UMS parameters

Provide appropriate values for the User Management Services (UMS) configuration parameters. These are specified in the section `ums_configuration`.

Most configuration parameters are optional; only two parameters are required:

- `ums_configuration.images.ums.repository`: The repository from where the UMS image is pulled.
- `ums_configuration.images.ums.tag`: The UMS image tag.
Parameter | Description | Default/Example values | Required |
---|---|---|---|
`existing_claim_name` | The name of the Persistent Volume Claim for JDBC drivers and custom binaries. | | No |
`existing_claim_name_logstore` | The existing PVC for UMS logs, FFDC and access logs. | | No |
`use_custom_jdbc_drivers` | If you are not using Db2®, set this to `true` so that the JDBC driver is read from the PV set as `existing_claim_name`. | The default value is `false`. | No |
`dedicated_pods` | Specifies whether the UMS capabilities each run in dedicated pods. To run the UMS capabilities `sso`, `scim`, and `teamserver` in separate pods, use the value `true`. To run all UMS capabilities in one pod, use the value `false`. | In an enterprise deployment the default value is `true`. In a demo deployment, the default value is `false`. | No |
`pod_disruption_budget.min_available` | Specifies the minimum number of pods that are available for the pod disruption budget. | The default value is `1`. | |
`replica_count` | The number of pod replicas running by default. | The default value is `2`. | No |
`backwards_compatibility_routes` | From 21.0.2, UMS uses the following pattern for host names: If you are upgrading and want routes to be created for backwards compatibility using the previously defined host names and certificates, set this to `true`. The old hostname pattern was: | The default value is `false`. | No |
`service_type` | The type to expose the service as, for example, `Route` for external access or `NodePort` for internal tests. | The default value is `Route`. | No |
`iam.delegation_enabled` | Specifies whether authentication is delegated to the Common Services Identity Access Management (IAM). | On OCP and ROKS, the default value is `true`. Otherwise, the default is `false`. | No |
`iam.namespace` | The namespace where IAM is installed. | The default value is `ibm-common-services`. | No |
`hostname` | The name of the host where the User Management Service will run. | If not specified, the hostname is generated from `shared_configuration.sc_deployment_hostname_suffix`. | No |
`port` | The port that is used to access the User Management Service, for example, `443` when using SSL. | The default value is `443`. | No |
`images.ums.repository` | The repository from where the UMS image is pulled. | | Yes |
`images.ums.tag` | The UMS image tag. | | No |
`admin_secret_name` | The name of the secret that was generated for the UMS secret and database secret. | If not specified, the secret `ibm-dba-ums-secret` must be created. | No |
`external_tls_secret_name` | Enables SSL with an existing certificate for the `ums-route` route. If this is set, it is used rather than `shared_configuration.external_tls_certificate_secret`. | If this is not set, the default is to use `shared_configuration.external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used. | No |
`external_tls_ca_secret_name` | Certificate Authority (CA) used to sign the external TLS secret. If you don't want to provide a CA to sign the external TLS certificate, leave this empty. | The default is not to use a CA to sign the external TLS certificate. | No |
`external_tls_teams_secret_name` | A secret that specifies the TLS certificate that represents the hostname or a common hostname suffix of the `ums-teams-route` route that your clients will use to connect to UMS. If this is set, it is used rather than `shared_configuration.external_tls_certificate_secret`. | If this is not set, the default is to use `shared_configuration.external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used. | No |
`external_tls_scim_secret_name` | A secret that specifies the TLS certificate that represents the hostname or a common hostname suffix of the `ums-scim-route` route that your clients will use to connect to UMS. If this is set, it is used rather than `shared_configuration.external_tls_certificate_secret`. | If this is not set, the default is to use `shared_configuration.external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used. | No |
`external_tls_sso_secret_name` | A secret that specifies the TLS certificate that represents the hostname or a common hostname suffix of the `ums-sso-route` route that your clients will use to connect to UMS. If this is set, it is used rather than `shared_configuration.external_tls_certificate_secret`. | If this is not set, the default is to use `shared_configuration.external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used. | No |
`oauth.client_manager_group` | The full DN of an LDAP group that is authorized to manage OIDC clients, in addition to the primary admin from the admin secret. | | No |
`oauth.token_manager_group` | The full DN of an LDAP group that is authorized to manage tokens, in addition to the primary admin from the admin secret. | | No |
`oauth.access_token_lifetime` | The lifetime of OAuth access tokens. | The default value is `7200s`. | No |
`oauth.app_token_lifetime` | The lifetime of app-tokens. | The default value is `366d`. | No |
`oauth.app_password_lifetime` | The lifetime of app-passwords. | The default value is `366d`. | No |
`oauth.app_token_or_password_limit` | The maximum number of app-tokens or app-passwords per client. | The default value is `100`. | No |
`oauth.client_secret_encoding` | The encoding or encryption used when storing client secrets in the OAuth database. | The default value is `xor` for compatibility. The recommended value is `PBKDF2WithHmacSHA512`. | No |
`custom_secret_name` | The name of the existing secret for sensitive Liberty configuration, specified in XML format. | | No |
For UMS `resources`, `autoscaling`, `custom_xml`, and `logs.trace_specification`: | Kubernetes controls resources such as CPU and memory using the requests and limits mechanisms. Requests are what the container is guaranteed to get. Limits make sure a container never goes above a certain value. A limit value cannot be lower than the corresponding request value. If you are not using dedicated pods for UMS capabilities ( If you are using dedicated pods for UMS capabilities ( | The default values are listed in the following rows. | No |
| The maximum CPU limit. | The default value is `500m`. | No |
| The maximum memory limit. | The default value is `512Mi`. | No |
| The minimum CPU. | The default value is `200m`. | No |
| The minimum memory. | The default value is `256Mi`. | No |
| If `true`, pods are automatically scaled within the specified range. | The default value is `true`. | No |
| The minimum number of replicas for autoscaling. | The default value is `2`. | No |
| The maximum number of replicas for autoscaling. | The default value is `5`. | No |
| The average CPU utilization for autoscaling. When the average utilization exceeds this target, new pods are created. | The default value is `98`. | No |
`use_custom_binaries` | Specify whether any custom binaries are used. | The default value is `false`. | No |
| Custom configuration settings (optional, multi-line value). For LDAP configuration use the `spec.ldap_configuration` parameters. | | No |
`logs.console_format` | The format of the UMS console log. | The default value is `json`. | No |
`logs.console_log_level` | The log level for the UMS console log. | The default value is `INFO`. | No |
`logs.console_source` | The UMS console log sources. | The default value is `message,trace,accessLog,ffdc,audit`. | No |
`logs.trace_format` | The format of the UMS trace log. | The default value is `ENHANCED`. | No |
`logs.max_files` | The maximum number of log files to use. | The default value is `2`. | No |
`logs.max_file_size` | The maximum size of the log files in MB. | The default value is `20`. | No |
| The UMS logs trace specification. | The default value is `*=info`. | No |
`teamserver.admingroup` | The full DN of an LDAP group that is authorized to administer UMS Teams. | | No |
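The fragment below is an added example, not from the IBM documentation or the operator's own samples: it shows how the parameters in the table sit in the `spec.ums_configuration` section of a custom resource, sets the two required image parameters, wires the per-route TLS secrets that override `shared_configuration.external_tls_certificate_secret`, and replaces the compatibility default `xor` for `oauth.client_secret_encoding` with the recommended `PBKDF2WithHmacSHA512`. The `apiVersion`, `kind`, metadata, registry path, image tag, LDAP DNs and every secret name except `ibm-dba-ums-secret` are assumed placeholders.

```yaml
# Added example (not from the IBM documentation): ums_configuration fragment of a
# custom resource. apiVersion, kind, metadata, the registry path, the image tag,
# the LDAP group DNs and the *-tls-secret names are placeholders.
apiVersion: icp4a.ibm.com/v1
kind: ICP4ACluster
metadata:
  name: icp4adeploy
  namespace: cp4ba                                      # placeholder namespace
spec:
  shared_configuration:
    sc_deployment_hostname_suffix: apps.example.com     # placeholder; used when ums_configuration.hostname is unset
    external_tls_certificate_secret: cp4ba-external-tls # placeholder; fallback for the UMS routes below
  ums_configuration:
    images:
      ums:
        repository: registry.example.com/cp4ba/ums      # required; placeholder registry path
        tag: "21.0.2"                                   # placeholder tag
    dedicated_pods: true          # sso, scim and teamserver in separate pods (enterprise default)
    replica_count: 2
    pod_disruption_budget:
      min_available: 1
    service_type: Route
    backwards_compatibility_routes: false   # set to true only while upgrading from the pre-21.0.2 host names
    iam:
      delegation_enabled: true
      namespace: ibm-common-services
    admin_secret_name: ibm-dba-ums-secret   # must exist before the operator reconciles the CR
    # Per-route TLS secrets take precedence over shared_configuration.external_tls_certificate_secret.
    external_tls_secret_name: ums-tls-secret               # placeholder secret name (ums-route)
    external_tls_ca_secret_name: ums-ca-secret             # placeholder; omit to use no signing CA
    external_tls_teams_secret_name: ums-teams-tls-secret   # placeholder (ums-teams-route)
    external_tls_scim_secret_name: ums-scim-tls-secret     # placeholder (ums-scim-route)
    external_tls_sso_secret_name: ums-sso-tls-secret       # placeholder (ums-sso-route)
    oauth:
      # Compatibility default, reversible encoding of stored client secrets:
      # client_secret_encoding: xor
      client_secret_encoding: PBKDF2WithHmacSHA512   # recommended: one-way derivation, not reversible
      access_token_lifetime: 7200s
      app_token_lifetime: 366d
      app_password_lifetime: 366d
      app_token_or_password_limit: 100
      client_manager_group: "cn=oidc-admins,ou=groups,dc=example,dc=com"   # placeholder DN
      token_manager_group: "cn=token-admins,ou=groups,dc=example,dc=com"   # placeholder DN
    logs:
      console_format: json
      console_log_level: INFO
      console_source: message,trace,accessLog,ffdc,audit
      trace_format: ENHANCED
      max_files: 2
      max_file_size: 20
    teamserver:
      admingroup: "cn=ums-teams-admins,ou=groups,dc=example,dc=com"   # placeholder DN
```

The per-route TLS secrets and `admin_secret_name` only reference Kubernetes secrets; those secrets have to be created in the same namespace before the CR is applied, otherwise the operator cannot mount them. Keeping `xor` means client secrets can be decoded by anyone who can read the OAuth database, which is why the table recommends `PBKDF2WithHmacSHA512` for anything beyond a compatibility migration.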