Migrating CLM Environment From One Jazz Authorization Server To Another

Authors: ShubjitNaik, DineshKumar
Build basis: Jazz Authorization Server and CLM 6.0.6 and Higher

DISCLAIMER: These are advanced scenarios which falls out of scope of Standard application support and it requires prior knowledge of working with WebSphere Liberty command line utilities. These scenarios needs to be first tested on a Non production environment and backups are to be taken before running through the instructions.

Before you begin understanding the different scenarios of Migration that we discuss below, it is important to read and understand distinction between the following :

• Configuring JAS - Configure JAS as the OIDC provider for CLM : Instructions
• Migration to JAS - Migrate a CLM instances authorization from OAuth to OIDC : Instructions
• Migration to Another JAS - This is the target area of this article

Focus of this article is to provide methods to migrate a CLM Environment configured to one JAS to a different JAS. In this article you can find various scenarios in which such a migration is required and for each such scenario, we provide a relevant approach to take.

Following are some of the Scenarios

• Migrate a JAS enabled CLM environment to a centralized JAS setup
• Clone JAS enabled CLM environment from a Production environment to an existing JAS enabled Staging environment
• Create Multiple Clones of a JAS enabled CLM environment and connect to common JAS on Staging

Scenario - Migrate a JAS enabled CLM environment to a centralized JAS setup

In this scenario we consider multi-tenant production servers

• Production A - Consists of a CLM installation Prod_01 connected to a single Jazz Authorization Server ( Prod_01_JAS )
• Production B - Consists of a CLM installation Prod_02 connected to its own JAS ( Prod_02_JAS )
• Both the JAS servers are connected to the corporate LDAP server and the userbase is common

Requirement is to have a single JAS setup for all production CLM servers. This would mean, discard Prod_02_JAS and move Prod_02 authorization to Prod_01_JAS. Following is a graphical representation of the requirement.

Overview of the steps involved

• Export JAS registration from Prod_02_JAS
• Create JAS registration corresponding to the exported data in Prod_01_JAS
• Update the JAS SSO URL and Client Secret in each application teamserver.properties file
• Discard Prod_02_JAS application and database

1. Export JAS registrations from Prod_02_JAS

The first step is to export the JAS registrations data from Prod_02_JAS. Following are instructions

• On the Prod_02_JAS server, switch directory to [JazzAuthServerHome]\cli and run the following commands
  • Linux

     ./lsclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] >& prod02jas.json 

  • Windows

     lsclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] > prod02jas.json 

Here is a sample exported file, we would see one such entry per application.

[ {
  "functional_user_groupIds" : [ "JazzAdmins" ],
  "trusted_uri_prefixes" : [ "https://localhost:9443/jts/", "https://prod02.example.com:9443/jts/", "https://127.0.0.1:9443/jts/" ],
  "post_logout_redirect_uris" : [ "https://127.0.0.1:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService", "https://prod02.example.com:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService", "https://localhost:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService" ],
  "grant_types" : [ "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "subject_type" : "public",
  "application_type" : "web",
  "allow_regexp_redirects" : false,
  "registration_client_uri" : "https://prod02jas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875",
  "redirect_uris" : [ "https://localhost:9443/jts/jsa", "https://localhost:9443/jts/jsa?confirm=true", "https://prod02.example.com:9443/jts/jsa", "https://prod02.example.com:9443/jts/jsa?confirm=true", "https://127.0.0.1:9443/jts/jsa", "https://127.0.0.1:9443/jts/jsa?confirm=true" ],
  "token_endpoint_auth_method" : "client_secret_basic",
  "client_id" : "4ce915c5d6a1467b9fcd397d62c29c6e",
  "introspect_tokens" : true,
  "client_secret_expires_at" : 0,
  "scope" : "openid profile email general",
  "etag" : "ax5TWj+MkZm0Uybao5cBBA==",
  "client_id_issued_at" : 1558514044,
  "client_secret" : "*",
  "resource_ids" : [ ],
  "functional_user_id" : "jts_user",
  "client_name" : "/jts",
  "response_types" : [ "code", "token", "id_token token" ],
  "preauthorized_scope" : "openid profile email general"
} ]

2. Create/Import the JAS registration to Prod_01_JAS

The next step is to create/import the configuration to Prod_01_JAS. Prior to importing the configuration, we need to change the Client secret and the JAS URL value in the exported data.

