importing the configuration, we need to change the Client Secret and the JAS URL value in the exported data.

Following are instructions
   * Copy the _prod02jas.json_ file exported in the previous step to _Prod_01_JAS_ server. Example path =[JazzAuthServerHome]\cli=
   * Edit the prod02jas.json file and change the JAS URL listed for the parameter =registration_client_uri= to the _Prod_01_JAS_ URL (There would be one parameter per application)
      * Example for *jts* application
<verbatim>
"registration_client_uri" : "https://prod02jas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875"
</verbatim>
      * TO
<verbatim>
"registration_client_uri" : "https://[Prod_01_JAS_URL]:[PORT]/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875"
</verbatim>
   * In edit mode, change the Client Secret; there would be one such entry per application
      * Edit the following parameter <verbatim>"client_secret" : "*"</verbatim>
      * TO <verbatim>"client_secret" : "NewClientSecret"</verbatim>
   * Import/Create the new configurations to the _Prod_01_JAS_ server
      * On _Prod_01_JAS_ , switch directory to =[JazzAuthServerHome]\cli= and run the following command
      * Linux
<verbatim>
./ldclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] -c prod02jas.json
</verbatim>
      * Windows
<verbatim>
ldclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] -c prod02jas.json
</verbatim>

---+++ 3. Update the JAS SSO Details on _Prod_02_ CLM servers

Now that the JAS servers are merged, we have to update the JAS URLs and new Client Secret in the Prod_02 application server teamserver.properties files.

   * Edit the teamserver.properties files on _Prod_02_ application servers. For _jts_, _ccm_, _qm_, _rm_, _dcc_ and _gc_ applications the file is located at =[JAZZ_HOME]\server\conf\[app]\teamserver.properties=
      * For each file update the Client Secret and JAS URL
      * Following is an example for _Prod_02_ _jts_ application teamserver.properties file
         * Change the values from
<verbatim>
com.ibm.team.repository.servlet.sso_as=https\://prod_02_jas.example.com\:9643/oidc/endpoint/jazzop
com.ibm.team.repository.servlet.sso_clientSecret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=]
</verbatim>
         * TO
<verbatim>
com.ibm.team.repository.servlet.sso_as=https\://[Prod_01_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
com.ibm.team.repository.servlet.sso_clientSecret=NewClientSecret
</verbatim>
<br>
   * For _JRS_ the application server file is =[JAZZ_HOME]\server\conf\rs\app.properties=
      * Following is an example for _Prod_02_JRS_ app.properties, update the JAS URL and Client Secret
         * From
<verbatim>
jsa.auth.server.url=https\://prod_02_jas.example.com\:9643/oidc/endpoint/jazzop
jsa.client.secret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=]
</verbatim>
         * TO
<verbatim>
jsa.auth.server.url=https\://[Prod_01_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
jsa.client.secret=NewClientSecret
</verbatim>

---+++ 4. Instructions for LQE and LDX

The lqe.properties file does not include the !ClientID and Secret value. For these 2 applications follow the server rename procedure in our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6.1/com.ibm.jazz.install.doc/topics/t_lqe_servrename.html][Infocenter 6.0.6.1]]

High-level procedure
   * Remove the Data Sources
   * Run Compaction
   * Un-register the applications from JTS > Admin page
   * Change the Config Mode Parameter to True in lqe.properties file, =configMode=true=
   * Register LQE and LDX with JTS
   * Add the Data Sources

---+++ 5. Discard Prod_02_JAS application server and database

Once the JAS servers are merged and the working and testing of Prod_01 and Prod_02 CLM instances are complete, you can discard _Prod_02_JAS_ server. <br><br>

---++ Scenario - Clone a JAS enabled CLM instance from production to staging

In this scenario we consider multi-tenant production servers
   * Production - Consists of 2 CLM instances (_Prod_01_, _Prod_02_) connected to a single Jazz Authorization Server (_ProdJAS_)
   * Staging - Consists of a clone of one of the production CLM instances ( _Prod_01_ renamed to _Prod_01_Clone_ ) and connected to its own JAS (_StagingJAS_)
   * Both the JAS servers are connected to the corporate LDAP server and the userbase is common

Requirement is to clone _Prod_02_ to the existing Staging environment as _Prod_02_Clone_ and connect to _StagingJAS_ for Authorization. Following is a graphical representation of the requirement.<br>
<img src="%ATTACHURLPATH%/ Scenario2_V1.png" alt=" Scenario2_V1.png" width="1000" height="500" /> %BR%

---+++ Overview of the steps involved
   * Clone the CLM instance _Prod_02_ to staging and perform a server rename to _Prod_02_Clone_
   * Export JAS registration of _Prod_02_ (jts,ccm ..) from _ProdJAS_
   * Create JAS registration corresponding to the exported data in _StagingJAS_ (Update !ClientSecret, !PublicURI references)
   * Update the JAS SSO URL and Client Secret in all _Prod_02_Clone_ application teamserver.properties files

---+++ 1. Clone CLM instance and Server Rename

The first step is to clone the production CLM environment _Prod_02_ to staging without the JAS data and perform a Server Rename to change Public URI to _Prod_02_Clone_. The instructions to be followed are listed in the following links, however, follow JAS related steps only to disable it from all applications before the Server Rename. To re-enable JAS on the clone, use the steps in this article to connect to existing JAS _StagingJAS_.
   * [[https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.install.doc%2Ftopics%2Ft_prepare_sandbox_server_rename.html][Server Rename instructions on Infocenter]]
   * [[https://jazz.net/wiki/bin/view/Deployment/ServerRenameAddendum][Server Rename Addendum]]

---+++ 2. Export JAS registrations from Production

The next step is to export the JAS registrations data for _Prod_02_ from _ProdJAS_. In this scenario we consider the _Prod_02_ server consists of _jts_, _ccm_, _dcc_ and _jrs_ applications. We will export individual application registration data from _ProdJAS_.

Following are instructions
   * Find the !ClientID for each application
      * For _jts_, _ccm_, _qm_, _rm_, _dcc_ and _gc_ applications, look for the clientId value in =[JAZZ_HOME]\server\conf\[app]\teamserver.properties=
         * For each application find the clientid, following is an example for _Prod_02_ jts application teamserver.properties file
<verbatim>
com.ibm.team.repository.servlet.sso_clientId=4ce915c5d6a1467b9fcd397d62c29c6e
</verbatim>
      * For _jrs_ access the JAS Registration URL to find the !ClientID
         * Access the following URL for the list of registrations
<verbatim>
https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration
</verbatim>
         * Search for _Prod_02_ specific application URLs, example for _jrs_ search for =https://prod02.example.com/rs=
         * Find the clientid as shown below
<verbatim>
"client_id" : "9b4d6f2d534749fcb11502be2aac86b8" client_name "/jrs"
</verbatim>
   * Export the data from JAS for each client ID
      * Switch directory to =[JazzAuthServerHome]\cli= and run the following command
      * Linux
<verbatim>
./lsclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> >& prod02jts.json
</verbatim>
      * Windows
<verbatim>
lsclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> > prod02jts.json
</verbatim>
      * An example of _Prod_02_ _jts_ application
<verbatim>
./lsclient -a https://prodjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword 4ce915c5d6a1467b9fcd397d62c29c6e >& prod02jts.json
</verbatim>
<br>
In this scenario as we considered 4 applications _jts_, _ccm_, _dcc_ and _jrs_ we would now have exported 4 files, example _prod02jts.json_, _prod02ccm.json_, _prod02dcc.json_ and _prod02jrs.json_. Here is a sample exported file.
<verbatim>
[ {
  "functional_user_groupIds" : [ "JazzAdmins" ],
  "trusted_uri_prefixes" : [
    "https://localhost:9443/jts/",
    "https://prod02.example.com:9443/jts/",
    "https://127.0.0.1:9443/jts/"
  ],
  "post_logout_redirect_uris" : [
    "https://127.0.0.1:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://prod02.example.com:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://localhost:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService"
  ],
  "grant_types" : [ "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "subject_type" : "public",
  "application_type" : "web",
  "allow_regexp_redirects" : false,
  "registration_client_uri" : "https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875",
  "redirect_uris" : [
    "https://localhost:9443/jts/jsa",
    "https://localhost:9443/jts/jsa?confirm=true",
    "https://prod02.example.com:9443/jts/jsa",
    "https://prod02.example.com:9443/jts/jsa?confirm=true",
    "https://127.0.0.1:9443/jts/jsa",
    "https://127.0.0.1:9443/jts/jsa?confirm=true"
  ],
  "token_endpoint_auth_method" : "client_secret_basic",
  "client_id" : "5ba62ee8a310409485e3a60988815875",
  "introspect_tokens" : true,
  "client_secret_expires_at" : 0,
  "scope" : "openid profile email general",
  "etag" : "ax5TWj+MkZm0Uybao5cBBA==",
  "client_id_issued_at" : 1558514044,
  "client_secret" : "*",
  "resource_ids" : [ ],
  "functional_user_id" : "jts_user",
  "client_name" : "/jts",
  "response_types" : [ "code", "token", "id_token token" ],
  "preauthorized_scope" : "openid profile email general"
} ]
</verbatim>

---+++ 3. Create/Import JAS registration on Staging

The next step is to create/import these configurations to the staging JAS environment _StagingJAS_. Prior to importing the configuration, we need to change the URLs to match the server rename performed and the Client Secret.

Following are instructions
   * Copy the .json files exported in the previous step to Staging JAS server ( _StagingJAS_ ), example path =[JazzAuthServerHome]\cli=
   * Change the URLs to match staging servers URLs in each exported .json file
      * Edit each .json file and change the URLs under the parameters =trusted_uri_prefixes= , =post_logout_redirect_uris= and =redirect_uris=
      * Example change URL from =https://prod02.example.com= to =https://prod02clone.example.com=
      * Change the JAS URL listed for the parameter =registration_client_uri= to the Staging JAS URL
<verbatim>
"registration_client_uri" : "https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875"
</verbatim>
      * TO
<verbatim>
"registration_client_uri" : "https://[STAGING_JAS_URL]:[PORT]/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875"
</verbatim>
   * Change the <b>Client Secret</b>
      * Edit the following parameter <verbatim>"client_secret" : "*"</verbatim>
      * TO <verbatim>"client_secret" : "NewClientSecret"</verbatim>
   * Import/Create the new configurations to _StagingJAS_ Server
      * Switch directory to =[JazzAuthServerHome]\cli= and run the following command
      * Linux
<verbatim>
./ldclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod02jts.json
</verbatim>
      * Windows
<verbatim>
ldclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod02jts.json
</verbatim>
      * An example of _Prod_02_ _jts_ .json file imported into _stagingjas_
<verbatim>
./ldclient -a https://stagingjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword -c prod02jts.json
</verbatim>

---+++ 4. Complete Server Rename - JAS

In Step 1 we had performed a Server rename of the cloned _Prod_02_ CLM instance in staging server to _Prod_02_Clone_. We can now complete the Server Rename process with the following steps.
   * Enable JAS on each application teamserver.properties and update the JAS URL to _StagingJAS_ URL
   * Edit the Client Secret value to the new value updated during Import (A restart would encrypt the value)
      * For _jts_, _ccm_, _qm_, _rm_, _dcc_ and _gc_ applications, you can find the Client Secret in =[JAZZ_HOME]\server\conf\[app]\teamserver.properties=
         * For each application update the Client Secret, JAS URL and enable JAS SSO, following is an example for _Prod_02_Clone_ jts application
<verbatim>
com.ibm.team.repository.servlet.sso_as=https\://prodjas.example.com\:9643/oidc/endpoint/jazzop
com.ibm.team.repository.servlet.sso_clientSecret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=]
</verbatim>
         * TO
<verbatim>
com.ibm.team.repository.servlet.sso_as=https\://[STAGING_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
com.ibm.team.repository.servlet.sso_clientSecret=NewClientSecret
</verbatim>
      * For _jrs_ application, the Client Secret and JAS URL can be found in =[JAZZ_HOME]\server\conf\rs\app.properties=
         * Edit the following parameters
<verbatim>
jsa.auth.server.url=https\://prodjas.example.com\:9643/oidc/endpoint/jazzop
jsa.client.secret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=]
</verbatim>
         * TO
<verbatim>
jsa.auth.server.url=https\://[STAGING_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
jsa.client.secret=NewClientSecret
</verbatim>

---+++ 5. Additional Instructions for LQE and LDX

As part of the Server Rename process you would have un-registered the LQE and LDX applications as per instructions from our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6.1/com.ibm.jazz.install.doc/topics/t_lqe_servrename.html][Infocenter 6.0.6.1]].
At this stage you would register the LQE and LDX applications with the new URL (example: https://prod02clone.example.com/lqe/scr and https://prod02clone.example.com/lqe/scr) to the cloned JTS server. This would automatically register a new !ClientID, !ClientSecret and application URIs to the _stagingjas_ server. <br><br><br>

---++ Scenario - Setup Multiple Clones of a JAS enabled CLM environment

In this scenario we consider multi-tenant production servers
   * Production - Consists of 2 CLM instances (_Prod_01_, _Prod_02_) connected to a single Jazz Authorization Server (_ProdJAS_)
   * Staging - Consists of a clone of the production CLM instances ( _Prod_01_Clone_ and _Prod_02_Clone_) and connected to its own JAS (_StagingJAS_)
   * Both the JAS servers are connected to the corporate LDAP server and the userbase is common

Requirement is to clone another copy of _Prod_01_ to the existing Staging environment as _Prod_01_Clone02_ and connect to _StagingJAS_ for Authorization. Following is a graphical representation of the requirement.<br>
<img src="%ATTACHURLPATH%/Scenario03_V1.png" alt="Scenario03_V1.png" width="1000" height="500" /> %BR%

---+++ Overview of the steps involved
   * Clone the CLM instance _Prod_01_ to staging and perform a server rename to _Prod_01_Clone02_ ( _Prod_01_ instance has already been cloned as _Prod_01_Clone_ )
   * Export JAS registration of _Prod_01_ (jts,ccm ..) from _ProdJAS_
   * Update the !ClientID, !ClientSecret and !PublicURI references in the exported file
   * Create JAS registration corresponding to the exported data in _StagingJAS_
   * Update the JAS SSO URL, !ClientID and Client Secret in all _Prod_01_Clone02_ application teamserver.properties files

---+++ 1. Clone Another Copy of CLM instance and Server Rename

The first step is to clone another copy of the production CLM environment _Prod_01_ to staging without the JAS data and perform a Server Rename to change Public URI to _Prod_01_Clone02_.
The instructions to be followed are listed in the following links, however, follow JAS related steps only to disable it from all applications before the Server Rename. To re-enable JAS on the clone, use the steps in this article to connect to existing JAS _StagingJAS_.
   * [[https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.install.doc%2Ftopics%2Ft_prepare_sandbox_server_rename.html][Server Rename instructions on Infocenter]]
   * [[https://jazz.net/wiki/bin/view/Deployment/ServerRenameAddendum][Server Rename Addendum]]

---+++ 2. Export JAS registrations from Production

The next step is to export the JAS registrations data for _Prod_01_ from _ProdJAS_. In this scenario we consider the _Prod_01_ server consists of _jts_, _ccm_ applications. We will export individual application registration data from _ProdJAS_.

Following are instructions
   * Find the Client Id for each application
      * For _jts_, _ccm_, look for the clientId value in =[JAZZ_HOME]\server\conf\[app]\teamserver.properties=
         * For each application find the clientid, following is an example for _Prod_01_ jts application teamserver.properties file
<verbatim>
com.ibm.team.repository.servlet.sso_clientId=4ce915c5d6a1467b9fcd397d62c29c6e
</verbatim>
   * Export the data from JAS for each client ID
      * Switch directory to =[JazzAuthServerHome]\cli= and run the following command
      * Linux
<verbatim>
./lsclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> >& prod01jts.json
</verbatim>
      * Windows
<verbatim>
lsclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> > prod01jts.json
</verbatim>
      * An example of _Prod_01_ _jts_ application
<verbatim>
./lsclient -a https://prodjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword 4ce915c5d6a1467b9fcd397d62c29c6e >& prod01jts.json
</verbatim>
<br>
In this scenario as we considered 2 applications _jts_, _ccm_ we would now have exported 2 files, example _prod01jts.json_, _prod01ccm.json_. Here is a sample exported file.
<verbatim>
[ {
  "functional_user_groupIds" : [ "JazzAdmins" ],
  "trusted_uri_prefixes" : [
    "https://localhost:9443/jts/",
    "https://prod02.example.com:9443/jts/",
    "https://127.0.0.1:9443/jts/"
  ],
  "post_logout_redirect_uris" : [
    "https://127.0.0.1:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://prod02.example.com:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService",
    "https://localhost:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService"
  ],
  "grant_types" : [ "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "subject_type" : "public",
  "application_type" : "web",
  "allow_regexp_redirects" : false,
  "registration_client_uri" : "https://prod02jas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875",
  "redirect_uris" : [
    "https://localhost:9443/jts/jsa",
    "https://localhost:9443/jts/jsa?confirm=true",
    "https://prod02.example.com:9443/jts/jsa",
    "https://prod02.example.com:9443/jts/jsa?confirm=true",
    "https://127.0.0.1:9443/jts/jsa",
    "https://127.0.0.1:9443/jts/jsa?confirm=true"
  ],
  "token_endpoint_auth_method" : "client_secret_basic",
  "client_id" : "4ce915c5d6a1467b9fcd397d62c29c6e",
  "introspect_tokens" : true,
  "client_secret_expires_at" : 0,
  "scope" : "openid profile email general",
  "etag" : "ax5TWj+MkZm0Uybao5cBBA==",
  "client_id_issued_at" : 1558514044,
  "client_secret" : "*",
  "resource_ids" : [ ],
  "functional_user_id" : "jts_user",
  "client_name" : "/jts",
  "response_types" : [ "code", "token", "id_token token" ],
  "preauthorized_scope" : "openid profile email general"
} ]
</verbatim>

---+++ 3. Create/Import JAS registration on Staging

The next step is to create/import these configurations to the staging JAS environment _StagingJAS_.
Prior to importing the configuration, we need to change the URLs to match the server rename performed. The Client ID and Secret need to be changed as well to make the new configuration unique, as the Client ID already exists from the previous import for _Prod_01_Clone_.

Following are instructions
   * Copy the .json files exported in the previous step to Staging JAS server ( _StagingJAS_ ), example path =[JazzAuthServerHome]\cli=
   * Change the URLs to match staging servers URLs in each exported .json file
      * Edit each .json file and change the URLs under the parameters =trusted_uri_prefixes= , =post_logout_redirect_uris= and =redirect_uris=
      * Example change URL from =https://prod01.example.com= to =https://prod01clone02.example.com=
      * Change the JAS URL listed for the parameter =registration_client_uri= to the Staging JAS URL
<verbatim>
"registration_client_uri" : "https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875"
</verbatim>
      * TO
<verbatim>
"registration_client_uri" : "https://[STAGING_JAS_URL]:[PORT]/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875"
</verbatim>
   * Change the <b>Client Id</b> to make it unique to the second clone
      * Edit the following parameter <verbatim>"client_id" : "4ce915c5d6a1467b9fcd397d62c29c6e"</verbatim>
      * TO <verbatim>"client_id" : "prod_01_clone02"</verbatim>
   * Change the <b>Client Secret</b>
      * Edit the following parameter <verbatim>"client_secret" : "*"</verbatim>
      * TO <verbatim>"client_secret" : "NewClientSecret"</verbatim>
   * Import/Create the new configurations to _StagingJAS_ Server
      * Switch directory to =[JazzAuthServerHome]\cli= and run the following command
      * Linux
<verbatim>
./ldclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod01jts.json
</verbatim>
      * Windows
<verbatim>
ldclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod01jts.json
</verbatim>
      * An example of _prod01jts.json_ file imported into _stagingjas_
<verbatim>
./ldclient -a https://stagingjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword -c prod01jts.json
</verbatim>

---+++ 4. Complete Server Rename - JAS

In Step 1 we had performed a Server rename of another clone of the _Prod_01_ CLM instance in staging server to _Prod_01_Clone02_. We can now complete the Server Rename process with the following steps.
   * Enable JAS on each application teamserver.properties and update the JAS URL to _StagingJAS_ URL
   * Edit the Client ID and Client Secret value to the new value updated during Import (A restart would encrypt the value)
      * For _jts_, _ccm_, _qm_, _rm_, _dcc_ and _gc_ applications, you can find the Client Secret in =[JAZZ_HOME]\server\conf\[app]\teamserver.properties=
         * For each application update the Client ID, Client Secret, JAS URL and enable JAS SSO, following is an example for _Prod_01_Clone02_ jts application
<verbatim>
com.ibm.team.repository.servlet.sso_as=https\://prodjas.example.com\:9643/oidc/endpoint/jazzop
com.ibm.team.repository.servlet.sso_clientId=4ce915c5d6a1467b9fcd397d62c29c6e
com.ibm.team.repository.servlet.sso_clientSecret=[qyLk8RKdyNJh0eGxIKjX377VcBQK81CkgKdVX1Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=]
</verbatim>
         * TO
<verbatim>
com.ibm.team.repository.servlet.sso_as=https\://stagingjas.example.com\:9643/oidc/endpoint/jazzop
com.ibm.team.repository.servlet.sso_clientId=Prod_01_Clone02
com.ibm.team.repository.servlet.sso_clientSecret=NewClientSecret
</verbatim>
<br>

---+++++!! Related topics: [[JazzAuthorizationServer][Jazz Authorization Server Landing Page]], [[DeploymentWebHome][Deployment web home]]

---+++++!! External links:
   * [[https://www.ibm.com][IBM]]

<sticky></div></sticky>
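The JSON edits made before each =ldclient= import in the three scenarios above (retarget =registration_client_uri=, rename application hosts in the URI lists, optionally replace =client_id=, set a new =client_secret=), as an added example that is not part of the original article or IBM's tooling. It generates a random secret instead of the article's =NewClientSecret= placeholder and reports any URL that still points at a host that should be gone; the function names and the trimmed sample export are constructed for illustration.

```python
# Added example, not IBM code; function names are this example's own.
import json
import secrets
from urllib.parse import urlsplit, urlunsplit

# URI list fields the article says to edit after a server rename.
URI_LIST_KEYS = ("trusted_uri_prefixes", "post_logout_redirect_uris", "redirect_uris")

# Constructed sample: a trimmed lsclient export shaped like the article's sample.
SAMPLE_EXPORT = """[ {
  "trusted_uri_prefixes" : [ "https://localhost:9443/jts/", "https://prod01.example.com:9443/jts/" ],
  "post_logout_redirect_uris" : [
    "https://prod01.example.com:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService" ],
  "registration_client_uri" :
    "https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration/4ce915c5d6a1467b9fcd397d62c29c6e",
  "redirect_uris" : [ "https://localhost:9443/jts/jsa", "https://prod01.example.com:9443/jts/jsa",
    "https://prod01.example.com:9443/jts/jsa?confirm=true" ],
  "client_id" : "4ce915c5d6a1467b9fcd397d62c29c6e",
  "client_secret" : "*",
  "client_name" : "/jts"
} ]"""


def _rename_host(url, host_map):
    """Swap the host name if it is in host_map; keep scheme, port, path and query."""
    parts = urlsplit(url)
    new_host = host_map.get(parts.hostname)
    if new_host is None:
        return url  # localhost / 127.0.0.1 entries pass through unchanged
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def retarget_export(export_text, target_jas, host_map=None, new_client_ids=None):
    """Rewrite every registration in an export for import into another JAS.

    target_jas      host:port of the JAS that receives the registrations
    host_map        {old application host: new application host} after a server rename
    new_client_ids  {client_name: new client_id} when the old id already exists on the target
    Returns (json_text, {client_id: generated secret}).
    """
    host_map, new_client_ids = host_map or {}, new_client_ids or {}
    generated = {}
    registrations = json.loads(export_text)
    for reg in registrations:
        # Only host:port of registration_client_uri changes, as in the article's example.
        uri = urlsplit(reg["registration_client_uri"])
        reg["registration_client_uri"] = urlunsplit(uri._replace(netloc=target_jas))
        for key in URI_LIST_KEYS:
            if key in reg:
                reg[key] = [_rename_host(u, host_map) for u in reg[key]]
        reg["client_id"] = new_client_ids.get(reg["client_name"], reg["client_id"])
        # The export masks the secret as "*"; issue a fresh random one per client.
        reg["client_secret"] = generated[reg["client_id"]] = secrets.token_urlsafe(32)
    return json.dumps(registrations, indent=2), generated


def stale_hosts(reg, forbidden_hosts):
    """Return (field, url) pairs that still point at a host that should be gone."""
    forbidden = {h.lower() for h in forbidden_hosts}
    urls = [(k, u) for k in URI_LIST_KEYS for u in reg.get(k, [])]
    urls.append(("registration_client_uri", reg["registration_client_uri"]))
    return [(k, u) for k, u in urls if urlsplit(u).hostname in forbidden]


if __name__ == "__main__":
    # Third scenario: second clone of Prod_01 registered on the staging JAS.
    text, new_secrets = retarget_export(
        SAMPLE_EXPORT, "stagingjas.example.com:9643",
        host_map={"prod01.example.com": "prod01clone02.example.com"},
        new_client_ids={"/jts": "prod_01_clone02"})
    for reg in json.loads(text):
        leftovers = stale_hosts(reg, ["prod01.example.com", "prodjas.example.com"])
        print(reg["client_name"], reg["client_id"], "stale:", leftovers)
    # Secrets are returned rather than printed; the same value goes into
    # sso_clientSecret (teamserver.properties) or jsa.client.secret (app.properties).
```

For the consolidation scenario, call =retarget_export= with only the target JAS host and port; the application URLs and client IDs are then left as exported.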