The Directory Service user account and password are normally used in two product components: FileNet Enterprise Manager (FEM), and the application server. A coordinated update procedure should be followed when there is a need to change the user account and/or password. This procedure applies to FileNet Content Engine 5.x and above.
These steps apply to IBM FileNet P8. In a 5.1 environment you use FileNet Enterprise Manager (FEM), while in 5.2 you have to use the Administration Console for Content Platform Engine (ACCE). The following is the complete step-by-step procedure to change the bootstrap user password in CPE 5.1:
1. Back up the Engine-##.ear file, where ## is ws for WebSphere, wl for WebLogic, or jb for JBoss. You can then revert to the last known good EAR file if changing the password fails.
2. On the server containing Content Engine, start the Configuration Manager.
a. Load the Configuration Manager profile that describes your installation.
Path: /opt/IBM/FileNet/ContentEngine/tools/configure/./configmgr_cl gui (To Load Configuration Profile)
b. Click Configure Bootstrap Properties. Do not change anything yet. The Bootstrap user password is the field you will change later in this procedure.
c. Leave this window open while doing the following steps.
3. Log in to Enterprise Manager (FEM) as GCD administrator gcd_admin.
a. In Enterprise Manager, right-click the Root Folder, and then click Properties.
b. Click the Directory Configuration tab.
c. Select the row that represents the configuration parameters pointing to the LDAP location that the Content Engine system user belongs to, and click Edit.
d. When the Modify Directory Configuration dialog box opens, view the value for the Directory Service User account.
4. Locate the value for the Directory Service (AD) User account. This should be the same value as described in step 3d.
a. Navigate to the authentication provider panel containing the ID and password for the Directory Service User account.
WebLogic: this will be the value of the Principal field in the Authentication Provider for the WebLogic domain containing Content Engine.
WebSphere: this will be the bind user account in the Profile containing Content Engine.
JBoss: the Directory Service User account is contained in the login-config.xml file.
b. Do not change anything yet. Leave the console open while doing the remaining steps.
5. Log in to your directory server (AD).
a. Navigate to the location containing the account for the Content Engine system user.
b. Change its password.
c. Save and apply.
6. Return to the Enterprise Manager dialog box.
a. Change the Directory Service User’s password to the new password.
b. Click Apply and OK to close the dialog box.
7. Return to the window containing Configuration Manager.
a. In the Configure Bootstrap Properties task, set the Bootstrap Operation property to Modify Existing.
b. Confirm that the Bootstrapped EAR file property contains the path to the bootstrap file you need to edit.
c. Change the Bootstrap user password. Use Configuration Manager’s features to save and run the task.
d. Run Configuration Manager’s Deploy Application.
8. Restart the application server or machine.
9. Verify the change by logging on to Enterprise Manager as a GCD administrator (gcd_admin) and performing a user and group lookup.
Open FEM–Edit–Provide New Password in the Password
10. If you are using p8admin to connect to CE, you need to retype the new password on the Process Engine Process Task Manager (PE PTM) Security tab and on the AE/XT PTM for component manager (General Tab).
11. To change the password for the ICMSupportOperations component properties file, change these passwords one by one:
11.1 CE_Operations–Advanced Tab–Change Password
11.2 ICM_SupportOperations–Advanced Tab–Change Password
11.3 RM_Operations–Advanced Tab–Change Password
11.4 RM_Workflowutil–Advanced Tab–Change Password
12. If p8admin is used for the JAAS credentials configuration of a component adaptor, you need to reenter the password.
Path: Login to WorkplaceXT-Tools-Administration-Process Configuration Console-Right Click on PE_1-Connect-Component Queues-Adaptor Tab-Change Password-Commit the Changes.
12.1 CE_Operations–Adaptor Tab–Change Password
12.2 ICM_SupportOperations–Adaptor Tab–Change Password
12.3 RM_Operations–Adaptor Tab–Change Password
12.4 RM_Workflowutil–Adaptor Tab–Change Password
12.5 WS_Request–Adaptor Tab–Change Password
13. Reboot the Application Server or machine.
14. Verify the Changes.
For details, see this IBM technote: http://www-01.ibm.com/support/docview.wss?uid=swg21442694.
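For the JBoss case in step 4, the account stored in login-config.xml can be compared with the Directory Service User value seen in FEM (step 3d) before any password is changed. The following Python script is an added example, not part of the original post or IBM's documentation; it assumes the file uses JBoss LDAP login-module options named bindDN and bindCredential, and the sample XML, host name and DNs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a JBoss login-config.xml; names and DNs are placeholders.
SAMPLE_LOGIN_CONFIG = """<policy>
  <application-policy name="FileNet">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
        <module-option name="java.naming.provider.url">ldap://dc.example.test:389</module-option>
        <module-option name="bindDN">CN=ce_service, OU=Service Accounts,DC=example,DC=test</module-option>
        <module-option name="bindCredential">placeholder-not-a-real-secret</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""


def normalize_dn(dn):
    """Lower-case a DN and trim whitespace around each RDN for comparison.
    Simplification: does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def bind_accounts(xml_text):
    """Return [(policy name, bindDN, credential_present)]; the password itself is never returned."""
    found = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("application-policy"):
        for module in policy.iter("login-module"):
            opts = {o.get("name"): (o.text or "").strip()
                    for o in module.findall("module-option")}
            if "bindDN" in opts:  # modules without a bind account are skipped
                found.append((policy.get("name"), opts["bindDN"],
                              bool(opts.get("bindCredential"))))
    return found


def check_against_fem(xml_text, fem_account_dn):
    """Compare each bindDN with the Directory Service User value seen in FEM (step 3d)."""
    wanted = normalize_dn(fem_account_dn)
    return {name: normalize_dn(dn) == wanted
            for name, dn, _ in bind_accounts(xml_text)}


if __name__ == "__main__":
    fem_value = "cn=ce_service,ou=Service Accounts,dc=example,dc=test"  # constructed
    for name, dn, has_cred in bind_accounts(SAMPLE_LOGIN_CONFIG):
        print(f"{name}: bindDN={dn} credential_present={has_cred}")
    print(check_against_fem(SAMPLE_LOGIN_CONFIG, fem_value))
```

A False result for a policy means the application server binds with a different account than the one FEM shows, so changing only one of them would leave the two components out of step.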
If the password change fails, you can revert as described here:
Connect to the GCD schema.
Revert the Active Directory (AD) bootstrap user password.
Stop the application server services.
select * from FNGCD order by 1;
select LAST_EPOCH_ID from FNGCD where EPOCH_ID=0;
UPDATE FNGCD SET EPOCH_ID=EPOCH_ID * -1 where EPOCH_ID=109;
Note: Change the EPOCH_ID value to match your environment.
Note: If your environment is on CPE 5.5.0, IBM does not allow changing the password for the bootstrap user account, because the workflow system is unable to start after the password is changed. For details, please review: https://www-01.ibm.com/support/docview.wss?uid=ibm10739669 . In a 5.5.1 environment you can easily change the bootstrap user’s password using ACCE.
Please advise users: do not change the password of the bootstrap user in CPE 5.5.0.
If the customer has already changed the password, there are two ways to recover:
a) Change the password of the bootstrap user back to its original value.
b) Upgrade CPE 5.5.0 to 5.5.1. In CPE 5.5.1, users are able to change the password of the bootstrap user using ACCE.