The default user for Cloud APM is apmadmin, and the default realm is customRealm. By default, apmadmin is also the primary role administrator. When you configure LDAP to authenticate Cloud APM console users, you must change the primary role administrator from apmadmin to an LDAP user.
About this task
The primary role administrator is responsible for assigning other Cloud APM console users to roles by using the Role Based Access Control page. The primary role administrator username and password are also used when backing up and restoring data for the Cloud APM server. You might need to change the primary role administrator for one of the following reasons:
- You are changing user authentication from basic registry to LDAP, or you are switching to a different LDAP registry.
- You want to use a different LDAP user as the primary role administrator.
- You want to use a different realm name for the user registry.
If you are using basic registry, you cannot change the primary role administrator from apmadmin to another user. This is because Cloud APM procedures, such as backup and restore, assume that apmadmin is the primary role administrator when the basic registry is configured. If you are switching from LDAP back to the basic registry, see Switching from LDAP back to basicRegistry for details on changing the primary role administrator back to the apmadmin user.
Procedure
1. Navigate to the install_dir/wlp/usr/servers/server1/cscs/conf directory and create a file called cscsRoleAdmin.new.
   Do not edit or remove the cscsRoleAdmin.conf file directly. Any change should be made by creating a cscsRoleAdmin.new file.
2. Add a new default user to cscsRoleAdmin.new using syntax similar to the following (contact your LDAP administrator for the exact syntax):
   user:SampleLdapADRealm/CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com
   where:
   - SampleLdapADRealm is the realm name for your registry. Replace SampleLdapADRealm with the realm name from the registry configuration file (basicRegistry.xml or ldapRegistry.xml).
   - CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com is the user that is being designated the primary role administrator. Replace it with the distinguished name of that user. The primary role administrator user has authorization to perform all actions in the Cloud APM console, including assigning other users or user groups to roles.
   - When you are switching from basic registry to LDAP, the primary role administrator must log in to the Cloud APM console after this procedure is complete and assign roles to other LDAP users so that they are authorized to access the Cloud APM console.
   - Specify the user's distinguished name exactly as it is defined in the LDAP directory. The best practice is to specify a user distinguished name that is different from the bindDN user specified in the ldapRegistry.xml file.
   Note: The realm name and user name are case sensitive.
3. Save the cscsRoleAdmin.new file.
4. Update the install_dir/wlp/usr/servers/apmui/server-oauth2-tai.xml file to add the user from step 2:
   - Find the properties line, <properties, and its closing tag, />.
   - Add a new line before the /> closing tag with the following content:
     systemUser="testuser LDAP distinguished name"
     where testuser matches the user string from step 2, for example:
     systemUser="CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
     Note: Do not include the user: prefix or realm name that was specified in step 2.
   - Confirm that the /> closing tag was not deleted, then save and close the file.
5. Update the install_dir/wlp/usr/shared/config/oauthVariables-onprem.xml file and set the value of the oauthRealm attribute to the value of the realm property in the install_dir/wlp/usr/shared/config/ldapRegistry.xml file.
6. Restart the Cloud APM server by using the following command in the /user/bin/ directory:
7. To verify that you have successfully changed the primary role administrator, attempt to log in with your new Role Administrator user account.
   - If you can log in successfully, you have changed the primary role administrator account. Go to the Role Based Access Control page to assign other LDAP users to roles so that they are authorized to log in to the Cloud APM console. For more information, see Working with roles, users, and permissions.
   - If you receive the message "You do not have permission to view this application. If you require access to the application, please send the URL that you are attempting to access to your monitoring system administrator", see Troubleshooting changing the primary role administrator.
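Steps 2, 4 and 5 edit four files that must agree on the same realm name and the same distinguished name, and the page notes that the comparison is case sensitive and that systemUser must carry neither the user: prefix nor the realm. The following checker is an added example, not part of the Cloud APM product or its documentation: it parses constructed sample content for cscsRoleAdmin.new, server-oauth2-tai.xml, oauthVariables-onprem.xml and ldapRegistry.xml and reports every mismatch before the server is restarted. The wrapper XML elements in the samples (server, variable) and the file layouts are assumptions made for this example; only the names the page itself uses (properties, systemUser, oauthRealm, realm, bindDN) are taken from it.

```python
"""Consistency check for the primary role administrator files.

Added example; not Cloud APM code. The XML layouts below are assumed
(constructed for this example), not copied from a real installation.
"""
import xml.etree.ElementTree as ET

# Constructed sample content mirroring the page's example realm and DN.
SAMPLE_ROLE_ADMIN = (
    "user:SampleLdapADRealm/"
    "CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com\n"
)
SAMPLE_TAI = """<server>
  <properties
    systemUser="CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
  />
</server>
"""
SAMPLE_OAUTH_VARS = """<server>
  <variable name="oauthRealm" value="SampleLdapADRealm" />
</server>
"""
SAMPLE_LDAP = """<server>
  <ldapRegistry id="ldap" realm="SampleLdapADRealm"
      bindDN="CN=binduser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com" />
</server>
"""


def parse_role_admin(text):
    """Parse the single 'user:<realm>/<DN>' line in cscsRoleAdmin.new."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("cscsRoleAdmin.new must hold exactly one user line")
    line = lines[0]
    if not line.startswith("user:"):
        raise ValueError("the line must start with the 'user:' prefix")
    realm, sep, dn = line[len("user:"):].partition("/")
    if not (sep and realm and dn):
        raise ValueError("expected 'user:<realm>/<distinguished name>'")
    return realm, dn


def first_attr(xml_text, tag, attr):
    """Return attribute `attr` of the first `tag` element that carries it."""
    for elem in ET.fromstring(xml_text).iter(tag):
        if attr in elem.attrib:
            return elem.attrib[attr]
    return None


def oauth_realm(xml_text):
    """Assumed layout: <variable name="oauthRealm" value="..." />."""
    for elem in ET.fromstring(xml_text).iter("variable"):
        if elem.get("name") == "oauthRealm":
            return elem.get("value")
    return None


def check_consistency(role_admin_text, tai_xml, oauth_vars_xml, ldap_xml):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    realm, dn = parse_role_admin(role_admin_text)

    # Step 4: systemUser is the bare DN, with no 'user:' prefix and no realm.
    system_user = first_attr(tai_xml, "properties", "systemUser")
    if system_user is None:
        problems.append("server-oauth2-tai.xml: <properties> has no systemUser")
    elif system_user.startswith("user:") or system_user.startswith(realm + "/"):
        problems.append("systemUser must not include the 'user:' prefix or realm")
    elif system_user != dn:
        hint = ""
        if system_user.lower() == dn.lower():
            hint = " (differs only in case; names are case sensitive)"
        problems.append(f"systemUser {system_user!r} does not match "
                        f"the DN in cscsRoleAdmin.new{hint}")

    # Steps 2 and 5: one realm across cscsRoleAdmin.new, ldapRegistry.xml
    # and oauthVariables-onprem.xml.
    ldap_realm = first_attr(ldap_xml, "ldapRegistry", "realm")
    if ldap_realm != realm:
        problems.append(f"realm {realm!r} in cscsRoleAdmin.new does not match "
                        f"ldapRegistry.xml realm {ldap_realm!r}")
    o_realm = oauth_realm(oauth_vars_xml)
    if o_realm != ldap_realm:
        problems.append(f"oauthRealm {o_realm!r} does not match "
                        f"ldapRegistry.xml realm {ldap_realm!r}")

    # Best practice from the page: the role administrator is not the bind user.
    bind_dn = first_attr(ldap_xml, "ldapRegistry", "bindDN")
    if bind_dn is not None and bind_dn == dn:
        problems.append("primary role administrator DN equals the bindDN")
    return problems


if __name__ == "__main__":
    found = check_consistency(SAMPLE_ROLE_ADMIN, SAMPLE_TAI,
                              SAMPLE_OAUTH_VARS, SAMPLE_LDAP)
    print("OK" if not found else "\n".join(found))
```

To use it against a real installation, read the four files from the paths in steps 1, 4 and 5 and pass their contents to check_consistency; a non-empty result is the list of things to fix before the restart in step 6.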
Results
The Cloud APM integration with your LDAP server is now complete.