Installing the migration toolkit for applications
Installing the migration toolkit for applications user interface and command-line interface
Abstract
- Making open source more inclusive
- 1. Introduction to the migration toolkit for applications
- 2. Supported migration toolkit for applications migration paths
- 3. Installing the migration toolkit for applications user interface
- 4. Installing the migration toolkit for applications command-line interface
- 5. Authentication and Authorization
- 6. Basic authentication for local users
- 7. LDAP authentication
- 8. Red Hat build of Keycloak
- 9. Identity provider authentication
- 10. Token management
- 11. Authentication fields in the Tackle CR
- 12. URI templating and wildcard patterns
- A. How to contribute to the MTA project
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Introduction to the migration toolkit for applications
The migration toolkit for applications (MTA) is a set of tools that you can use to accelerate large-scale application modernization efforts across hybrid cloud environments on Red Hat OpenShift. MTA looks for common resources and problematic spots when migrating applications. It gives a high-level view of the technologies used by the application. MTA also generates a detailed report that evaluates a migration or modernization path. By using this report, you can estimate the effort needed for large-scale projects and reduce the workload involved in the process.
By using MTA, you can perform the following tasks:
- Use the MTA extensive default questionnaire to assess your applications, or create your own custom questionnaire to estimate the difficulty, time, and other resources needed to prepare an application for containerization. You can use the results of an assessment to determine applications suitable for containerization.
- Analyze applications by applying sets of rules to each application. You can use these rules to determine which specific lines of the application you must modify before modernizing the application.
- Examine application artifacts, including project source directories and application archives, and produce an HTML report that highlights areas that require changes.
1.1. MTA features
The migration toolkit for applications (MTA) includes many features that simplify upgrades with multiple migration paths.
MTA brings the following benefits for application analysis and assessment:
- Application inventory and assessment modules to help organizations assess applications' suitability for deployment in containers, including flagging potential risks for migration strategies.
- Integration with source code and binary repositories to automate the applications' retrieval for analysis, along with proxy integration, including HTTP and HTTPS proxy configuration managed in the user interface.
- Improved analysis capabilities with different analysis modes, including source and dependency modes. These modes parse repositories to gather dependencies and add these dependencies to the scope of the analysis. You can also use a simplified user experience to configure the analysis scope, including open source libraries.
Enhanced role-based access control (RBAC) powered by Red Hat build of Keycloak to define the following personas:
- Administrator
- Architect
- Migrator
These personas have different permissions to suit the needs of each user, including credentials management for multiple credential types.
- Administration perspective for administrators to manage tool-wide configuration.
- Support for Red Hat OpenShift on AWS (ROSA)
- Support for Azure Red Hat OpenShift (ARO)
- Support for analyzing applications written in different languages
Additional resources
1.2. MTA rules
The migration toolkit for applications (MTA) contains rule-based migration tools called analyzers. You can use analyzers to examine the technologies, architectures, and application user interfaces (APIs) of the applications you want to move.
MTA analyzer rules use the following rule pattern:
when(condition) message(message) tag(tags)
You can use the MTA rules internally to perform the following tasks:
- Extract files from archives
- Decompile files
- Scan and classify file types
- Analyze XML and other file content
- Analyze the application code
- Build the reports
MTA builds a data model based on the rule execution results and stores component data and relationships in a graph database. This database can then be queried and updated as needed by the migration rules and for reporting purposes.
You can create your own custom analyzer rules. You can use custom rules to identify the use of custom libraries or other components that the provided standard migration rules might not cover.
Additional resources
1.3. MTA tools
The migration toolkit for applications (MTA) tools help in the different stages of your migration and modernization efforts.
You can use the following MTA tools for assessing and analyzing your applications:
User interface (UI)
By using the user interface for the migration toolkit for applications, you can perform the following tasks:
- Assess the risks involved in containerizing an application for hybrid cloud environments on Red Hat OpenShift.
- Analyze the changes that you might need to apply to the code of an application to containerize this application.
Command-line interface (CLI)
The CLI is a command-line tool in the migration toolkit for applications that you can use to assess migration and modernization efforts for applications. It provides reports that highlight the analysis without using the other tools. The CLI includes a wide array of customization options. By using the CLI, you can tune MTA analysis options or integrate with external automation tools.
Migration toolkit for applications (MTA) (MTA) Operator
By using the MTA Operator, you can install the user interface on OpenShift Container Platform.
IDE add-ons
You can migrate and modernize applications by using the migration toolkit for applications add-ons for the following applications:
- Visual Studio Code
- IntelliJ IDEA
You can use these add-ons to perform the following tasks:
- Analyze your projects by using customizable sets of rules
- Mark issues in the source code
- Fix the issues by using the provided guidance
- Use the automatic code replacement, if possible
Chapter 2. Supported migration toolkit for applications migration paths
You can use the migration toolkit for applications (MTA) to assess your applications' suitability for the migration to multiple target platforms. Review the supported migration paths to verify that your planned migration uses a valid combination of source and target technologies. Adhering to these paths helps ensure that MTA can successfully analyze and migrate your applications.
Table 2.1. Supported Java migration paths
| Source platform ⇒ | Migration to JBoss EAP 7 & 8 | OpenShift (cloud readiness) | OpenJDK 11, 17, and 21 | Jakarta EE 9 | Camel 3 & 4 | Spring Boot in Red Hat Runtimes | Quarkus | Open Liberty |
|---|---|---|---|---|---|---|---|---|
|
Oracle WebLogic Server |
✔ |
✔ |
✔ |
- |
- |
- |
- |
- |
|
IBM WebSphere Application Server |
✔ |
✔ |
✔ |
- |
- |
- |
- |
✔ |
|
JBoss EAP 4 |
✘ [a] |
✔ |
✔ |
- |
- |
- |
- |
- |
|
JBoss EAP 5 |
✔ |
✔ |
✔ |
- |
- |
- |
- |
- |
|
JBoss EAP 6 |
✔ |
✔ |
✔ |
- |
- |
- |
- |
- |
|
JBoss EAP 7 |
✔ |
✔ |
✔ |
- |
- |
- |
✔ |
-
|
|
Thorntail |
✔ [b] |
- |
- |
- |
- |
- |
- |
- |
|
Oracle JDK |
- |
✔ |
✔ |
- |
- |
- |
- |
- |
|
Camel 2 |
- |
✔ |
✔ |
- |
✔ |
- |
- |
- |
|
Spring Boot |
- |
✔ |
✔ |
✔ |
- |
✔ |
✔ |
- |
|
Any Java application |
- |
✔ |
✔ |
- |
- |
- |
- |
- |
|
Any Java EE application |
- |
- |
- |
✔ |
- |
- |
- |
- |
[a]
Although MTA does not currently provide rules for this migration path, Red Hat Consulting can assist with migration from any source platform to JBoss EAP 7.
