Cannot log in to the console after reinstallation of foundational services
After you uninstall IBM Cloud Pak foundational services and reinstall them on the same cluster, you cannot log in to the console with the default admin credentials.
Symptoms
You might see the following error:
CWOAU0038E: The client could not be verified. Either the client ID: t19ph7yimexir00h517actss98zbrg0m or client secret is incorrect.
Cause
If not all resources are properly cleaned up after you uninstall the foundational services, reinstallation on the same cluster fails.
The cause of the failure might be either or both of the following reasons:
- There is a mismatch of the client_id and client_secret values in the cluster, which causes the console login to fail.
- The IM jobs are not completed or are completed with errors.
Resolving the problem
To resolve the issue, correct the client_id and client_secret values and restart all IM jobs.
- Log in to your boot node with the oc login command.
- Check whether the ibm-im-operator pod is running.
    oc -n <your-foundational-services-namespace> get pods | grep ibm-iam-operator
- Check whether all the auth pods are running without any errors. If you see errors, check the logs and resolve the issue.
    oc -n <your-foundational-services-namespace> get pods | grep auth
- Check the client_id and client_secret values in the platform-oidc-credentials secret and in the registration-json configmap.
  - Check the values in the platform-oidc-credentials secret:
      oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode
      oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_SECRET}" | base64 --decode
  - Check the values in the registration-json configmap:
      oc -n <your-foundational-services-namespace> get cm registration-json -o "jsonpath={.data['platform-oidc-registration\.json']}" > platform-oidc-registration.json
      cat platform-oidc-registration.json
- If the values in the secret and configmap do not match, update the values in the registration-json configmap with the values from the platform-oidc-credentials secret. To edit the configmap, run the following command:
    oc -n <your-foundational-services-namespace> edit cm registration-json
  Replace the client_id and client_secret values, and save and exit the configmap.
- Restart the following IM job.
    oc -n <your-foundational-services-namespace> delete job oidc-client-registration
- Wait for some time and check the job status.
    oc -n <your-foundational-services-namespace> get jobs
  The status should show as Completed.
- Restart the common-web-ui pods so that the client_id and client_secret get the correct values from the platform-oidc-credentials secret.
  - Get the common-web-ui pod name.
      oc -n <your-foundational-services-namespace> get pods | grep common-web-ui
  - Delete the pod.
      oc -n <your-foundational-services-namespace> delete pod <common-web-ui-pod-name>
- Wait for some time until the common-web-ui and management-ingress pods show the Running status. You can check the status by running the following command:
    oc -n <your-foundational-services-namespace> get pods | grep -e common-web-ui
After the pods are running, you can log in to the console with the default cpadmin credentials.
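
A scripted form of the comparison in the "Check the client_id and client_secret values" step, added here as an example (not IBM's own tooling): it reports which fields differ without printing the secret values. The function names and the sample file are constructed, and json_field assumes each value is a plain string on the same line as its key.

```sh
#!/bin/sh
# Added example: field names come from the page; the sample data is constructed.

# json_field FILE KEY: print the value of the first "KEY": "value" pair in FILE.
# Assumption: the value is a plain JSON string on the same line as its key.
json_field() {
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# oidc_mismatch FILE CLIENT_ID CLIENT_SECRET: print the name of each field whose
# value in FILE differs from the secret's value (never the values themselves).
# Returns 0 when both match, 1 otherwise.
oidc_mismatch() {
    mismatch=0
    [ "$(json_field "$1" client_id)" = "$2" ] || { echo client_id; mismatch=1; }
    [ "$(json_field "$1" client_secret)" = "$3" ] || { echo client_secret; mismatch=1; }
    return "$mismatch"
}

# check_cluster NAMESPACE: fetch both sides with the oc commands from the steps
# above and compare them. Requires a logged-in oc session; not called here.
check_cluster() {
    reg=$(mktemp) || return 2   # mode 0600; holds the client secret, so remove it
    id=$(oc -n "$1" get secret platform-oidc-credentials \
        -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode)
    secret=$(oc -n "$1" get secret platform-oidc-credentials \
        -o "jsonpath={.data.WLP_CLIENT_SECRET}" | base64 --decode)
    oc -n "$1" get cm registration-json \
        -o "jsonpath={.data['platform-oidc-registration\.json']}" > "$reg"
    if oidc_mismatch "$reg" "$id" "$secret"; then status=0; else status=1; fi
    rm -f "$reg"
    return "$status"
}

# Offline demonstration on a constructed registration file (not real credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
{
  "client_id": "constructed-client-id",
  "client_secret": "constructed-old-secret"
}
EOF
if fields=$(oidc_mismatch "$sample" constructed-client-id constructed-new-secret); then
    echo "registration-json matches platform-oidc-credentials"
else
    echo "update these fields in registration-json:" $fields
fi
rm -f "$sample"
```

After oc login, call check_cluster with your foundational services namespace; a non-zero return means the configmap needs the edit described in the steps above. Unlike the manual steps, no copy of platform-oidc-registration.json is left in the working directory.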