Installing on a system using an external directory service

If the system where you plan to install the Cloud APM server with a local Db2® server uses an external LDAP directory service to authenticate the users who log in to the Cloud APM server, such as your root user and your Db2 users, you must create local Db2 users before you install the Cloud APM server.

Before you begin

Although this procedure is generally applicable to any directory service and access protocol, the following steps cover an external directory service that is accessed through LDAP. It is possible that your chosen directory service and access protocol are not recognized by Db2 and the Cloud APM server installation software. In that case, when you try to manage resources in this directory service, an error is returned because you are not authorized to complete these tasks. The steps that differ by directory service type are called out in this procedure, but the commands for other directory services are not documented.

About this task

Complete the following steps to:
  • Temporarily disable LDAP authentication for the Cloud APM server.
  • Create local Db2 users and groups.
  • Configure the Db2 users and passwords in the install.properties file used for the Cloud APM server installation.
  • Re-enable LDAP authentication.
  • Install the Cloud APM server.
  • Configure the LDAP security plug-in on the local Db2 server.
  • Update itmuser and Db2 instance user passwords if these passwords are configured in your external directory service that is being used with LDAP.
  • Install a local Db2 server for use with LDAP for user authentication.
Note: The Cloud APM server installation does not configure the local Db2 server to use the LDAP security plug-in. After you install the Cloud APM server, you must configure the LDAP security plug-in on the local Db2 server.

Procedure

  1. Enter the following command and save the output for later reference:
    id user_name
    where user_name is itmuser, db2apm, db2fenc1, or dasusr1. See the following sample output:
    # id itmuser
    uid=1188800003(itmuser) gid=1188800003(itmuser) groups=1188800003(itmuser)
    # id db2apm
    uid=1188800004(db2apm) gid=1188800004(db2apm) groups=1188800004(db2apm)
    # id db2fenc1
    uid=1188800005(db2fenc1) gid=1188800005(db2fenc1) groups=1188800005(db2fenc1)
    # id dasusr1
    uid=1188800006(dasusr1) gid=1188800006(dasusr1) groups=1188800006(dasusr1)
    Important: The message id: <username>: No such user indicates that the user is not defined in the LDAP directory. If none of the users are defined in the LDAP directory, skip the remaining steps. If only a subset of the users is defined in the LDAP directory, perform the remaining steps only for the users that are in the LDAP directory.
  2. Disable the LDAP authentication service by entering the following command:
    service sssd stop
    The command to run for this step might differ depending on your chosen directory service.
  3. Perform an SSSD cache cleanup for the users that you identified in step 1.
    For example:
    sss_cache -u itmuser
    sss_cache -u db2apm
    sss_cache -u db2fenc1
    sss_cache -u dasusr1
    This step might differ depending on your chosen directory service.
  4. Create new groups and users on your local system for the users that you identified in step 1. Reuse the group names and group IDs, and the user names and user IDs, from the output of the id command in step 1. Use the same passwords that were specified in the LDAP directory.
    groupadd -g 1188800003 itmuser
    useradd -u 1188800003 -g 1188800003 itmuser
    passwd itmuser

    groupadd -g 1188800004 db2apm
    useradd -u 1188800004 -g 1188800004 db2apm
    passwd db2apm

    groupadd -g 1188800005 db2fenc1
    useradd -u 1188800005 -g 1188800005 db2fenc1
    passwd db2fenc1

    groupadd -g 1188800006 dasusr1
    useradd -u 1188800006 -g 1188800006 dasusr1
    passwd dasusr1
  5. Update the passwords in the install_image/install.properties file for the users that you identified in step 1. Use the same passwords that were specified in the LDAP directory.
    For example:
    db2apm.password=db2Usrpasswd@08
    itmuser.password=db2Usrpasswd@08
    db2fenc1.password=db2Usrpasswd@08
    dasusr1.password=db2Usrpasswd@08
  6. Update the group names in the install_image/files/db2wse.rsp file for the users that you identified in step 1. No property exists for the itmuser user.
    1. Update the apm.GROUP_NAME property with the name of the primary group of the db2apm user.
      For example: apm.GROUP_NAME = db2apm
    2. Update the apm.FENCED_GROUP_NAME property with the name of the primary group of the db2fenc1 user.
      For example: apm.FENCED_GROUP_NAME = db2fenc1
    3. Update the DAS_GROUP_NAME property with the name of the primary group of the dasusr1 user.
      For example: DAS_GROUP_NAME = dasusr1
  7. Enable the LDAP authentication service by entering the following command:
    service sssd start
    The command to run for this step might differ depending on your chosen directory service.
  8. Install the Cloud APM server and choose the option to install the default Db2 server. For instructions, see Downloading and installing the server.
  9. Configure the LDAP security plug-in on the local Db2 server. For instructions, see LDAP-based authentication and group lookup support.
    This step might differ depending on your chosen directory service.
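Steps 1 and 4 of this procedure, as an added shell example that is not part of the IBM documentation: it parses the output of the id command from step 1 and prints the groupadd, useradd and passwd commands of step 4 for each of the four users that the directory defines, emitting a comment instead for any user that id does not know. The user names are the four from step 1 and the sample id line in the comments is the page's own; the function names, the constructed "No such user" test input, and the generalization that a user's primary group may carry a name different from the user name are assumptions of this example. The script prints a plan rather than executing it, so the commands can be reviewed and then run after the sssd service is stopped and the cache is cleared (steps 2 and 3).

```shell
#!/bin/sh
# Added example; not part of the IBM procedure. Turns the `id` checks of
# step 1 into the groupadd/useradd/passwd commands of step 4, skipping any
# user that the directory does not define. Nothing is executed here: the
# plan is printed for review and is run by hand after sssd is stopped.

# parse_id_line LINE
# LINE is one line of `id` output, for example (from the page):
#   uid=1188800003(itmuser) gid=1188800003(itmuser) groups=1188800003(itmuser)
# Prints "UID GID USER PRIMARY_GROUP", or nothing if LINE is not id output
# (for instance the "id: <username>: No such user" message of step 1).
parse_id_line() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9]*\)(\([^)]*\)) gid=\([0-9]*\)(\([^)]*\)).*$/\1 \3 \2 \4/p'
}

# plan_user NAME ID_OUTPUT
# Prints the step-4 commands for NAME, reusing the directory's UID, GID and
# primary group name. Output that does not parse as id output, or that
# describes a different user, yields a comment line instead of commands.
plan_user() {
    name=$1
    set -- $(parse_id_line "$2")
    if [ $# -ne 4 ] || [ "$3" != "$name" ]; then
        printf '# %s is not defined in the directory; skipping\n' "$name"
        return 0
    fi
    uid=$1 gid=$2 user=$3 group=$4
    # The primary group is created under its own name and GID: this example
    # does not assume it matches the user name, although it does in the
    # page's sample output.
    printf 'groupadd -g %s %s\n' "$gid" "$group"
    printf 'useradd -u %s -g %s %s\n' "$uid" "$gid" "$user"
    # passwd prompts interactively; the same password as in the directory is
    # entered by hand, as step 4 requires.
    printf 'passwd %s\n' "$user"
}

# plan_all: query `id` for the four Cloud APM and Db2 users of step 1 and
# print the complete step-4 plan. id's own error text is suppressed because
# the missing-user case is reported by plan_user as a comment line.
plan_all() {
    for u in itmuser db2apm db2fenc1 dasusr1; do
        plan_user "$u" "$(id "$u" 2>/dev/null)"
    done
}

plan_all
```

Run the script as root on the system to be installed, before step 2, and keep its output with the saved id output; after steps 2 and 3, execute the printed groupadd and useradd lines and answer the passwd prompts with the directory passwords. Because the plan is generated from id rather than typed, the UID and GID values cannot be mistyped, which matters here: a local user whose UID differs from the directory's would later resolve to a different identity once sssd is started again in step 7.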

Results

The Cloud APM server is installed on a computer system or VM where LDAP is used for user authentication and a local Db2 server is used.

What to do next

Verify that data from your agents is displaying in the Cloud APM console. If you are not logged in, follow the instructions in Starting the Cloud APM console.