[b]
Requires JBoss EAP expansion pack 2 (JBoss EAP XP 2).
| ||||||||
..NET migration paths
| Source platform ⇒ | OpenShift (cloud readiness) | Migration to .NET 8.0 |
|---|---|---|
|
.NET Framework 4.5+ (Windows only) |
✔ |
✔ |
Analyzing applications written in the .NET language is Developer Preview software only. Developer Preview software is not supported by Red Hat in any way and is not functionally complete or production-ready. Do not use Developer Preview software for production or business-critical workloads. Developer Preview software provides early access to upcoming product software in advance of its possible inclusion in a Red Hat product offering. Customers can use this software to test functionality and provide feedback during the development process. This software might not have any documentation, is subject to change or removal at any time, and has received limited testing. Red Hat might provide ways to submit feedback on Developer Preview software without an associated SLA.
For more information about the support scope of Red Hat Developer Preview software, see Developer Preview Support Scope.
Additional resources
Chapter 3. Installing the migration toolkit for applications user interface
By using the migration toolkit for applications (MTA) user interface (UI), you can assess the risks involved in containerizing an application for hybrid cloud environments on Red Hat OpenShift. You can also analyze the changes that you must apply to the application’s code to containerize the application. You can install the migration toolkit for applications UI on all Red Hat OpenShift cloud services and Red Hat OpenShift self-managed editions.
To create MTA instances, you must install the MTA Operator first. The MTA Operator is a structural layer that manages resources deployed on Red Hat OpenShift, such as database, front end, and back end, to automatically create an MTA instance.
3.1. Persistent volume requirements
To successfully deploy the migration toolkit for applications (MTA) Operator, you must create a persistent volume (PV) used by different MTA components.
The MTA Operator requires two ReadWriteOnce (RWO) PVs. If the rwx_supported configuration option is set to true, the MTA Operator needs two additional ReadWriteMany (RWX) PVs used by Maven and the hub file storage.
Table 3.1. Required persistent volumes
| Name | Default size | Access mode | Description |
|---|---|---|---|
|
|
|
RWO |
Hub database |
|
|
|
RWX |
Hub file storage required if the |
|
|
|
RWO |
Keycloak backend database |
|
|
|
RWX |
Maven m2 cache required if the |
|
|
|
RWO |
Red Hat Developer Lightspeed for MTA database required to run an AI-assisted code resolution. |
3.2. Installing the MTA Operator
To create the migration toolkit for applications (MTA) instances, you must install the MTA Operator first.
The MTA Operator is a structural layer that manages resources deployed on Red Hat OpenShift, such as the database, front end, and back end, to automatically create an MTA instance.
Prerequisites
- Your environment has 4 vCPUs, 8 GB RAM, and 40 GB persistent storage.
- Your environment uses Red Hat OpenShift (cloud service or self-hosted), version 4.21–4.22.
- You created two RWO persistent volumes (PVs) used by different components.
-
You logged in as a user with
cluster-adminpermissions.
Procedure
- In the Red Hat OpenShift web console, click Operators.
- Click OperatorHub.
- Type MTA in the Filter by keyword field to search for the MTA Operator.
- Click Migration toolkit for applications (MTA) Operator.
- Click Install.
- On the Install Operator page, click Install.
Optional: Review and edit the custom resource (CR) settings.
A window for creating CR settings opens automatically after the installation of the MTA Operator is complete. The default settings are acceptable. However, make sure to check the system requirements for storage, memory, and cores.
Alternatively, to work directly with the YAML file, click the YAML view and review the CR settings listed in the
specsection of the YAML file.The
specsection of the YAML file can have the following configuration:kind: Tackle apiVersion: tackle.konveyor.io/v1alpha1 metadata: name: mta namespace: openshift-mta spec: hub_bucket_volume_size: "2.5Gi" maven_data_volume_size: "2.5Gi" rwx_supported: "false"
Verify that the MTA pods are running:
- In the Administration view, click Workloads.
- Click Pods.
Verification
-
Verify that you can see the MTA Operator in the
openshift-mtaproject with the status of Succeeded by clicking Operators and then Installed Operators.
Next steps
Additional resources
3.3. Creating an MTA instance
You can use the migration toolkit for applications (MTA) user interface (UI) to get insights about the application adoption process at both the portfolio and application levels. You can use the MTA UI to inventory, assess, analyze, and manage applications for faster migration to Red Hat OpenShift.
To use the MTA UI for assessing and analyzing your applications, you must create a MTA instance first.
Prerequisites
- You installed the MTA Operator on your system. For more information, see Installing the MTA Operator.
- Your environment has 4 vCPUs, 8 GB RAM, and 40 GB persistent storage.
- Your environment uses Red Hat OpenShift (cloud service or self-hosted), version 4.21–4.22.
-
You logged in as a user with
cluster-adminpermissions.
Procedure
- Click MTA Operator.
- Under Provided APIs, search for Tackle.
- Click Create Instance.
-
Access the user interface from your browser by using the route provided by the
mta-uiapplication within Red Hat OpenShift. Log in to the user interface instance by using the default credentials:
-
Username:
admin -
Password:
Passw0rd!
-
Username:
- When prompted, create a new password.
Additional resources
3.4. Custom resource settings
When installing the migration toolkit for applications (MTA) Operator, you might need to create custom resource (CR) settings. The default settings are acceptable. However, make sure to check the system requirements for storage, memory, and cores.
The following are the most commonly used CR settings that you can find in the spec section of the YAML file.
