migration toolkit for applications 8.1

Installing the migration toolkit for applications

Installing the migration toolkit for applications user interface and command-line interface

Red Hat Customer Content Services

Abstract

By using the migration toolkit for applications (MTA), you can accelerate large-scale application modernization efforts across hybrid cloud environments on Red Hat OpenShift. For example, you can inventory, assess, analyze, and manage applications for faster migration to OpenShift through the user interface at both the portfolio and application levels.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Chapter 1. Introduction to the migration toolkit for applications

The migration toolkit for applications (MTA) is a set of tools that you can use to accelerate large-scale application modernization efforts across hybrid cloud environments on Red Hat OpenShift. MTA looks for common resources and problematic spots when migrating applications. It gives a high-level view of the technologies used by the application. MTA also generates a detailed report that evaluates a migration or modernization path. By using this report, you can estimate the effort needed for large-scale projects and reduce the workload involved in the process.

By using MTA, you can perform the following tasks:

  • Use the MTA extensive default questionnaire to assess your applications, or create your own custom questionnaire to estimate the difficulty, time, and other resources needed to prepare an application for containerization. You can use the results of an assessment to determine applications suitable for containerization.
  • Analyze applications by applying sets of rules to each application. You can use these rules to determine which specific lines of the application you must modify before modernizing the application.
  • Examine application artifacts, including project source directories and application archives, and produce an HTML report that highlights areas that require changes.

1.1. MTA features

The migration toolkit for applications (MTA) includes many features that simplify upgrades with multiple migration paths.

MTA brings the following benefits for application analysis and assessment:

  • Application inventory and assessment modules to help organizations assess applications' suitability for deployment in containers, including flagging potential risks for migration strategies.
  • Integration with source code and binary repositories to automate the applications' retrieval for analysis, along with proxy integration, including HTTP and HTTPS proxy configuration managed in the user interface.
  • Improved analysis capabilities with different analysis modes, including source and dependency modes. These modes parse repositories to gather dependencies and add these dependencies to the scope of the analysis. You can also use a simplified user experience to configure the analysis scope, including open source libraries.
  • Enhanced role-based access control (RBAC) powered by Red Hat build of Keycloak to define the following personas:

    • Administrator
    • Architect
    • Migrator

    These personas have different permissions to suit the needs of each user, including credentials management for multiple credential types.

  • Administration perspective for administrators to manage tool-wide configuration.
  • Support for Red Hat OpenShift on AWS (ROSA)
  • Support for Azure Red Hat OpenShift (ARO)
  • Support for analyzing applications written in different languages

Additional resources

1.2. MTA rules

The migration toolkit for applications (MTA) contains rule-based migration tools called analyzers. You can use analyzers to examine the technologies, architectures, and application user interfaces (APIs) of the applications you want to move.

MTA analyzer rules use the following rule pattern:

when(condition)
 message(message)
 tag(tags)

You can use the MTA rules internally to perform the following tasks:

  • Extract files from archives
  • Decompile files
  • Scan and classify file types
  • Analyze XML and other file content
  • Analyze the application code
  • Build the reports

MTA builds a data model based on the rule execution results and stores component data and relationships in a graph database. This database can then be queried and updated as needed by the migration rules and for reporting purposes.

Note

You can create your own custom analyzer rules. You can use custom rules to identify the use of custom libraries or other components that the provided standard migration rules might not cover.

1.3. MTA tools

The migration toolkit for applications (MTA) tools help in the different stages of your migration and modernization efforts.

You can use the following MTA tools for assessing and analyzing your applications:

  • User interface (UI)

    By using the user interface for the migration toolkit for applications, you can perform the following tasks:

    • Assess the risks involved in containerizing an application for hybrid cloud environments on Red Hat OpenShift.
    • Analyze the changes that you might need to apply to the code of an application to containerize this application.
  • Command-line interface (CLI)

    The CLI is a command-line tool in the migration toolkit for applications that you can use to assess migration and modernization efforts for applications. It provides reports that highlight the analysis without using the other tools. The CLI includes a wide array of customization options. By using the CLI, you can tune MTA analysis options or integrate with external automation tools.

  • Migration toolkit for applications (MTA) (MTA) Operator

    By using the MTA Operator, you can install the user interface on OpenShift Container Platform.

  • IDE add-ons

    You can migrate and modernize applications by using the migration toolkit for applications add-ons for the following applications:

    • Visual Studio Code
    • IntelliJ IDEA

    You can use these add-ons to perform the following tasks:

    • Analyze your projects by using customizable sets of rules
    • Mark issues in the source code
    • Fix the issues by using the provided guidance
    • Use the automatic code replacement, if possible

Chapter 2. Supported migration toolkit for applications migration paths

You can use the migration toolkit for applications (MTA) to assess your applications' suitability for the migration to multiple target platforms. Review the supported migration paths to verify that your planned migration uses a valid combination of source and target technologies. Adhering to these paths helps ensure that MTA can successfully analyze and migrate your applications.

Table 2.1. Supported Java migration paths

Source platform ⇒Migration to JBoss EAP 7 & 8OpenShift (cloud readiness)OpenJDK 11, 17, and 21Jakarta EE 9Camel 3 & 4Spring Boot in Red Hat RuntimesQuarkusOpen Liberty

Oracle WebLogic Server

-

-

-

-

-

IBM WebSphere Application Server

-

-

-

-

JBoss EAP 4

[a]

-

-

-

-

-

JBoss EAP 5

-

-

-

-

-

JBoss EAP 6

-

-

-

-

-

JBoss EAP 7

-

-

-

-

Thorntail

[b]

-

-

-

-

-

-

-

Oracle JDK

-

-

-

-

-

-

Camel 2

-

-

-

-

-

Spring Boot

-

-

-

Any Java application

-

-

-

-

-

-

Any Java EE application

-

-

-

-

-

-

-

[a] Although MTA does not currently provide rules for this migration path, Red Hat Consulting can assist with migration from any source platform to JBoss EAP 7.
[b] Requires JBoss EAP expansion pack 2 (JBoss EAP XP 2).

..NET migration paths

Source platform ⇒OpenShift (cloud readiness)Migration to .NET 8.0

.NET Framework 4.5+ (Windows only)

Important

Analyzing applications written in the .NET language is Developer Preview software only. Developer Preview software is not supported by Red Hat in any way and is not functionally complete or production-ready. Do not use Developer Preview software for production or business-critical workloads. Developer Preview software provides early access to upcoming product software in advance of its possible inclusion in a Red Hat product offering. Customers can use this software to test functionality and provide feedback during the development process. This software might not have any documentation, is subject to change or removal at any time, and has received limited testing. Red Hat might provide ways to submit feedback on Developer Preview software without an associated SLA.

