IBM Performance Management

Disabling OpenID Connect authentication for the Performance Management console

You must disable OpenID Connect (OIDC) authentication for the Performance Management console before you can enable single sign-on (SSO) between Performance Management and another IBM product that requires LTPA for SSO.

Although OIDC is no longer used for UI authentication after you complete this procedure, the RESTful APIs continue to rely on OIDC. The RESTful APIs do not interfere with SSO (see Exploring the APIs).

Procedure

Complete the following steps to disable OIDC authentication for the Performance Management console.

  1. Stop all servers with the command apm stop_all. For more information, see Starting, stopping, and checking the status of server components.
  2. If LDAP is already configured for Performance Management, you must temporarily modify the commonRegistry.xml file at install_dir/wlp/usr/shared/config/ to include basicRegistry.xml instead of ldapRegistry.xml. Complete the following steps:
    1. Comment out the line that refers to the LDAP registry file as follows:
      <!--include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/-->
    2. Remove the comment tags from the line that refers to the basic registry file as follows:
      <include optional="false" location="${shared.config.dir}/basicRegistry.xml"/>
  3. Change the value of the oauthRealm attribute in the install_dir/wlp/usr/shared/config/oauthVariables-onprem.xml file to match the value of the realm attribute in the basicRegistry.xml file.
  4. Edit the server.xml file at install_dir/wlp/usr/servers/apmui/ to comment out the line that refers to server-relying-party.xml as follows:
    <!--include optional="true" location="server-relying-party.xml"/-->
  5. Edit the following line in the server-itportal.xml file at install_dir/wlp/usr/servers/apmui/:
     <application type="eba" id="Blaze" name="Blaze"
         location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.eba">

     Change the line as shown:

     <application type="eba" id="Blaze" name="Blaze"
         location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.ltpasso.eba">
  6. Run the following command with the correct password for the apmadmin user.

    install_dir/ccm/configureConsole_ltpasso.sh apmadmin <password>

    The default <password> is apmpass.

  7. If you disabled LDAP in step 2, re-enable the LDAP registry in the commonRegistry.xml file by completing the following steps:
    1. Comment out the line that refers to the basic registry as follows:
      <!--include optional="false" location="${shared.config.dir}/basicRegistry.xml"/-->
    2. Remove the comment tags from the line that refers to the LDAP registry file as follows:
      <include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/>
  8. If you changed the value of the oauthRealm attribute in step 3, update it to match the value of the realm attribute in the ldapRegistry.xml file.
  9. Start all servers with the command apm restart_all. For more information, see Starting, stopping, and checking the status of server components.
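The include toggles in steps 2, 4 and 7 and the archive rename in step 5 are easy to get half-done by hand, which leaves Liberty with no active user registry or with both registries included. The following script is an added example and is not part of IBM's documentation or tooling: it performs those edits with sed, keeping the exact comment form shown above, and checks that exactly one registry include is active before the servers are restarted. The three sample files it creates in a scratch directory are constructed for the demonstration; in a real installation the files live under install_dir/wlp/usr/shared/config/ and install_dir/wlp/usr/servers/apmui/.

```shell
#!/bin/sh
# Added example, not IBM's documentation or tooling: helper functions that
# perform the comment/uncomment edits of steps 2, 4 and 7 and the .eba rename
# of step 5 on Liberty XML config files, then verify the result.
# The sample files are constructed copies; a real install keeps them under
# install_dir/wlp/usr/shared/config/ and install_dir/wlp/usr/servers/apmui/.
set -eu

# Escape '.' and '$' so a location such as ${shared.config.dir}/ldapRegistry.xml
# can be used literally inside a basic regular expression.
esc_bre() {
    printf '%s' "$1" | sed 's/[.$]/\\&/g'
}

# Return 0 when FILE contains an active (uncommented) <include> for LOCATION.
include_active() {
    file=$1; loc=$(esc_bre "$2")
    grep -q "<include [^>]*location=\"$loc\"[^>]*/>" "$file"
}

# Wrap the <include> for LOCATION in an XML comment, keeping its attributes
# (produces the <!--include .../--> form the documentation shows).
comment_include() {
    file=$1; loc=$(esc_bre "$2")
    sed "s|<include \([^>]*location=\"$loc\"[^>]*\)/>|<!--include \1/-->|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Remove the comment wrapper from the <include> for LOCATION.
uncomment_include() {
    file=$1; loc=$(esc_bre "$2")
    sed "s|<!--include \([^>]*location=\"$loc\"[^>]*\)/-->|<include \1/>|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Step 5: point the Blaze application at the .ltpasso.eba archive. The pattern
# does not match a name that already ends in .ltpasso.eba, so rerunning is safe.
use_ltpasso_eba() {
    sed 's|\(com\.ibm\.tivoli\.blaze_[0-9.]*\)\.eba|\1.ltpasso.eba|' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Exactly one registry include must be active, otherwise Liberty either has no
# user registry or two registries competing for the same realm.
active_registry_count() {
    pat=$(esc_bre '${shared.config.dir}/')
    grep -c "<include [^>]*location=\"${pat}[A-Za-z]*Registry\.xml\"" "$1" || true
}

# Build constructed copies of commonRegistry.xml, server.xml and
# server-itportal.xml in a scratch directory; prints the directory name.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/commonRegistry.xml" <<'EOF'
<server>
    <!--include optional="false" location="${shared.config.dir}/basicRegistry.xml"/-->
    <include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/>
</server>
EOF
    cat > "$dir/server.xml" <<'EOF'
<server>
    <include optional="true" location="server-relying-party.xml"/>
</server>
EOF
    cat > "$dir/server-itportal.xml" <<'EOF'
<server>
    <application type="eba" id="Blaze" name="Blaze"
        location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.eba">
    </application>
</server>
EOF
    printf '%s\n' "$dir"
}

# Walk through the file edits of steps 2, 4, 5 and 7 on the constructed copies
# and report the registry state after each switch.
demo() {
    d=$(make_sample_config)
    # Step 2: basic registry in, LDAP registry out.
    comment_include "$d/commonRegistry.xml" '${shared.config.dir}/ldapRegistry.xml'
    uncomment_include "$d/commonRegistry.xml" '${shared.config.dir}/basicRegistry.xml'
    echo "after step 2: active registries = $(active_registry_count "$d/commonRegistry.xml")"
    # Steps 4 and 5: drop the relying-party include, switch to the LTPA SSO archive.
    comment_include "$d/server.xml" 'server-relying-party.xml'
    use_ltpasso_eba "$d/server-itportal.xml"
    grep 'location=' "$d/server-itportal.xml"
    # Step 7: put the LDAP registry back.
    comment_include "$d/commonRegistry.xml" '${shared.config.dir}/basicRegistry.xml'
    uncomment_include "$d/commonRegistry.xml" '${shared.config.dir}/ldapRegistry.xml'
    echo "after step 7: active registries = $(active_registry_count "$d/commonRegistry.xml")"
    rm -rf "$d"
}
demo
```

Run it as `sh toggle_includes.sh`; to use the functions against a real installation, point them at the files named in the steps and run `active_registry_count` on commonRegistry.xml after step 2 and again after step 7, expecting 1 both times. The sed patterns match only the `location` attribute, so the `optional` attribute and any other attributes on the include line are preserved unchanged.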

Results

OpenID Connect authentication for the Performance Management console is now disabled.