Upgrading User Management Services

In 21.0.3, User Management Services (UMS) are being replaced by IBM Cloud Pak foundational services Identity Access Management (IAM) SSO, Zen, SCIM, and Business Teams Service (BTS).

About this task

  • All Cloud Pak for Business Automation components that have been using UMS SSO in previous releases will be configured automatically to use single sign-on with IBM Cloud Pak foundational services IAM SSO and Zen JWT. User Management Service SSO is removed. Non-browser clients that obtained tokens from UMS SSO need to be updated to use the same flows with IAM SSO. For more information, see OIDC Registration APIs. IAM tokens can be exchanged for Zen JWT to get access through the new front door:
    zentoken=$(curl -sk "$zenhost/v1/preauth/validateAuth" -H "username:$username" -H "iam-token: $iamaccesstoken" | jq -r .accessToken)
  • All Cloud Pak for Business Automation components that have been using UMS SCIM in previous releases will be configured automatically to use the IAM SCIM that is provided by IBM Cloud Pak foundational services.
  • All teams that were created in previous versions in UMS Teams will be moved automatically to the new Business Teams Service (BTS) database. The configuration parameter ums_configuration.teamserver.admingroup, previously used to determine which users can administer teams, is replaced by assigning a Zen permission to a role. For more information, see Business Teams Service: Assigning permission to manage teams.
Important: To ensure a successful migration, the previous datasource_configuration.dc_ums_datasource configuration must remain in the Custom Resource file when upgrading, for example:
  datasource_configuration:
    dc_ums_datasource:
      dc_ums_oauth_type: "postgresql"
      dc_ums_oauth_host: "postgre1.mycompany.com"
      dc_ums_oauth_port: "5432"
      dc_ums_oauth_name: "umsdb1"
      dc_ums_oauth_ssl: false
      dc_ums_oauth_driverfiles: "postgresql-42.2.18.jar"
      dc_ums_teamserver_type: "postgresql"
      dc_ums_teamserver_host: "postgre1.mycompany.com"
      dc_ums_teamserver_port: "5432"
      dc_ums_teamserver_name: "umsdb1"
      dc_ums_teamserver_ssl: false
      dc_ums_teamserver_driverfiles: "postgresql-42.2.18.jar"
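
The IAM-to-Zen token exchange from the first item above, as an added Python example that is not IBM's code: it calls the same endpoint with the same headers as the curl command, keeps TLS verification on, and rejects a missing, malformed or expired accessToken instead of passing it on. The opener, cafile and now parameters and the TokenExchangeError name are assumptions of this example, and the exp claim is treated as optional.

```python
import base64
import json
import ssl
import time
import urllib.request


class TokenExchangeError(Exception):
    """The front door did not return a usable Zen JWT."""


def _jwt_claims(token):
    # Reads the payload only to inspect "exp". The signature is NOT verified
    # here; that stays with the service that receives the token.
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise TokenExchangeError("accessToken is not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as err:  # bad base64, bad UTF-8 or bad JSON
        raise TokenExchangeError("JWT payload is not valid JSON") from err
    return claims if isinstance(claims, dict) else {}


def exchange_iam_for_zen(zenhost, username, iam_token, cafile=None,
                         opener=urllib.request.urlopen, now=time.time):
    """Return the Zen JWT for an IAM access token, or raise TokenExchangeError."""
    if not zenhost.lower().startswith("https://"):
        raise TokenExchangeError("zenhost must be an https:// URL")
    req = urllib.request.Request(
        zenhost.rstrip("/") + "/v1/preauth/validateAuth",
        headers={"username": username, "iam-token": iam_token})
    # The default context verifies the certificate chain and host name
    # (curl -k skips both); cafile points at the cluster CA when it is private.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with opener(req, context=ctx, timeout=10) as resp:
            body = json.load(resp)
    except (OSError, ValueError) as err:  # URLError and HTTPError are OSError
        raise TokenExchangeError("token exchange request failed") from err
    token = body.get("accessToken") if isinstance(body, dict) else None
    if not isinstance(token, str) or not token:
        # With `jq -r .accessToken` this case yields the literal string "null".
        raise TokenExchangeError("response carries no accessToken")
    exp = _jwt_claims(token).get("exp")
    if isinstance(exp, (int, float)) and exp <= now():
        raise TokenExchangeError("returned Zen JWT is already expired")
    return token
```

The error messages never include the IAM token or the returned JWT, so they are safe to log.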

Procedure

  1. If you previously specified images in the ums_configuration section of the custom resource file, remove the old tags.
  2. Optional: You can configure the migration_debug, migration_droptables and migration_test parameters in the ums_configuration.teamserver section of the Custom Resource file. For example:
    ums_configuration:
        # configuration for teamserver pods
        teamserver:
          replica_count: 2
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 256Mi
          autoscaling:
            enabled: true
            minReplicas: 2
            maxReplicas: 5
            targetAverageUtilization: 98
          custom_xml:
          logs:
            traceSpecification: "*=info"
          # optional, default false: enable debug output for Teamserver-to-BTS migration
          migration_debug: false
          # optional, default false: drop tables in BTS database before Teamserver-to-BTS migration
          migration_droptables: false
          # optional, default false: execute Teamserver-to-BTS migration regardless of Teamserver uninstall
          migration_test: false

What to do next

Make sure you updated the shared configuration parameters. For more information, see Checking the version, deployment type, and profile.

Continue to configure the other capabilities that are in your CR file, and make sure that you complete the last step Validating the YAML in your custom resource file before you apply the CR to the operator.