Setting up

After you install , the setup program guides you through the initial configuration.

Before you begin

Complete the installation.
Obtain the link to the setup program and the login credentials that you need to complete the setup process in different places and from different ways, depending on the method used for installation.
Enable login for self-signed certificates.
If you are using self-signed certificates in a development or test environment, you must manually enable login by using either of the following methods:
- Download the certificates from the cluster and add them to your local certificate manager.
- In your browser, go to the API URL: https://api./ and then accept the certificate security risks. After you accept the risks, an AIUC01999E error is displayed. This message is expected. You can now continue with the setup process.

Procedure

Log in to the setup program by using the superuser credentials that were created by the installer.
https://admin./initialsetup
Important: Treat the superuser account the same way that you treat the root account on your servers and use it only for the initial setup. As part of the setup, you create a default administrator user account that has access to the administrative interface. Use this administrative account to add and manage users, deploy applications, and more.
Complete the following steps to configure the dependencies.

Important: The setup configurations are set at the System scope. For more information about configuration scopes, see Configure .
Configure .
is used as the data dictionary for and its applications. It is also used as the default user registry.
The following information is required:

Hostname and port

You can configure one or more hostname and port combinations.

Authentication mechanism

Specify the mechanism that is used to authenticate when it connects to . Select the closest match to the mechanism that is configured for your cluster. For example, if your cluster uses the SCRAM-SHA-256 mechanism, select DEFAULT (SCRAM).

Auth db

Enter the config database.

login credentials

At a minimum, the administrator needs table creation privileges.

Note: The verification might take up to a minute. The configuration cannot be modified after the verification is complete. is a prerequisite for . Changing the configuration requires careful coordination and possible data migration to avoid service outages. System administrators can change the configuration in the console. For assistance with changing the configuration, contact your representative.

For more information, see Installing on-premises.
Upload a CA certificate.
If the service uses the transport layer security (TLS) communication protocol and is not secured with a certificate that is issued by a well-known certificate authority (CA), then provide the certificate of the CA that issued the service's certificate. Because the CA might use intermediate CAs, you can provide more than one certificate.
For each certificate that you provide, the following details are displayed:
- The name of the certificate issuer.
- The name of the subject, such as the organization, that the certificate is issued to.
- The start and end dates of the certificate's validity period. If the validity of any certificate that you provide expires soon, a warning message appears.
You can automatically retrieve or manually add certificates.

Important: If your cluster uses self-signed CA certificates that you must retrieve or add a certificate.
- Automatically retrieving certificates
  In the certificates section, click Retrieve. If the connection credentials that you specify are correct, all CA certificates that are configured on the server are automatically retrieved and displayed.
  
  These certificates are not validated. You must verify that only the correct certificates are retrieved and remove any unexpected certificates.
  
  After you retrieve certificates, you can manually add more certificates.
- Manually adding certificates
  In the certificates section, click Add manually and specify the following values for each certificate that you want to add:
  
  Alias
  
  An alphanumeric identifier that is in the range 3—50 characters long.
  
  Certificate content
  
  The content of a certificate file in either the X.509 or PEM formats.
For more information, see Configuring certificate authority certificates.
Configure User Data Services.
The User Data Services (UDS) collect, transform, and transmit product usage data, user behavior, and feature interaction data. The User Data Services is built with open source operators (Crunchy PostgreSQL), IBM Event Streams. It includes APIs to collect usage data and enforce user-level consent for tracking usage.

For more information about UDS, see : User Data Services (UDS).
Note: User Data Services (UDS) replaces the Behavior Analytics Service (BAS).
1. Enter the following information to configure UDS for :
  - URL - This is the UDS URL endpoint.To find it, go to you OpenShift console, switch to ibm-common-services project, then Networking > Routes. Copy the URL displayed under Location column for the uds-endpoint route.
    
    Example: https://uds-endpoint-ibm-common-services.<your-cluster-domain>
  - API Key - This is the UDS API Key credential. To find it,go to you OpenShift console, switch to ibm-common-services project, then Workloads > Secrets > Search and select the secret named uds-api-key. Under Data section, copy the apikey value.
    