Following are instructions

• Copy the prod02jas.json file exported in the previous step to Prod_01_JAS server. Example path [JazzAuthServerHome]\cli
• Edit the prod02jas.json file and change the JAS URL listed for the parameter registration_client_uri to the Prod_01_JAS URL (There would be one parameter per application)
  • Example for jts application

     "registration_client_uri" : "https://prod02jas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875" 

  • TO

     "registration_client_uri" : "https://[Prod_01_JAS_URL]:[PORT]/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875" 

• In edit mode, change the Client Secret, there would one such entry per application
  • Edit the following parameter

    "client_secret" : "*"

  • TO

    "client_secret" : "NewClientSecret"

• Import/Create the new configurations to Staging JAS Server
  • On Prod_01_JAS , switch directory to [JazzAuthServerHome]\cli and run the following command
  • Linux

     ./ldclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] -c prod02jas.json 

  • Windows

     ldclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u [UserName]:[Password] -c prod02jas.json 

3. Update the JAS SSO Details on Prod_02 CLM servers

Now that the JAS servers are merged, we have to update the JAS URLs and new Client Secret in the Prod_02 application server teamserver.properties files.

• Edit the teamserver.properties files on Prod_02 application servers. For jts, ccm, qm, rm, dcc and gc applications the file is located at [JAZZ_HOME]\server\conf\[app]\teamserver.properties
• For each file update the Client Secret and JAS URL
• Following is an example for Prod_02 jts application teamserver.properties file
  • Change the values from

    com.ibm.team.repository.servlet.sso_as=https\://prod_02_jas.example.com\:9643/oidc/endpoint/jazzop
    com.ibm.team.repository.servlet.sso_clientSecret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=] 

  • TO

    com.ibm.team.repository.servlet.sso_as=https\://[Prod_01_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
    com.ibm.team.repository.servlet.sso_clientSecret=NewClientSecret 

    
    

• For JRS the application server file is [JAZZ_HOME]\server\conf\rs\app.properties
• Following is an example for Prod_02_JRS app.properties, update the JAS URL and Client Secret
  • From

    jsa.auth.server.url=https\://prod_02_jas.example.com\:9643/oidc/endpoint/jazzop
    jsa.client.secret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=] 

  • TO

    jsa.auth.server.url=https\://[Prod_01_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
    jsa.client.secret=NewClientSecret 

4. Instructions for LQE and LDX

NOTES TO BE ADDED

5. Discard Prod_02_JAS application server and database

Once the JAS servers are merged and the working and testing of Prod_01 and Prod_02 CLM instances are complete, you can discard Prod_02_JAS server.

Scenario - Clone a JAS enabled CLM instance from production to staging

In this scenario we consider multi-tenant production servers

• Production - Consists of 2 CLM instances (Prod_01, Prod_02) connected to a single Jazz Authorization Server (ProdJAS)
• Staging - Consists of a clone one of the production CLM instances ( Prod_01 renamed to Prod_01_Clone ) and connected to its own JAS (StagingJAS)
• Both the JAS servers are connected to the corporate LDAP server and the userbase is common

Requirement is to clone Prod_02 to the existing Staging environment as Prod_02_Clone and connect to StagingJAS for Authorization. Following is a graphical representation of the requirement.

Overview of the steps involved

• Clone the CLM instance Prod_02 to staging and perform a server rename to Prod_02_Clone
• Export JAS registration of Prod_02 (jts,ccm ..) from ProdJAS
• Create JAS registration corresponding to the exported data in StagingJAS (Update ClientSecret, PublicURI references)
• Update the JAS SSO URL and Client Secret in all Prod_02_Clone application teamserver.properties files

1. Clone CLM instance and Server Rename

The first step is to clone the production CLM environment Prod_02 to staging without the JAS data and perform a Server Rename to change Public URI to Prod_02_Clone. The instructions to be followed are listed in the following links, however, follow JAS related steps only to disable it from all applications before the Server Rename. To re-enable JAS on the clone, use the steps in this article to connect to existing JAS StagingJAS.

• Server Rename instructions on Infocenter
• Server Rename Addendum

2. Export JAS registrations from Production

The next step is to export the JAS registrations data for prod4 from ProdJAS. In this scenario we consider the Prod_02 server consists of jts, ccm, dcc and jrs applications. We will export individual application registration data from ProdJAS.

