Intro
Management Server issues typically manifest themselves as login problems, which may have been triggered by a Private Cloud migration, reinstallation, bugs, or changes made during maintenance.
Checklist
Products: Private Cloud (applies specifically to 15.07 or 16.0x)
Get the following info from the customer:
curl -v -u sysadmin@email.com http://{MS}:8080/v1/servers
The credentials should be the sysadmin user and password that is in Apigee OpenLDAP.
ldapsearch -w <ldap_password> -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h localhost -p 10389 > ldap.txt
curl -v -u sysadmin@email.com http://{MS}:8080/v1/users/<user@email.com>/userroles
Check that the values for apigee.mgmt.credential and apigee.analytics.credential have been properly encrypted by the EncryptUtil tool. The values for these properties need to be the same on all UI servers.
Test management calls with a sysadmin user and with orgadmin users.
15.07: /opt/apigee4/conf/apigee/management-server/security.properties
16.0x: /opt/apigee/customer/application/management-server.properties
tcpdump -s0 -i any port 10389 or 389 -XXvvv -w /tmp/ldap.cap
15.07: /opt/apigee4/var/log/apigee/management-server/logs/system.log
16.0x or newer:
/opt/apigee/var/log/edge-management-server/system.log
That means the externalized auth setup for the Management Server is working; there may be a problem with the credentials being used for the UI only.
Check that the values for apigee.mgmt.credential and apigee.analytics.credential have been properly encrypted by the EncryptUtil tool. The values for these properties need to be the same on all UI servers.
If the user needs to be made a sysadmin, run:
curl -v -u sysadmin@email.com -X POST http://{MS}:8080/v1/userroles/sysadmin/users -H "Content-Type: application/x-www-form-urlencoded" -d 'id=user@email.com'
16.0x or newer: /opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile
(also check if configFile has the correct sysadmin user credentials that are being used by the externalized LDAP)
15.07:
EncryptUtil tool usage here.
NOTE: The application.conf should have a parameter application.secret, which needs to be the same for all UI servers behind a load balancer because the Play server signs a cookie with the secret. This parameter value is used as a salt for encryption of SSL keystore passwords and sysadmin credentials. The application.secret is randomly generated when the Management Server node is installed, so it differs from one management node install to the next.
curl -v -u sysadmin@email.com http://{MS}:8080/v1/userroles/sysadmin/users
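One way to check the requirements above (apigee.mgmt.credential, apigee.analytics.credential and application.secret identical on all UI servers) without displaying the values, as an added example that is not part of the original article or of Apigee's tooling. It assumes each UI server's config file has been copied locally and that properties are written as key=value or key="value"; the function names are hypothetical.

```shell
# Added example (not Apigee tooling): compare one property across config files
# copied from several UI servers, showing only a SHA-256 fingerprint of the value.
# Assumption: one property per line, written as key=value or key="value".

# prop_fingerprint FILE KEY -> prints SHA-256 of the value of KEY; returns 1 if absent.
prop_fingerprint() {
    local file="$1" key="$2" value
    value=$(awk -v k="$key" '
        /^[ \t]*[#!]/ { next }               # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) != 1) next
            rest = substr(line, length(k) + 1)
            if (rest !~ /^[ \t]*[=:]/) next  # a longer key sharing the prefix
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            sub(/^"/, "", rest); sub(/"$/, "", rest)
            v = rest; found = 1              # last assignment wins
        }
        END { if (found) print v; else exit 1 }' "$file") || return 1
    printf '%s' "$value" | sha256sum | cut -d' ' -f1
}

# check_consistent KEY FILE... -> 0 if KEY has the same value in every file,
# 1 if the values differ, 2 if KEY is missing from (or unreadable in) any file.
check_consistent() {
    local key="$1" first="" fp file rc=0
    shift
    for file in "$@"; do
        if ! fp=$(prop_fingerprint "$file" "$key"); then
            echo "MISSING  $key in $file" >&2
            return 2
        fi
        # Print a truncated fingerprint only, never the secret itself.
        printf '%.12s  %s\n' "$fp" "$file"
        if [ -z "$first" ]; then first="$fp"; fi
        if [ "$fp" != "$first" ]; then rc=1; fi
    done
    return $rc
}
```

Run it once per property, for example `check_consistent application.secret ui1.conf ui2.conf`, and treat any non-zero exit status as a mismatch to fix before retesting the UI login.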
If the user needs to be made a sysadmin, run:
curl -v -u sysadmin@email.com -X POST http://{MS}:8080/v1/userroles/sysadmin/users -H "Content-Type: application/x-www-form-urlencoded" -d 'id=user@email.com'
ldapsearch -w <ldap_password> -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h localhost -p 10389 > ldap.txt
@cocoandjan or @sgilson we should post one for 17.xx