For more information about the support scope of Red Hat Developer Preview software, see Developer Preview Support Scope.

Chapter 3. Installing the migration toolkit for applications user interface

By using the migration toolkit for applications (MTA) user interface (UI), you can assess the risks involved in containerizing an application for hybrid cloud environments on Red Hat OpenShift. You can also analyze the changes that you must apply to the application’s code to containerize the application. You can install the migration toolkit for applications UI on all Red Hat OpenShift cloud services and Red Hat OpenShift self-managed editions.

To create MTA instances, you must install the MTA Operator first. The MTA Operator is a structural layer that manages resources deployed on Red Hat OpenShift, such as database, front end, and back end, to automatically create an MTA instance.

3.1. Persistent volume requirements

To successfully deploy the migration toolkit for applications (MTA) Operator, you must create a persistent volume (PV) used by different MTA components.

The MTA Operator requires two ReadWriteOnce (RWO) PVs. If the rwx_supported configuration option is set to true, the MTA Operator needs two additional ReadWriteMany (RWX) PVs used by Maven and the hub file storage.

Table 3.1. Required persistent volumes

NameDefault sizeAccess modeDescription

hub database

10Gi

RWO

Hub database

hub bucket

100Gi

RWX

Hub file storage required if the rwx_supported configuration option is set to true.

keycloak postgresql

1Gi

RWO

Keycloak backend database

cache

100Gi

RWX

Maven m2 cache required if the rwx_supported configuration option is set to true.

kai-db

5Gi

RWO

Red Hat Developer Lightspeed for MTA database required to run an AI-assisted code resolution.

3.2. Installing the MTA Operator

To create the migration toolkit for applications (MTA) instances, you must install the MTA Operator first.

The MTA Operator is a structural layer that manages resources deployed on Red Hat OpenShift, such as the database, front end, and back end, to automatically create an MTA instance.

Prerequisites

  • Your environment has 4 vCPUs, 8 GB RAM, and 40 GB persistent storage.
  • Your environment uses Red Hat OpenShift (cloud service or self-hosted), version 4.21–4.22.
  • You created two RWO persistent volumes (PVs) used by different components.
  • You logged in as a user with cluster-admin permissions.

Procedure

  1. In the Red Hat OpenShift web console, click Operators.
  2. Click OperatorHub.
  3. Type MTA in the Filter by keyword field to search for the MTA Operator.
  4. Click Migration toolkit for applications (MTA) Operator.
  5. Click Install.
  6. On the Install Operator page, click Install.
  7. Optional: Review and edit the custom resource (CR) settings.

    A window for creating CR settings opens automatically after the installation of the MTA Operator is complete. The default settings are acceptable. However, make sure to check the system requirements for storage, memory, and cores.

    Alternatively, to work directly with the YAML file, click the YAML view and review the CR settings listed in the spec section of the YAML file.

    The spec section of the YAML file can have the following configuration:

    kind: Tackle
    apiVersion: tackle.konveyor.io/v1alpha1
    metadata:
      name: mta
      namespace: openshift-mta
    spec:
      hub_bucket_volume_size: "2.5Gi"
      maven_data_volume_size: "2.5Gi"
      rwx_supported: "false"
  8. Verify that the MTA pods are running:

    1. In the Administration view, click Workloads.
    2. Click Pods.

Verification

  • Verify that you can see the MTA Operator in the openshift-mta project with the status of Succeeded by clicking Operators and then Installed Operators.

3.3. Creating an MTA instance

You can use the migration toolkit for applications (MTA) user interface (UI) to get insights about the application adoption process at both the portfolio and application levels. You can use the MTA UI to inventory, assess, analyze, and manage applications for faster migration to Red Hat OpenShift.

To use the MTA UI for assessing and analyzing your applications, you must create a MTA instance first.

Prerequisites

  • You installed the MTA Operator on your system. For more information, see Installing the MTA Operator.
  • Your environment has 4 vCPUs, 8 GB RAM, and 40 GB persistent storage.
  • Your environment uses Red Hat OpenShift (cloud service or self-hosted), version 4.21–4.22.
  • You logged in as a user with cluster-admin permissions.

Procedure

  1. Click MTA Operator.
  2. Under Provided APIs, search for Tackle.
  3. Click Create Instance.
  4. Access the user interface from your browser by using the route provided by the mta-ui application within Red Hat OpenShift.
  5. Log in to the user interface instance by using the default credentials:

    • Username: admin
    • Password: Passw0rd!
  6. When prompted, create a new password.

Additional resources

3.4. Custom resource settings

When installing the migration toolkit for applications (MTA) Operator, you might need to create custom resource (CR) settings. The default settings are acceptable. However, make sure to check the system requirements for storage, memory, and cores.

The following are the most commonly used CR settings that you can find in the spec section of the YAML file.

Table 3.2. Common custom resource settings

CR nameDefault sizeDescription

cache_data_volume_size

100 GB

A size requested for the cache volume. This CR is ignored when the rwx_supported option is set to false.

cache_storage_class

Default storage class

A storage class used for the cache volume. This CR is ignored when the rwx_supported option is set to false.

feature_auth_required

True

A flag that indicates whether keycloak authorization is required. When set to false, the flag mounts to “noauth“, which means only a single user can use the web console. The single user is the default admin user.

feature_isolate_namespace

True

A flag that indicates whether namespace isolation by using network policies is enabled.

hub_database_volume_size

10 GB

A size requested for the Hub database volume.

hub_bucket_volume_size

100 GB

A size requested for the Hub bucket volume.

hub_bucket_storage_class

Default storage class

A storage class used for the bucket volume.

pathfinder_database_data_volume_size

1 GB

A size requested for the Pathfinder database volume.

rwx_supported

True

A flag that indicates whether the cluster storage supports RWX mode.

rwo_storage_class

NA

A storage class requested for the Tackle RWO volumes.

rhsso_external_access

False

A flag that indicates whether a dedicated route is created to access the MTA managed RHSSO instance.

analyzer_container_limits_cpu

1

A maximum number of CPUs the pod is allowed to use.

analyzer_container_limits_memory

4 GB

Maximum amount of memory the pod is allowed to use. You can increase this limit if the pod displays OOMKilled errors.

analyzer_container_requests_cpu

1

A minimum number of CPUs the pod needs to run.

analyzer_container_requests_memory

4 GB

Minimum amount of memory the pod needs to run.