Following are instructions

• Find the ClientID for each application
  • For jts, ccm, qm, rm, dcc and gc applications, look for the clientId value in [JAZZ_HOME]\server\conf\[app]\teamserver.properties
  • For each application find the clientid, following is an example for Prod_02 jts application teamserver.properties file

    com.ibm.team.repository.servlet.sso_clientId=4ce915c5d6a1467b9fcd397d62c29c6e

  • For jrs Access the JAS Registration URL to find the ClientID
  • Access the following URL for the list for registrations

    https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration

  • Search for Prod_02 specific application URLs , example for jrs search for https://prod02.example.com/rs
  • Find the clientid as shown below

    "client_id" : "9b4d6f2d534749fcb11502be2aac86b8"
    client_name   "/jrs"

• Export the data from JAS for each client ID
  • Switch directory to [JazzAuthServerHome]\cli and run the following command
  • Linux

     ./lsclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> >& prod02jts.json 

  • Windows

     lsclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> > prod02jts.json 

  • An example of prod4 jts application

     ./lsclient -a https://prodjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword 4ce915c5d6a1467b9fcd397d62c29c6e >& prod02jts.json 

In this scenario as we considered 4 applications jts, ccm, dcc and jrs we would now have exported 4 files, example prod02jts.json, prod02ccm.json, prod02dcc.json and _prod02jrs.json. Here is a sample exported file.

[ {
  "functional_user_groupIds" : [ "JazzAdmins" ],
  "trusted_uri_prefixes" : [ "https://localhost:9443/jts/", "https://prod02.example.com:9443/jts/", "https://127.0.0.1:9443/jts/" ],
  "post_logout_redirect_uris" : [ "https://127.0.0.1:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService", "https://prod02.example.com:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService", "https://localhost:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService" ],
  "grant_types" : [ "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "subject_type" : "public",
  "application_type" : "web",
  "allow_regexp_redirects" : false,
  "registration_client_uri" : "https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875",
  "redirect_uris" : [ "https://localhost:9443/jts/jsa", "https://localhost:9443/jts/jsa?confirm=true", "https://prod02.example.com:9443/jts/jsa", "https://prod02.example.com:9443/jts/jsa?confirm=true", "https://127.0.0.1:9443/jts/jsa", "https://127.0.0.1:9443/jts/jsa?confirm=true" ],
  "token_endpoint_auth_method" : "client_secret_basic",
  "client_id" : "4ce915c5d6a1467b9fcd397d62c29c6e",
  "introspect_tokens" : true,
  "client_secret_expires_at" : 0,
  "scope" : "openid profile email general",
  "etag" : "ax5TWj+MkZm0Uybao5cBBA==",
  "client_id_issued_at" : 1558514044,
  "client_secret" : "*",
  "resource_ids" : [ ],
  "functional_user_id" : "jts_user",
  "client_name" : "/jts",
  "response_types" : [ "code", "token", "id_token token" ],
  "preauthorized_scope" : "openid profile email general"
} ]

3. Create/Import JAS registration on Staging

The next step is to create/import these configuration to the staging JAS environment StagingJAS. Prior to importing the configuration, we need to change the URLs to match the server rename performed and the Client secret.

Following are instructions

• Copy the .json files exported in the previous step to Staging JAS server ( StagingJAS ), example path [JazzAuthServerHome]\cli
• Change the URLs to match staging servers URLs in each exported .json file
  • Edit each .json file and change the URLs under the parameters trusted_uri_prefixes , post_logout_redirect_uris and redirect_uris
  • Example change URL from https://prod02.example.com to https://prod02clone.example.com
  • Change the JAS URL listed for the parameter registration_client_uri to the Staging JAS URL

     "registration_client_uri" : "https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875" 

  • TO

     "registration_client_uri" : "https://[STAGING_JAS_URL]:[PORT]/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875" 

• Change the Client Secret
  • Edit the following paramter

    "client_secret" : "*"

  • TO

    "client_secret" : "NewClientSecret"

• Import/Create the new configurations to StagingJAS Server
  • Switch directory to [JazzAuthServerHome]\cli and run the following command
  • Linux

     ./ldclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod02jts.json 

  • Windows

     ldclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod02jts.json 

  • An example of prod4 jts .json file imported into stagingjas

     ./ldclient -a https://stagingjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword -c prod02jts.json 

4. Complete Server Rename - JAS

In Step 1 we had performed a Server rename of the cloned Prod_02 CLM instance in staging server to _Prod_02_Clone. We can now complete the Server Rename process with the following steps.