Table 3.2. Common custom resource settings
| CR name | Default size | Description |
|---|---|---|
|
|
100 GB |
A size requested for the cache volume. This CR is ignored when the |
|
|
Default storage class |
A storage class used for the cache volume. This CR is ignored when the |
|
|
True |
A flag that indicates whether keycloak authorization is required. When set to |
|
|
True |
A flag that indicates whether namespace isolation by using network policies is enabled. |
|
|
10 GB |
A size requested for the Hub database volume. |
|
|
100 GB |
A size requested for the Hub bucket volume. |
|
|
Default storage class |
A storage class used for the bucket volume. |
|
|
1 GB |
A size requested for the Pathfinder database volume. |
|
|
True |
A flag that indicates whether the cluster storage supports RWX mode. |
|
|
NA |
A storage class requested for the Tackle RWO volumes. |
|
|
False |
A flag that indicates whether a dedicated route is created to access the MTA managed RHSSO instance. |
|
|
1 |
A maximum number of CPUs the pod is allowed to use. |
|
|
4 GB |
Maximum amount of memory the pod is allowed to use. You can increase this limit if the pod displays |
|
|
1 |
A minimum number of CPUs the pod needs to run. |
|
|
4 GB |
Minimum amount of memory the pod needs to run. |
Additional resources
Chapter 4. Installing the migration toolkit for applications command-line interface
You can use the migration toolkit for applications (MTA) command-line interface (CLI) to assess and prioritize migration and modernization efforts for applications. You can use different command options to adapt the CLI behavior to your needs. You can tune the MTA analysis options or integrate with external automation tools.
You can install the MTA command-line interface (CLI) on Linux, Windows, or macOS operating systems. You can also install the CLI for use with Docker on Windows. Note, however, that this is a Developer Preview feature only.
4.1. Installing the CLI by using a .zip file
You can use the migration toolkit for applications (MTA) command-line interface (CLI) to assess and analyze your applications to prepare these applications for the migration.
You can install the MTA CLI by using the downloadable .zip file available on the official MTA download page.
Prerequisites
You logged in to
registry.redhat.io.NoteThis prerequisite is not applicable for the containerless mode.
- You installed Java Development Kit (JDK) version 17 or later.
-
You set the
JAVA_HOMEenvironment variable. -
You installed Maven version 3.9.9 or later and added the Maven binary to the
$PATHvariable.
Procedure
Navigate to the MTA download page and download one of the following operating system-specific CLI files or the
srcfile:- mta-8.1.2-cli-linux-amd64.zip
- mta-8.1.2-cli-linux-arm64.zip
- mta-8.1.2-cli-darwin-amd64.zip
- mta-8.1.2-cli-darwin-arm64.zip
- mta-8.1.2-cli-windows-amd64.zip
- mta-8.1.2-cli-windows-arm64.zip
- mta-8.1.2-cli-src.zip
-
Extract the
.zipfile to the.kantradirectory inside your$HOMEdirectory. The.zipfile extracts themta-clibinary, along with other required directories and files. Move the
mta-clibinary to your$PATHvariable.NoteYou can place the
mta-clibinary in any folder that is included in the$PATHvariable. You can also add a folder that containsmta-clito$PATH. This way, you do not need to specify a full path when using the CLI.
Additional resources
4.2. Installing the CLI on a disconnected environment
In certain cases, you might want to install the migration toolkit for applications (MTA) command-line interface (CLI) when an internet connection is not available.
When your system is in a disconnected environment, you can install the MTA (CLI) by performing the following actions:
- Download the required images by using an external computer.
- Copy the downloaded images to the system you want to install the MTA CLI on.
The following procedure applies only to container mode.
The analysis output in the disconnected environment results in fewer incidents because a dependency analysis does not run accurately without access to Maven.
Prerequisites
- You downloaded the required MTA CLI binary from the migration toolkit for applications Red Hat Developer page.
- You installed the Podman tool on your system.
For the analysis of Java applications, you enabled container runtime usage by setting the
--run-localflag tofalse:--run-local=false
The analysis of non-Java applications runs in container mode by default.
Procedure
On a connected device, perform the following steps:
Authenticate to
registry.redhat.io:$ podman login registry.redhat.ioRun the
mta-clibinary file:$ mta-cli analyzeImportantThe binary file pulls only the required provider images. For example, if you run a command that requires Java images, the command will not pull .NET images.
Display the image list:
$ podman imagesREPOSITORY TAG IMAGE ID CREATED SIZE registry.redhat.io/mta/mta-generic-external-provider-rhel9 7.3.1 8b8d7fa14570 13 days ago 692 MB registry.redhat.io/mta/mta-cli-rhel9 7.3.1 45422a12d936 13 days ago 1.6 GB registry.redhat.io/mta/mta-java-external-provider-rhel9 7.3.1 4d6d0912a38b 13 days ago 715 MB registry.redhat.io/mta/mta-dotnet-external-provider-rhel9 7.3.1 66ec9fc51408 13 days ago 1.27 GB
Save the images:
$ podman save <image_ID> -o <image_name>.image- Copy the images onto a USB drive or directly to the file system of the disconnected device.
On the disconnected device, enter:
$ podman load --input <image_name>.image
4.3. Installing the CLI for use with Docker on Windows
To migrate applications built with .NET framework version 4.5 or later, on Microsoft Windows to cross-platform .NET 8.0, you must install the migration toolkit for applications (MTA) command-line interface (CLI) for use with Docker on Windows.
To install the MTA CLI for use with Docker on Windows, you must configure Docker to use Windows containers first.
Prerequisites
- You have a host with 64-bit Windows 11, version 21H2 or later.
- You downloaded the Docker Desktop for Windows installation program.
Procedure
- Open a PowerShell with Administrator privileges.
Ensure Hyper-V is installed and enabled:
PS C:\Users\<user_name>> Enable-WindowsOptionalFeature -Online ` -FeatureName Microsoft-Hyper-V-AllPS C:\Users\<user_name>> Enable-WindowsOptionalFeature -Online ` -FeatureName ContainersNoteYou might need to reboot Windows for the change to take effect.
Install Docker Desktop on Windows.
Run the installation program by double-clicking the
Docker_Desktop_Installer.exefile.By default, Docker Desktop is installed to the
C:\Program Files\Docker\Dockerpath.Ensure that Docker runs Windows containers as the backend instead of Linux containers:
- In the Windows task bar, right-click the Docker icon.
- Click Switch to Windows containers.
