Updating the primary role administrator

The default user for Cloud APM is apmadmin, and the default realm is customRealm. By default apmadmin is also the primary role administrator. When you configure LDAP to authenticate Cloud APM console users, you must change the primary role administrator from apmadmin to an LDAP user.

About this task

The primary role administrator is responsible for assigning other Cloud APM console users to roles by using the Role Based Access Control page. The primary role administrator username and password are also used when backing up and restoring data for the Cloud APM server. You might need to change the primary role administrator for one of the following reasons:
  • You are changing user authentication from basic registry to LDAP or you are switching to a different LDAP registry.
  • You want to use a different LDAP user as the primary role administrator.
  • You want to use a different realm name for the user registry.

If you are using basic registry, you cannot change the primary role administrator from apmadmin to another user. This is because Cloud APM procedures, such as backup and restore, assume apmadmin is the primary role administrator when the basic registry is configured. If you are switching from LDAP back to the basic registry, then see this topic (Switching from LDAP back to basicRegistry) for details on changing the primary role administrator back to the apmadmin user.

Procedure

  1. Navigate to the install_dir/wlp/usr/servers/server1/cscs/conf directory and create a file called cscsRoleAdmin.new.
    Do not edit or remove the cscsRoleAdmin.conf file directly. Any change should be done by creating a cscsRoleAdmin.new file.
  2. Add a new default user to cscsRoleAdmin.new using syntax similar to the following (contact your LDAP administrator for the exact syntax):
    user:SampleLdapADRealm/CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com
    where:
    SampleLdapADRealm
    This is the realm name for your registry. Replace SampleLdapADRealm with the realm name from the registry configuration file (basicRegistry.xml or ldapRegistry.xml).
    CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com
    Replace CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com with the user that is being designated the primary role administrator. The primary role administrator user has authorization to perform all actions in the Cloud APM console including assigning other users or user groups to roles.
    When you are switching from basic registry to LDAP, the primary role administrator must log into the Cloud APM console after this procedure is complete and assign roles to other LDAP users so that they are authorized to access the Cloud APM console.
    Specify the user's distinguished name exactly as it is defined in the LDAP directory. The best practice is to specify a different user distinguished name from the bindDN user specified in the ldapRegistry.xml file.
    Note: The realm name and user name are case sensitive.
  3. Save the cscsRoleAdmin.new file.
  4. Update the install_dir/wlp/usr/servers/apmui/server-oauth2-tai.xml file to add the user from step 2:
    1. Find the properties line, <properties, and its closing tag, />.
    2. Add a new line before the /> closing tag with the following content: systemUser="testuser LDAP distinguished name" where testuser matches the user string from step 2, for example: systemUser="CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
      Note: Do not include the user: prefix or realm name that was specified in step 2.
    3. Confirm that the /> closing tag was not deleted, then save and close the file.
  5. Update the install_dir/wlp/usr/shared/config/oauthVariables-onprem.xml file and set the value of the oauthRealm attribute to the value of the realm property in the install_dir/wlp/usr/shared/config/ldapRegistry.xml file.
  6. Restart the Cloud APM server by using the following command in the /user/bin/ directory:
    apm restart_all
  7. To verify that you have successfully changed the primary role administrator, attempt to log in with your new Role Administrator user account.
    • If you can log in successfully, you have successfully changed the primary role administrator account. Go to the Role Based Access Control page to assign other LDAP users to roles so that they are authorized to log in to the Cloud APM console. For more information, see the Working with roles, users, and permissions topic.
    • If you receive the message "You do not have permission to view this application. If you require access to the application, please send the URL that you are attempting to access to your monitoring system administrator", see Troubleshooting changing the primary role administrator.
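The file edits in steps 1 to 5, scripted as an added example that is not IBM's code: it writes cscsRoleAdmin.new, inserts the systemUser attribute before the /> of the properties element without touching anything else, and copies the realm from ldapRegistry.xml into oauthRealm. The paths follow the page; the element layout inside the three sample XML files (and the make_sample_tree helper that creates them) is constructed for a dry run and may differ from the real product files.

```shell
#!/bin/sh
# Added example, not IBM's code: scripts steps 1 to 5 of the procedure against a
# constructed install_dir. File paths follow the page; the element layout inside
# the three sample XML files is an assumption and may differ from the real files.
set -eu

# Steps 1-3: write cscsRoleAdmin.new (cscsRoleAdmin.conf is never edited directly).
write_role_admin() {            # $1=install_dir $2=realm $3=user DN
  printf 'user:%s/%s\n' "$2" "$3" > "$1/wlp/usr/servers/server1/cscs/conf/cscsRoleAdmin.new"
}

# Step 4: add systemUser="<DN>" (no user: prefix, no realm) inside the
# <properties ... /> element of server-oauth2-tai.xml, keeping the /> intact.
# Refuses to run twice so a stale systemUser is never silently duplicated.
add_system_user() {             # $1=install_dir $2=user DN
  f="$1/wlp/usr/servers/apmui/server-oauth2-tai.xml"
  if grep -q 'systemUser=' "$f"; then
    echo "systemUser already present in $f; review it by hand" >&2
    return 1
  fi
  awk -v dn="$2" '
    /<properties/ { inprops = 1 }
    inprops && /\/>/ {
      if ($0 ~ /<properties/) sub(/\/>/, "systemUser=\"" dn "\" />")
      else print "    systemUser=\"" dn "\""
      inprops = 0
    }
    { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 5: copy realm="..." from ldapRegistry.xml into oauthRealm="..." of
# oauthVariables-onprem.xml and echo the realm so the caller can verify it.
sync_oauth_realm() {            # $1=install_dir
  reg="$1/wlp/usr/shared/config/ldapRegistry.xml"
  ov="$1/wlp/usr/shared/config/oauthVariables-onprem.xml"
  realm=$(sed -n 's/.*[[:space:]]realm="\([^"]*\)".*/\1/p' "$reg" | head -n 1)
  [ -n "$realm" ] || { echo "no realm attribute found in $reg" >&2; return 1; }
  sed "s/oauthRealm=\"[^\"]*\"/oauthRealm=\"$realm\"/" "$ov" > "$ov.tmp" && mv "$ov.tmp" "$ov"
  echo "$realm"
}

# Constructed sample tree (not real product files) for a dry run; step 6
# (apm restart_all) is deliberately not scripted here.
make_sample_tree() {            # $1=directory to populate
  mkdir -p "$1/wlp/usr/servers/server1/cscs/conf" "$1/wlp/usr/servers/apmui" "$1/wlp/usr/shared/config"
  printf '<server>\n  <properties\n    provider="oidc"\n    />\n</server>\n' > "$1/wlp/usr/servers/apmui/server-oauth2-tai.xml"
  printf '<server><ldapRegistry id="ldap" realm="SampleLdapADRealm"/></server>\n' > "$1/wlp/usr/shared/config/ldapRegistry.xml"
  printf '<server><oauth oauthRealm="customRealm"/></server>\n' > "$1/wlp/usr/shared/config/oauthVariables-onprem.xml"
}
```

Run the three functions against the real install_dir as the user that owns it, then continue with apm restart_all and the login check in step 7.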

Results

The Cloud APM integration with your LDAP server is now complete.