Configuring the OIDC credentials on OpenShift

When you recover API Connect V10.0.x, you must manually update the values for the Management OIDC credentials (client_ID and client_secret) in the Common Services User Registry.

Before you begin

This task is required for all of the 10.0.x releases up to, and including, version 10.0.2 (skip this task for version 10.0.3 and later). The procedure requires you to log in to the Cloud Manager on the new API Connect deployment. Use the Cloud Manager administrator username and password that you saved while preparing for disaster recovery.

About this task

When you deploy API Connect, the OIDC client_ID and client_secret resources are automatically generated and added to the Common Services User Registry. These resources enable single sign-on with the IBM Cloud Pak platform. When you reinstall API Connect as part of disaster recovery, the registry still holds the original values, but they belong to the old deployment and can no longer be used. You must update the Common Services User Registry and replace the original values with the values generated by the new deployment.

Procedure

  1. Retrieve the client_ID and client_secret from the stored secret in API Connect.
    1. Run the following command to retrieve the client_ID:
      oc -n <APIC_namespace> get secret <instance_name>-oidc-client -o jsonpath="{.data.CLIENT_ID}" | base64 -D
    2. Run the following command to retrieve the client_secret:
      oc -n <APIC_namespace> get secret <instance_name>-oidc-client -o jsonpath="{.data.CLIENT_SECRET}" | base64 -D
  2. Update the Common Services User Registry with the new values.

    Using the Cloud Manager UI:

    1. In API Connect, open the Cloud Manager interface.
    2. Select the Cloud Manager User Registry.

      You will use the Cloud Manager User Registry to modify settings for the Common Services User Registry.

    3. Log in to the Cloud Manager User Registry using the administrator username and password that you saved while preparing for disaster recovery.
    4. In Cloud Manager, click Resources > User Registries and edit Common Services User Registry.
    5. In the Client information section, paste the client_ID value from step 1 into the Client ID field.
    6. Paste the client_secret value from step 1 into the Client secret field.
    7. Save your changes.

    Using the toolkit CLI:

    1. Run the following command to determine the <mgmt_endpoint_URL> that you will use for accessing the management server:
      oc -n <APIC_namespace> get mgmt <instance_name> -o jsonpath="{.status.zenRoute}" && echo ""
    2. Log in to the management server:
      1. Run the following command to start the login process:
        apic login --server <mgmt_endpoint_URL>
      2. Provide your login credentials:
        • Realm? Type your realm (for example: admin/default-idp-1) and press Enter.

          The realm refers to your identity provider. For information on determining your realm value, see How to determine the identity provider.

        • Username? Type your Cloud Manager administrator username and press Enter.
        • Password? Type the password for your Cloud Manager administrator account and press Enter.
    3. Run the following command to download the Common Services User Registry as a YAML file:
      apic user-registries:get common-services --server <mgmt_endpoint_URL> -o admin --fields name,configuration
    4. Edit the file and update the client_ID and client_secret settings with the values you obtained in step 1.
    5. Save and close the file.
    6. Run the following command to upload the modified file to Cloud Manager:
      apic user-registries:update common-services --server <mgmt_endpoint_URL> -o admin common-services.yaml
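The toolkit CLI path above (read the secret in step 1, edit the exported YAML in steps 3 to 6) as an added shell example that is not part of the IBM documentation: it uses the same oc command with base64 --decode (the page's -D is the macOS spelling; GNU coreutils wants -d, and both accept --decode) and rewrites only the client_id and client_secret lines of the exported file, refusing to write empty values. The field names under configuration: and the sample YAML are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the IBM API Connect documentation. Field names
# under "configuration:" (client_id, client_secret) are assumed to match the
# YAML that "apic user-registries:get common-services" exports.
set -eu

# Same oc command as the procedure, but with base64's long flag: GNU coreutils
# accepts -d, macOS accepts -D, and both accept --decode.
oidc_secret_field() {
  local ns=$1 instance=$2 field=$3   # field is CLIENT_ID or CLIENT_SECRET
  oc -n "$ns" get secret "${instance}-oidc-client" -o jsonpath="{.data.$field}" | base64 --decode
}

# Rewrite only the client_id and client_secret lines of the exported registry
# YAML, keeping indentation and every other line untouched.
update_registry_yaml() {
  local file=$1 client_id=$2 client_secret=$3
  # A wrong <instance_name> yields an empty jsonpath result; refuse to write
  # blank credentials rather than silently break single sign-on.
  if [ -z "$client_id" ] || [ -z "$client_secret" ]; then
    echo "update_registry_yaml: empty client_id or client_secret" >&2; return 1
  fi
  case "$client_id$client_secret" in
    *\"*|*\\*) echo "update_registry_yaml: quotes and backslashes are not supported" >&2; return 1 ;;
  esac
  CLIENT_ID="$client_id" CLIENT_SECRET="$client_secret" awk '
    match($0, /^[ \t]*client_id:/)     { print substr($0, 1, RLENGTH) " \"" ENVIRON["CLIENT_ID"] "\""; n++; next }
    match($0, /^[ \t]*client_secret:/) { print substr($0, 1, RLENGTH) " \"" ENVIRON["CLIENT_SECRET"] "\""; n++; next }
    { print }
    END { if (n != 2) { print "expected 2 OIDC fields, found " n+0 > "/dev/stderr"; exit 1 } }
  ' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
  mv "$file.tmp" "$file"
}

# Constructed stand-in for the exported registry file, used only for offline testing.
sample_registry_yaml() {
  cat > "$1" <<'EOF'
name: common-services
configuration:
  client_id: stale-client-id-from-old-cluster
  client_secret: stale-client-secret-from-old-cluster
  title: Common Services User Registry
EOF
}
# Against a live cluster (placeholders as in the procedure above):
#   id=$(oidc_secret_field <APIC_namespace> <instance_name> CLIENT_ID)
#   secret=$(oidc_secret_field <APIC_namespace> <instance_name> CLIENT_SECRET)
#   update_registry_yaml common-services.yaml "$id" "$secret"
#   apic user-registries:update common-services --server <mgmt_endpoint_URL> -o admin common-services.yaml
```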