In PowerShell, create a folder for MTA:
PS C:\Users\<user_name>> mkdir C:\Users\<user_name>\MTAExtract the
mta-8.1.2-cli-windows.zipfile to theMTAfolder:PS C:\Users\<user_name>> cd C:\Users\<user_name>\DownloadsPS C:\Users\<user_name>> Expand-Archive ` -Path "{ProductShortNameLower}-{ProductVersion}-cli-windows.zip" ` -DestinationPath "C:\Users\<user_name>\MTA"Ensure that Docker is running Windows containers and that the
OS/Archis set towindows/amd64:PS C:\Users\<user_name>> docker versionClient: Version: 27.0.3 API version: 1.46 Go version: go1.21.11 Git commit: 7d4bcd8 Built: Sat Jun 29 00:03:32 2024 OS/Arch: windows/amd64 Context: desktop-windows Server: Docker Desktop 4.32.0 (157355) Engine: Version: 27.0.3 API version: 1.46 (minimum version 1.24) Go version: go1.21.11 Git commit: 662f78c Built: Sat Jun 29 00:02:13 2024 OS/Arch: windows/amd64 Experimental: false
Set the
CONTAINER_TOOLenvironment variable to use Docker:PS C:\Users\<user_name>> $env:CONTAINER_TOOL="C:\Windows\system32\docker.exe"Set the
DOTNET_PROVIDER_IMGenvironment variable to use the upstreamdotnet-external-provider:PS C:\Users\<user_name>> $env:DOTNET_PROVIDER_IMG="quay.io/konveyor/dotnet-external-provider:v0.5.0"Set the
RUNNER_IMGenvironment variable to use the upstream image:PS C:\Users\<user_name>> $env:RUNNER_IMG="quay.io/konveyor/kantra:v0.5.0"
Additional resources
Chapter 5. Authentication and Authorization
To authenticate users in the migration toolkit for applications (MTA) 8.2.0 installations, you can use the Hub OpenID Connect (OIDC) provider. When upgrading to MTA 8.2.0, you can use the Hub OIDC to reduce infrastructure management or integrate MTA with any OIDC provider.
5.1. Why use the Hub OIDC
The migration toolkit for applications (MTA) Hub implements an OpenID Connect (OIDC) standards-compliant provider that offers local user authentication and federation to other providers.
The MTA Hub OIDC provider offers the following advantages:
- Provides you with an option to remove Keycloak dependency to configure users, roles, and permissions. To use Keycloak, you must provision and manage more infrastructure resources.
- Simplifies role-based access control (RBAC) deployment by allowing you to manage users, default and custom roles, and permissions in the MTA application.
- Provides you with an option to integrate Lightweight Directory Access Protocol (LDAP) or federate to another Identity Provider (IdP).
- Provides a permanent list of immutable permissions that map to specific API resources and operations. This ensures authorization works consistently across deployments and simplifies security audits.
- Allows tasks and add-ons access to the MTA Application Programming Interfaces (APIs) through Personal Access Tokens (PATs) with fine-grained permissions.
5.2. Administrative tasks
Administrators can configure user authentication and understand user, role, and token management. migration toolkit for applications (MTA) offers you the flexibility to customize configuration as you need.
You can use any one of the authentication flows by using MTA Hub OpenID Connect (OIDC):
- Local authentication and authorization
- Add users and link roles to them in the MTA application. You do not need any extra configuration.
- Lightweight Directory Access Protocol (LDAP)-backed authentication
-
Configure an
LdapProviderCR to integrate LDAP users. Optionally, configure and deploy secrets in your Red Hat OpenShift cluster for a secure connection with the LDAP client. - Federated authentication to Identity Providers (IdPs)
-
Configure the
IdentityProviderCR to federate authentication to an IdP such as Google, Okta, Keycloak, or Microsoft Entra ID (formerly, Azure Active Directory). Optionally, configure and deploy secrets in your Red Hat OpenShift cluster for a secure connection with the IdP client.
To migrate Keycloak implemented in previous versions after an MTA 8.2.0 upgrade, see Keycloak migration.
5.2.1. Optional configurations
If necessary, you can configure authentication fields, custom roles, and API keys.
- Configure authentication and token variables in the Tackle custom resource (CR).
- Create custom roles.
- Create and revoke API keys.
Additional resources
5.3. Enable authentication in Tackle custom resource
Administrators can optionally configure authentication fields and token lifespan in the Tackle custom resource. If you do not configure, the migration toolkit for applications (MTA) Hub applies default values for the authentication and token fields.
Prerequisites
- You deployed a Red Hat OpenShift cluster.
- You installed MTA 8.2.0 in the cluster.
Procedure
Edit the tackle CR:
$ oc edit tackleSwitch to the edit mode in the terminal text editor:
iOptionally, configure the authentication fields:
spec: feature_auth_required:true idp_primary:true hub_oidc_token_lifespan:300 hub_oidc_refresh_token_lifespan:172800 hub_apikey_lifespan:87600 hub_auth_cache_lifespan:5 hub_ldap_auth_lifespan:5 hub_oidc_key_rotation:90
-
feature_auth_required:: Enforces authentication to the Hub API and the web console. By default, the value istrue. -
idp_primary:: If you set this fieldtrue, MTA Hub automatically redirects authentication to the auto-discovered Keycloak Identity Provider in upgraded deployments where users authenticated using Keycloak. If the field value isfalse, users can authenticate on the MTA login page. If you configured an identity provider (IdP), then users can authenticate by using the IdP button on the login page. -
hub_oidc_token_lifespan:: By default, the OAuth access token lifespan is 300 seconds. -
hub_oidc_refresh_token_lifespan:: By default, the OAuth refresh token lifespan is 172800 seconds or 2 days. -
hub_apikey_lifespan:: By default, the OAuth API key lifespan is 87600 hours. -
hub_auth_cache_lifespan:: By default, the OAuth authentication cache lifespan is 5 minutes. -
hub_ldap_auth_lifespan:: By default, the LDAP authentication lifespan is 5 minutes. -
hub_oidc_key_rotation:: By default, the OIDC key rotation interval is 90 days.
-
Save the changes and exit the text editor to apply the changes:
:wq!
Additional resources
Chapter 6. Basic authentication for local users
Administrators can use a simple authentication workflow to manage users, roles, role-based access control (RBAC) permissions in the MTA inventory with no added infrastructure requirements.
6.1. Add users and assign roles in the web console
Administrators can manage users and assign one or more roles to a user for local authentication and authorization. If you assign one or more roles to a user, the user gets all the unique permissions associated with the roles.
