Configuring IBM Software Hub to use the embedded LDAP integration

When you install IBM® Software Hub, it is automatically configured to use the LDAP integration provided by the IBM Cloud Pak foundational services Identity Management Service. However, you can configure IBM Software Hub to use the embedded LDAP integration.

Who needs to complete this task?
To complete this task, you must be either:
  • A cluster administrator
  • An instance administrator
When do you need to complete this task?
The embedded LDAP integration is deprecated. Complete this task only if you are not ready to adopt the recommended LDAP integration provided by the Identity Management Service.

For example, if you install a new instance of IBM Software Hub and you have an existing instance of IBM Software Hub at an older version, you can complete this task so that you can use the same authentication method for both instances.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete the task.
    ${OC_LOGIN}
    Remember: OC_LOGIN is an alias for the oc login command.
  2. Set the CPD_ROUTE environment variable:
    export CPD_ROUTE=$(oc get route cpd -n ${PROJECT_CPD_INST_OPERANDS} -o jsonpath='{.spec.host}')
  3. Add the zen_native_auth flag to the product-configmap ConfigMap:
    oc patch cm product-configmap \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --type=merge \
    --patch '{"data": {"zen_native_auth": "enabled"}}'
  4. Restart the usermgmt pods:
    oc rollout restart deployment usermgmt \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
  5. Restart the zen-core pods:
    oc rollout restart deployment zen-core \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
  6. Set the ADMIN_PASSWORD environment variable to the default password for the admin user:
    ADMIN_PASSWORD=$(oc get secret admin-user-details -n=${PROJECT_CPD_INST_OPERANDS} -o 'jsonpath={.data.initial_admin_password}' | base64 -d)
  7. Set the AUTH_TOKEN environment variable to the authorization token for the admin user:
    AUTH_TOKEN=$(curl -k -H "username: admin" -H "password: ${ADMIN_PASSWORD}" https://${CPD_ROUTE}/v1/preauth/validateAuth 2> /dev/null | jq -r '.accessToken')
  8. Set the CPADMIN_PASSWORD environment variable to a new password for the cpadmin user:
    CPADMIN_PASSWORD=<new-password>
  9. Set CPADMIN_PASSWORD as the password for the cpadmin user:
    curl --insecure --location --request PUT "https://${CPD_ROUTE}/api/v1/usermgmt/v1/user/cpadmin" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer ${AUTH_TOKEN}" \
    --data @- << EOF
    {
      "username": "cpadmin",
      "authenticator": "default",
      "password": "${CPADMIN_PASSWORD}"
    }
    EOF
  10. Confirm that you can log in to IBM Software Hub as cpadmin with the password that you specified for CPADMIN_PASSWORD.
  11. Unset the following sensitive environment variables:
    1. Unset the ADMIN_PASSWORD environment variable:
      unset ADMIN_PASSWORD
    2. Unset the AUTH_TOKEN environment variable:
      unset AUTH_TOKEN
    3. Unset the CPADMIN_PASSWORD environment variable:
      unset CPADMIN_PASSWORD
  12. If you have any services with a dependency on Db2U, you must update all db2u instances to use the new authentication method.

    Services with a dependency on Db2U
    • Data Virtualization
    • Db2
    • Db2 Big SQL
    • Db2 Warehouse
    • OpenPages

    1. Run the following command to add the ZEN_NATIVE_AUTH: "true" parameter to the db2u-product-cm ConfigMap:
      cat << EOF | oc apply -f -
      apiVersion: v1
      data:
        ZEN_NATIVE_AUTH: "true"
      kind: ConfigMap
      metadata:
        name: db2u-product-cm
        namespace: ${PROJECT_CPD_INST_OPERATORS}
      EOF
    2. Restart all of the db2u head and data pods in the operands project:
      oc delete pods \
      -n ${PROJECT_CPD_INST_OPERANDS} \
      -l type=engine
    3. Get the name of a db2u engine pod:
      oc get pods \
      -n ${PROJECT_CPD_INST_OPERANDS} \
      -l type=engine
    4. Open a shell in one of the db2u engine pods:
      oc exec -it <Db2 engine pod> \
      -n ${PROJECT_CPD_INST_OPERANDS} -- bash

      Replace <Db2 engine pod> with the name of a pod on your cluster.

    5. Confirm that ZEN_NATIVE_AUTH is set to true:
      env | grep ZEN_NATIVE_AUTH
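
Steps 8 and 9 interpolate CPADMIN_PASSWORD directly into a JSON heredoc, so a password that contains a double quote or a backslash produces invalid JSON or a different password than the one you typed. The following added example (not part of the IBM procedure) escapes the value before sending the same request; the function names json_escape, build_cpadmin_body, prompt_cpadmin_password and set_cpadmin_password are hypothetical, and CPD_ROUTE and AUTH_TOKEN are assumed to be set as in steps 2 and 7.

```shell
#!/bin/sh
# Added example: assumes CPD_ROUTE and AUTH_TOKEN are set as in steps 2 and 7.
# All function names below are hypothetical helpers, not IBM tooling.

# Escape a value for use inside a JSON string literal. Rejects control
# characters (tab, newline, ...) instead of encoding them.
json_escape() {
  clean=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
  if [ "$clean" != "$1" ]; then
    printf '%s\n' 'error: value contains control characters' >&2
    return 1
  fi
  # Backslashes first, then double quotes, so added backslashes are not doubled.
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the step 9 request body with the password escaped.
build_cpadmin_body() {
  escaped=$(json_escape "$1") || return 1
  printf '{"username": "cpadmin", "authenticator": "default", "password": "%s"}\n' "$escaped"
}

# Prompt for the password without echoing it, so it is not typed on a
# command line that lands in the shell history.
prompt_cpadmin_password() {
  printf 'New cpadmin password: ' >&2
  stty -echo
  IFS= read -r CPADMIN_PASSWORD
  stty echo
  printf '\n' >&2
}

# Send the same PUT request as step 9; the body reaches curl on stdin.
# --insecure is kept from step 9 and disables TLS certificate verification.
set_cpadmin_password() {
  body=$(build_cpadmin_body "$1") || return 1
  printf '%s' "$body" | curl --insecure --location --request PUT \
    "https://${CPD_ROUTE}/api/v1/usermgmt/v1/user/cpadmin" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer ${AUTH_TOKEN}" \
    --data @-
  rc=$?
  unset body escaped clean
  return "$rc"
}

# Constructed sample value, not a real password: show the escaped body.
build_cpadmin_body 'Ex"ample\Pass1'
```

To use it in place of steps 8 and 9, run prompt_cpadmin_password and then set_cpadmin_password "${CPADMIN_PASSWORD}", and continue with steps 10 and 11.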

What to do next

After you configure IBM Software Hub to use the embedded LDAP integration, you must connect to your LDAP server. For more information, see Connecting to your identity provider.