Resolving duplicate users before upgrade on Cloud Pak for Integration
If you are upgrading API Connect in Cloud Pak for Integration and the API Connect pre-upgrade check indicates duplicate user accounts in the registry, resolve them before you proceed with the upgrade.
Before you begin
This task applies only when you are upgrading API Connect in Cloud Pak for Integration from 2023.2 (or earlier) to 16.1 (or later). Be sure to run the pre-upgrade check as explained in Pre-upgrade preparation and checks on OpenShift to determine whether duplicate user records exist in your deployment.
About this task
Cloud Pak for Integration uses Keycloak as an OIDC provider to authenticate users instead of IAM (Identity and Access Management). Due to differences in how Keycloak and IAM treat usernames, you might need to manually delete duplicate user accounts to ensure that users can log in after the upgrade. Review the following scenarios to determine whether you need to manually delete any user accounts.
In a user registry, each user is uniquely identified by their username. If a registry allows for case-sensitive usernames, then two user records with matching usernames that use different cases (for example, Alice and ALICE) can exist and they point to two different users. If the registry is case-insensitive, then Alice and ALICE point to the same user.
If the user registry that is backing IAM supports case-sensitive usernames, then IAM uses the case of the username from that registry. For example, if IAM is backed by an LDAP directory that contains ALICE as the username, then IAM also uses ALICE as the username.
Keycloak supports only lowercase letters for usernames, so ALICE from the LDAP directory is stored with the preferred_name alice in Keycloak.
If ALICE is the username in the LDAP directory and was used by IAM before the API Connect upgrade, then API Connect might contain either alice or ALICE in its database after the upgrade, depending on how that user logged in to API Connect after the upgrade:
- If the user logged in using the Automation UI in Cloud Pak for Integration, then API Connect created a lowercase username (alice).
- If the user logged in using the API Connect toolkit, or an invitation from API Connect, then API Connect created a username that matches the case that was used in the underlying registry (ALICE).
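The case collision described above can be illustrated with a short script. This is an added example, not IBM's pre-upgrade check or any API Connect code. The record fields (id, registry, username), the registry names and the sample users are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample records. The field names are assumptions for this
# example, not API Connect's actual schema.
SAMPLE_USERS = [
    {"id": "u1", "registry": "registry-a", "username": "ALICE"},
    {"id": "u2", "registry": "registry-a", "username": "alice"},
    {"id": "u3", "registry": "registry-a", "username": "Bob"},
    {"id": "u4", "registry": "registry-b", "username": "alice"},
    {"id": "u5", "registry": "registry-a", "username": "Carol"},
    {"id": "u6", "registry": "registry-a", "username": "carol"},
    {"id": "u7", "registry": "registry-a", "username": "CAROL"},
]


def find_case_duplicates(users):
    """Group records whose usernames differ only by letter case.

    Usernames are compared per registry: the same name in two different
    registries is two separate accounts, not a duplicate.
    """
    groups = defaultdict(list)
    for user in users:
        # Keycloak stores usernames in lowercase, so fold the same way.
        groups[(user["registry"], user["username"].lower())].append(user)

    report = []
    for (registry, folded), members in sorted(groups.items()):
        if len({m["username"] for m in members}) < 2:
            continue  # only one spelling exists: no case collision
        report.append({
            "registry": registry,
            "keycloak_username": folded,
            # Records already in the lowercase form Keycloak uses.
            "lowercase_ids": sorted(
                m["id"] for m in members if m["username"] == folded),
            # Records that kept the case of the underlying registry.
            "other_case_ids": sorted(
                m["id"] for m in members if m["username"] != folded),
        })
    return report


if __name__ == "__main__":
    for entry in find_case_duplicates(SAMPLE_USERS):
        print(entry)
```

The script only reports collisions; which record to keep is decided by the documented resolution steps, not by this example.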
It is possible that two user records now exist for the same user because one might be in lowercase letters and the other might be in uppercase or mixed-case letters. To determine whether duplicate user records exist and then resolve them, complete the following steps.