Prerequisites
- You are an MTA Administrator.
- The cluster administrator installed MTA 8.2.
Procedure
- Log in to the MTA web console.
- In the Administration mode, go to User Management.
- Click Users.
Enter the following on the Create user page:
- Username in the Login field.
- Name of the user.
- Email address of the user.
- A new password in the Password field.
- The same password in the Confirm Password field.
- Select one or more roles from the Roles list.
- Click Create.
6.2. Change password in the web console
To ensure that your account is not accessible with the default admin password, you must change your account password after the first login. When you change your password for the first time, you must also enter your account details.
Procedure
-
Log in to the MTA application with
adminas your password. - Click your role dropdown at the top right corner.
- Select User account.
Enter the following on the Edit user page:
- Name
- Email address
- A new password in the Password field.
- The same password in the Confirm Password field.
- Click Save.
Verification
Log out of your account and log in with your new password.
6.3. Create a custom role and assign permissions
To enforce fine-grained role-based access control (RBAC) permissions for users to perform specific tasks, create custom roles and assign specific permissions in the migration toolkit for applications (MTA) web console. MTA exposes features based on the scope of the permissions you assign.
You cannot alter or delete the default roles and permissions scoped to them.
Prerequisites
- You are an MTA Administrator user.
- You installed MTA 8.2.0.
Procedure
- Log in to the MTA web console.
- In the Administration mode, go to User Management.
- Click Roles.
-
Click the number of permissions scoped to the
adminrole to explore the resources and scoped permissions. - On the Roles page, click Create.
- Enter a unique name for the new role in the Name field.
- Type the name of a resource to see the list of permissions.
Add one or more permissions:
- Select a permission from the Permissions list and click the Add selected icon.
- Click the Add all icon to select all the permissions for that resource.
- Click Create.
Chapter 7. LDAP authentication
Manage users by organization hierarchy, apply centralized identity management, and scale role assignment, by integrating the Hub OpenID Connect (OIDC) provider with Lightweight Directory Access Protocol (LDAP)-based authentication.
7.1. LDAP token lifecycle
Migration toolkit for applications (MTA) Hub manages token lifecycle in a Lightweight Directory Access Protocol (LDAP)-based authentication to account for changes in membership, user permission, and user account status.
A user authenticated by LDAP gets an access token that has a default lifespan of 5 minutes. When the access token expires, the authentication server checks for a cached LDAP identity. If the LDAP identity is cached and not expired, the Hub OIDC provider issues a new token with the cached scopes for the user. If the LDAP identity expires or is not cached, the Hub OIDC provider reauthenticates the user by connecting with the Directory Server (DS).
To issue or refresh an access token, the migration toolkit for applications (MTA) Hub connects with the DS by using the stored password, queries the LDAP groups again, maps the LDAP groups to MTA roles, and updates the user identity with expiration. The user need not manually reauthenticate to start the token refresh process.
7.2. Create a custom resource for LDAP or AD federation
To enable the Hub OpenID Connect (OIDC) provider to federate authentication to the Lightweight Directory Access Protocol (LDAP) or an Active Directory (AD) server, the Administrator must create an LdapProvider custom resource and a secret for the LDAP service account.
Prerequisites
- You installed MTA 8.2.0 in an OpenShift cluster.
-
You have
adminaccess to the cluster. - You configured an LDAP service account with read-only permissions.
Procedure
Create an
ldap-secret.yamlfile:apiVersion: v1 kind: Secret metadata: name: ldap-service-account namespace: openshift-mta type: Opaque stringData: password: "<service-account-password>"
Apply the
ldap-secretfile in the cluster:$ oc apply -f ldap-secret.yamlCreate an
ldap.yamlfile for the custom resource (CR):apiVersion: tackle.konveyor.io/v1alpha1 kind: LdapProvider metadata: name: corporate-ldap namespace: openshift-mta spec: name: "Corporate LDAP" kind: "ActiveDirectory" url: "ldaps://ldap.example.com:636" baseDN: "dc=example,dc=com" bindDN: "cn=service,dc=example,dc=com" password: name: ldap-service-account namespace: openshift-mta userFilter: "(sAMAccountName=${login})" groupFilter: "(&(objectClass=group)(member=${dn}))" hasMemberOf: true roleMappings: - and: - Developers roles: - architect - any: - "**Administrator**" roles: - admin-
kind:: Server type is "ACTIVEDIRECTORY", "AD", or blank for other LDAP implementations such as OpenLDAP. -
url:: LDAP server URL -
baseDN:: Base Distinguished Name to narrow the scope for LDAP searches -
bindDN:: unique identifier of the service account used to authenticate against the LDAP directory -
password:: Reference to Secret containing service account password userFilter:: User search filter. The default value for the user filter in AD is(sAMAccountName=%s)and(uid=%s)for other LDAP implementations when you do not configure a value in the CR.To override the default, configure
userFilter: "(sAMAccountName=${login})"for AD oruserFilter: "(uid=${uid})"for other LDAP implementations.groupFilter:: Group search filter. The default value for the group filter in AD isgroupFilter: "(&(objectClass=group)(member=%s))"and(&(objectClass=*)(member=%s))for other LDAP implementations when you do not configure a group in the CR.To override the default, configure
groupFilter: "(&(objectClass=group)(member=${dn}))"for distinguished name. You can replace{dn}with{uid}for a unique identifier or{cn}for a common name.-
hasMemberOf:: Use memberOf attribute for group membership in AD. -
roleMappings:: Map LDAP groups to Hub roles. The MTA roles can be a list of default or custom roles. When you use global patterns to match the LDAP roles, you must use the DoubleStar pattern or double asterisk to match the complete role name.
-
Apply the LDAP CR in the cluster:
$ oc apply -f ldap.yamlRestart the Hub to load the new client and the secret:
$ oc rollout restart deployment/tackle-hub -n openshift-mta
7.3. Logic operators and rules in LDAP mappings
To apply flexible policy changes without code changes for Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) integrations, you can configure the LDAP group-to-migration toolkit for applications (MTA) role mapping as YAML rules.
In the rule, you can use the or and and logic. You can write the or logic to apply the any condition while the and logic to apply the and condition. The rules for role mapping follow certain behaviors:
-
Rule matches for LDAP groups are case sensitive. For example, Admins match
Global-Adminsbut notglobal-admins. When you use wildcards (*), the pattern must match the common name (CN) that the LDAP server returns.
