Disabling OpenID Connect authentication for the Cloud APM console

You must disable OpenID Connect (OIDC) authentication for the Cloud APM console before you can enable single sign-on (SSO) between Cloud APM and another IBM product that requires LTPA for SSO.

Although OIDC is no longer used for UI authentication after you complete this procedure, the RESTful APIs continue to rely on OIDC. The RESTful APIs do not interfere with SSO (see Exploring the APIs).

Procedure

Complete these steps to disable OIDC authentication for the Cloud APM console.

  1. Stop all servers with the command apm stop_all.
  2. If LDAP is already configured for Cloud APM, you must temporarily modify the commonRegistry.xml file at install_dir/wlp/usr/shared/config/ to include basicRegistry.xml instead of ldapRegistry.xml:
    1. Comment out the line that refers to the LDAP registry file as follows:
      <!--include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/-->
    2. Remove the comment tags from the line that refers to the basic registry file as follows:
      <include optional="false" location="${shared.config.dir}/basicRegistry.xml"/>
  3. Change the value of the oauthRealm attribute in the install_dir/wlp/usr/shared/config/oauthVariables-onprem.xml file to match the value of the realm attribute in the basicRegistry.xml file.
  4. Temporarily remove the systemUser property from the install_dir/wlp/usr/servers/apmui/server-oauth2-tai.xml file:
    1. Make a backup copy of the install_dir/wlp/usr/servers/apmui/server-oauth2-tai.xml file.
    2. Open the install_dir/wlp/usr/servers/apmui/server-oauth2-tai.xml file and search for the line that begins with <properties. Delete the systemUser property.
  5. Edit the install_dir/wlp/usr/servers/apmui/server.xml file and comment out this line as follows:
    <!--include optional="true" location="server-relying-party.xml"/-->
  6. Edit the install_dir/wlp/usr/servers/apmui/server-itportal.xml file to change the following line:
     <application type="eba" id="Blaze" name="Blaze"
        location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.eba">

    Change the line as shown in the following code:

     <application type="eba" id="Blaze" name="Blaze"
          location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.ltpasso.eba">
  7. Edit the install_dir/wlp/usr/servers/uviews/server.xml file and comment out this line as follows:
    <!--include optional="true" location="server-relying-party.xml"/-->
    You must use the exact format that is shown here to comment out the include statement for the server-relying-party.xml file.
  8. Run the following command with the correct password for the apmadmin user:

    install_dir/ccm/configureConsole_ltpasso.sh apmadmin password

    The default password is apmpass. Because the password is passed as a command-line argument, it is visible to other local users in the process list while the script runs; if the default password is still in use, change it.

  9. If you switched from the LDAP registry to the basic registry in step 2, re-enable the LDAP registry in the commonRegistry.xml file:
    1. Comment out the line that refers to the basic registry as follows:
      <!--include optional="false" location="${shared.config.dir}/basicRegistry.xml"/-->
    2. Remove the comment tags from the line that refers to the LDAP registry file as follows:
      <include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/>
  10. If you changed the value of the oauthRealm attribute in step 3, update it to match the value of the realm attribute in the ldapRegistry.xml file.
  11. If you removed the systemUser property in step 4, replace the current install_dir/wlp/usr/servers/apmui/server-oauth2-tai.xml file with the backup file that you created in step 4a.
  12. Start all servers with the command apm restart_all.
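The file edits in steps 2 to 7 and 9 to 11 are easy to get slightly wrong by hand (the include must be commented out in exactly the form shown, the registry swap must be reversed, the TAI file must be restored from its backup). The following script is an added example, not IBM's own tooling and not part of the original page: it performs those edits with backups, exposes a post-check that refuses to restart the servers when the expected state is not present, and leaves apm stop_all, configureConsole_ltpasso.sh and apm restart_all as the commands the procedure gives. It assumes layouts the page does not show: that oauthRealm and realm are XML attributes of the form name="value", and that systemUser is an attribute on the line that begins with <properties in server-oauth2-tai.xml. The function names, the .pre-ltpasso backup suffix, the --run flag, the /opt/ibm/apm path in the usage comment and the miniature install_dir built by make_fixture (including the oauthSettings element name) are constructed for this example.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: scripts the file edits of steps 2-7 and
# 9-11 with backups and a post-check. Assumed (the page does not show these
# layouts): oauthRealm and realm are XML attributes of the form name="value",
# and systemUser is an attribute on the line that begins with <properties in
# server-oauth2-tai.xml. Adjust set_attr/remove_system_user if your files differ.
set -eu

sed_inplace() {   # in-place sed that keeps the target file's inode and permissions
    tmp=$(mktemp); sed "$1" "$2" > "$tmp"; cat "$tmp" > "$2"; rm -f "$tmp"
}
backup() { [ -e "$1.pre-ltpasso" ] || cp -p "$1" "$1.pre-ltpasso"; }   # never overwrite a backup
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }   # literal dots for a sed regex

# Steps 2, 5, 7, 9: toggle <include ... location="…/NAME"/> to and from the exact
# <!--include ... /--> form the procedure requires (the attributes are kept verbatim).
comment_include()   { sed_inplace "s#^\([[:space:]]*\)<include \([^>]*location=\"[^\"]*$(esc "$2")\"\)/>#\1<!--include \2/-->#" "$1"; }
uncomment_include() { sed_inplace "s#^\([[:space:]]*\)<!--include \([^>]*location=\"[^\"]*$(esc "$2")\"\)/-->#\1<include \2/>#" "$1"; }
include_active()    { grep -q "^[[:space:]]*<include [^>]*location=\"[^\"]*$(esc "$2")\"/>" "$1"; }

# Steps 3 and 10: copy realm="…" out of a registry file into oauthRealm="…".
get_attr() { sed -n "s#.*[[:space:]]$2=\"\([^\"]*\)\".*#\1#p" "$1" | head -n 1; }
set_attr() { sed_inplace "s#\([[:space:]]$2=\"\)[^\"]*\"#\1$3\"#" "$1"; }

# Step 4: drop systemUser="…" from the <properties line only.
remove_system_user() { sed_inplace "/^[[:space:]]*<properties/s#[[:space:]]systemUser=\"[^\"]*\"##" "$1"; }
# Step 6: point Blaze at the LTPA SSO bundle; safe to rerun because the new name no longer matches.
switch_blaze_eba() { sed_inplace 's#com\.ibm\.tivoli\.blaze_2\.3\.0\.7\.eba#com.ibm.tivoli.blaze_2.3.0.7.ltpasso.eba#' "$1"; }

apply_edits() {   # steps 2-7; run after "apm stop_all"
    d=$1; shared=$d/wlp/usr/shared/config; ui=$d/wlp/usr/servers/apmui
    for f in "$shared/commonRegistry.xml" "$shared/oauthVariables-onprem.xml" "$ui/server-oauth2-tai.xml" \
             "$ui/server.xml" "$ui/server-itportal.xml" "$d/wlp/usr/servers/uviews/server.xml"; do backup "$f"; done
    if include_active "$shared/commonRegistry.xml" ldapRegistry.xml; then   # LDAP configured: swap in the basic registry
        comment_include "$shared/commonRegistry.xml" ldapRegistry.xml
        uncomment_include "$shared/commonRegistry.xml" basicRegistry.xml
        set_attr "$shared/oauthVariables-onprem.xml" oauthRealm "$(get_attr "$shared/basicRegistry.xml" realm)"
    fi
    remove_system_user "$ui/server-oauth2-tai.xml"
    comment_include "$ui/server.xml" server-relying-party.xml
    switch_blaze_eba "$ui/server-itportal.xml"
    comment_include "$d/wlp/usr/servers/uviews/server.xml" server-relying-party.xml
}

revert_edits() {   # steps 9-11; run after configureConsole_ltpasso.sh
    d=$1; shared=$d/wlp/usr/shared/config; ui=$d/wlp/usr/servers/apmui
    if include_active "$shared/commonRegistry.xml.pre-ltpasso" ldapRegistry.xml; then   # LDAP was swapped out in step 2
        comment_include "$shared/commonRegistry.xml" basicRegistry.xml
        uncomment_include "$shared/commonRegistry.xml" ldapRegistry.xml
        set_attr "$shared/oauthVariables-onprem.xml" oauthRealm "$(get_attr "$shared/ldapRegistry.xml" realm)"
    fi
    cp -p "$ui/server-oauth2-tai.xml.pre-ltpasso" "$ui/server-oauth2-tai.xml"   # step 11: restore systemUser from the backup
}

oidc_disabled() {   # post-check: both relying-party includes are commented out and Blaze is the LTPA SSO bundle
    ! include_active "$1/wlp/usr/servers/apmui/server.xml" server-relying-party.xml &&
    ! include_active "$1/wlp/usr/servers/uviews/server.xml" server-relying-party.xml &&
    grep -q 'blaze_2\.3\.0\.7\.ltpasso\.eba' "$1/wlp/usr/servers/apmui/server-itportal.xml"
}

disable_oidc() {   # the whole procedure: $1 = install_dir, $2 = apmadmin password
    apm stop_all
    apply_edits "$1"
    "$1/ccm/configureConsole_ltpasso.sh" apmadmin "$2"
    revert_edits "$1"
    oidc_disabled "$1"   # set -e: do not restart the servers if the expected state is missing
    apm restart_all
}

make_fixture() {   # constructed miniature install_dir holding only the lines the procedure touches
    d=$1; mkdir -p "$d/wlp/usr/shared/config" "$d/wlp/usr/servers/apmui" "$d/wlp/usr/servers/uviews"
    cat > "$d/wlp/usr/shared/config/commonRegistry.xml" <<'EOF'
<server>
    <include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/>
    <!--include optional="false" location="${shared.config.dir}/basicRegistry.xml"/-->
</server>
EOF
    printf '<server>\n    <basicRegistry id="basic" realm="apmRealm"/>\n</server>\n' > "$d/wlp/usr/shared/config/basicRegistry.xml"
    printf '<server>\n    <ldapRegistry id="ldap" realm="corpLdapRealm"/>\n</server>\n' > "$d/wlp/usr/shared/config/ldapRegistry.xml"
    # oauthSettings is a stand-in element name; only the oauthRealm attribute matters here
    printf '<server>\n    <oauthSettings oauthRealm="corpLdapRealm"/>\n</server>\n' > "$d/wlp/usr/shared/config/oauthVariables-onprem.xml"
    printf '<server>\n    <include optional="true" location="server-relying-party.xml"/>\n</server>\n' |
        tee "$d/wlp/usr/servers/apmui/server.xml" > "$d/wlp/usr/servers/uviews/server.xml"
    printf '<server>\n    <properties provider_1.identifier="apm" systemUser="apmadmin"/>\n</server>\n' > "$d/wlp/usr/servers/apmui/server-oauth2-tai.xml"
    printf '<server>\n    <application type="eba" id="Blaze" name="Blaze"\n        location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.eba">\n    </application>\n</server>\n' > "$d/wlp/usr/servers/apmui/server-itportal.xml"
}

if [ "${1:-}" = "--run" ]; then disable_oidc "$2" "${3:-apmpass}"; fi   # e.g. sh disable_oidc.sh --run /opt/ibm/apm <password>
```

Run it against the constructed fixture first (make_fixture, apply_edits, revert_edits, oidc_disabled) to confirm the sed patterns match your file layout before pointing it at a real install_dir with --run; the backups it leaves beside each file (.pre-ltpasso) are the way back if the post-check fails.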

Results

OpenID Connect authentication for the Cloud APM console is now disabled.