Additional resources

Chapter 4. Installing the migration toolkit for applications command-line interface

You can use the migration toolkit for applications (MTA) command-line interface (CLI) to assess and prioritize migration and modernization efforts for applications. You can use different command options to adapt the CLI behavior to your needs. You can tune the MTA analysis options or integrate with external automation tools.

You can install the MTA command-line interface (CLI) on Linux, Windows, or macOS operating systems. You can also install the CLI for use with Docker on Windows. Note, however, that this is a Developer Preview feature only.

4.1. Installing the CLI by using a .zip file

You can use the migration toolkit for applications (MTA) command-line interface (CLI) to assess and analyze your applications to prepare these applications for the migration.

You can install the MTA CLI by using the downloadable .zip file available on the official MTA download page.

Prerequisites

  • You logged in to registry.redhat.io.

    Note

    This prerequisite is not applicable for the containerless mode.

  • You installed Java Development Kit (JDK) version 17 or later.
  • You set the JAVA_HOME environment variable.
  • You installed Maven version 3.9.9 or later and added the Maven binary to the $PATH variable.

Procedure

  1. Navigate to the MTA download page and download one of the following operating system-specific CLI files or the src file:

    • mta-8.1.2-cli-linux-amd64.zip
    • mta-8.1.2-cli-linux-arm64.zip
    • mta-8.1.2-cli-darwin-amd64.zip
    • mta-8.1.2-cli-darwin-arm64.zip
    • mta-8.1.2-cli-windows-amd64.zip
    • mta-8.1.2-cli-windows-arm64.zip
    • mta-8.1.2-cli-src.zip
  2. Extract the .zip file to the .kantra directory inside your $HOME directory. The .zip file extracts the mta-cli binary, along with other required directories and files.
  3. Move the mta-cli binary to your $PATH variable.

    Note

    You can place the mta-cli binary in any folder that is included in the $PATH variable. You can also add a folder that contains mta-cli to $PATH. This way, you do not need to specify a full path when using the CLI.

4.2. Installing the CLI on a disconnected environment

In certain cases, you might want to install the migration toolkit for applications (MTA) command-line interface (CLI) when an internet connection is not available.

When your system is in a disconnected environment, you can install the MTA (CLI) by performing the following actions:

  1. Download the required images by using an external computer.
  2. Copy the downloaded images to the system you want to install the MTA CLI on.
Important

The following procedure applies only to container mode.

Note

The analysis output in the disconnected environment results in fewer incidents because a dependency analysis does not run accurately without access to Maven.

Prerequisites

  • You downloaded the required MTA CLI binary from the migration toolkit for applications Red Hat Developer page.
  • You installed the Podman tool on your system.
  • For the analysis of Java applications, you enabled container runtime usage by setting the --run-local flag to false:

    --run-local=false

    The analysis of non-Java applications runs in container mode by default.

Procedure

  1. On a connected device, perform the following steps:

    1. Authenticate to registry.redhat.io:

      $ podman login registry.redhat.io
    2. Run the mta-cli binary file:

      $ mta-cli analyze
      Important

      The binary file pulls only the required provider images. For example, if you run a command that requires Java images, the command will not pull .NET images.

    3. Display the image list:

      $ podman images
      REPOSITORY                                                        TAG         IMAGE ID      CREATED       SIZE
      registry.redhat.io/mta/mta-generic-external-provider-rhel9        7.3.1       8b8d7fa14570  13 days ago   692 MB
      registry.redhat.io/mta/mta-cli-rhel9                              7.3.1       45422a12d936  13 days ago   1.6 GB
      registry.redhat.io/mta/mta-java-external-provider-rhel9           7.3.1       4d6d0912a38b  13 days ago   715 MB
      registry.redhat.io/mta/mta-dotnet-external-provider-rhel9         7.3.1       66ec9fc51408  13 days ago   1.27 GB
    4. Save the images:

      $ podman save <image_ID> -o <image_name>.image
    5. Copy the images onto a USB drive or directly to the file system of the disconnected device.
  2. On the disconnected device, enter:

    $ podman load --input <image_name>.image

4.3. Installing the CLI for use with Docker on Windows

To migrate applications built with .NET framework version 4.5 or later, on Microsoft Windows to cross-platform .NET 8.0, you must install the migration toolkit for applications (MTA) command-line interface (CLI) for use with Docker on Windows.

To install the MTA CLI for use with Docker on Windows, you must configure Docker to use Windows containers first.

Prerequisites

  • You have a host with 64-bit Windows 11, version 21H2 or later.
  • You downloaded the Docker Desktop for Windows installation program.

Procedure

  1. Open a PowerShell with Administrator privileges.
  2. Ensure Hyper-V is installed and enabled:

    PS C:\Users\<user_name>> Enable-WindowsOptionalFeature -Online ` -FeatureName Microsoft-Hyper-V-All
    PS C:\Users\<user_name>> Enable-WindowsOptionalFeature -Online ` -FeatureName Containers
    Note

    You might need to reboot Windows for the change to take effect.

  3. Install Docker Desktop on Windows.

    1. Run the installation program by double-clicking the Docker_Desktop_Installer.exe file.

      By default, Docker Desktop is installed to the C:\Program Files\Docker\Docker path.

    2. Ensure that Docker runs Windows containers as the backend instead of Linux containers:

      1. In the Windows task bar, right-click the Docker icon.
      2. Click Switch to Windows containers.
  4. In PowerShell, create a folder for MTA:

    PS C:\Users\<user_name>> mkdir C:\Users\<user_name>\MTA
  5. Extract the mta-8.1.2-cli-windows.zip file to the MTA folder:

    PS C:\Users\<user_name>> cd C:\Users\<user_name>\Downloads
    PS C:\Users\<user_name>> Expand-Archive ` -Path "{ProductShortNameLower}-{ProductVersion}-cli-windows.zip" ` -DestinationPath "C:\Users\<user_name>\MTA"
  6. Ensure that Docker is running Windows containers and that the OS/Arch is set to windows/amd64:

    PS C:\Users\<user_name>> docker version
    Client:
     Version:           27.0.3
     API version:       1.46
     Go version:        go1.21.11
     Git commit:        7d4bcd8
     Built:             Sat Jun 29 00:03:32 2024
     OS/Arch:           windows/amd64
     Context:           desktop-windows
    Server: Docker Desktop 4.32.0 (157355)
     Engine:
      Version:          27.0.3
      API version:      1.46 (minimum version 1.24)
      Go version:       go1.21.11
      Git commit:       662f78c
      Built:            Sat Jun 29 00:02:13 2024
      OS/Arch:          windows/amd64
      Experimental:     false
  7. Set the CONTAINER_TOOL environment variable to use Docker:

    PS C:\Users\<user_name>> $env:CONTAINER_TOOL="C:\Windows\system32\docker.exe"
  8. Set the DOTNET_PROVIDER_IMG environment variable to use the upstream dotnet-external-provider:

    PS C:\Users\<user_name>> $env:DOTNET_PROVIDER_IMG="quay.io/konveyor/dotnet-external-provider:v0.5.0"
  9. Set the RUNNER_IMG environment variable to use the upstream image:

    PS C:\Users\<user_name>> $env:RUNNER_IMG="quay.io/konveyor/kantra:v0.5.0"

Additional resources

Chapter 5. Authentication and Authorization

To authenticate users in the migration toolkit for applications (MTA) 8.2.0 installations, you can use the Hub OpenID Connect (OIDC) provider. When upgrading to MTA 8.2.0, you can use the Hub OIDC to reduce infrastructure management or integrate MTA with any OIDC provider.

5.1. Why use the Hub OIDC

The migration toolkit for applications (MTA) Hub implements an OpenID Connect (OIDC) standards-compliant provider that offers local user authentication and federation to other providers.

The MTA Hub OIDC provider offers the following advantages:

  • Provides you with an option to remove Keycloak dependency to configure users, roles, and permissions. To use Keycloak, you must provision and manage more infrastructure resources.
  • Simplifies role-based access control (RBAC) deployment by allowing you to manage users, default and custom roles, and permissions in the MTA application.
  • Provides you with an option to integrate Lightweight Directory Access Protocol (LDAP) or federate to another Identity Provider (IdP).
  • Provides a permanent list of immutable permissions that map to specific API resources and operations. This ensures authorization works consistently across deployments and simplifies security audits.
  • Allows tasks and add-ons access to the MTA Application Programming Interfaces (APIs) through Personal Access Tokens (PATs) with fine-grained permissions.

5.2. Administrative tasks

Administrators can configure user authentication and understand user, role, and token management. migration toolkit for applications (MTA) offers you the flexibility to customize configuration as you need.

You can use any one of the authentication flows by using MTA Hub OpenID Connect (OIDC):

Local authentication and authorization
Add users and link roles to them in the MTA application. You do not need any extra configuration.
Lightweight Directory Access Protocol (LDAP)-backed authentication
Configure an LdapProvider CR to integrate LDAP users. Optionally, configure and deploy secrets in your Red Hat OpenShift cluster for a secure connection with the LDAP client.
Federated authentication to Identity Providers (IdPs)
Configure the IdentityProvider CR to federate authentication to an IdP such as Google, Okta, Keycloak, or Microsoft Entra ID (formerly, Azure Active Directory). Optionally, configure and deploy secrets in your Red Hat OpenShift cluster for a secure connection with the IdP client.

To migrate Keycloak implemented in previous versions after an MTA 8.2.0 upgrade, see Keycloak migration.

5.2.1. Optional configurations

If necessary, you can configure authentication fields, custom roles, and API keys.

  • Configure authentication and token variables in the Tackle custom resource (CR).
  • Create custom roles.
  • Create and revoke API keys.

Additional resources

5.3. Enable authentication in Tackle custom resource

Administrators can optionally configure authentication fields and token lifespan in the Tackle custom resource. If you do not configure, the migration toolkit for applications (MTA) Hub applies default values for the authentication and token fields.

Prerequisites

  • You deployed a Red Hat OpenShift cluster.
  • You installed MTA 8.2.0 in the cluster.

Procedure

  1. Edit the tackle CR:

    $ oc edit tackle
  2. Switch to the edit mode in the terminal text editor:

    i
  3. Optionally, configure the authentication fields:

    spec:
      feature_auth_required:true
      idp_primary:true
      hub_oidc_token_lifespan:300
      hub_oidc_refresh_token_lifespan:172800
      hub_apikey_lifespan:87600
      hub_auth_cache_lifespan:5
      hub_ldap_auth_lifespan:5
      hub_oidc_key_rotation:90
    • feature_auth_required:: Enforces authentication to the Hub API and the web console. By default, the value is true.
    • idp_primary:: If you set this field true, MTA Hub automatically redirects authentication to the auto-discovered Keycloak Identity Provider in upgraded deployments where users authenticated using Keycloak. If the field value is false, users can authenticate on the MTA login page. If you configured an identity provider (IdP), then users can authenticate by using the IdP button on the login page.
    • hub_oidc_token_lifespan:: By default, the OAuth access token lifespan is 300 seconds.
    • hub_oidc_refresh_token_lifespan:: By default, the OAuth refresh token lifespan is 172800 seconds or 2 days.
    • hub_apikey_lifespan:: By default, the OAuth API key lifespan is 87600 hours.
    • hub_auth_cache_lifespan:: By default, the OAuth authentication cache lifespan is 5 minutes.
    • hub_ldap_auth_lifespan:: By default, the LDAP authentication lifespan is 5 minutes.
    • hub_oidc_key_rotation:: By default, the OIDC key rotation interval is 90 days.
  4. Save the changes and exit the text editor to apply the changes:

    :wq!

Chapter 6. Basic authentication for local users

Administrators can use a simple authentication workflow to manage users, roles, role-based access control (RBAC) permissions in the MTA inventory with no added infrastructure requirements.

6.1. Add users and assign roles in the web console

Administrators can manage users and assign one or more roles to a user for local authentication and authorization. If you assign one or more roles to a user, the user gets all the unique permissions associated with the roles.

Prerequisites

  • You are an MTA Administrator.
  • The cluster administrator installed MTA 8.2.

Procedure

  1. Log in to the MTA web console.
  2. In the Administration mode, go to User Management.
  3. Click Users.
  4. Enter the following on the Create user page:

    • Username in the Login field.
    • Name of the user.
    • Email address of the user.
    • A new password in the Password field.
    • The same password in the Confirm Password field.
    • Select one or more roles from the Roles list.
  5. Click Create.

6.2. Change password in the web console

To ensure that your account is not accessible with the default admin password, you must change your account password after the first login. When you change your password for the first time, you must also enter your account details.

Procedure

  1. Log in to the MTA application with admin as your password.
  2. Click your role dropdown at the top right corner.
  3. Select User account.
  4. Enter the following on the Edit user page:

    • Name
    • Email address
    • A new password in the Password field.
    • The same password in the Confirm Password field.
  5. Click Save.

