UMS parameters

Provide appropriate values for the User Management Services (UMS) configuration parameters. These are specified in the section ums_configuration.

Most configuration parameters are optional; only two parameters are required:
  • ums_configuration.images.ums.repository: The repository from where the UMS image is pulled.
  • ums_configuration.images.ums.tag: The UMS image tag.
Table 1. UMS configuration parameters for the ums_configuration section
Parameter Description Default/Example values Required
existing_claim_name The name of the Persistent Volume Claim for JDBC drivers and custom binaries.   No      
existing_claim_name_logstore The existing PVC for UMS logs, FFDC and access logs.   No
use_custom_jdbc_drivers If you are not using Db2®, set this to true so that the JDBC driver is read from the PV set as existing_claim_name. The default value is false. No
dedicated_pods Specifies whether the UMS capabilities each run in dedicated pods. To run the UMS capabilities sso, scim, and teamserver in separate pods, use the value true. To run all UMS capabilities in one pod, use the value false. In an enterprise deployment the default value is true. In a demo deployment, the default value is false. No
pod_disruption_budget.min_available
  • If you are not using dedicated pods, locate the parameter in the ums_configuration section.
  • If you are using dedicated pods, you must specify the parameter for each UMS capability's pod separately within ums_configuration, for example:
    • ums_configuration.sso.pod_disruption_budget.min_available
    • ums_configuration.scim.pod_disruption_budget.min_available
    • ums_configuration.teamserver.pod_disruption_budget.min_available
Specifies the minimum number of pods that are available for the pod disruption budget. The default value is 1.
replica_count The number of pod replicas running by default. The default value is 2. No
backwards_compatibility_routes From 21.0.2, UMS uses the following pattern for host names:
ums-<suffix>
ums-sso-<suffix>
ums-teams-<suffix>
ums-profiles-<suffix>
If you are upgrading and want routes to be created for backwards compatibility using the previously defined host names and certificates, set this to true. The old hostname pattern was:
ums.<suffix>
ums-sso.<suffix>
ums-teams.<suffix>
ums-profiles.<suffix>
The default value is false. No
service_type The type to expose the service as, for example, Route for external access or NodePort for internal tests. The default value is Route. No
iam.delegation_enabled Specifies whether authentication is delegated to the Common Services Identity Access Management (IAM). On OCP and ROKS, the default value is true. Otherwise, the default is false. No
iam.namespace The namespace where IAM is installed. The default value is ibm-common-services. No
hostname The name of the host where the User Management Service will run. If not specified, hostname is generated from shared_configuration.sc_deployment_hostname_suffix. No
port The port that will be used to access the User Management Service, for example, 443 when using SSL. The default value is 443. No
images.ums.repository The repository from where the UMS image is pulled.
  • If the repository sc_image_repository is available, it is used as the default.
  • Otherwise, cp.icr.io/cp/cp4a/ums/ums is used as the default value.
Yes
images.ums.tag The UMS image tag.
  • If the repository sc_image_repository is available, it is used as the default.
  • Otherwise, if the current repository is not cp.icr.io, the current version is used as the default, for example 21.0.2.
  • Otherwise, if the repository cp.icr.io is used, the image digest is used as the default value.
No
admin_secret_name The name of the secret that was generated for the UMS secret and database secret. If not specified, the secret ibm-dba-ums-secret must be created. No
external_tls_secret_name Enables SSL with an existing certificate for the ums-route route. If this is set, it is used instead of shared_configuration.external_tls_certificate_secret. If this is not set, the default is to use shared_configuration.external_tls_certificate_secret; if that is also not set, no external TLS certificate is used. No
external_tls_ca_secret_name The Certificate Authority (CA) used to sign the external TLS secret. If you don't want to provide a CA to sign the external TLS certificate, leave this empty. The default is not to use a CA to sign the external TLS certificate. No
external_tls_teams_secret_name A secret that specifies the TLS certificate that represents the hostname, or a common hostname suffix, of the ums-teams-route route that your clients use to connect to UMS. If this is set, it is used instead of shared_configuration.external_tls_certificate_secret. If this is not set, the default is to use shared_configuration.external_tls_certificate_secret; if that is also not set, no external TLS certificate is used. No
external_tls_scim_secret_name A secret that specifies the TLS certificate that represents the hostname, or a common hostname suffix, of the ums-scim-route route that your clients use to connect to UMS. If this is set, it is used instead of shared_configuration.external_tls_certificate_secret. If this is not set, the default is to use shared_configuration.external_tls_certificate_secret; if that is also not set, no external TLS certificate is used. No
external_tls_sso_secret_name A secret that specifies the TLS certificate that represents the hostname, or a common hostname suffix, of the ums-sso-route route that your clients use to connect to UMS. If this is set, it is used instead of shared_configuration.external_tls_certificate_secret. If this is not set, the default is to use shared_configuration.external_tls_certificate_secret; if that is also not set, no external TLS certificate is used. No
oauth.client_manager_group The full DN of an LDAP group that is authorized to manage OIDC clients, in addition to the primary admin from the admin secret.   No
oauth.token_manager_group The full DN of an LDAP group that is authorized to manage tokens, in addition to the primary admin from the admin secret.   No
oauth.access_token_lifetime The lifetime of OAuth access_tokens. The default value is 7200s. No
oauth.app_token_lifetime The lifetime of app-tokens. The default value is 366d. No
oauth.app_password_lifetime The lifetime of app-passwords. The default value is 366d. No
oauth.app_token_or_password_limit The maximum number of app-tokens or app-passwords per client. The default value is 100. No
oauth.client_secret_encoding The encoding or encryption used when storing client secrets in the OAuth database. The default value is xor, for compatibility. The recommended value is PBKDF2WithHmacSHA512. No
custom_secret_name The name of the existing secret for sensitive Liberty configuration, specified in XML format.   No
For UMS resources, autoscaling, custom_xml, and logs.trace_specification:
  • If you are not using dedicated pods, locate them in the ums_configuration section.
  • If you are using dedicated pods, you must specify them for each UMS capability's pod separately within ums_configuration, for example:
    • ums_configuration.sso
    • ums_configuration.scim
    • ums_configuration.teamserver
Kubernetes controls resources such as CPU and memory through the requests and limits mechanisms. Requests are what the container is guaranteed to get. Limits make sure a container never goes above a certain value. A limit value cannot be lower than the corresponding request value.

If you are not using dedicated pods for UMS capabilities (ums_configuration.dedicated_pods = false) you can specify resources, autoscaling, custom_xml, and logs.trace_specification for ums_configuration.

If you are using dedicated pods for UMS capabilities (ums_configuration.dedicated_pods = true), you can specify resources, autoscaling, custom_xml, and logs.trace_specification for each UMS capability: sso, scim, and teamserver.

The default values are listed in the following rows. No
  • If you are not using dedicated pods: resources.limits.cpu
  • If you are using dedicated pods:
    • sso.resources.limits.cpu
    • scim.resources.limits.cpu
    • teamserver.resources.limits.cpu
The maximum CPU limit. The default value is 500m. No
  • If you are not using dedicated pods: resources.limits.memory
  • If you are using dedicated pods:
    • sso.resources.limits.memory
    • scim.resources.limits.memory
    • teamserver.resources.limits.memory
The maximum memory limit. The default value is 512Mi. No
  • If you are not using dedicated pods: resources.requests.cpu
  • If you are using dedicated pods:
    • sso.resources.requests.cpu
    • scim.resources.requests.cpu
    • teamserver.resources.requests.cpu
The minimum CPU. The default value is 200m. No
  • If you are not using dedicated pods: resources.requests.memory
  • If you are using dedicated pods:
    • sso.resources.requests.memory
    • scim.resources.requests.memory
    • teamserver.resources.requests.memory
The minimum memory. The default value is 256Mi. No
  • If you are not using dedicated pods: autoscaling.enabled
  • If you are using dedicated pods:
    • sso.autoscaling.enabled
    • scim.autoscaling.enabled
    • teamserver.autoscaling.enabled
If true, pods are automatically scaled within the specified range. The default value is true. No
  • If you are not using dedicated pods: autoscaling.min_replicas
  • If you are using dedicated pods:
    • sso.autoscaling.min_replicas
    • scim.autoscaling.min_replicas
    • teamserver.autoscaling.min_replicas
The minimum number of replicas for autoscaling. The default value is 2. No
  • If you are not using dedicated pods: autoscaling.max_replicas
  • If you are using dedicated pods:
    • sso.autoscaling.max_replicas
    • scim.autoscaling.max_replicas
    • teamserver.autoscaling.max_replicas
The maximum number of replicas for autoscaling. The default value is 5. No
  • If you are not using dedicated pods: autoscaling.target_average_utilization
  • If you are using dedicated pods:
    • sso.autoscaling.target_average_utilization
    • scim.autoscaling.target_average_utilization
    • teamserver.autoscaling.target_average_utilization
The average CPU utilization for autoscaling. When the average utilization exceeds this target, new pods are created. The default value is 98. No
use_custom_binaries Specify if any custom binaries are used. The default value is false. No
  • If you are not using dedicated pods: custom_xml
  • If you are using dedicated pods:
    • sso.custom_xml
    • scim.custom_xml
    • teamserver.custom_xml
Custom configuration settings (optional, multi-line value). For LDAP configuration, use the spec.ldap_configuration parameters.   No
logs.console_format The format of the UMS console log. The default value is json. No
logs.console_log_level The log level of the UMS console log. The default value is INFO. No
logs.console_source The sources written to the UMS console log. The default value is message,trace,accessLog,ffdc,audit. No
logs.trace_format The format of the UMS trace log. The default value is ENHANCED. No
logs.max_files The maximum number of log files to use. The default value is 2. No
logs.max_file_size The maximum size of the log files in MB. The default value is 20. No
  • If you are not using dedicated pods: logs.trace_specification
  • If you are using dedicated pods:
    • sso.logs.trace_specification
    • scim.logs.trace_specification
    • teamserver.logs.trace_specification
The UMS logs trace specification. The default value is *=info. No
teamserver.admingroup The full DN of an LDAP group that is authorized to administer UMS Teams.
  • For the IBM Automation Document Processing demo pattern, the default is cn=ADPEnvironmentOwners,dc=example,dc=org.
  • For all other demo patterns, the default is cn=TeamsAdmins,dc=example,dc=org.
  • For all enterprise (non-demo) patterns, there is no default.
No
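As an added example that is not part of the IBM documentation, the following Python check applies the rules the table above states to a ums_configuration section loaded as a dictionary: the two required image parameters, per-capability placement of resources when dedicated_pods is true, the rule that a limit may not be lower than its request, and the recommended client secret encoding. The function names and the sample section are constructed for this example.

```python
# Added example, not IBM code: validate a ums_configuration dict against the
# rules stated in the UMS parameter table.
import re

_CAPS = ("sso", "scim", "teamserver")
_MEM = {"": 1, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "K": 10**3, "M": 10**6, "G": 10**9}

def cpu_millis(q):
    # Kubernetes CPU quantity: '500m' -> 500, '1' -> 1000
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)

def mem_bytes(q):
    # Kubernetes memory quantity: '512Mi' -> bytes
    num, unit = re.fullmatch(r"(\d+)([KMG]i?)?", q).groups()
    return int(num) * _MEM[unit or ""]

def check_ums_configuration(cfg):
    """Return a list of problems; an empty list means the section passes."""
    problems = []
    images = cfg.get("images", {}).get("ums", {})
    for key in ("repository", "tag"):  # the two required parameters
        if not images.get(key):
            problems.append(f"images.ums.{key} is required")
    dedicated = cfg.get("dedicated_pods", False)
    # With dedicated pods, resources live under sso/scim/teamserver; otherwise at top level.
    scopes = [(c, cfg.get(c, {})) for c in _CAPS] if dedicated else [("", cfg)]
    for name, sec in scopes:
        res = sec.get("resources", {})
        lim, req = res.get("limits", {}), res.get("requests", {})
        prefix = f"{name}." if name else ""
        # A limit value cannot be lower than the corresponding request value.
        if "cpu" in lim and "cpu" in req and cpu_millis(lim["cpu"]) < cpu_millis(req["cpu"]):
            problems.append(f"{prefix}resources.limits.cpu below requests.cpu")
        if "memory" in lim and "memory" in req and mem_bytes(lim["memory"]) < mem_bytes(req["memory"]):
            problems.append(f"{prefix}resources.limits.memory below requests.memory")
    # xor is the compatibility default; the table recommends PBKDF2WithHmacSHA512.
    if cfg.get("oauth", {}).get("client_secret_encoding", "xor") == "xor":
        problems.append("oauth.client_secret_encoding is xor; PBKDF2WithHmacSHA512 is recommended")
    return problems

# Constructed sample: dedicated pods, both required image fields, hardened secret encoding,
# and one deliberately wrong memory sizing on the scim pod.
SAMPLE = {
    "dedicated_pods": True,
    "images": {"ums": {"repository": "cp.icr.io/cp/cp4a/ums/ums", "tag": "21.0.2"}},
    "oauth": {"client_secret_encoding": "PBKDF2WithHmacSHA512"},
    "sso": {"resources": {"limits": {"cpu": "500m", "memory": "512Mi"},
                          "requests": {"cpu": "200m", "memory": "256Mi"}}},
    "scim": {"resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                           "requests": {"cpu": "200m", "memory": "512Mi"}}},
}
```

Running check_ums_configuration(SAMPLE) reports only the scim memory limit, which is below its request.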