If the system where you plan to install the Cloud APM server with a local Db2® server uses an external LDAP directory service to authenticate the users who log in to the Cloud APM server, such as your root user and your Db2 users, you must create local Db2 users before you install the Cloud APM server.
Before you begin
Although this procedure is generally applicable to any directory service and access protocol, the following steps cover an external directory service that is used with LDAP. Your chosen directory service and access protocol might not be recognized by Db2 or by the Cloud APM server installation software. In that case, when you try to manage resources in the directory service, an error is returned because you are not authorized to complete these tasks. The steps that differ by directory service type are called out in this procedure, but the alternatives are not documented.
About this task
Complete the following steps to:
- Temporarily disable LDAP authentication for the Cloud APM server.
- Create local Db2 users and groups.
- Configure the Db2 users and passwords in the install.properties file that is used for the Cloud APM server installation.
- Re-enable LDAP authentication.
- Install the Cloud APM server.
- Configure the LDAP security plug-in on the local Db2 server.
- Update the itmuser and Db2 instance user passwords if these passwords are configured in the external directory service that is used with LDAP.
- Install a local Db2 server for use with LDAP for user authentication.
Note: The Cloud APM server installation does not configure the local Db2 server to use the LDAP security plug-in. After you install the Cloud APM server, you must configure the LDAP security plug-in on the local Db2 server.
Procedure
1. Enter the following command and save the output for later reference:
id user_name
where user_name is itmuser, db2apm, db2fenc1, or dasusr1. See the following sample output:
# id itmuser
uid=1188800003(itmuser) gid=1188800003(itmuser) groups=1188800003(itmuser)
# id db2apm
uid=1188800004(db2apm) gid=1188800004(db2apm) groups=1188800004(db2apm)
# id db2fenc1
uid=1188800005(db2fenc1) gid=1188800005(db2fenc1) groups=1188800005(db2fenc1)
# id dasusr1
uid=1188800006(dasusr1) gid=1188800006(dasusr1) groups=1188800006(dasusr1)
Important: The message id: <username>: No such user indicates that the user is not defined in the LDAP directory. If none of the users are defined in the LDAP directory, skip the remaining steps. If only a subset of the users are defined in the LDAP directory, perform the remaining steps only for the users that are in the LDAP directory.
2. Disable the LDAP authentication service by entering the following command:
service sssd stop
The command to run for this step might differ depending on your chosen directory service.
3. Perform an SSSD cache cleanup for the users that you identified in step 1. For example:
sss_cache -u itmuser
sss_cache -u db2apm
sss_cache -u db2fenc1
sss_cache -u dasusr1
This step might differ depending on your chosen directory service.
4. Create new groups and users on your local system for the users that you identified in step 1. Reuse the group names and group IDs, and the user names and user IDs, from the output of the id command in step 1. Use the same passwords that were specified in the LDAP directory.
groupadd -g 1188800003 itmuser
useradd -u 1188800003 -g 1188800003 itmuser
passwd itmuser
groupadd -g 1188800004 db2apm
useradd -u 1188800004 -g 1188800004 db2apm
passwd db2apm
groupadd -g 1188800005 db2fenc1
useradd -u 1188800005 -g 1188800005 db2fenc1
passwd db2fenc1
groupadd -g 1188800006 dasusr1
useradd -u 1188800006 -g 1188800006 dasusr1
passwd dasusr1
5. Update the passwords in the install_image/install.properties file for the users that you identified in step 1. Use the same passwords that were specified in the LDAP directory. For example:
db2apm.password=db2Usrpasswd@08
itmuser.password=db2Usrpasswd@08
db2fenc1.password=db2Usrpasswd@08
dasusr1.password=db2Usrpasswd@08
6. Update the group names in the install_image/files/db2wse.rsp file for the users that you identified in step 1. No property exists for the itmuser user.
- Update the apm.GROUP_NAME property with the name of the primary group of the db2apm user. For example: apm.GROUP_NAME = db2apm
- Update the apm.FENCED_GROUP_NAME property with the name of the primary group of the db2fenc1 user. For example: apm.FENCED_GROUP_NAME = db2fenc1
- Update the DAS_GROUP_NAME property with the name of the primary group of the dasusr1 user. For example: DAS_GROUP_NAME = dasusr1
7. Enable the LDAP authentication service by entering the following command:
service sssd start
The command to run for this step might differ depending on your chosen directory service.
8. Install the Cloud APM server and choose the option to install the default Db2 server. For instructions, see Downloading and installing the server.
9. Configure the LDAP security plug-in on the local Db2 server. For instructions, see LDAP-based authentication and group lookup support. This step might differ depending on your chosen directory service.
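The following script is an added example, not part of the IBM documentation or the installer. It derives the groupadd and useradd commands of step 4 from the id output captured in step 1 (keeping UID, GID, user name and group name identical, and skipping users that LDAP reports as No such user), and it checks that a local account and its LDAP entry resolve to the same identity, which is what lets Db2 see one consistent user whether or not SSSD is running. Passwords are left to an interactive passwd call, as in the procedure.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Turns the `id` output of
# step 1 into the groupadd/useradd commands of step 4 and verifies that a
# local account mirrors its LDAP entry. Passwords are not handled here:
# set them interactively with `passwd`, as the procedure does.

# Print the commands that recreate one user locally from a line such as
#   uid=1188800003(itmuser) gid=1188800003(itmuser) groups=1188800003(itmuser)
# Returns 2 for "No such user" (skip that user, as the Important note says)
# and 1 when the line cannot be parsed.
gen_local_user_cmds() {
    id_line=$1
    case $id_line in
        *"No such user"*) echo "skip: not in LDAP: $id_line" >&2; return 2 ;;
    esac
    uid_re='^uid=\([0-9]*\)(\([^)]*\)).*'
    gid_re='.*gid=\([0-9]*\)(\([^)]*\)).*'
    uid=$(printf '%s\n' "$id_line" | sed -n "s/$uid_re/\1/p")
    user=$(printf '%s\n' "$id_line" | sed -n "s/$uid_re/\2/p")
    gid=$(printf '%s\n' "$id_line" | sed -n "s/$gid_re/\1/p")
    group=$(printf '%s\n' "$id_line" | sed -n "s/$gid_re/\2/p")
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "cannot parse: $id_line" >&2; return 1
    fi
    printf 'groupadd -g %s %s\n' "$gid" "$group"
    printf 'useradd -u %s -g %s %s\n' "$uid" "$gid" "$user"
}

# Compare two passwd-format entries (name:x:uid:gid:...), for example from
#   getent -s files passwd itmuser   and   getent -s sss passwd itmuser
# Returns 0 only when name, UID and GID all match, so Db2 resolves the same
# identity from the local files and from the directory.
same_identity() {
    for f in 1 3 4; do
        a=$(printf '%s\n' "$1" | cut -d: -f"$f")
        b=$(printf '%s\n' "$2" | cut -d: -f"$f")
        [ -n "$a" ] && [ "$a" = "$b" ] || return 1
    done
    return 0
}

# Live use (runs only when user names are given on the command line):
#   sh mirror_users.sh itmuser db2apm db2fenc1 dasusr1 > create_users.sh
for u in "$@"; do
    gen_local_user_cmds "$(id "$u" 2>&1)" || true
done
```

Run it before step 2 while SSSD is still up, so that id resolves the LDAP entries; review the generated commands before executing them as root.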
Results
The Cloud APM server is installed on a computer system or VM where LDAP is used for user authentication and a local Db2 server is used.
What to do next
Verify that data from your agents is displayed in the Cloud APM console. If you are not logged in, follow the instructions in Starting the Cloud APM console.