You can use the wildcard (*) pattern at the start or at the end for partial matching. For example, the rule
CN=\*, OU=Security,*matches any common name in the Security organizational unit (OU) but not in other OUs.- An LDAP user that matches multiple rules gets roles mapped in all the rules.
Table 7.1. RoleMappings field description
| Fields | Description | Example |
|---|---|---|
|
|
ALL patterns must match at least one group |
roleMappings:
- and:
- "**migration**"
- "mta-**"
roles:
- migrator
MTA assigns the |
|
|
At least one pattern must match a group |
roleMappings:
- any:
- "**-administrators"
roles:
- admin
- any:
- "**Architects**"
roles:
- architect
MTA assigns a role from either rule to the LDAP user. LDAP users who match both rules get two roles. |
|
|
Roles assigned when the LDAP member matches a rule |
Table 7.2. Wildcard operators
| Wildcard | Behavior | Example |
|---|---|---|
|
|
Matches any characters within a segment. The match does not cross the comma ( |
|
|
|
Matches across multiple segments. The match crosses comma ( |
|
|
|
Brace expansion matches either |
|
|
|
Matches exactly one character |
|
|
|
Matches one character from the set |
|
Table 7.3. Common wildcard patterns to match LDAP groups patterns
| Pattern | Description | Matched parameters | Unmatched parameters |
|---|---|---|---|
|
|
Contains "Administrators" anywhere |
|
|
|
|
Ends with "-administrators" |
|
|
|
|
Starts with "Developers" |
|
|
|
|
Contains "Developer" |
|
|
|
|
Ends with |
|
|
7.4. OpenLDAP and Active Directory configurations
The OpenLDAP and Active Directory (AD) implementations have different configurations for select fields.
Table 7.4. OpenLDAP and Active Directory configurations
| Fields | Active Directory | OpenLDAP |
|---|---|---|
|
Username attribute |
|
|
|
Group objectClass |
|
Generic wildcard ( |
|
|
Usually present |
May not be present |
|
|
|
|
|
|
|
|
Chapter 8. Red Hat build of Keycloak
The migration toolkit for applications (MTA) Hub OpenID Connect supports integration of a Red Hat build of Keycloak (RHBK) instance for user authentication and authorization for users who upgrade to MTA 8.2.0.
8.1. Keycloak migration
As a Migration toolkit for applications (MTA) administrator, you can federate user authentication to your Keycloak instance and reduce configuration complexity when you upgrade to MTA 8.2.0.
When you upgrade to MTA 8.2.0, the MTA Operator finds the Red Hat Build of Keycloak (RHBK) in the MTA namespace if you deployed Keycloak in earlier versions.
If RHBK is available, MTA installs a Keycloak Operator and deploys an IdentityProvider custom resource (CR) for your Keycloak instance.
In this case, the Keycloak Operator manages the RHBK instance and configures a dedicated realm with necessary roles and permissions. You can configure Keycloak as the primary authentication method in the MTA Tackle CR for an automatic redirect to your instance for user authentication. If you do not configure Keycloak as the primary authentication, you can select the Sign-in with Keycloak option from the Hub login page to redirect authentication.
If you did not deploy an RHBK instance in the MTA namespace (openshift-mta) before the upgrade or if you install MTA for the first time, then MTA no longer deploys the Keycloak Operator, Postgres database, and other RHBK resources. You no longer need to provision 1 GiB for Keycloak database volume in the MTA namespace.
In such cases, you can configure a Keycloak instance separately and integrate it as an Identity Provider (IdP) for user authentication in MTA. The Hub OpenID Connect (OIDC) federates user authentication to the Keycloak provider.
Configure Keycloak as the OIDC provider by using the IdentityProvider CR. You can continue to manage users and roles in Keycloak.
To configure the existing Keycloak instance as an IdP for user authentication:
-
Configure the Idp by using the
IdentityProviderCR. - Configure the Keycloak instance uniform resource identifier (URI) as the OIDC issuer in the CR.
- Configure the Hub URL with the callback endpoint as the redirect URI.
Deploy the CR in the same namespace where you installed the MTA application in your cluster.
The MTA Operator reconfigures the Hub to federate OIDC to your existing Keycloak instance.
8.2. Scope management in RHBK
You can manually manage migration toolkit for applications (MTA) scopes in Red Hat Build of Keycloak (RHBK) and assign the scopes to roles so that MTA assigns the necessary permissions to the Keycloak user.
For example, Keycloak administrators can perform create, read, update, and delete tasks for users, tokens, and roles in MTA only if the administrator role has the following scopes:
- users:get
- users:post
- users:put
- users:delete
- roles:get
- roles:post
- roles:put
- roles:delete
- tokens:get
- tokens:post
- tokens:delete
- scopes:get
You can assign the following scopes to non-administrator user roles in Keycloak:
- users:get
- users:put
- users:delete
- roles:get
- tokens:get
- tokens:post
- tokens:delete
- scopes:get
8.2.1. Dynamic scopes
You need not manage more than 100 scopes that the migration toolkit for applications (MTA) Hub OpenID Connect (OIDC) supports in your RHBK instance. The Hub dynamically expands the RHBK roles to apply necessary permissions for the role.
You can define the following roles in RHBK:
-
role.admin -
role.architect -
role.migrator -
role.project-manager
If the access token request also specifies specific scopes, the MTA Hub additionally assigns permissions based on the scope reference.
8.3. Accessing the RHBK Admin Console
To perform advanced configurations on an RHBK instance, you must log in to the RHBK Admin Console.
Procedure
Retrieve your admin credentials:
$ oc get secret mta-keycloak-rhbk -n openshift-mta -o json| jq -r '.data.password | @base64d'The admin credentials for RHBK are stored in the
mta-keycloak-rhbksecret file in the namespace where you installed MTA.Enter the following URL in your browser:
https://<web_console_address>/auth/admin- Access the RHBK Admin Console by entering your credentials.
8.4. Roles, personas, users, and permissions
The migration toolkit for applications (MTA) uses three roles, each corresponding to a persona. The roles are predefined in your Red Hat build of Keycloak (RHBK) instance. If you are an MTA Administrator, you can create users in your RHBK instance and assign each user one or more roles, one role per persona.
