You must disable the OpenID Connect (OIDC) authentication for the Performance Management console before you can enable single sign-on (SSO) between Performance Management and another IBM product that requires LTPA for SSO. Although OIDC is no longer used for UI authentication after you complete this procedure, the RESTful APIs continue to rely on OIDC. The RESTful APIs do not interfere with SSO (see Exploring the APIs).
Procedure
Complete the following steps to disable OIDC authentication for the Performance Management console.
1. Stop all servers with the command apm stop_all. For more information, see Starting, stopping, and checking the status of server components.
2. If LDAP is already configured for Performance Management, you must temporarily modify the commonRegistry.xml file at install_dir/wlp/usr/shared/config/ to include basicRegistry.xml instead of ldapRegistry.xml. Complete the following steps:
   - Comment out the line that refers to the LDAP registry file as follows:
     <!--include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/-->
   - Remove the comment tags from the line that refers to the basic registry file as follows:
     <include optional="false" location="${shared.config.dir}/basicRegistry.xml"/>
3. Change the value of the oauthRealm attribute in the install_dir/wlp/usr/shared/config/oauthVariables-onprem.xml file to match the value of the realm attribute in the basicRegistry.xml file.
4. Edit the server.xml file at install_dir/wlp/usr/servers/apmui/ to comment out the line that refers to server-relying-party.xml as follows:
   <!--include optional="true" location="server-relying-party.xml"/-->
5. Edit the following line in the server-itportal.xml file at install_dir/wlp/usr/servers/apmui/:
   <application type="eba" id="Blaze" name="Blaze"
       location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.eba">
   Change the line as shown:
   <application type="eba" id="Blaze" name="Blaze"
       location="${server.config.dir}/apps/com.ibm.tivoli.blaze_2.3.0.7.ltpasso.eba">
6. Run the following command with the correct password for the apmadmin user:
   install_dir/ccm/configureConsole_ltpasso.sh apmadmin <password>
   The default <password> is apmpass.
7. If you disabled LDAP in step 2, re-enable the LDAP registry in the commonRegistry.xml file by completing the following steps:
   - Comment out the line that refers to the basic registry as follows:
     <!--include optional="false" location="${shared.config.dir}/basicRegistry.xml"/-->
   - Remove the comment tags from the line that refers to the LDAP registry file as follows:
     <include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/>
8. If you changed the value of the oauthRealm attribute in step 3, update it to match the value of the realm attribute in the ldapRegistry.xml file.
9. Start all servers with the command apm restart_all. For more information, see Starting, stopping, and checking the status of server components.
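The registry switch in steps 2, 3, 7 and 8 is easy to leave half-done: both includes live in commonRegistry.xml, or oauthRealm still naming the realm of the registry that is no longer active, either of which leaves the console unable to authenticate anyone. The following POSIX shell script is an added example and is not part of the IBM documentation; it performs the include toggle and the oauthRealm update on a constructed copy of the three files and then checks that exactly one registry include is live and that oauthRealm matches that registry's realm attribute. It assumes that the realm and oauthRealm attributes are written on a single line in the form realm="..." and oauthRealm="..."; the element names in the sample files it builds are placeholders, as are the realm values.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation. Checks the state of the
# registry switch described in steps 2, 3, 7 and 8 of the procedure.
# Assumptions (not taken from the page): realm="..." and oauthRealm="..." each
# appear on one line; the sample files built by make_sample are constructed.

# Print which registry include in commonRegistry.xml is live: basic, ldap, none or both.
active_registry() {
    cfg="$1/commonRegistry.xml"
    live=$(sed 's/<!--.*-->//' "$cfg")      # drop single-line XML comments
    b=0; l=0
    printf '%s\n' "$live" | grep -q 'basicRegistry.xml' && b=1
    printf '%s\n' "$live" | grep -q 'ldapRegistry.xml' && l=1
    case "$b$l" in
        10) echo basic ;;
        01) echo ldap ;;
        00) echo none ;;
        *)  echo both ;;
    esac
}

# Value of the first realm="..." attribute in a registry file.
registry_realm() {
    sed -n 's/.*[[:space:]]realm="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Value of the oauthRealm="..." attribute in oauthVariables-onprem.xml.
oauth_realm() {
    sed -n 's/.*oauthRealm="\([^"]*\)".*/\1/p' "$1/oauthVariables-onprem.xml" | head -n 1
}

# Return 0 when exactly one registry is live and oauthRealm matches its realm.
check_realms() {
    dir=$1
    reg=$(active_registry "$dir")
    case "$reg" in
        basic|ldap) ;;
        *) echo "commonRegistry.xml: expected exactly one live include, found: $reg"; return 1 ;;
    esac
    want=$(registry_realm "$dir/${reg}Registry.xml")
    have=$(oauth_realm "$dir")
    if [ "$want" != "$have" ]; then
        echo "oauthRealm is '$have' but the $reg registry realm is '$want'"
        return 1
    fi
    echo "OK: $reg registry is live and oauthRealm='$have' matches it"
}

# Make the given registry include live and comment out the other one (steps 2 and 7).
# Usage: switch_registry DIR basic|ldap
switch_registry() {
    dir=$1; target=$2
    case "$target" in basic) other=ldap ;; ldap) other=basic ;; *) return 2 ;; esac
    cfg="$dir/commonRegistry.xml"
    sed -e "s|<!--\(include[^>]*${target}Registry.xml\"/\)-->|<\1>|" \
        -e "s|<\(include[^>]*${other}Registry.xml\"/\)>|<!--\1-->|" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Set the oauthRealm attribute in oauthVariables-onprem.xml (steps 3 and 8).
set_oauth_realm() {
    f="$1/oauthVariables-onprem.xml"
    sed "s|oauthRealm=\"[^\"]*\"|oauthRealm=\"$2\"|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Build a constructed sample config directory in the "LDAP already configured" state.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/commonRegistry.xml" <<'EOF'
<server>
    <!--include optional="false" location="${shared.config.dir}/basicRegistry.xml"/-->
    <include optional="false" location="${shared.config.dir}/ldapRegistry.xml"/>
</server>
EOF
    cat > "$dir/basicRegistry.xml" <<'EOF'
<server>
    <basicRegistry id="basic" realm="BasicRealm"/>
</server>
EOF
    cat > "$dir/ldapRegistry.xml" <<'EOF'
<server>
    <ldapRegistry id="ldap" realm="LdapRealm" host="ldap.example.invalid"/>
</server>
EOF
    cat > "$dir/oauthVariables-onprem.xml" <<'EOF'
<server>
    <!-- element name is a placeholder; only the attribute name comes from the procedure -->
    <sample oauthRealm="LdapRealm"/>
</server>
EOF
    echo "$dir"
}

# Walk a constructed sample through steps 2, 3, 7 and 8 and report after each.
demo() {
    d=$(make_sample)
    echo "Initial state (LDAP configured):"; check_realms "$d" || true
    switch_registry "$d" basic                                         # step 2
    echo "After step 2 only:"; check_realms "$d" || true                # mismatch expected
    set_oauth_realm "$d" "$(registry_realm "$d/basicRegistry.xml")"    # step 3
    echo "After step 3:"; check_realms "$d"
    switch_registry "$d" ldap                                          # step 7
    set_oauth_realm "$d" "$(registry_realm "$d/ldapRegistry.xml")"     # step 8
    echo "After steps 7 and 8:"; check_realms "$d"
    rm -rf "$d"
}
demo
```

To verify a real installation, run check_realms against install_dir/wlp/usr/shared/config after step 3 and again after step 8; the switch_registry and set_oauth_realm helpers write through a temporary file and rename, so take a copy of the three files first if you want to use them instead of editing by hand.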
Results
OpenID Connect authentication for the Performance Management console is now disabled.