Troubleshooting Checklist for Private Cloud Management Server

cocoandjan created · Jul 22, 2016 at 03:23 AM · 445 Views · edited · Aug 01, 2016 at 04:06 AM

Intro

Management Server issues typically manifest themselves as login problems, which may have been triggered by a Private Cloud migration, a reinstallation, bugs, or changes made during maintenance.

Checklist

Products: Private Cloud (applies specifically to 15.07 or 16.0x)

Get the following info from the customer:

  • Customer topology (i.e., how many nodes there are and which Apigee components are installed on each node).
  • What changed that may have introduced the problem?
  • Are they able to run management API calls? If so, as which user and with which roles?
  • Specifically, what error are they seeing in the UI or in the management server system.log?

UI Login Problems - Apigee OpenLDAP Setup

What to do...
  • Check if the sysadmin user can run any management API calls. Test with:

curl -v -u sysadmin@email.com http://{MS}:8080/v1/servers

If the management call doesn’t work:
  • Check the sysadmin password

The credentials should be the sysadmin user and password that are in Apigee OpenLDAP.

  • If the sysadmin user's password needs to be changed, check here.
  • Check if the user is in Apigee OpenLDAP: in the ldap.txt output, look for the entry with “dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com” and see if the user's uid is listed as a roleOccupant:

ldapsearch -w <ldap_password> -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h localhost -p 10389 > ldap.txt

  • If there is a second sysadmin user to run API calls, check that user's userroles for authorization to run the API call:

curl -v -u sysadmin@email.com http://{MS}:8080/v1/users/<user@email.com>/userroles
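
The roleOccupant check against ldap.txt can be scripted so that folded LDIF lines do not hide a match. This is an added example, not part of the original article; it assumes roleOccupant values are DNs beginning with uid=<uid>, and the sample entries and uids are constructed.

```shell
#!/bin/sh
# Added example (not from the article): is a uid a roleOccupant of sysadmin?
# Assumption: roleOccupant values are DNs that begin with "uid=<uid>,".
ROLE_DN='cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com'

# unfold_ldif FILE: join LDIF continuation lines (a leading single space means
# "continues the previous line") so that folded DNs can be matched whole.
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (NR > 1) print buf; buf = $0 }
       END { if (NR > 0) print buf }' "$1"
}

# is_sysadmin FILE USER_UID: exit status 0 if USER_UID occupies the sysadmin role.
is_sysadmin() {
  unfold_ldif "$1" | awk -v role="$ROLE_DN" -v uid="$2" '
    BEGIN { want = tolower("uid=" uid ","); role = tolower(role) }
    { line = tolower($0) }
    line == "" { in_role = 0; next }            # a blank line ends the entry
    line ~ /^dn: / { in_role = (substr(line, 5) == role); next }
    in_role && line ~ /^roleoccupant: / && index(substr(line, 15), want) == 1 { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# write_sample FILE: constructed ldap.txt excerpt; the second roleOccupant is
# folded in the middle of the uid, which a plain grep for the uid would miss.
write_sample() {
  cat > "$1" <<'EOF'
dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
objectClass: organizationalRole
cn: sysadmin
roleOccupant: uid=constructed-uid-0001,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=constructed-uid-
 0002,ou=users,ou=global,dc=apigee,dc=com

dn: cn=orgadmin,ou=userroles,ou=example-org,ou=organizations,dc=apigee,dc=com
roleOccupant: uid=constructed-uid-0003,ou=users,ou=global,dc=apigee,dc=com
EOF
}

sample=$(mktemp)
write_sample "$sample"
for u in constructed-uid-0002 constructed-uid-0003; do
  if is_sysadmin "$sample" "$u"; then echo "$u: sysadmin"; else echo "$u: not sysadmin"; fi
done
rm -f "$sample"
```
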

If Management calls work:
  • Check the UI’s configuration

Check that the values for apigee.mgmt.credential and apigee.analytics.credential have been properly encrypted by the EncryptUtil tool. The values for these properties need to be the same on all UI servers.

  • 15.07: /opt/apigee4/conf/ui/apigee.conf
  • 16.0x and newer: /opt/apigee/customer/application/ui.properties
  • Check UI logs:
    • 15.07: /opt/apigee4/var/log/apigee/ui/start.out and /opt/apigee4/share/ui/logs/application.log
    • 16.0x and newer: /opt/apigee/var/log/edge-ui/edge-ui.log
  • EncryptUtil tool usage here.

UI Login Problems - Externalized Auth Setup

    What to do...
    • Check the sysadmin user's credentials. The credentials to use should be the sysadmin user and the user's external auth password. They should be able to verify these by checking whether the credentials work with any other SSO client application that is used with their corporate LDAP server.
    If a management API call does not work:

    Test management calls with a sysadmin user and with orgadmin users.

    • Check Externalized Auth configuration

    15.07: /opt/apigee4/conf/apigee/management-server/security.properties

    16.0x: /opt/apigee/customer/application/management-server.properties

    • If the external LDAP is non-SSL, you can check the LDAP calls by collecting a tcpdump:

    tcpdump -s0 -i any port 10389 or 389 -XXvvv -w /tmp/ldap.cap

    • Check management logs:

    15.07: /opt/apigee4/var/log/apigee/management-server/logs/system.log

    16.0x or newer:

    /opt/apigee/var/log/edge-management-server/system.log

    If management API calls are working:

    That means the externalized auth setup for the management server is working; there may be a problem with the credentials being used for the UI only.

    • Check the UI’s configuration

    Check that the values for apigee.mgmt.credential and apigee.analytics.credential have been properly encrypted by the EncryptUtil tool. The values for these properties need to be the same on all UI servers.

    • 15.07: /opt/apigee4/conf/ui/apigee.conf
    • 16.0x and newer: /opt/apigee/customer/application/ui.properties
  • Check UI logs:
    • 15.07: /opt/apigee4/var/log/apigee/ui/start.out and /opt/apigee4/share/ui/logs/application.log
    • 16.0x and newer: /opt/apigee/var/log/edge-ui/edge-ui.log
  • Run a management call to check if the user has sysadmin credentials:

    curl -v -u sysadmin@email.com http://{MS}:8080/v1/userroles/sysadmin/users

    If the user needs to be made a sysadmin, run:

    curl -v -u sysadmin@email.com -X POST http://{MS}:8080/v1/userroles/sysadmin/users -H "Content-type: application/x-www-form-urlencoded" -d 'id=user@email.com'

    • Check if they encrypted the sysadmin user into the ui.properties by using:

    16.0x or newer: /opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile

    (also check if configFile has the correct sysadmin user credentials that are being used by the externalized LDAP)

    15.07:

    EncryptUtil tool usage here.


Login Issues with Multiple Management Servers Being Load Balanced

    What to do...

    NOTE: The application.conf should have a parameter application.secret, which needs to be the same for all UI servers behind a load balancer because the Play server signs a cookie with the secret. This parameter value is used as a salt for encryption of SSL keystore passwords and sysadmin credentials. The application.secret is randomly generated upon install of the management server node, so it differs on each management node install.

    • Make sure the value for application.secret is the same on all UI servers.
      • 15.07: /opt/apigee4/conf/ui/application.conf
      • 16.0x: /opt/apigee/customer/application/ui.properties
    • Check that the values for apigee.mgmt.credential and apigee.analytics.credential have been properly encrypted by the EncryptUtil tool. The values for these properties need to be the same on all UI servers.
      • 15.07: /opt/apigee4/conf/ui/apigee.conf
      • 16.0x: /opt/apigee/customer/application/ui.properties
    • Check if SSL is enabled on the UI. If so, the SSL keystore password used for the SSL certificate needs to be encrypted by EncryptUtil. Use the following utility to configure SSL:
      • 15.07: /opt/apigee4/bin/ui-configure-ssl.sh
      • 16.0x: /opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl
    • Check if the customer is using Externalized Auth Integration. If so, check if they are using the indirect bind method or the direct bind method.
    • For Externalized Auth: Check the configuration here
      • 15.07: /opt/apigee4/conf/apigee/management-server/security.properties
      • 16.0x: /opt/apigee/customer/application/management-server.properties
    • Check the sysadmin password
      • Externalized Auth: The credentials to use should be the sysadmin user and the user's external auth password.
      • Apigee OpenLDAP: The credentials should be the sysadmin user and password that are in Apigee OpenLDAP.
    • Check if the user that is being configured for the UI is a sysadmin by running a management API call:

    curl -v -u sysadmin@email.com http://{MS}:8080/v1/userroles/sysadmin/users

    If the user needs to be made a sysadmin, run:

    curl -v -u sysadmin@email.com -X POST http://{MS}:8080/v1/userroles/sysadmin/users -H "Content-type: application/x-www-form-urlencoded" -d 'id=user@email.com'

    • Check if the user is in Apigee OpenLDAP:

    ldapsearch -w <ldap_password> -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h localhost -p 10389 > ldap.txt
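
The first two checks in this list (identical application.secret, apigee.mgmt.credential and apigee.analytics.credential on every UI server) can be scripted once a copy of each server's file is at hand. This is an added example, not from the article or from Apigee; the key=value layout and the `conf_example_` key prefix in the sample are assumptions, and all values are constructed.

```shell
#!/bin/sh
# Added example (not from the article): compare the UI settings that must match
# across copies of each UI server's config, printing digests, never the values.
# Assumptions: lines are key=value, and a key is the property name itself or
# carries a prefix ending in "_" before the property name.
KEYS='application.secret apigee.mgmt.credential apigee.analytics.credential'

# prop_digest FILE KEY: truncated SHA-256 of KEY's last value, or "MISSING".
prop_digest() {
  val=$(awk -v key="$2" '
    /^[ \t]*[#!]/ { next }                       # skip comment lines
    { eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      n = length(k) - length(key)
      if (n >= 0 && substr(k, n + 1) == key && (n == 0 || substr(k, n, 1) == "_")) {
        out = v; hit = 1 } }
    END { if (!hit) exit 1; printf "%s", out }' "$1") || { echo MISSING; return 0; }
  printf '%s' "$val" | sha256sum | cut -c1-16
}

# check_consistent FILE...: report "key file digest" lines; return 1 if any key
# is missing from a file or its value differs from the first file's.
check_consistent() {
  rc=0
  for key in $KEYS; do
    first=''
    for f in "$@"; do
      d=$(prop_digest "$f" "$key")
      echo "$key $f $d"
      if [ -z "$first" ]; then first=$d; fi
      if [ "$d" = MISSING ] || [ "$d" != "$first" ]; then rc=1; fi
    done
  done
  return "$rc"
}

# Constructed files standing in for ui.properties copied from two UI servers.
tmp=$(mktemp -d)
printf '%s\n' 'conf_example_application.secret=constructed-secret-A' \
  'apigee.mgmt.credential="constructed-blob-1"' \
  'apigee.analytics.credential="constructed-blob-2"' > "$tmp/ui1.properties"
sed 's/secret-A/secret-B/' "$tmp/ui1.properties" > "$tmp/ui2.properties"
check_consistent "$tmp/ui1.properties" "$tmp/ui2.properties" || echo "MISMATCH found"
rm -rf "$tmp"
```
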

    Christin Brown ♦ · May 16, 2017 at 04:51 PM

    @cocoandjan or @sgilson we should post one for 17.xx