A user can have more than one role. Each role must correspond to a specific persona:
-
The
adminrole corresponds to the Administrator persona. The Administrator has all permissions that Architects and Migrators have. Administrators can also create application-wide configuration parameters that other users can consume but cannot change or view, for example, Git credentials or Mavensettings.xmlfiles. -
The
architectrole corresponds to the Architect persona. An Architect is a technical lead for the migration project. Architects can run assessments and can create and modify applications and information related to the applications. Architects cannot modify or delete sensitive information, but can consume such information. For example, architects can associate an existing set of credentials to the repository of a specific application. -
The
migratorrole corresponds to the Migrator persona. A Migrator can analyze applications. However, the Migrator cannot create, modify, or delete the applications. -
The
project-managerrole corresponds to the Project Manager persona. Project managers can create, read, update, and delete migration waves. They can also create Red Hat Developer Lightspeed for migration toolkit for applications resources and adoption plans, and update business stakeholders included in a project. Project managers have read-only access to other MTA resources.
MTA has two views, Administration, and Migration. Only an Administrator can access the Administration view. Architects and Migrators cannot see or access the Administration view. Administrators can perform all actions supported by the Migration view. Architects and Migrators can see all elements of the Migration view. However, whether Architects and Migrators can perform actions in the Migration view depends on the permissions granted to their role.
Chapter 9. Identity provider authentication
Administrators can simplify security and regulatory compliance by implementing the migration toolkit for applications (MTA) Hub as an OpenID Connect (OIDC) Broker to federate user authentication to an identity provider (IdP).
MTA supports integrating IdPs and managing roles and permissions in the MTA web console for authorization:
- Keycloak instance
- Microsoft Entra ID (formerly, Azure Active Directory)
- Okta
9.1. Create a secret for the IdP client
If you configured a secret in the Identity Provider (IdP) client configuration, enable the migration toolkit for applications (MTA) Hub to use the secret to connect to the Identity Provider (IdP) client.
Prerequisites
- You installed MTA 8.2 in an OpenShift cluster.
-
You have
adminaccess to the cluster. - You configured a secret in the IdP configuration for a secure connection.
Procedure
Create a secret such as
<idp-client-secret>.yaml:apiVersion: v1 kind: Secret metadata: name: idp-client-secret namespace: <mta-namespace> type: Opaque stringData: clientSecret: "<secret>"
-
<mta-namespace>:: The namespace where you deployed MTA. -
<secret>:: The secret that you configured in the identity provider configuration.
-
Apply the
<idp-client-secret>.yamlfile in the cluster:$ oc apply -f<idp-client-secret>.yamlRestart the Hub to load the secret:
$ oc rollout restart deployment/tackle-hub -n openshift-mta
9.2. Configure an identity provider custom resource
To enable the migration toolkit for applications (MTA) Hub OpenID Connect (OIDC) to integrate with the Identity Provider (IdP), you must create an IdentityProvider custom resource (CR).
Prerequisites
- You installed the MTA 8.2 application in an OpenShift cluster.
-
You have
adminaccess to the cluster. - You optionally created a secret for the IdP.
Procedure
Create an
<my-idp>.yamlcustom resource:apiVersion: tackle.konveyor.io/v1alpha1 kind: IdentityProvider metadata: name: corporate-sso namespace: openshift-mta spec: name: "Corporate SSO" issuer: "https://idp.example.com/realms/tackle" clientId: "tackle-hub" clientSecret: name: idp-client-secret namespace: openshift-mta redirectURI: "https://hub.example.com/oidc/idp/callback" primary: description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication. type: true scopes: - openid - profile - email-
name:: A display name for the IdP button in the UI. -
issuer:: IdP issuer URL for OIDC discovery. You can use template variables in the issuer field. For example,"${issuer.proto}://${issuer.host}/auth/realms/tackle". -
clientId:: OAuth client ID registered with the IdP. -
clientSecret:: Optional Kubernetes secret for the MTA Hub to securely connect to the IdP. Omit this configuration if you did not create a secret for the IdP. -
redirectURI:: Callback URI to the MTA Hub after the IdP authentication completes. You must add the/oidc/idp/callbackpath to the Hub URI. You can use template variables in the redirect URI field. For example,"${issuer.proto}://${issuer.host}/oidc/idp/callback". -
primary:: IdP is the primary authentication method. Whentrue, the Hub redirects users automatically to this IdP for authentication. If you configured the field in the Tackle CR, the MTA Hub resolves the configuration for this field from the Tackle CR value. -
scopes:: OAuth scopes used by an OpenID Connect client to request the access privileges for the access token.
-
Apply the
`<my-idp>.yamlfile in the cluster:$ oc apply -f<my-idp>.yamlRestart the Hub to load the configuration:
$ oc rollout restart deployment/tackle-hub -n openshift-mta
Chapter 10. Token management
As an administrator, you can manage access tokens and application programming interface (API) keys in the Migration toolkit for applications (MTA) web console. To enhance security for task-authentication, the MTA Hub generates task personal access tokens with task-scoped permissions.
10.1. Generate API key from the web console
You can generate application programming interface (API) keys in the Migration toolkit for applications (MTA) web console. The API key inherits permissions from the authenticated user’s roles and has a maximum lifespan limit of 10 years. You can optionally configure the lifespan period when you create a token.
Prerequisites
- You installed MTA 8.2.0 in a Red Hat OpenShift cluster.
- You are an MTA Administrator.
Procedure
- Log in to the MTA application.
- In the Administration mode, go to User Management.
- Select Tokens.
- Click Create API Key.
- Optionally enter the lifespan of the token.
- Click Create.
Copy the displayed token.
You can use the API key for the Red Hat Developer Lightspeed for migration toolkit for applications agent.
10.2. Revoke API keys as an administrator
Administrators can revoke an application programming interface (API) key before its lifespan in the migration toolkit for application (MTA) web console.
Prerequisites
You installed MTA 8.2.0 in a Red Hat OpenShift cluster.
Procedure
- Log in to the MTA web console.
- In the Administration mode, go to User Management.
- Select Tokens.
- On the Tokens page, click the options icon.
- Click Revoke.
10.3. Revoke API keys as an migrator
As a Migrator, you can revoke an application programming interface (API) key before its lifespan in Migration toolkit for applications (MTA) web console.
