Known issues in foundational services

Get a quick overview of the known issues for the available foundational services.

Table 1. Known issues (Service: description and more information)
IM: Client registration failure in the Platform UI console while upgrading foundational services version 3.22 or version 3.23 to foundational services version 4.x.x. This limitation is planned to be fixed in an upcoming release. Until then, to work around the issue, see Client registration failure in Platform UI console.
IM: Login failure in the Platform UI console while upgrading foundational services version 3.22 or version 3.23 to foundational services version 4.x.x. This limitation is planned to be fixed in an upcoming release. Until then, to work around the issue, see Intermittent login failure in Platform UI console.
IM: In foundational services version 3.23 and later, the username in the group is displayed as "undefined undefined" when you list the users in the group in the Platform UI console by using Azure SCIM integration or SAML without LDAP configuration. It is a known limitation. Currently, no workaround is available.
IM: In foundational services version 3.23, an Okta user cannot log out of the Platform UI after logging in through Okta as the SAML IdP (identity provider). This happens because the Okta user is logged out from the Cloud Pak only, not from Okta. As a result, the Okta session still resides in a cookie in your browser, and the Cloud Pak cannot log out the Okta user. You need to log out from Okta to delete the cookie from your browser. After you log out from Okta, you can log in with a new user, or with the same user in a new session.
IM: When you log in to the Platform UI console by using the SAML option, the login page is displayed twice. That is, after you provide the login details, the login page is displayed again instead of the console home page. The second time, you do not need to provide the details again; click Login and the console home page is displayed. It is a known limitation. Currently, no workaround is available.
IM: Before you register the OIDC clients by using the IdP V3 API, you need to log in to the third-party identity provider. Then, you can register the OIDC clients in the application. While registering, you use the cp-console URL as the application URL and https://<cp-console-url>/ibm/api/social-login/redirect/<name of the oidc> as the redirect URL. However, you might face an issue when you open cp-console in the browser: when you click the configured ID provider name, you might not be redirected to the authentication page of that IdP. To troubleshoot the issue, see OIDC registration fails to update.
IM: LDAP user names are case-sensitive. You must use the name exactly the way it is configured in your LDAP directory.
IM: A SAML user with the Platform UI administrator permission only has the viewer role set in IM. You must assign roles individually to SAML users in IM.
IM: The OpenShift group does not synchronize when a user is added to or removed from an LDAP group. An OpenShift group is created when you add the LDAP group to teams. When a user is added to or removed from an LDAP group on the LDAP server side, the OpenShift group is not updated by any process or thread in IM. To resolve this issue, delete and re-add the LDAP group to teams to recreate the OpenShift group with the latest members.
IM: The OpenShift users are not removed when you remove them from the LDAP group. An OpenShift group is created when you add the LDAP group to teams. An OpenShift user is created when you add an LDAP user to teams, or when this LDAP user logs in to the IBM Cloud Pak console. When a user is removed from an LDAP group on the LDAP server side, the OpenShift group is not updated by any process or thread in IM. An OpenShift user or group is deleted only if this user or group is deleted from teams. To resolve this issue, delete and re-add the LDAP group to teams to recreate the OpenShift group with the latest members, and manually delete the OpenShift user. To delete the user, use the following command: oc delete user <user_id>.
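The drift described in the two entries above (members added or removed on the LDAP side that never reach the OpenShift group, and OpenShift users that linger after removal) can be spotted before the clean-up is done. The following shell script is an added example, not part of the IBM documentation or product: it compares the member list of an OpenShift group (in the format that oc get group <name> -o jsonpath='{.users[*]}' prints) with the member list exported from the LDAP group, using exact, case-sensitive matching as IM does for LDAP names, and prints the documented clean-up as a dry run. Both member lists are constructed sample data, and the group name cp-admins is a placeholder.

```shell
#!/bin/sh
# Added example (not IBM's code): detect drift between an LDAP group and the
# OpenShift group that IM created from it, and print the documented clean-up
# as a dry run. All input below is constructed sample data.

OCP_GROUP_NAME="cp-admins"                 # placeholder group name
# Constructed: what `oc get group cp-admins -o jsonpath='{.users[*]}'` would print.
OCP_GROUP_USERS="alice bob Carol"
# Constructed: current members of the same group as exported from the LDAP server.
LDAP_GROUP_USERS="alice carol dave"

# users_only_in FIRST SECOND: print each name in FIRST that has no exact match
# in SECOND. Matching is case-sensitive because IM treats LDAP names that way,
# so "Carol" and "carol" are different users here.
users_only_in() {
    for u in $1; do
        found=0
        for v in $2; do
            if [ "$u" = "$v" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$u"; fi
    done
}

# stale_openshift_users: OpenShift users still in the group but gone from LDAP.
stale_openshift_users() { users_only_in "$OCP_GROUP_USERS" "$LDAP_GROUP_USERS"; }

# missing_openshift_users: LDAP members that the OpenShift group does not know yet.
missing_openshift_users() { users_only_in "$LDAP_GROUP_USERS" "$OCP_GROUP_USERS"; }

# group_in_sync: succeed only when both directions are empty.
group_in_sync() {
    [ -z "$(stale_openshift_users)" ] && [ -z "$(missing_openshift_users)" ]
}

# remediation_plan: print (not run) the commands the documentation prescribes.
# Re-adding the LDAP group to teams is done in the console, so it is only noted.
remediation_plan() {
    if group_in_sync; then
        echo "# group $OCP_GROUP_NAME matches LDAP; nothing to do"
        return 0
    fi
    echo "# 1. delete and re-add LDAP group $OCP_GROUP_NAME to teams (recreates the OpenShift group)"
    echo "# 2. remove OpenShift users that no longer belong to the LDAP group:"
    for u in $(stale_openshift_users); do
        echo "oc delete user $u"
    done
}

remediation_plan
```

With the sample data the script reports bob and Carol as stale (Carol because the LDAP directory spells the name carol) and carol and dave as missing, and prints the two oc delete user commands without executing them; review the list before running it, since a case mismatch in the export will show up as a stale user.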
IM: The SAML and LDAP authentication types are displayed in the cp-console login page when you migrate IM from version 3.x to 4.x with the configuration of SAML with LDAP dependency using the V2 API. To resolve the issue, update the Identity Provider (IdP) for SAML with LDAP dependency with the V3 API schema elements. For more information, see SAML with LDAP dependency using V2 API does not work correctly.
IM: The SAML identity provider is removed from the SAML configuration when you upgrade from OCP version 4.10 to 4.12. To resolve the issue, complete the following steps:
1. Delete the auth pods.
oc delete pod -n ibm-common-services -l k8s-app=auth-idp
oc delete pod -n ibm-common-services -l k8s-app=auth-pap
oc delete pod -n ibm-common-services -l k8s-app=auth-pdp
2. Verify the pod status.
oc get pod -n ibm-common-services | egrep 'NAME|auth-idp|auth-pap|auth-pdp'
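Reading the pod listing by eye is error-prone when several components are involved, so the following shell script is an added example (not IBM's code) that turns the verification step above into a pass/fail check. Its functions parse the text that oc get pod -n ibm-common-services prints and require that every auth-idp, auth-pap and auth-pdp pod is Running with all of its containers ready, and that none of the three is absent. The pod listing embedded below is a constructed sample so that the check runs offline; on a cluster you would pass the real command output instead.

```shell
#!/bin/sh
# Added example (not IBM's code): confirm that the IM auth pods came back
# healthy after the delete step. The functions parse the text that
# `oc get pod -n ibm-common-services` prints; the listing below is a
# constructed sample so the check runs offline.

SAMPLE_POD_LISTING='NAME                                   READY   STATUS             RESTARTS   AGE
auth-idp-5d9f7c6b8d-abcde               4/4     Running            0          5m
auth-pap-7b8c9d6f5e-fghij               2/2     Running            0          5m
auth-pdp-6c7d8e9f4a-klmno               1/2     CrashLoopBackOff   3          5m
ibm-iam-operator-64d5f9c8b7-pqrst       1/1     Running            0          2h'

AUTH_POD_FILTER='auth-idp|auth-pap|auth-pdp'

# auth_pods_not_ready LISTING: print "name ready status" for every auth pod
# that is not Running with all of its containers ready.
auth_pods_not_ready() {
    printf '%s\n' "$1" | grep -E "$AUTH_POD_FILTER" |
    while read -r name ready status _rest; do
        have=${ready%/*}   # containers ready
        want=${ready#*/}   # containers in the pod
        if [ "$status" != "Running" ] || [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$ready" "$status"
        fi
    done
}

# auth_pods_missing LISTING: print each auth component that has no pod at all
# (a pod that never came back is as much a failure as one that crashes).
auth_pods_missing() {
    for app in auth-idp auth-pap auth-pdp; do
        printf '%s\n' "$1" | grep -q "^$app-" || printf '%s\n' "$app"
    done
}

# auth_pods_ready LISTING: succeed only when nothing is missing or unhealthy.
auth_pods_ready() {
    [ -z "$(auth_pods_not_ready "$1")" ] && [ -z "$(auth_pods_missing "$1")" ]
}

if auth_pods_ready "$SAMPLE_POD_LISTING"; then
    echo "all IM auth pods are ready"
else
    echo "IM auth pods not ready:"
    auth_pods_not_ready "$SAMPLE_POD_LISTING"
    auth_pods_missing "$SAMPLE_POD_LISTING" | sed 's/^/missing: /'
fi
```

On a cluster, replace the constructed listing with "$(oc get pod -n ibm-common-services)" and poll auth_pods_ready in a loop with a timeout: freshly deleted pods pass through Pending and ContainerCreating before they become Running, so the first check right after the delete is expected to fail.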
IM: The IM access token API (/idprovider/v1/auth/identitytoken) fails when you upgrade IBM Cloud Pak for Data version 4.7.4 to 5.0.0. The following error is displayed in the log when you generate an IM access token:
Failed to get access token, Liberty error: {\"error_description\":\"CWWKS1406E: The token request had an invalid client credential. The request URI was \\/oidc\\/endpoint\\/OP\\/token.\",\"error\":\"invalid_client\"}"
To resolve the IM access token issue, run the following command to restart the oidc-client-registration job:
oc -n <your-foundational-services-namespace> delete job oidc-client-registration
IM: You cannot onboard an OpenShift user group to IM because the groups property of the user.openshift.io API is deprecated. For more information, see User [user.openshift.io/v1]. Instead of managing access as groups, add the individual users manually and grant access to each user.
IM: Unable to log in to cp-console or cpd by using LDAP authentication. The ClassCastException error is displayed if the ObjectClass or ObjectCategory attribute is not defined in the Liberty XML file. From foundational services v4.6.3, IM supports the LDAP entity type configuration for LDAP user and group entities to define the ObjectClass or ObjectCategory attributes automatically in the Liberty XML file. For more information, see Unable to login to cp-console or cpd using LDAP authentication.
IM: Zen reconciles multiple times to complete the PostgreSQL database migration when you upgrade from foundational services version 3.x to 4.6. To resolve the issue, update the network policy of ibm-iam-operator to enable traffic for the mongo service. For more information, see Zen reconciles multiple times during PostgreSQL database migration.
IM: The following error is displayed when you configure SAML with IdP-initiated login:
500: The SAML login attempt failed. This failure could indicate that the SAML identity provider has been misconfigured. If this is an IDP initiated SAML provider, verify that the relay state parameter is set.
To resolve the issue, set the relay state on the IdP side. For more information, see SAML login fails when you configure SAML with IdP initiated login.
Installer: After you install or upgrade to IBM Cloud Pak foundational services version 4.6 or later while using a Postgres cluster as the database, the status of the common-service-db Postgres cluster custom resource (CR) is stuck in the Setting up primary state. To resolve the issue, delete the existing common-service-db Postgres cluster CR and re-create it. For more information, see Status of Postgres cluster custom resource is stuck in the Setting up primary state.
Installer: The cp-console address is changed after the CS operator is upgraded to v4, but the IAM service remains in v3. For more information, see cp-console address is changed after CS operator is upgraded to v4, but IAM service is still in v3.
Installer: OLM is unable to generate new installation plans for updates or new installations. For more information about the issue and the steps to resolve the issue, see OLM is unable to generate new install plans.
Installer: After you upgrade foundational services, you might see that some of the operator pods are in the CrashLoopBackOff status. This is because of an Operator Lifecycle Manager (OLM) known issue. For more information about the issue and the steps to resolve the issue, see Operator upgrade fails - OLM known issue.
Installer - IM: An OpenShift user named admin collides with the IBM Cloud Pak foundational services default user admin. To resolve the issue, rename the IBM Cloud Pak foundational services default username if an admin username exists in OpenShift. For more information, see Changing the default admin username.
Installer: When you install or upgrade foundational services, you might see that some of the operators are in a Pending, Unknown, or Can't Update status. This is because of an Operator Lifecycle Manager (OLM) known issue. For more information about the issue and the steps to resolve the issue, see the following topics:
Installer: When you install foundational services on an Azure environment with Azure storage, the foundational services pods do not start. To resolve this issue, get the scc.uid from the installation namespace before you create the custom Azure storage class. For more information, see Using Azure File storage class.
Installer: After you upgrade an OpenShift cluster to OpenShift version 4.15.x through the OpenShift console, the foundational services operator CSV fails with the following message: install strategy failed: rolebindings.rbac.authorization.k8s.io "ibm-common-service-operator-service-auth-reader". To resolve this issue, see Install strategy fails after upgrading OpenShift to 4.15.x.
ZenService: ZenService fails to reach the ready status for postgresql. The following error message is logged in the Zen operator log:
stderr: 'error: no matching resources found'
To resolve the issue, add the instana: True parameter in the ZenService custom resource. For more information, see ZenService fails to be in the ready status for postgresql.
ZenService: The zen operator fails when you install or upgrade to Zen version 6.0.4 with the external postgres database. The following error message is displayed in the Zen operator log:
'6.0.4/roles/0010-infra has failed with error: All items completed'
To resolve the issue, you need to update the service resource for zen-metastore-edb. For more information, see Zen operator fails when you install or upgrade to Zen version 6.0.4.
Cert-manager: If there are two cert-managers on your cluster, your Certificates might not be in the ready status. You must uninstall one of the cert-managers. See Problem when you install two different cert-managers.
Cert-manager: The self-signed CA certificate that is used by IBM Cloud Pak foundational services and created by the cert-manager service has a duration of 90 days. The CA certificate is refreshed by cert-manager, but the leaf certificates that use the CA certificate must be manually refreshed. It is recommended that you check the expiration date of the CA certificate, refresh the CA certificate before the expiration date, and then renew the leaf certificates. The CA certificate duration can also be updated.
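Because the leaf certificates do not follow the CA automatically, the practical control for the entry above is a scheduled expiry check on the CA that fires early enough to renew the CA and then the leaves. The following shell script is an added example, not IBM's code or part of cert-manager: it reports whether a CA certificate expires inside a renewal window, using the openssl command-line tool. So that it runs offline, it mints a throwaway self-signed CA with the same 90-day lifetime the entry describes; the CA subject name and the temporary directory are constructed, and on a cluster you would point the functions at the CA PEM extracted from the cert-manager secret instead.

```shell
#!/bin/sh
# Added example (not IBM's code): report whether a CA certificate falls inside a
# renewal window, so the leaf certificates issued from it can be renewed before
# the CA itself rolls over. To run offline, the script mints a throwaway
# self-signed CA with a 90-day lifetime (constructed test data); in a cluster
# you would point it at the CA PEM extracted from the cert-manager secret.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CA_CERT="$WORKDIR/ca.crt"

# make_test_ca DAYS: create a self-signed CA certificate valid for DAYS days.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
        -subj "/CN=constructed-test-ca" \
        -keyout "$WORKDIR/ca.key" -out "$CA_CERT" >/dev/null 2>&1
}

# cert_not_after CERT: print the notAfter timestamp as openssl reports it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within CERT DAYS: succeed (return 0) when CERT expires within
# DAYS days, fail otherwise. openssl's -checkend returns 0 when the
# certificate will still be valid after the given number of seconds, so the
# sense is inverted here to read naturally in an if statement.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# ca_renewal_report CERT WINDOW_DAYS: one-line summary for an operator.
ca_renewal_report() {
    if cert_expires_within "$1" "$2"; then
        echo "RENEW: CA expires $(cert_not_after "$1"), within $2 days; renew it and then the leaf certificates"
    else
        echo "OK: CA expires $(cert_not_after "$1"), more than $2 days away"
    fi
}

make_test_ca 90
ca_renewal_report "$CA_CERT" 30    # a 90-day CA is fine for a 30-day window
ca_renewal_report "$CA_CERT" 100   # but not for a 100-day window
```

To run this against the real CA, extract the PEM from the secret that cert-manager writes (the secret name and namespace are placeholders here): oc get secret <ca-secret-name> -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt, then call ca_renewal_report ca.crt 30. Pick the window so that it leaves time to renew every leaf certificate after the CA has been refreshed, not just the CA itself.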
Cert-manager: Multiple CertificateRequests in cert-manager block the Certificates from reaching the ready status. To resolve the issue, delete the duplicate CertificateRequests. See Multiple CertificateRequest objects block Certificate objects from becoming ready.
License Service Reporter: After you upgrade to foundational services version 4.0 or later, the Error 404 - Not found error message is displayed when you select the Licensing menu in the IBM Cloud Pak console. To resolve the issue, remove the ibm-license-service-reporter-bindinfo-ibm-license-service-reporter-zen configmap from the namespace where you deployed the foundational services. For more information, see Retrieving License Service Reporter console route to access the License Service Reporter console directly.
Events operator: When you upgrade the Events operator from a previous version, a Zookeeper pod ends up in a CrashLoopBackOff state. To resolve this problem, see Zookeeper pod hangs in a CrashLoopBackOff state.
Events operator: The Events operator periodically prints the following message: "Failed to acquire lock during the reconciliation process", and it times out. This might indicate that the lock was not properly released because of an error. To resolve the problem, restart the Events operator to release the lock.
Platform UI: Upgrade of the Platform UI (zen) operand fails. To resolve this problem, see Upgrade of Platform UI (zen) operand fails.
EDB Postgres: When you update the deployment profile, for example from starterset to large, the capacity of hardware resources is not updated automatically. To resolve this problem, restart the common-service-db pods.