Verification

Log out of your account and log in with your new password.

6.3. Create a custom role and assign permissions

To enforce fine-grained role-based access control (RBAC) permissions for users to perform specific tasks, create custom roles and assign specific permissions in the migration toolkit for applications (MTA) web console. MTA exposes features based on the scope of the permissions you assign.

Note

You cannot alter or delete the default roles and permissions scoped to them.

Prerequisites

  • You are an MTA Administrator user.
  • You installed MTA 8.2.0.

Procedure

  1. Log in to the MTA web console.
  2. In the Administration mode, go to User Management.
  3. Click Roles.
  4. Click the number of permissions scoped to the admin role to explore the resources and scoped permissions.
  5. On the Roles page, click Create.
  6. Enter a unique name for the new role in the Name field.
  7. Type the name of a resource to see the list of permissions.
  8. Add one or more permissions:

    • Select a permission from the Permissions list and click the Add selected icon.
    • Click the Add all icon to select all the permissions for that resource.
  9. Click Create.

Chapter 7. LDAP authentication

Manage users by organization hierarchy, apply centralized identity management, and scale role assignment, by integrating the Hub OpenID Connect (OIDC) provider with Lightweight Directory Access Protocol (LDAP)-based authentication.

7.1. LDAP token lifecycle

Migration toolkit for applications (MTA) Hub manages token lifecycle in a Lightweight Directory Access Protocol (LDAP)-based authentication to account for changes in membership, user permission, and user account status.

A user authenticated by LDAP gets an access token that has a default lifespan of 5 minutes. When the access token expires, the authentication server checks for a cached LDAP identity. If the LDAP identity is cached and not expired, the Hub OIDC provider issues a new token with the cached scopes for the user. If the LDAP identity expires or is not cached, the Hub OIDC provider reauthenticates the user by connecting with the Directory Server (DS).

To issue or refresh an access token, the migration toolkit for applications (MTA) Hub connects with the DS by using the stored password, queries the LDAP groups again, maps the LDAP groups to MTA roles, and updates the user identity with expiration. The user need not manually reauthenticate to start the token refresh process.

7.2. Create a custom resource for LDAP or AD federation

To enable the Hub OpenID Connect (OIDC) provider to federate authentication to the Lightweight Directory Access Protocol (LDAP) or an Active Directory (AD) server, the Administrator must create an LdapProvider custom resource and a secret for the LDAP service account.

Prerequisites

  • You installed MTA 8.2.0 in an OpenShift cluster.
  • You have admin access to the cluster.
  • You configured an LDAP service account with read-only permissions.

Procedure

  1. Create an ldap-secret.yaml file:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ldap-service-account
      namespace: openshift-mta
    type: Opaque
    stringData:
      password: "<service-account-password>"
  2. Apply the ldap-secret file in the cluster:

    $ oc apply -f ldap-secret.yaml
  3. Create an ldap.yaml file for the custom resource (CR):

    apiVersion: tackle.konveyor.io/v1alpha1
    kind: LdapProvider
    metadata:
      name: corporate-ldap
      namespace: openshift-mta
    spec:
      name: "Corporate LDAP"
      kind: "ActiveDirectory"
      url: "ldaps://ldap.example.com:636"
      baseDN: "dc=example,dc=com"
      bindDN: "cn=service,dc=example,dc=com"
      password:
        name: ldap-service-account
        namespace: openshift-mta
      userFilter: "(sAMAccountName=${login})"
      groupFilter: "(&(objectClass=group)(member=${dn}))"
      hasMemberOf: true
      roleMappings:
        - and:
            - Developers
          roles:
            - architect
        - any:
            - "**Administrator**"
          roles:
            - admin
    • kind:: Server type is "ACTIVEDIRECTORY", "AD", or blank for other LDAP implementations such as OpenLDAP.
    • url:: LDAP server URL
    • baseDN:: Base Distinguished Name to narrow the scope for LDAP searches
    • bindDN:: unique identifier of the service account used to authenticate against the LDAP directory
    • password:: Reference to Secret containing service account password
    • userFilter:: User search filter. The default value for the user filter in AD is (sAMAccountName=%s) and (uid=%s) for other LDAP implementations when you do not configure a value in the CR.

      To override the default, configure userFilter: "(sAMAccountName=${login})" for AD or userFilter: "(uid=${uid})" for other LDAP implementations.

    • groupFilter:: Group search filter. The default value for the group filter in AD is groupFilter: "(&(objectClass=group)(member=%s))" and (&(objectClass=*)(member=%s)) for other LDAP implementations when you do not configure a group in the CR.

      To override the default, configure groupFilter: "(&(objectClass=group)(member=${dn}))" for distinguished name. You can replace {dn} with {uid} for a unique identifier or {cn} for a common name.

    • hasMemberOf:: Use memberOf attribute for group membership in AD.
    • roleMappings:: Map LDAP groups to Hub roles. The MTA roles can be a list of default or custom roles. When you use global patterns to match the LDAP roles, you must use the DoubleStar pattern or double asterisk to match the complete role name.
  4. Apply the LDAP CR in the cluster:

    $ oc apply -f ldap.yaml
  5. Restart the Hub to load the new client and the secret:

    $ oc rollout restart deployment/tackle-hub -n openshift-mta

7.3. Logic operators and rules in LDAP mappings

To apply flexible policy changes without code changes for Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) integrations, you can configure the LDAP group-to-migration toolkit for applications (MTA) role mapping as YAML rules.

In the rule, you can use the or and and logic. You can write the or logic to apply the any condition while the and logic to apply the and condition. The rules for role mapping follow certain behaviors:

  • Rule matches for LDAP groups are case sensitive. For example, Admins match Global-Admins but not global-admins.
  • When you use wildcards (*), the pattern must match the common name (CN) that the LDAP server returns.

    You can use the wildcard (*) pattern at the start or at the end for partial matching. For example, the rule CN=\*, OU=Security,* matches any common name in the Security organizational unit (OU) but not in other OUs.

  • An LDAP user that matches multiple rules gets roles mapped in all the rules.

Table 7.1. RoleMappings field description

FieldsDescriptionExample

and

ALL patterns must match at least one group

roleMappings:
  - and:
      - "**migration**"
      - "mta-**"
    roles:
       - migrator

MTA assigns the Migrator role to all users of the LDAP group mta-migration-team since the group matches both "migration" and "mta".

any

At least one pattern must match a group

roleMappings:
  - any:
      - "**-administrators"
    roles:
       - admin
  - any:
       - "**Architects**"
    roles:
       - architect

MTA assigns a role from either rule to the LDAP user. LDAP users who match both rules get two roles.

roles

Roles assigned when the LDAP member matches a rule

 

Table 7.2. Wildcard operators

WildcardBehaviorExample

*

Matches any characters within a segment. The match does not cross the comma (,) separator in common names.

