9 replies Latest Post - ‏2012-05-29T18:48:50Z by rossdavibm
PamG

how to add the hslt cloud group?

2012-05-22T21:47:36Z
I have ISCP 2.1 beta drop 5 installed and running. I am trying to add the HSLT cloud group but have not yet been successful. I am using the webservice IP address and have tried with a couple of different HSLT users with admin privileges, but every time I get the message that either the user does not exist on the HSLT backend or it has no access ids with administrative privileges in the administrative group associated. I thought this might mean the userid needs to be a member of a group, so I tried that but it didn't help. I tried using the userid and I also tried using the access id but neither has worked for me. Is there something that I am missing? Thanks,
  • DJSchaefer

    Re: how to add the hslt cloud group?

    ‏2012-05-23T10:25:40Z  in response to PamG
    Hi Pam,

    I am not on drop 5 yet, but I got it to work on an earlier drop with the following settings:

    Hostname: IP address of the webservice VM
    User: adminuser
    Password: default password for that user

    The adminuser has the role "Admin" and is in the admingroup of HSLT.
    The resulting URL that I see that is used for the connect is:
    http://<webservice-IP>:8090

    But maybe something in drop 5 changed that this doesn't work anymore?
  • GiuseppeFioretti

    Re: how to add the hslt cloud group?

    ‏2012-05-24T10:56:41Z  in response to PamG
    The requirements for an SCP user to create an HSLT cloud group are the following:

    1. Exist also in HSLT user registry (same user name and password). This is of course implicitly satisfied if SCP and HSLT are using the same LDAP (manual configuration in beta 6)
    2. Be registered into HSLT with at least one access id with admin role and in the built-in admingroup

    We have found a defect that prevents cbadmin (that by default satisfies all the requirements above) from registering HSLT cloud groups. You can overcome this issue by creating another user with the same characteristics. This means:

    1. Create the user into the SCP UI and give it cloud admin rights
    2. Using the HSLT CLI, create and register the same user into HSLT
    3. If SCP and HSLT are sharing the same LDAP, in step 2 only register the user
    4. Using the HSLT, give the access id of the user admin role and add it to the admingroup

    At this time, you can log into SCP UI using this new user and create the HSLT cloud group with its credentials (you need to enter its user name, not the access id you registered through the HSLT CLI).
    • rossdavibm

      Re: how to add the hslt cloud group?

      ‏2012-05-24T15:05:32Z  in response to GiuseppeFioretti
      Thanks for the input, Giuseppe. I am working with Pam on this, and have a few more observations. My efforts are actually based on drop6, so if that introduces variables, keep this in mind.

      #1: We know that the environment is sharing LDAP: In the SCP Admin console, the cbadmin user is listed.
      #2: When you create a user ID and set the access ID to be 'admin', the user ID is assigned to the 'default_admin_role' group only. This is of note, because in the IWD interface, when you are registering the cloud (attempting to, anyway), the dialog would not close, with the error: "Error registering the cloud group: the user does not exist in the hslt manager or the user has no access ID in the administrative group and with administrative role...." Interestingly, if you modify the access ID to have BOTH the default_admin_role AND default_user_role, you do not get this error.

      BEFORE: iaas-describe-accesses-by-user
      u61163 | iwdadmin | default_admin_role | admingroup | .... | normal | vm_service

      Issue the command: iaas-modify-access -a u61163 -r default_admin_role,default_user_role

      u61163 | iwdadmin | default_admin_role,default_user_role | admingroup | .... | normal | vm_service

      At this point, I could complete the 'register cloud dialog' and it would be listed. HOWEVER, it still does NOT work. Status 'unable to connect to HSLT'.

      #3: After unsuccessful registration, the cloud information panel indicates the URL for the cloud as http://<ip>:8090. Shouldn't this port be 5678 (the webservices port)? There is nothing listening on the webservices kernel service VM at 9080.

      You mentioned: "This is of course implicitly satisfied if SCP and HSLT are using the same LDAP (manual configuration in beta 6)". Does this mean that there is further work we need to do with IWD to get both HSLT and IWD using the same LDAP?
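
The two requirements Giuseppe lists (an access ID with the admin role, in the built-in admingroup) can be checked mechanically against `iaas-describe-accesses-by-user` output. The following is an added example, not part of any post in this thread and not IBM code; the column order (access ID, user, roles, group) is an assumption inferred from the rows quoted above, and the extra rows and the user `pamtest` are constructed.

```python
# Added example. Column layout is an ASSUMPTION inferred from the rows
# quoted in the thread: access id | user | roles | group | ...
REQUIRED_ROLE = "default_admin_role"
REQUIRED_GROUP = "admingroup"

# Constructed sample output, modelled on the rows quoted in the post above.
SAMPLE = """\
u61163 | iwdadmin | default_admin_role | admingroup | .... | normal | vm_service
u61164 | iwdadmin | default_user_role | defaultgroup | .... | normal | vm_service
u70001 | pamtest | default_admin_role,default_user_role | admingroup | .... | normal | vm_service
"""


def parse_accesses(text):
    """Yield one dict per well-formed row; skip blank or short lines."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or not cols[0]:
            continue  # banner, blank line, or truncated row
        yield {
            "access_id": cols[0],
            "user": cols[1],
            # roles are comma-separated, as in the modified access above
            "roles": {r.strip() for r in cols[2].split(",") if r.strip()},
            "group": cols[3],
        }


def admin_accesses(text, user):
    """Access IDs of `user` that hold the admin role inside admingroup."""
    return [
        a["access_id"]
        for a in parse_accesses(text)
        if a["user"] == user
        and REQUIRED_ROLE in a["roles"]
        and a["group"] == REQUIRED_GROUP
    ]


def meets_requirement(text, user):
    """True if the user has at least one qualifying access ID."""
    return bool(admin_accesses(text, user))


if __name__ == "__main__":
    for name in ("iwdadmin", "pamtest", "nobody"):
        found = admin_accesses(SAMPLE, name)
        print(name, found or "no admin access id in admingroup")
```
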
      • GiuseppeFioretti

        Re: how to add the hslt cloud group?

        ‏2012-05-24T15:36:00Z  in response to rossdavibm
        Yes, it means you need - after installation - to perform manual steps to make SCP and HSLT (and VIL) use the same LDAP. The SCP installation - in beta 6 - creates cbadmin into the HSLT LDAP, but it is not the same as the SCP LDAP. Unfortunately, we also found that the cbadmin that gets created is someway corrupted, that's why I asked you to create a new user.

        About the second issue you have, you are right, the WS port is 5678, but we do actually enforce that one when we submit the request to register the cloud group.

        So, I really do not know the reason for which SCP is unable to connect to HSLT in your environment. This is an issue we did not face in beta 6 in our test environments, so I guess it is due to some misconfiguration of yours. Unfortunately, I am not the right person to help here. You can try to reproduce the issue and send me the relevant logs.
        • rossdavibm

          Re: how to add the hslt cloud group?

          ‏2012-05-24T15:46:19Z  in response to GiuseppeFioretti
          Are you able to provide those 'manual steps' to make the three components use the same LDAP? Or is this something that is to be fixed in the next drop, and if so, how soon can we expect that? This environment is pretty much useless if you can't register a cloud group in SCP, and at this time, the only cloud group we have is the default HSLT.

          I'd love to provide log files - if I could find meaningful ones that might help related to the SCP interface. I cannot figure out what I misconfigured, as I simply ran the standard installation using the GUI installer.
        • PamG

          Re: how to add the hslt cloud group?

          ‏2012-05-25T16:45:35Z  in response to GiuseppeFioretti
          Giuseppe,

          Do you know who the right contact would be to help us get past this? We have a number of folks on board to develop SCP 2.1 enablement materials and can't do much until we resolve this issue. Thanks!
          Pam
          • rossella

            Re: how to add the hslt cloud group?

            ‏2012-05-28T11:30:01Z  in response to PamG
            Hi!

            Actually you should be able to have HSLT, VIL and SCP attached to the same LDAP easily:
            consider HSLT comes with an open LDAP. You can attach VIL to that using WAS console:
            https://<vil hostname>:9043/ibm/console, then go to Security->global security and then click Security Configuration Wizard and provide there the information to access the open ldap included in SCP. Another possibility is to do that at VIL installation time editing install_vil.config
            For SCP, you can do that from the self service UI going into the System tab
            • PamG

              Re: how to add the hslt cloud group?

              ‏2012-05-29T18:43:13Z  in response to rossella
              Ok, getting closer on the LDAP I think. Followed the instructions in the open-LDAP configuration guide and configured on SCP as follows:

              JNDI provider URL: ldap://ldap-server;389/
              JNDI base DN (users): ou=user,ou=people,dc=isaac,dc=com
              JNDI base DN (groups): dc=isaac,dc=com
              JNDI security authentication: cn=admin,dc=isaac,dc=com

              When I test the settings, the user test works but the group test gets: The LDAP query test has failed (see trace file for details). I haven't yet found the trace file. I looked at the log and it really doesn't provide additional information. Any pointers would be appreciated. The only 2 groups I have defined in HSLT are admingroup and defaultgroup, both get the same error.
              • rossdavibm

                Re: how to add the hslt cloud group?

                ‏2012-05-29T18:48:50Z  in response to PamG
                To further clarify, setting the groups DN to ou=groups,dc=isaac,dc=com also had the same results.