If you used the Jazz™ Team
Server setup wizard to create the Tomcat configuration files, this
procedure was automatically completed, and you do not need to configure
the web container.
About this task
If you prefer to manually configure the web container for
LDAP in Apache Tomcat, follow these steps:
Procedure
- Open the JazzInstallDir/server/tomcat/conf/server.xml file
for editing and comment out the following tag so that Tomcat no longer authenticates against its local user database:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="SHA-1"
digestEncoding="UTF-8"/>
- Depending on which directory you use, add one of the following
tags. The examples use unencrypted ldap:// URLs and, for Active Directory, a bind password stored in clear text in server.xml; in production use an ldaps:// URL, a read-only service account for the bind, and restrict read access to server.xml:
Add the following tag for Oracle Internet Directory
(OID) and change the information to match your configuration:
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://ldap.company.com:389"
roleBase="cn=Groups,dc=company,dc=com"
roleSearch="(uniquemember={0})"
roleName="cn"
userBase="cn=Users,dc=company,dc=com"
userSearch="(uid={0})"/>
Add the following tag
for Microsoft Active Directory
and change the information to match your configuration:
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://ldap.company.com:3268"
authentication="simple"
referrals="follow"
connectionName="cn=LDAPUser,ou=Service Accounts,dc=company,dc=com"
connectionPassword="VerySecretPassword"
userSearch="(sAMAccountName={0})"
userBase="dc=company,dc=com"
userSubtree="true"
roleSearch="(member={0})"
roleName="cn"
roleSubtree="true"
roleBase="dc=company,dc=com"/>
Add the following
tag for Tivoli® Directory
Server and change the information to match your configuration:
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="9"
connectionURL="ldap://<Machine where TDS is installed>:389"
userBase="o=company.com"
userSearch="(mail={0})"
userSubtree="true"
roleBase="o=company.com"
roleSubtree="true"
roleSearch="(member={0})"
roleName="cn"/>
- Open JazzInstallDir/server/tomcat/webapps/app name/WEB-INF/web.xml for editing, where app name is the installed application, such as jts, ccm, qm, or rm.
- In the file that you opened, link and map the security
role references to the security roles:
<web-app id="WebApp">
<servlet id="bridge">
<servlet-name>equinoxbridgeservlet</servlet-name>
<display-name>Equinox Bridge Servlet</display-name>
<description>Equinox Bridge Servlet</description>
<servlet-class>org.eclipse.equinox.servletbridge.BridgeServlet</servlet-class>
<init-param><!-- ... --></init-param>
<!-- ... -->
<load-on-startup>1</load-on-startup>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<security-role-ref>
<role-name>JazzAdmins</role-name>
<role-link>[LDAP Group for Jazz admins]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzDWAdmins</role-name>
<role-link>[LDAP Group for Jazz data warehouse admins]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzGuests</role-name>
<role-link>[LDAP Group for Jazz guests]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzUsers</role-name>
<role-link>[LDAP Group for Jazz users]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzProjectAdmins</role-name>
<role-link>[LDAP Group for Jazz project admins]</role-link>
</security-role-ref>
</servlet>
<!-- ... -->
</web-app>
Use the following tags to declare the LDAP
groups as security roles. Each security-role element is a direct child of web-app and declares exactly one role-name:
<web-app id="WebApp">
<!-- ... -->
<security-role>
<role-name>JazzAdmins</role-name>
</security-role>
<security-role>
<role-name>JazzDWAdmins</role-name>
</security-role>
<security-role>
<role-name>JazzGuests</role-name>
</security-role>
<security-role>
<role-name>JazzUsers</role-name>
</security-role>
<security-role>
<role-name>JazzProjectAdmins</role-name>
</security-role>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<security-role>
<role-name>[LDAP Group for Jazz Admins]</role-name>
</security-role>
<security-role>
<role-name>[LDAP Group for Jazz Data Warehouse Admins]</role-name>
</security-role>
<security-role>
<role-name>[LDAP Group for Jazz Guests]</role-name>
</security-role>
<security-role>
<role-name>[LDAP Group for Jazz Users]</role-name>
</security-role>
<security-role>
<role-name>[LDAP Group for Jazz Project Admins]</role-name>
</security-role>
<!-- End Addendum -->
<!-- ... -->
</web-app>
Use the following tags to update the security-constraint
section:
<web-app id="WebApp">
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JazzUsers</role-name>
<role-name>JazzAdmins</role-name>
<role-name>JazzGuests</role-name>
<role-name>JazzDWAdmins</role-name>
<role-name>JazzProjectAdmins</role-name>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<role-name>[LDAP Group for Jazz Admins]</role-name>
<role-name>[LDAP Group for Jazz Data Warehouse Admins]</role-name>
<role-name>[LDAP Group for Jazz Guests]</role-name>
<role-name>[LDAP Group for Jazz Users]</role-name>
<role-name>[LDAP Group for Jazz Project Admins]</role-name>
<!-- End Addendum -->
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- ... -->
</web-app>
Repeat the same addendum in every security-constraint whose
auth-constraint references a Jazz role:
<web-app id="WebApp">
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>adminsecure</web-resource-name>
<url-pattern>/admin/cmd/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JazzAdmins</role-name>
<!-- Addendum -->
<role-name>[LDAP Group for Jazz Admins]</role-name>
<!-- End addendum -->
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- ... -->
</web-app>
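Before restarting Tomcat it is worth checking the two edited files for the mistakes this procedure invites: the UserDatabaseRealm left active beside the JNDIRealm, a cleartext ldap:// URL, a bind password sitting in server.xml, a role-link or auth-constraint role that was never declared as a security-role, and a security-constraint without a CONFIDENTIAL transport guarantee. The following script is an added example and is not IBM or Apache Tomcat code; the server.xml and web.xml fragments it parses are constructed samples, and the LDAP group names CN-Jazz-Admins and CN-Jazz-Users are hypothetical placeholders for your own groups.

```python
"""Offline checks for the Tomcat LDAP configuration described in this task.

Added example, not IBM or Tomcat code. It reads server.xml and web.xml text
(constructed samples below, not real deployment files) and reports what a
reviewer looks for: the local UserDatabaseRealm left active beside the
JNDIRealm, cleartext ldap:// URLs, bind credentials in server.xml, role
names used in security-role-ref or auth-constraint that were never declared
as a security-role, and constraints without a CONFIDENTIAL transport guarantee.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment with the mistakes the checker should flag.
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://ldap.company.com:3268" authentication="simple"
         connectionName="cn=LDAPUser,ou=Service Accounts,dc=company,dc=com"
         connectionPassword="VerySecretPassword"
         userBase="dc=company,dc=com" userSearch="(sAMAccountName={0})" userSubtree="true"
         roleBase="dc=company,dc=com" roleSearch="(member={0})" roleName="cn" roleSubtree="true"/>
</Engine></Service></Server>"""

# Constructed web.xml: hypothetical LDAP group names; CN-Jazz-Users is never declared
# as a security-role and the admin constraint has no transport guarantee.
WEB_XML = """<web-app id="WebApp">
  <servlet id="bridge">
    <servlet-name>equinoxbridgeservlet</servlet-name>
    <servlet-class>org.eclipse.equinox.servletbridge.BridgeServlet</servlet-class>
    <security-role-ref><role-name>JazzAdmins</role-name><role-link>CN-Jazz-Admins</role-link></security-role-ref>
    <security-role-ref><role-name>JazzUsers</role-name><role-link>CN-Jazz-Users</role-link></security-role-ref>
  </servlet>
  <security-role><role-name>JazzAdmins</role-name></security-role>
  <security-role><role-name>JazzUsers</role-name></security-role>
  <security-role><role-name>CN-Jazz-Admins</role-name></security-role>
  <security-constraint>
    <web-resource-collection><web-resource-name>secure</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JazzUsers</role-name><role-name>CN-Jazz-Users</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>adminsecure</web-resource-name><url-pattern>/admin/cmd/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JazzAdmins</role-name><role-name>CN-Jazz-Admins</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _find(node, name):
    """All descendants of node whose local tag name matches (ignores XML namespaces)."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _text(elem):
    return (elem.text or "").strip()


def check_server_xml(text):
    """Return a list of findings for the Realm elements in a server.xml document."""
    findings = []
    realms = _find(ET.fromstring(text), "Realm")
    classes = [r.get("className", "") for r in realms]
    if any(c.endswith("UserDatabaseRealm") for c in classes) and any(c.endswith("JNDIRealm") for c in classes):
        findings.append("UserDatabaseRealm is still active beside JNDIRealm; comment it out")
    for realm in realms:
        if not realm.get("className", "").endswith("JNDIRealm"):
            continue
        url = realm.get("connectionURL", "")
        if url.startswith("ldap://"):
            findings.append(f"connectionURL {url} is cleartext LDAP; prefer ldaps://")
        if realm.get("debug") is not None:
            findings.append("debug attribute is a Tomcat 4/5.0 leftover with no effect on later versions; remove it")
        if realm.get("connectionName") and realm.get("connectionPassword"):
            findings.append("bind password is stored in server.xml; use a read-only account and restrict file permissions")
    return findings


def check_web_xml(text):
    """Return a list of findings for role declarations and constraints in a web.xml document."""
    findings = []
    root = ET.fromstring(text)
    declared = {_text(rn) for sr in _find(root, "security-role") for rn in _find(sr, "role-name")}
    for ref in _find(root, "security-role-ref"):
        name = _text(_find(ref, "role-name")[0])
        links = _find(ref, "role-link")
        target = _text(links[0]) if links else name  # without role-link the ref name is used directly
        if target not in declared:
            findings.append(f"security-role-ref {name} links to undeclared role {target}")
    for sc in _find(root, "security-constraint"):
        names = _find(sc, "web-resource-name")
        label = _text(names[0]) if names else "?"
        for rn in (r for ac in _find(sc, "auth-constraint") for r in _find(ac, "role-name")):
            if _text(rn) not in declared and _text(rn) != "*":
                findings.append(f"security-constraint {label}: auth-constraint role {_text(rn)} is not declared")
        guarantee = _find(sc, "transport-guarantee")
        if not guarantee or _text(guarantee[0]) != "CONFIDENTIAL":
            findings.append(f"security-constraint {label}: transport-guarantee is not CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    for finding in check_server_xml(SERVER_XML) + check_web_xml(WEB_XML):
        print("-", finding)
```

To run it against a real deployment, replace the two embedded strings with the contents of server.xml and each application's WEB-INF/web.xml. An undeclared role-link or auth-constraint role does not cause a startup error in Tomcat; it silently denies access (or, for a missing role-link, maps to a role nobody holds), which is why the role-name cross-check is the most useful part of the script.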