Administrator matches Global-Administrator or AdministratorGroup

**

Matches across multiple segments. The match crosses comma (,) separators.

CN=IT,**/Administrators matches CN=IT,OU=Security,CN=Administrators

{a,b}

Brace expansion matches either a or b

{-admins,-administrators} matches either pattern

?

Matches exactly one character

Administrator? matches Administrators or Administrator1

[abc]

Matches one character from the set

Administrator[123] matches Administrator1, Administrator2, Administrator3

Table 7.3. Common wildcard patterns to match LDAP groups patterns

PatternDescriptionMatched parametersUnmatched parameters

**Administrators**

Contains "Administrators" anywhere

CN=Global-Administrators,OU=Groups, Security-Administrators, CN=Administrators-IT

CN=Administrator,OU=Users as 's' is absent in the common name. CN=ADMINISTRATORS as the pattern does not match the uppercase in the common name.

**-administrators

Ends with "-administrators"

platform-administrators, security-administrators, CN=it-administrators,OU=Groups

administrator-users as the common name does not end with "administrators". Administrators-Group as the role name starts with uppercase and does not occur at the end.

Developers,**

Starts with "Developers"

CN=Developers,OU=Groups,DC=example,DC=com, CN=Developers,DC=example

CN=Senior,OU=Developers, OU=Developers,CN=Team

**Developer**

Contains "Developer"

CN=Developers,OU=IT, Senior-Developer, Developer-Team

CN=Develop,OU=Groups

{**-administrators,**-administrator}

Ends with -administrators or -administrator

platform-administrators, global-administrator

administrator-group

7.4. OpenLDAP and Active Directory configurations

The OpenLDAP and Active Directory (AD) implementations have different configurations for select fields.

Table 7.4. OpenLDAP and Active Directory configurations

FieldsActive DirectoryOpenLDAP

Username attribute

sAMAccountName

uid

Group objectClass

group

Generic wildcard (*)

memberOf support

Usually present

May not be present

userFilter

(sAMAccountName=${login})

(uid=${uid})

groupFilter

(&(objectClass=group)(member=${dn}))

(&(objectClass=*)(member=${uid}))

Chapter 8. Red Hat build of Keycloak

The migration toolkit for applications (MTA) Hub OpenID Connect supports integration of a Red Hat build of Keycloak (RHBK) instance for user authentication and authorization for users who upgrade to MTA 8.2.0.

8.1. Keycloak migration

As a Migration toolkit for applications (MTA) administrator, you can federate user authentication to your Keycloak instance and reduce configuration complexity when you upgrade to MTA 8.2.0.

When you upgrade to MTA 8.2.0, the MTA Operator finds the Red Hat Build of Keycloak (RHBK) in the MTA namespace if you deployed Keycloak in earlier versions.

If RHBK is available, MTA installs a Keycloak Operator and deploys an IdentityProvider custom resource (CR) for your Keycloak instance.

In this case, the Keycloak Operator manages the RHBK instance and configures a dedicated realm with necessary roles and permissions. You can configure Keycloak as the primary authentication method in the MTA Tackle CR for an automatic redirect to your instance for user authentication. If you do not configure Keycloak as the primary authentication, you can select the Sign-in with Keycloak option from the Hub login page to redirect authentication.

If you did not deploy an RHBK instance in the MTA namespace (openshift-mta) before the upgrade or if you install MTA for the first time, then MTA no longer deploys the Keycloak Operator, Postgres database, and other RHBK resources. You no longer need to provision 1 GiB for Keycloak database volume in the MTA namespace.

In such cases, you can configure a Keycloak instance separately and integrate it as an Identity Provider (IdP) for user authentication in MTA. The Hub OpenID Connect (OIDC) federates user authentication to the Keycloak provider.

Configure Keycloak as the OIDC provider by using the IdentityProvider CR. You can continue to manage users and roles in Keycloak.

To configure the existing Keycloak instance as an IdP for user authentication:

  • Configure the Idp by using the IdentityProvider CR.
  • Configure the Keycloak instance uniform resource identifier (URI) as the OIDC issuer in the CR.
  • Configure the Hub URL with the callback endpoint as the redirect URI.
  • Deploy the CR in the same namespace where you installed the MTA application in your cluster.

    The MTA Operator reconfigures the Hub to federate OIDC to your existing Keycloak instance.

8.2. Scope management in RHBK

You can manually manage migration toolkit for applications (MTA) scopes in Red Hat Build of Keycloak (RHBK) and assign the scopes to roles so that MTA assigns the necessary permissions to the Keycloak user.

For example, Keycloak administrators can perform create, read, update, and delete tasks for users, tokens, and roles in MTA only if the administrator role has the following scopes:

  • users:get
  • users:post
  • users:put
  • users:delete
  • roles:get
  • roles:post
  • roles:put
  • roles:delete
  • tokens:get
  • tokens:post
  • tokens:delete
  • scopes:get

You can assign the following scopes to non-administrator user roles in Keycloak:

  • users:get
  • users:put
  • users:delete
  • roles:get
  • tokens:get
  • tokens:post
  • tokens:delete
  • scopes:get

8.2.1. Dynamic scopes

You need not manage more than 100 scopes that the migration toolkit for applications (MTA) Hub OpenID Connect (OIDC) supports in your RHBK instance. The Hub dynamically expands the RHBK roles to apply necessary permissions for the role.

You can define the following roles in RHBK:

  • role.admin
  • role.architect
  • role.migrator
  • role.project-manager

If the access token request also specifies specific scopes, the MTA Hub additionally assigns permissions based on the scope reference.

8.3. Accessing the RHBK Admin Console

To perform advanced configurations on an RHBK instance, you must log in to the RHBK Admin Console.

Procedure

  1. Retrieve your admin credentials:

    $ oc get secret mta-keycloak-rhbk -n openshift-mta -o json| jq -r '.data.password | @base64d'

    The admin credentials for RHBK are stored in the mta-keycloak-rhbk secret file in the namespace where you installed MTA.

  2. Enter the following URL in your browser:

    https://<web_console_address>/auth/admin
  3. Access the RHBK Admin Console by entering your credentials.