• Enable JAS on each application teamserver.properties and update the JAS URL to StagingJAS URL
• Edit the Client Secret value to the new value updated during Import (A restart would encrypt the value)
• For jts, ccm, qm, rm, dcc and gc applications, you can find the Client Secret in [JAZZ_HOME]\server\conf\[app]\teamserver.properties
  • For each application update the Client Secret, JAS URL and enable JAS SSO, following is an example for _Prod_02_Clone jts application

  • com.ibm.team.repository.servlet.sso_as=https\://pordjas.example.com\:9643/oidc/endpoint/jazzop
    com.ibm.team.repository.servlet.sso_clientSecret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=]  

  • TO

  • com.ibm.team.repository.servlet.sso_as=https\://[STAGING_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
    com.ibm.team.repository.servlet.sso_clientSecret=NewClientSecret 

• For jrs application, the Client Secret and JAS URL can be found in [JAZZ_HOME]\server\conf\rs\app.properties
  • Edit the following parameters

    jsa.auth.server.url=https\://prodjas.example.com\:9643/oidc/endpoint/jazzop
    jsa.client.secret=[qyLk8RKdyNJh0eGxIKjGhbGy8X377VcBQKOGE81CkgKdVX50UT91Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=] 

  • TO

    jsa.auth.server.url=https\://[STAGING_JAS_URL]\:[PORT]/oidc/endpoint/jazzop
    jsa.client.secret=NewClientSecret 

5. Additional Instructions for LQE and LDX

Scenario - Setup Multiple Clones of a JAS enabled CLM environment

In this scenario we consider multi-tenant production servers

• Production - Consists of 2 CLM instances (Prod_01, Prod_02) connected to a single Jazz Authorization Server (ProdJAS)
• Staging - Consists of a clone of the production CLM instances ( Prod_01_Clone and Prod_02_Clone) and connected to its own JAS (StagingJAS)
• Both the JAS servers are connected to the corporate LDAP server and the userbase is common

Requirement is to clone another copy of Prod_01 to the existing Staging environment as Prod_01_Clone02 and connect to StagingJAS for Authorization. Following is a graphical representation of the requirement.

Overview of the steps involved

• Clone the CLM instance Prod_01 to sating and perform a server rename to Prod_01_Clone02 ( Prod_01 instance has already been cloned as Prod_01_Clone )
• Export JAS registration of Prod_01 (jts,ccm ..) from ProdJAS
• Update the ClientID, ClientSecret and PublicURI references in the exported file
• Create JAS registration corresponding to the exported data in StagingJAS
• Update the JAS SSO URL, ClientID and Client Secret in all Prod_01_Clone02 application teamserver.properties files

1. Clone Another Copy of CLM instance and Server Rename

The first step is to clone another copy the production CLM environment Prod_01 to staging without the JAS data and perform a Server Rename to change Public URI to Prod_01_Clone02. The instructions to be followed are listed in the following links, however, follow JAS related steps only to disable it from all applications before the Server Rename. To re-enable JAS on the clone, use the steps in this article to connect to existing JAS StagingJAS.

• Server Rename instructions on Infocenter
• Server Rename Addendum

2. Export JAS registrations from Production

The next step is to export the JAS registrations data for Prod_01 from ProdJAS. In this scenario we consider the Prod_01 server consists of jts, ccm applications. We will export individual application registration data from ProdJAS.

Following are instructions

• Find the Client Id for each application
  • For jts, ccm, look for the clientId value in [JAZZ_HOME]\server\conf\[app]\teamserver.properties
  • For each application find the clientid, following is an example for Prod_01 jts application teamserver.properties file

    com.ibm.team.repository.servlet.sso_clientId=4ce915c5d6a1467b9fcd397d62c29c6e

• Export the data from JAS for each client ID
  • Switch directory to [JazzAuthServerHome]\cli and run the following command
  • Linux

     ./lsclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> >& prod01jts.json 

  • Windows

     lsclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> <ClientID> > prod01jts.json 

  • An example of prod4 jts application

     ./lsclient -a https://prodjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword 4ce915c5d6a1467b9fcd397d62c29c6e >& prod01jts.json 

In this scenario as we considered 2 applications jts, ccm we would now have exported 2 files, example prod01jts.json, prod01ccm.json. Here is a sample exported file.

