Onboarding a new admin for Cloud Pak for Integration

Use the API Connect toolkit CLI to create a new admin account for use with Cloud Pak for Integration.

About this task

If you changed the local admin account for Cloud Pak for Integration, you must create a new admin user in API Connect to ensure that the new Cloud Pak for Integration admin can log in to API Connect with the Common Services User Registry.

Procedure

  1. Download and install the API Connect toolkit CLI and credentials file as explained in Installing the toolkit.
  2. Log in to the toolkit CLI.

    Logging in to the toolkit CLI requires the endpoint URL for your API Connect management server. In Cloud Pak for Integration, the URL indicates the location of the management server within the Cloud Pak for Integration deployment.

    1. Determine the URL to the API Connect management server by running the following command:
      oc -n APIC_namespace get mgmt APIC_instance -o jsonpath="{.status.zenRoute}" && echo ""
      The response looks like the following example URL:
      
      apic-mgmt-admin-apic.deve-cip-hlag-8e86d3798137c73f524cf9-0000.eu-de.containers.appdomain.cloud
    2. Log in to the API Connect toolkit CLI by running the following command:
      apic -s API_Connect_URL login -u admin -p <password> -r admin/default-idp-1

      where API_Connect_URL is the URL of the management server in your API Connect instance.

  3. Create a new admin account by completing the following steps.

    Use the toolkit CLI to create an admin account in the Common Services User Registry and then add the new admin to the API Connect administrator role.

    1. Create a YAML file called newCp4iAdmin.yaml with the following information for the new admin account.
      username: <new_cp4i_admin_username>
      first_name: CP4I
      last_name: Administrator
    2. Create the Cloud Pak for Integration admin account by running the following command:
      apic -s API_Connect_URL users:create -o admin --user-registry common-services newCp4iAdmin.yaml
    3. Verify that the account was created by running the following command:
      apic -s API_Connect_URL users:get -o admin --user-registry common-services <new_cp4i_admin_username> --output -
    4. Get the new admin account's URL by running the following command:
      apic -s API_Connect_URL users:list -o admin --user-registry common-services | grep <new_cp4i_admin_username> | awk '{print $4}'
    5. Get the URL of the API Connect administrator role by running the following command:
      apic -s API_Connect_URL roles:list --scope org -o admin | grep -w administrator | grep -v topology | awk '{print $2}'
    6. Create a YAML file called newcp4iadminmember.yaml with the following content:
      name: <new_cp4i_admin_username>
      user:
        url: <user_URL>
      role_urls:
        - <role_URL>
    7. Use the newcp4iadminmember.yaml file to add the new admin as a member of the API Connect instance's admin organization.

      Create the new member by running the following command:

      apic -s API_Connect_URL members:create --scope org -o admin newcp4iadminmember.yaml
    8. Verify that the new admin account works by using it to log in to the Cloud Manager interface in your API Connect instance.
  4. Remove the old Cloud Pak for Integration admin user from API Connect.

    After you verify that the new Cloud Pak for Integration admin can log in to the API Connect Cloud Manager interface, delete the previous Cloud Pak for Integration admin account.

    1. Remove the previous admin from the membership of the API Connect admin organization by running the following command:
      apic -s API_Connect_URL members:delete --scope org -o admin cs-admin

      When you initially deployed API Connect as a component of Cloud Pak for Integration, the admin username was admin and the member in the API Connect admin organization was cs-admin. If the cs-admin member does not exist in the admin organization, then the Cloud Pak for Integration admin user was changed after deployment. In this case, the member uses the same name as the admin account's user name. Delete the member with that name:

      apic -s API_Connect_URL members:delete --scope org -o admin <old_cp4i_admin_username>
    2. Delete the previous Cloud Pak for Integration admin user account from the Common Services User Registry by running the following command:
      apic -s API_Connect_URL users:delete -o admin --user-registry common-services <old_cp4i_admin_username>
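
The lookups in steps 3.4 through 3.6 use grep, which matches substrings, so a user name that is a prefix of another user name returns more than one URL. The following shell example, which is added here and is not part of the IBM procedure, selects the row by exact name, refuses to continue unless exactly one row matches, and then prints the newcp4iadminmember.yaml content. The function names pick_url and member_yaml, the sample listings, and the example.com URLs are constructed for illustration; the column positions (4 and 2) come from the awk commands in the procedure.

```shell
#!/bin/sh
# Added example: exact-match lookups for steps 3.4 to 3.6, so that the
# administrator role is never bound to a similarly named account.

# pick_url NAME COL: read a listing on stdin and print column COL of the
# single row whose first column equals NAME. Fails on zero or several matches.
pick_url() {
  awk -v name="$1" -v col="$2" '
    $1 == name { n++; url = $col }
    END { if (n != 1) exit 1; print url }'
}

# member_yaml NAME USER_URL ROLE_URL: print the newcp4iadminmember.yaml content.
member_yaml() {
  printf 'name: %s\nuser:\n  url: %s\nrole_urls:\n  - %s\n' "$1" "$2" "$3"
}

# Constructed sample listings (placeholder host and IDs, not real output).
SAMPLE_USERS='cp4iadmin    [state: enabled]   https://mgmt.example.com/api/user-registries/ORG/REG/users/1111
cp4iadmin2   [state: enabled]   https://mgmt.example.com/api/user-registries/ORG/REG/users/2222'
SAMPLE_ROLES='administrator            https://mgmt.example.com/api/orgs/ORG/roles/aaaa
topology-administrator   https://mgmt.example.com/api/orgs/ORG/roles/bbbb'

# demo: build the member file content from the constructed listings.
demo() {
  user_url=$(printf '%s\n' "$SAMPLE_USERS" | pick_url cp4iadmin 4) || return 1
  role_url=$(printf '%s\n' "$SAMPLE_ROLES" | pick_url administrator 2) || return 1
  member_yaml cp4iadmin "$user_url" "$role_url"
}
demo

# Against a live server, pipe the commands from the procedure into pick_url:
#   apic -s API_Connect_URL users:list -o admin --user-registry common-services | pick_url "$NEW_ADMIN" 4
#   apic -s API_Connect_URL roles:list --scope org -o admin | pick_url administrator 2
```

With the sample listings, `grep cp4iadmin` would return both user rows, while pick_url returns only the URL that ends in 1111.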