8.4. Roles, personas, users, and permissions

The migration toolkit for applications (MTA) uses three roles, each corresponding to a persona. The roles are predefined in your Red Hat build of Keycloak (RHBK) instance. If you are an MTA Administrator, you can create users in your RHBK instance and assign each user one or more roles, one role per persona.

A user can have more than one role. Each role must correspond to a specific persona:

  • The admin role corresponds to the Administrator persona. The Administrator has all permissions that Architects and Migrators have. Administrators can also create application-wide configuration parameters that other users can consume but cannot change or view, for example, Git credentials or Maven settings.xml files.
  • The architect role corresponds to the Architect persona. An Architect is a technical lead for the migration project. Architects can run assessments and can create and modify applications and information related to the applications. Architects cannot modify or delete sensitive information, but can consume such information. For example, architects can associate an existing set of credentials to the repository of a specific application.
  • The migrator role corresponds to the Migrator persona. A Migrator can analyze applications. However, the Migrator cannot create, modify, or delete the applications.
  • The project-manager role corresponds to the Project Manager persona. Project managers can create, read, update, and delete migration waves. They can also create Red Hat Developer Lightspeed for migration toolkit for applications resources and adoption plans, and update business stakeholders included in a project. Project managers have read-only access to other MTA resources.

MTA has two views, Administration, and Migration. Only an Administrator can access the Administration view. Architects and Migrators cannot see or access the Administration view. Administrators can perform all actions supported by the Migration view. Architects and Migrators can see all elements of the Migration view. However, whether Architects and Migrators can perform actions in the Migration view depends on the permissions granted to their role.

Chapter 9. Identity provider authentication

Administrators can simplify security and regulatory compliance by implementing the migration toolkit for applications (MTA) Hub as an OpenID Connect (OIDC) Broker to federate user authentication to an identity provider (IdP).

MTA supports integrating IdPs and managing roles and permissions in the MTA web console for authorization:

  • Keycloak instance
  • Microsoft Entra ID (formerly, Azure Active Directory)
  • Google
  • Okta

9.1. Create a secret for the IdP client

If you configured a secret in the Identity Provider (IdP) client configuration, enable the migration toolkit for applications (MTA) Hub to use the secret to connect to the Identity Provider (IdP) client.

Prerequisites

  • You installed MTA 8.2 in an OpenShift cluster.
  • You have admin access to the cluster.
  • You configured a secret in the IdP configuration for a secure connection.

Procedure

  1. Create a secret such as <idp-client-secret>.yaml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: idp-client-secret
      namespace: <mta-namespace>
    type: Opaque
    stringData:
      clientSecret: "<secret>"
    • <mta-namespace>:: The namespace where you deployed MTA.
    • <secret>:: The secret that you configured in the identity provider configuration.
  2. Apply the <idp-client-secret>.yaml file in the cluster:

    $ oc apply -f <idp-client-secret>.yaml
  3. Restart the Hub to load the secret:

    $ oc rollout restart deployment/tackle-hub -n openshift-mta

9.2. Configure an identity provider custom resource

To enable the migration toolkit for applications (MTA) Hub OpenID Connect (OIDC) to integrate with the Identity Provider (IdP), you must create an IdentityProvider custom resource (CR).

Prerequisites

  • You installed the MTA 8.2 application in an OpenShift cluster.
  • You have admin access to the cluster.
  • You optionally created a secret for the IdP.

Procedure

  1. Create an <my-idp>.yaml custom resource:

    apiVersion: tackle.konveyor.io/v1alpha1
    kind: IdentityProvider
    metadata:
      name: corporate-sso
      namespace: openshift-mta
    spec:
      name: "Corporate SSO"
      issuer: "https://idp.example.com/realms/tackle"
      clientId: "tackle-hub"
      clientSecret:
        name: idp-client-secret
        namespace: openshift-mta
      redirectURI: "https://hub.example.com/oidc/idp/callback"
      primary:
        description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication.
        type: true
      scopes:
        - openid
        - profile
        - email
    • name:: A display name for the IdP button in the UI.
    • issuer:: IdP issuer URL for OIDC discovery. You can use template variables in the issuer field. For example, "${issuer.proto}://${issuer.host}/auth/realms/tackle".
    • clientId:: OAuth client ID registered with the IdP.
    • clientSecret:: Optional Kubernetes secret for the MTA Hub to securely connect to the IdP. Omit this configuration if you did not create a secret for the IdP.
    • redirectURI:: Callback URI to the MTA Hub after the IdP authentication completes. You must add the /oidc/idp/callback path to the Hub URI. You can use template variables in the redirect URI field. For example, "${issuer.proto}://${issuer.host}/oidc/idp/callback".
    • primary:: IdP is the primary authentication method. When true, the Hub redirects users automatically to this IdP for authentication. If you configured the field in the Tackle CR, the MTA Hub resolves the configuration for this field from the Tackle CR value.
    • scopes:: OAuth scopes used by an OpenID Connect client to request the access privileges for the access token.
  2. Apply the `<my-idp>.yaml file in the cluster:

    $ oc apply -f <my-idp>.yaml
  3. Restart the Hub to load the configuration:

    $ oc rollout restart deployment/tackle-hub -n openshift-mta

Chapter 10. Token management

As an administrator, you can manage access tokens and application programming interface (API) keys in the Migration toolkit for applications (MTA) web console. To enhance security for task-authentication, the MTA Hub generates task personal access tokens with task-scoped permissions.

10.1. Generate API key from the web console

You can generate application programming interface (API) keys in the Migration toolkit for applications (MTA) web console. The API key inherits permissions from the authenticated user’s roles and has a maximum lifespan limit of 10 years. You can optionally configure the lifespan period when you create a token.

Prerequisites

  • You installed MTA 8.2.0 in a Red Hat OpenShift cluster.
  • You are an MTA Administrator.

Procedure

  1. Log in to the MTA application.
  2. In the Administration mode, go to User Management.
  3. Select Tokens.
  4. Click Create API Key.
  5. Optionally enter the lifespan of the token.
  6. Click Create.
  7. Copy the displayed token.

    You can use the API key for the Red Hat Developer Lightspeed for migration toolkit for applications agent.

10.2. Revoke API keys as an administrator

Administrators can revoke an application programming interface (API) key before its lifespan in the migration toolkit for application (MTA) web console.

Prerequisites

You installed MTA 8.2.0 in a Red Hat OpenShift cluster.

Procedure

  1. Log in to the MTA web console.
  2. In the Administration mode, go to User Management.
  3. Select Tokens.
  4. On the Tokens page, click the options icon.
  5. Click Revoke.