Prerequisites
Your administrator installed MTA 8.2.0 in a Red Hat OpenShift cluster.
Procedure
- Log in to the MTA web console.
- In the Migration mode, click your username at the top right corner.
- Select Tokens.
- On the Tokens page, click the options icon.
- Click Revoke.
Chapter 11. Authentication fields in the Tackle CR
Administrators can enable migration toolkit for applications (MTA) to include permission and role changes in new tokens, apply stateless validation, and control staleness for sessions and tokens by configuring the authentication fields in the Tackle custom resource (CR).
JSON Web Token: The MTA Hub generates JWTs as short-lived access tokens for API authentication. When Hub issues a JWT token, it signs the token by using the Rivest-Shamir-Adleman (RSA) algorithm. The Hub also supports signing JWTs with the Hash-based Message Authentication Code (HMAC) algorithm for backward compatibility.
The JWT payload does not expose personally identifiable information (PII) such as username or password. The default lifespan is 5 minutes but you can configure a custom lifespan by using the
hub_oidc_token_lifespanfield. If an administrator updates a user’s roles or permissions, the changes will not apply to their current active token. The new permissions will only take effect after the current token expires and the Hub issues a new one, such as during a token refresh.Refresh tokens: After the current token expires, clients use the long-lived refresh tokens to request a new access token to refresh the session. The refresh token workflow does not require the user to manually reauthenticate.
When a session for the Lightweight Directory Access Protocol (LDAP) or an Identity Provider (IdP) client expires, the refresh token workflow checks for changes in user permission scopes to include when the MTA Hub issues a new token.
The default token lifespan is 2 days or 172800 seconds. You can configure a custom lifespan by using the
hub_oidc_refresh_token_lifespanfield.API keys: The maximum default token lifespan is 10 years. Administrators can configure the maximum permissible lifespan by using the
hub_apikey_lifespanfield.To provide security against a cache miss or a direct database modification, a safety-net cache refresh guarantees that the worst-case staleness for API key is 5 minutes. You can configure the
hub_auth_cache_lifespanfield for the safety-net cache refresh period.
Table 11.1. Authentication fields
| Field | Type | Default | Description |
|---|---|---|---|
|
|
Boolean |
true |
Enable the flag to enforce authentication for the web console and the Hub API. To allow insecure access, set this flag to false. |
|
|
Integer (minutes) |
5 |
Specifies the cache refresh interval in minutes. The Hub periodically refreshes every cache lifespan interval as a secondary mechanism to control staleness for Basic authentication and personal access tokens. |
|
|
Integer (minutes) |
5 |
Specifies LDAP identity cache duration to control LDAP query frequency. |
|
|
Integer (seconds) |
300 |
Specifies the OAuth access token lifespan in seconds. By default, the lifespan is 5 minutes. |
|
|
Integer (seconds) |
172800 |
Specifies the OAuth refresh token lifespan in seconds. By default, the refresh token lifespan is 2 days. |
|
|
Integer (days) |
90 |
Specify key rotation interval in days. |
|
|
Integer (hours) |
87600 |
API key lifespan in hours. By default, the lifespan period is 10 years. |
|
|
Boolean |
true |
By default, the field has the value |
Chapter 12. URI templating and wildcard patterns
To enable portable configuration, the Hub OpenID Connect (OIDC) provider resolves template variables and wildcard patterns with the expected OIDC issuer in client configuration at runtime.
12.1. URI template variables
The migration toolkit for applications (MTA) Hub OIDC provider must resolve the redirect uniform resource identifier (URI) dynamically in deployment environments such as local development and testing (localhost), OpenShift custom routes, and custom domains.
To prevent entering hard-coded redirect URIs for an MTA client deployed in different environments, you can use template variables. In the authorization workflow, the Hub OIDC provider resolves the template variables by substituting them with values in the incoming HTTP request from the OIDC Issuer at runtime.
You can use the following template variables in the URIs:
-
${issuer}: Replaced with the complete issuer URL. -
${issuer.host}: Replaced with host and the port. -
${issuer.port}: Replaces only the port. -
${issuer.path}: Replaces only the path. -
${issuer.proto}: Replaces with the issuer scheme.
For example,
-
"${issuer}/callback"becomeshttps://hub.example.com:8080/oidc/callback -
"http://${issuer.host}/auth"becomeshttp://hub.example.com:8080/auth -
"http://localhost:${issuer.port}/done"becomeshttp://localhost:8080/done
12.2. URI wildcard patterns
After template variable substitution, the Hub OIDC provider matches the wildcard patterns in the uniform resource identifier (URI) configuration against the requested URI. The wildcard uses / as path separator to split the pattern and matches the URI segment-by-segment.
Table 12.1. Wildcard pattern behavior
| Wildcard | Behavior | Example Pattern | Matched URI | Unmatched URI |
|---|---|---|---|---|
|
|
Matches any characters except |
|
|
|
|
|
Matches zero or more complete path segments. For example, matches across segments separated by |
|
|
|
|
|
Brace expansion - matches either |
|
Matches URIs with or without port and with or without path |
N/A |
For example,
-
https://*.example.com/**to match a specific domain, any subdomain, and any path. -
http://localhost:*/**to match localhost, any port, and any path. -
${issuer.proto}://${issuer.host}{,}/*to match the same scheme and host as the OIDC issuer, any port, and any path. You can use this pattern for the MTA web console.
Appendix A. How to contribute to the MTA project
You can help the migration toolkit for applications (MTA) to cover most application builds and server configurations, including yours.
You can help with any of the following items:
- Send an email to jboss-migration-feedback@redhat.com and let us know what MTA migration rules must cover.
- Provide example applications to test migration rules.
Identify application components and problem areas that might be difficult to migrate:
- Write a short description of the problem migration areas.
- Write a brief overview describing how to solve the problem in migration areas.
- Try migration toolkit for applications on your application. Report any issues you encounter. MTA uses Jira as its issue tracking system. If you encounter an issue when using MTA, submit a Jira issue.
Contribute to the migration toolkit for applications rules repository:
- Write a migration toolkit for applications rule to identify or automate a migration process.
Create a test for the new rule.
For more information, see Configuring and using rules for an MTA analysis.
Contribute to the project source code:
- Create a core rule.
- Improve MTA performance or efficiency.
Any level of involvement is greatly appreciated!
Additional resources