Updating the primary role administrator

The default user for Cloud APM is apmadmin, and the default realm is customRealm. By default apmadmin is also the primary role administrator. When you configure LDAP to authenticate Cloud APM console users, you must change the primary role administrator from apmadmin to a LDAP user.

1. Navigate to the install_dir/wlp/usr/servers/server1/cscs/conf directory and create a file called cscsRoleAdmin.new.
   Do not edit or remove the cscsRoleAdmin.conf file directly. Any change should be done by creating a cscsRoleAdmin.new file.
2. Add a new default user to cscsRoleAdmin.new using syntax similar to the following (contact your LDAP administrator for the exact syntax):

   user:SampleLdapADRealm/CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com 

   where:

   SampleLdapADRealm

   This is the realm name for your registry. Replace SampleLdapADRealm with the realm name from the registry configuration file (basicRegistry.xml or ldapRegistry.xml)

   CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com

   Replace CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com with the user that is being designated the primary role administrator. The primary role administrator user has authorization to perform all actions in the Cloud APM console including assigning other users or user groups to roles.

   When you are switching from basic registry to LDAP, the primary role administrator must log into the Cloud APM console after this procedure is complete and assign roles to other LDAP users so that they are authorized to access the Cloud APM console.

   Specify the user's distinguished name exactly as it is defined in the LDAP directory. The best practice is to specify a different user distinguished name from the bindDN user specified in the ldapRegistry.xml file.

   Note: The realm name and user name are case sensitive.
3. Save the cscsRoleAdmin.new file.
4. Update the install_dir/wlp/usr/servers/apmui/server-oauth2-tai.xml file to add the user from step 2:
   1. Find the properties line, <properties, and its closing tag, />.
   2. Add a new line before the /> closing tag with the following content: systemUser="testuser LDAP distinguished name" where testuser matches the user string from step 2, for example: systemUser="CN=testuser,CN=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
      Note: Do not include the user: prefix or realm name that was specified in step 2.
   3. Confirm that the /> closing tag was not deleted, then save and close the file.
5. Update the install_dir/wlp/usr/shared/config/oauthVariables-onprem.xml file and set the value of the oauthRealm attribute to the value of the realm property in the install_dir/wlp/usr/shared/config/ldapRegistry.xml file.
6. Restart the Cloud APM server by using the following command in the /user/bin/ directory:

   apm restart_all

7. To verify that you have successfully changed the primary role administrator, attempt to log in with your new Role Administrator user account.
   • If you can log in successfully, you have successfully changed the primary role administrator account. Go to the Role Based Access Control page to assign other LDAP users to roles so that they are authorized to log in to the Cloud APM console. For more information, see the Working with roles, users, and permissions topic (Working with roles, users, and permissions.
   • If you receive the message "You do not have permission to view this application. If you require access to the application, please send the URL that you are attempting to access to your monitoring system administrator", see Troubleshooting changing the primary role administrator.