10.3. Revoke API keys as an migrator

As a Migrator, you can revoke an application programming interface (API) key before its lifespan in Migration toolkit for applications (MTA) web console.

Prerequisites

Your administrator installed MTA 8.2.0 in a Red Hat OpenShift cluster.

Procedure

  1. Log in to the MTA web console.
  2. In the Migration mode, click your username at the top right corner.
  3. Select Tokens.
  4. On the Tokens page, click the options icon.
  5. Click Revoke.

Chapter 11. Authentication fields in the Tackle CR

Administrators can enable migration toolkit for applications (MTA) to include permission and role changes in new tokens, apply stateless validation, and control staleness for sessions and tokens by configuring the authentication fields in the Tackle custom resource (CR).

  • JSON Web Token: The MTA Hub generates JWTs as short-lived access tokens for API authentication. When Hub issues a JWT token, it signs the token by using the Rivest-Shamir-Adleman (RSA) algorithm. The Hub also supports signing JWTs with the Hash-based Message Authentication Code (HMAC) algorithm for backward compatibility.

    The JWT payload does not expose personally identifiable information (PII) such as username or password. The default lifespan is 5 minutes but you can configure a custom lifespan by using the hub_oidc_token_lifespan field. If an administrator updates a user’s roles or permissions, the changes will not apply to their current active token. The new permissions will only take effect after the current token expires and the Hub issues a new one, such as during a token refresh.

  • Refresh tokens: After the current token expires, clients use the long-lived refresh tokens to request a new access token to refresh the session. The refresh token workflow does not require the user to manually reauthenticate.

    When a session for the Lightweight Directory Access Protocol (LDAP) or an Identity Provider (IdP) client expires, the refresh token workflow checks for changes in user permission scopes to include when the MTA Hub issues a new token.

    The default token lifespan is 2 days or 172800 seconds. You can configure a custom lifespan by using the hub_oidc_refresh_token_lifespan field.

  • API keys: The maximum default token lifespan is 10 years. Administrators can configure the maximum permissible lifespan by using the hub_apikey_lifespan field.

    To provide security against a cache miss or a direct database modification, a safety-net cache refresh guarantees that the worst-case staleness for API key is 5 minutes. You can configure the hub_auth_cache_lifespan field for the safety-net cache refresh period.

Table 11.1. Authentication fields

FieldTypeDefaultDescription

feature_auth_required

Boolean

true

Enable the flag to enforce authentication for the web console and the Hub API. To allow insecure access, set this flag to false.

hub_auth_cache_lifespan

Integer (minutes)

5

Specifies the cache refresh interval in minutes. The Hub periodically refreshes every cache lifespan interval as a secondary mechanism to control staleness for Basic authentication and personal access tokens.

hub_ldap_auth_lifespan

Integer (minutes)

5

Specifies LDAP identity cache duration to control LDAP query frequency.

hub_oidc_token_lifespan

Integer (seconds)

300

Specifies the OAuth access token lifespan in seconds. By default, the lifespan is 5 minutes.

hub_oidc_refresh_token_lifespan

Integer (seconds)

172800

Specifies the OAuth refresh token lifespan in seconds. By default, the refresh token lifespan is 2 days.

hub_oidc_key_rotation

Integer (days)

90

Specify key rotation interval in days.

hub_apikey_lifespan

Integer (hours)

87600

API key lifespan in hours. By default, the lifespan period is 10 years.

idp_primary

Boolean

true

By default, the field has the value true to mark an auto-discovered Identity Provider as the primary authentication method. MTA automatically redirects users to the IdP for authentication.

Chapter 12. URI templating and wildcard patterns

To enable portable configuration, the Hub OpenID Connect (OIDC) provider resolves template variables and wildcard patterns with the expected OIDC issuer in client configuration at runtime.

12.1. URI template variables

The migration toolkit for applications (MTA) Hub OIDC provider must resolve the redirect uniform resource identifier (URI) dynamically in deployment environments such as local development and testing (localhost), OpenShift custom routes, and custom domains.

To prevent entering hard-coded redirect URIs for an MTA client deployed in different environments, you can use template variables. In the authorization workflow, the Hub OIDC provider resolves the template variables by substituting them with values in the incoming HTTP request from the OIDC Issuer at runtime.

You can use the following template variables in the URIs:

  • ${issuer}: Replaced with the complete issuer URL.
  • ${issuer.host}: Replaced with host and the port.
  • ${issuer.port}: Replaces only the port.
  • ${issuer.path}: Replaces only the path.
  • ${issuer.proto}: Replaces with the issuer scheme.

For example,

12.2. URI wildcard patterns

After template variable substitution, the Hub OIDC provider matches the wildcard patterns in the uniform resource identifier (URI) configuration against the requested URI. The wildcard uses / as path separator to split the pattern and matches the URI segment-by-segment.

Table 12.1. Wildcard pattern behavior

WildcardBehaviorExample PatternMatched URIUnmatched URI

*

Matches any characters except / within one path segment

https://*/callback

https://app.example.com/callback

https://app.example.com/auth/callback

**

Matches zero or more complete path segments. For example, matches across segments separated by / in URI.

https://**/callback

https://app.example.com/auth/v1/callback

https://different.com/

{a,b}

Brace expansion - matches either a or b

https://host{,}/*

Matches URIs with or without port and with or without path

N/A

For example,

  • https://*.example.com/** to match a specific domain, any subdomain, and any path.
  • http://localhost:*/** to match localhost, any port, and any path.
  • ${issuer.proto}://${issuer.host}{,}/* to match the same scheme and host as the OIDC issuer, any port, and any path. You can use this pattern for the MTA web console.

Appendix A. How to contribute to the MTA project

You can help the migration toolkit for applications (MTA) to cover most application builds and server configurations, including yours.

You can help with any of the following items:

  • Send an email to jboss-migration-feedback@redhat.com and let us know what MTA migration rules must cover.
  • Provide example applications to test migration rules.
  • Identify application components and problem areas that might be difficult to migrate:

    • Write a short description of the problem migration areas.
    • Write a brief overview describing how to solve the problem in migration areas.
  • Try migration toolkit for applications on your application. Report any issues you encounter. MTA uses Jira as its issue tracking system. If you encounter an issue when using MTA, submit a Jira issue.
  • Contribute to the migration toolkit for applications rules repository:

  • Contribute to the project source code:

    • Create a core rule.
    • Improve MTA performance or efficiency.

Any level of involvement is greatly appreciated!

Additional resources

Legal Notice

Copyright © 2026 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.