    Example: k2wnQY...
  - Email - Enter a contact email address to use for User Data Services communication. The email address does not have to match an existing user.
  - Given Name - Enter the given name of the owner of the provided contact email address that is used for User Data Services communication.
  - Surname - Enter the surname of the owner of the provided contact email address that is used for User Data Services communication.
  - Certificates - Enter the chain of SSL certificates for your User Data Services. In order to retrieve the certificates, you can click the Retrieve button (under Certificates section) while configuring UDS into . The UDS certificates to configure in will vary accordingly to the cloud service provider's cluster that is hosting your UDS installation.
  Note for UDS installations hosted in IBM Cloud clusters: If your UDS instance is installed in an IBM Cloud cluster, you will need to manually input the certificates for UDS configuration into , instead of using the Retrieve feature available in . IBM Cloud hosted services uses Let's Encrypt certificates chain, therefore you need to include both the intermediate and root certificates for Let's Encrypt.
2. Click Add to add the intermediate of the certificate chain.
3. Enter an alias. Example: udscertpart1.
4. Enter the Certificate content. Here you will include the Let's Encrypt R3 intermediate certificate, issued to US, Let's Encrypt, R3. You can find the certificate content here. Example:
```
-----BEGIN CERTIFICATE-----
MIIF5jCCBM6gAwIBAgISA0Y...
-----END CERTIFICATE-----
```
5. Click Confirm. The first part of this certificate should have valid dates and look like the following example:
```
Issued to: US, Let's Encrypt, R3 
Issued by: US, Internet Security Research Group, ISRG Root X1 
Valid from: Thu Sep 03 2020
Valid to: Mon Sep 15 2025


This is the intermediate certificate which is required for the SSL connection to UDS endpoint.
```
6. Click Add to add the root of the certificate chain.
7. Enter an alias. Example: udscertpart2.
8. Enter the Certificate content. Here you will include the ISRG Root X1 cross-signed certificate, issued to US, Internet Security Research Group, ISRG Root X1. You can find the certificate content here. Example:
```
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAw...
-----END CERTIFICATE-----
```
9. Click Confirm. The second part of this certificate should have valid dates and look like the following example:
```
Issued to: US, Internet Security Research Group, ISRG Root X1 
Issued by: US, Internet Security Research Group, ISRG Root X1 
Valid from: Thu Jun 04 2015
Valid to: Mon Jun 04 2035


This is the root certificate which is required for the SSL connection to UDS endpoint.
```
10. Save the UDS configuration.
11. Now, wait for the UDS configuration to reconcile, this process might take up to 10 minutes. The configuration will be successfully completed when the configuration status is set to Ready. Example:
```
Configuration Ready - UDS configuration was successfully verified
```
Configure the
The (SLS) stores and manages the license.

Each instance can be connected to a unique SLS instance. Two or more instances can also share an SLS and the corresponding license file.

Enter the following SLS information to configure :
- URL - The URL for the SLS server.
- Registration key Enter the SLS registration key.
Depending on your environment, the SLS configuration might take 10 minutes or more to complete.

Optional: Upload your license key file.

If the that you configured for use with includes a valid license file, you do not need to upload a license file. You can continue with the next configuration step.

To activate , you must provide your license key from the License Key Center. The login information is provided in the license Key Center welcome letter. For more help on licensing, see the IBM Support - Licensing page.

Log in to the license Key Center.
Select your company name.
Select the IBM AppPoints product line.
Select the ... license key name.
Select the product or sales order for which to create the license key.
Enter the number of keys to generate. These correspond to the AppPoints that are allocated to the license key.

Provide the license server parameters.

Use the parameters that are displayed in the Advanced settings > license key section of the setup program, or provide the following parameters:

Parameter	Value
Configuration	Single License Server
Host ID Type	Ethernet address
Host ID	The host ID that was generated when you installed the (SLS). To display this ID, connect to your and run the following command: `oc -n <sls_project_namespace> get licenseservice sls` For example, if the namespace of the SLS project is `mas-sls-dev5`, run the following command: `oc -n mas-sls-dev5 get licenseservice sls` In the command output, the host ID is displayed in the `LICENSEID` column.
Hostname	A hostname of your choice, for example: `sls-mas`
Port	27000

Download the key and then upload it to the setup program.

Create the workspace.
The workspace is a unique collection of configuration settings for your instance of . Enter the following information to create your workspace:
- Workspace ID
  The workspace ID forms part of the URL, for example:
  
  https://.home.
  
  Note: The workspace ID must be 3 - 12 characters in length, and can contain only lowercase letters and numbers. The first character must be a letter.
- Workspace display name
  The display name is shown in your user interface.
Review the setup configuration.

Your setup is now complete. Verify that all configuration settings are done and then click Finish to complete the setup.

What to do next

After the setup is complete, you can start to use your environment by going to the administration or the navigator page:

https://admin.
https://.home.

As the superuser, you can now continue configuring your environment to suite your enterprise needs:

Configure authentication
supports local user authentication by and authentication by using LDAP or SAML.
Configure LDAP user registry synchronization
User registry synchronization simplifies user management by synchronizing users and groups between an LDAP server and your local user registry.
Create administrator user accounts
The initial superuser account is used to complete the setup. You can add application administrator users or system administrator users for day-to-day administrative tasks.
Getting started
With the setup completed, your users can log in and start to use .