[ {
  "functional_user_groupIds" : [ "JazzAdmins" ],
  "trusted_uri_prefixes" : [ "https://localhost:9443/jts/", "https://prod02.example.com:9443/jts/", "https://127.0.0.1:9443/jts/" ],
  "post_logout_redirect_uris" : [ "https://127.0.0.1:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService", "https://prod02.example.com:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService", "https://localhost:9443/jts/service/com.ibm.team.repository.service.internal.ILogoutRestService" ],
  "grant_types" : [ "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "subject_type" : "public",
  "application_type" : "web",
  "allow_regexp_redirects" : false,
  "registration_client_uri" : "https://prod02jas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875",
  "redirect_uris" : [ "https://localhost:9443/jts/jsa", "https://localhost:9443/jts/jsa?confirm=true", "https://prod02.example.com:9443/jts/jsa", "https://prod02.example.com:9443/jts/jsa?confirm=true", "https://127.0.0.1:9443/jts/jsa", "https://127.0.0.1:9443/jts/jsa?confirm=true" ],
  "token_endpoint_auth_method" : "client_secret_basic",
  "client_id" : "4ce915c5d6a1467b9fcd397d62c29c6e",
  "introspect_tokens" : true,
  "client_secret_expires_at" : 0,
  "scope" : "openid profile email general",
  "etag" : "ax5TWj+MkZm0Uybao5cBBA==",
  "client_id_issued_at" : 1558514044,
  "client_secret" : "*",
  "resource_ids" : [ ],
  "functional_user_id" : "jts_user",
  "client_name" : "/jts",
  "response_types" : [ "code", "token", "id_token token" ],
  "preauthorized_scope" : "openid profile email general"
} ]

3. Create/Import JAS registration on Staging

The next step is to create/import these configuration to the staging JAS environment StagingJAS. Prior to importing the configuration, we need to change the URLs to match the server rename performed and the Client ID and Secret needs to be changed as well to make the new configuration unique as the CLient ID exists from the previous import for Prod_01_Clone .

Following are instructions

• Copy the .json files exported in the previous step to Staging JAS server ( StagingJAS ), example path [JazzAuthServerHome]\cli
• Change the URLs to match staging servers URLs in each exported .json file
  • Edit each .json file and change the URLs under the parameters trusted_uri_prefixes , post_logout_redirect_uris and redirect_uris
  • Example change URL from https://prod01.example.com to https://prod01clone02.example.com
  • Change the JAS URL listed for the parameter registration_client_uri to the Staging JAS URL

     "registration_client_uri" : "https://prodjas.example.com:9643/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875" 

  • TO

     "registration_client_uri" : "https://[STAGING_JAS_URL]:[PORT]/oidc/endpoint/jazzop/registration/5ba62ee8a310409485e3a60988815875" 

• Change the Client Id to make it unique to the second clone
  • Edit the following parameter

    "client_id" : "4ce915c5d6a1467b9fcd397d62c29c6e"

  • TO

    "client_id" : "prod_01_clone02"

• Change the Client Secret
  • Edit the following parameter

    "client_secret" : "*"

  • TO

    "client_secret" : "NewClientSecret"

• Import/Create the new configurations to StagingJAS Server
  • Switch directory to [JazzAuthServerHome]\cli and run the following command
  • Linux

     ./ldclient -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod01jts.json 

  • Windows

     ldclient.bat -a https://<JazzAuthServerURL>:9643/oidc/endpoint/jazzop -u <UserName>:<Password> -c prod01jts.json 

  • An example of prod01jts.json file imported into stagingjas

     ./ldclient -a https://stagingjas.example.com:9643/oidc/endpoint/jazzop -u clmadmin:mypassword -c prod01jts.json 

4. Complete Server Rename - JAS

In Step1 we had performed a Server rename of another clone Prod_01 CLM instance in staging server to _Prod_01_Clone02. We can now complete the Server Rename process with the following steps.

• Enable JAS on each application teamserver.properties and update the JAS URL to StagingJAS URL
• Edit the Client ID and Client Secret value to the new value updated during Import (A restart would encrypt the value)
• For jts, ccm, qm, rm, dcc and gc applications, you can find the Client Secret in [JAZZ_HOME]\server\conf\[app]\teamserver.properties
  • For each application update the Client ID, Client Secret, JAS URL and enable JAS SSO, following is an example for _Prod_01_Clone02 jts application

    com.ibm.team.repository.servlet.sso_as=https\://prodjas.example.com\:9643/oidc/endpoint/jazzop
    com.ibm.team.repository.servlet.sso_clientId=4ce915c5d6a1467b9fcd397d62c29c6e
    com.ibm.team.repository.servlet.sso_clientSecret=[qyLk8RKdyNJh0eGxIKjX377VcBQK81CkgKdVX1Xb/rh0uA77d467nb1tDNqctXJ9ppZVzPQw\=\=]  

  • TO

    com.ibm.team.repository.servlet.sso_as=https\://stagingjas.example.com\:9643/oidc/endpoint/jazzop
    com.ibm.team.repository.servlet.sso_clientId=Prod_01_Clone02
    com.ibm.team.repository.servlet.sso_clientSecret=NewClientSecret 

5. Instructions for LQE and LDX

Related topics: Jazz Authorization Server Landing Page, Deployment web home

External links:

• IBM