I have ISCP 2.1 beta drop 5 installed and running. I am trying to add the HSLT cloud group but have not yet been successful. I am using the webservice IP address and have tried with a couple of different HSLT users with admin privileges, but every time I get the message that either the user does not exist on the HSLT backend or it has no access ids with administrative privileges in the administrative group associated. I thought this might mean the userid needs to be a member of a group, so I tried that but it didn't help. I tried using the userid and I also tried using the access id but neither has worked for me. Is there something that I am missing? Thanks,
This topic has been locked.
9 replies Latest Post - 2012-05-29T18:48:50Z by rossdavibm
Pinned topic how to add the hslt cloud group?
DJSchaefer 270001FDY4 17 Posts
Re: how to add the hslt cloud group? 2012-05-23T10:25:40Z in response to PamG
Hi Pam,
I am not on drop 5 yet, but I got it to work on an earlier drop with the following settings:
Hostname: IP address of the webservice VM
Password: default password for that user
The adminuser has the role "Admin" and is in the admingroup of HSLT.
The resulting URL that I see that is used for the connect is:
But maybe something in drop 5 changed that this doesn't work anymore?
GiuseppeFioretti 120000PYCG 3 Posts
Re: how to add the hslt cloud group? 2012-05-24T10:56:41Z in response to PamG
The requirements for an SCP user to create an HSLT cloud group are the following:
1. Exist also in HSLT user registry (same user name and password). This is of course implicitly satisfied if SCP and HSLT are using the same LDAP (manual configuration in beta 6)
2. Be registered into HSLT with at least one access id with admin role and in the built-in admingroup
We have found a defect that prevents cbadmin (that by default satisfies all the requirements above) from registering HSLT cloud groups. You can overcome this issue by creating another user with the same characteristics. This means:
1. Create the user into the SCP UI and give it cloud admin rights
2. Using the HSLT CLI, create and register the same user into HSLT
3. If SCP and HSLT are sharing the same LDAP, in step 2 only register the user
4. Using the HSLT, give the access id of the user admin role and add it to the admingroup
At this time, you can log into SCP UI using this new user and create the HSLT cloud group with its credentials (you need to enter its user name, not the access id you registered through the HSLT CLI).
Re: how to add the hslt cloud group? 2012-05-24T15:05:32Z in response to GiuseppeFioretti
Thanks for the input, Giuseppe. I am working with Pam on this, and have a few more observations. My efforts are actually based on drop6, so if that introduces variables, keep this in mind.
#1: We know that the environment is sharing LDAP: In the SCP Admin console, the cbadmin user is listed.
#2: When you create a user ID and set the access ID to be 'admin', the user ID is assigned to the 'default_admin_role' group only. This is of note, because in the IWD interface, when you are registering the cloud (attempting to, anyway), the dialog would not close, with the error: "Error registering the cloud group: the user does not exist in the hslt manager or the user has no access ID in the administrative group and with administrative role...." Interestingly, if you modify the access ID to have BOTH the default_admin_role AND default_user_role, you do not get this error.
u61163 | iwdadmin | default_admin_role | admingroup | .... | normal | vm_service
Issue the command: iaas-modify-access -a u61163 -r default_admin_role,default_user_role
u61163 | iwdadmin | default_admin_role,default_user_role | admingroup | .... | normal | vm_service
At this point, I could complete the 'register cloud dialog' and it would be listed. HOWEVER, it still does NOT work. Status 'unable to connect to HSLT'.
#3: After unsuccessful registration, the cloud information panel indicates the URL for the cloud as http://<ip>:8090. Shouldn't this port be 5678 (the webservices port?) There is nothing listening on the webservices kernel service VM at 9080.
You mentioned: "This is of course implicitly satisfied if SCP and HSLT are using the same LDAP (manual configuration in beta 6)". Does this mean that there is further work we need to do with IWD to get both HSLT and IWD using the same LDAP?
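As an added example (not code from the thread or from the product), this Python sketch checks rows of an access-ID listing shaped like the one quoted above against the requirement stated earlier in the thread: at least one access ID with the admin role in admingroup. The column meanings (access ID, user name, roles, group) are assumptions read off the quoted row, and the `labuser` row is constructed.

```python
# Added example: checks an HSLT access-ID listing against the requirement
# stated in this thread. Column order is an ASSUMPTION taken from the quoted
# row: access id | user name | roles | group | ...
ADMIN_ROLE = "default_admin_role"
USER_ROLE = "default_user_role"
ADMIN_GROUP = "admingroup"

# BEFORE and AFTER are quoted from the thread (before and after the
# iaas-modify-access call); the labuser row is constructed for illustration.
BEFORE = "u61163 | iwdadmin | default_admin_role | admingroup | .... | normal | vm_service"
AFTER = "u61163 | iwdadmin | default_admin_role,default_user_role | admingroup | .... | normal | vm_service"
OTHER = "u70001 | labuser | default_user_role | defaultgroup | .... | normal | vm_service"


def parse_access_rows(listing):
    """Turn pipe-separated listing text into dicts; skip lines that do not fit."""
    rows = []
    for line in listing.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4 or not all(fields[:4]):
            continue  # blank line, banner or truncated row
        roles = {r.strip() for r in fields[2].split(",") if r.strip()}
        rows.append({"access_id": fields[0], "user": fields[1],
                     "roles": roles, "group": fields[3]})
    return rows


def check_user(rows, user):
    """Classify a user against the admin-role-in-admingroup requirement."""
    mine = [r for r in rows if r["user"] == user]
    if not mine:
        return "no-access-id"        # user has no row in the listing
    admin = [r for r in mine
             if ADMIN_ROLE in r["roles"] and r["group"] == ADMIN_GROUP]
    if not admin:
        return "not-admin"           # requirement from the thread not met
    if any(USER_ROLE in r["roles"] for r in admin):
        return "admin+user-role"     # state after the modify in the thread
    return "admin-only"              # state in which the thread saw the error


if __name__ == "__main__":
    rows = parse_access_rows("\n".join([AFTER, OTHER]))
    for name in ("iwdadmin", "labuser", "cbadmin"):
        print(name, check_user(rows, name))
```

Feeding it the saved output of the listing command before attempting the registration shows whether the chosen user has any qualifying access ID at all, which separates a role or group problem from a connectivity problem.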
GiuseppeFioretti 120000PYCG 3 Posts
Re: how to add the hslt cloud group? 2012-05-24T15:36:00Z in response to rossdavibm
Yes, it means you need - after installation - to perform manual steps to make SCP and HSLT (and VIL) use the same LDAP. The SCP installation - in beta 6 - creates cbadmin into the HSLT LDAP, but it is not the same as the SCP LDAP. Unfortunately, we also found that the cbadmin that gets created is someway corrupted, that's why I asked you to create a new user.
About the second issue you have, you are right, the WS port is 5678, but we do actually enforce that one when we submit the request to register the cloud group.
So, I really do not know the reason for which SCP is unable to connect to HSLT in your environment. This is an issue we did not face in beta 6 in our test environments, so I guess it is due to some misconfiguration of yours. Unfortunately, I am not the right person to help here. You can try to reproduce the issue and send me the relevant logs.
Re: how to add the hslt cloud group? 2012-05-24T15:46:19Z in response to GiuseppeFioretti
Are you able to provide those 'manual steps' to make the three components use the same LDAP? Or is this something that is to be fixed in the next drop, and if so, how soon can we expect that? This environment is pretty much useless if you can't register a cloud group in SCP, and at this time, the only cloud group we have is the default HSLT.
I'd love to provide log files - if I could find meaningful ones that might help related to the SCP interface. I cannot figure out what I misconfigured, as I simply ran the standard installation using the GUI installer.
Re: how to add the hslt cloud group? 2012-05-25T16:45:35Z in response to GiuseppeFioretti
Giuseppe,
Do you know who the right contact would be to help us get past this? We have a number of folks on board to develop SCP 2.1 enablement materials and can't do much until we resolve this issue. Thanks!
rossella 120000Q98F 58 Posts
Re: how to add the hslt cloud group? 2012-05-28T11:30:01Z in response to PamG
Hi!
Actually you should be able to have HSLT, VIL and SCP attached to the same LDAP easily:
consider HSLT comes with an open LDAP. You can attach VIL to that using WAS console:
https://<vil hostname>:9043/ibm/console, then go to Security->global security and then click Security Configuration Wizard and provide there the information to access the open ldap included in SCP. Another possibility is to do that at VIL installation time editing install_vil.config
For SCP, you can do that from the self service UI going into the System tab
Re: how to add the hslt cloud group? 2012-05-29T18:43:13Z in response to rossella
Ok, getting closer on the LDAP I think. Followed the instructions in the open-LDAP configuration guide and configured on SCP as follows:
JNDI provider URL: ldap://ldap-server;389/
JNDI base DN (users): ou=user,ou=people,dc=isaac,dc=com
JNDI base DN (groups): dc=isaac,dc=com
JNDI security authentication: cn=admin,dc=isaac,dc=com
When I test the settings, the user test works but the group test gets: The LDAP query test has failed (see trace file for details). I haven't yet found the trace file. I looked at the log and it really doesn't provide additional information. Any pointers would be appreciated. The only 2 groups I have defined in HSLT are admingroup and defaultgroup, both get the same error.