When you change passwords, make sure to change them at the provider level and for the
authentication aliases that are mapped to the RunAs roles for applications provided by IBM® Business Process Manager.
Before you begin
This task uses the updateBPMAliasesAndRunAsRolesPasswords command, which is run using the AdminTask object of the wsadmin scripting client.
To run the command, the following prerequisites must be met:
- The command must be run on the deployment manager node.
- If the deployment manager is stopped, use the wsadmin -conntype none option to run the command in disconnected mode.
- If the deployment manager is running, you must connect with a user ID that has WebSphere Application Server configurator privileges. Do not use the wsadmin -conntype none option.
Start the wsadmin scripting client from the deployment_manager_profile/bin directory.
The updateBPMAliasesAndRunAsRolesPasswords command
does not write to a log file, but the wsadmin scripting client always
writes a profile_root/logs/wsadmin.traceout log
file where you will find exception stack traces and other information.
About this task
When you change the password for a user, user IDs that
are mapped to RunAs user roles also must be updated.
IBM Business Process Manager provides
the following applications that contain users that are mapped to the
RunAs roles:
- For Express, Standard, and Advanced deployment environments:
  - IBM_BPM_PerformanceDW_supportDeploymentTarget
  - IBM_BPM_Teamworks_applicationDeploymentTarget
- For Advanced and AdvancedOnly deployment environments:
  - BPEContainer__applicationDeploymentTarget
  - TaskContainer__applicationDeploymentTarget
Where the suffix is either the application cluster or the stand-alone server (for the IBM Business
Process Manager Express and IBM Integration
Designer Unit Test Environment (UTE)), and the
support cluster or stand-alone server: _clusterName or
_nodeName_serverName.
Note: The updateBPMAliasesAndRunAsRolesPasswords command
cannot be used to change passwords for the IBM BPM CellAdmin security
role that was specified as the default administrative account during
installation or for custom applications that are not provided by IBM
BPM.
Procedure
You can change passwords for any user that is stored in the file registry, including the
CellAdmin security role (as long as the CellAdmin user is still the same primary administrative
account that was specified as the default when IBM BPM was installed). To change passwords, complete
the following steps:
- Go to the external security provider and change the password for the user at the provider level. The following steps use WebSphere® Application Server as the provider:
  - Change the password in the WebSphere Application Server file registry by logging into the WebSphere Application Server admin console.
  - Click .
  - Select the user and enter the new password in the Password field on the General tab.
  - Click Apply and then click OK.
  - Save the changes.
- If you changed the password for the CellAdmin user, verify the new password by attempting to log
into the WebSphere admin console as the CellAdmin user.
The user for the CellAdmin role is also stored in an authentication alias, which by default is
named CellAdminAlias. If the BPMConfig command was used to create the IBM BPM
profiles, the default name of the authentication alias may have been changed by using the
bpm.cell.authenticationAlias.1.name property. If the
manageprofiles command was used to create the IBM BPM profiles, the default name
of the authentication alias may have been changed by using the optional
-adminAliasName parameter. To change the password for the CellAdmin user that
is stored in the authentication alias, complete the following steps:
- In the WebSphere admin console, select Security > Global Security > Java
Authentication and Authorization Service > J2C Authentication Data >
cell_admin_alias, then change the password to be the same as the
password that you specified for the CellAdmin user in the previous step.
- Verify the new password by starting the deployment manager and then running the following command:
  BPMConfig -validate -profile dmgrProfileName -de deName -outputDir _validate
  If the password was not set correctly, the BPMConfig command will fail to connect to the deployment manager.
If you changed the CellAdmin user password, you generally do not need to complete any
additional steps, such as running the updateBPMAliasesAndRunAsRolesPasswords
command to synchronize the passwords. However, if the factory default settings were changed and the
CellAdmin user is now referenced by IBM BPM applications, you need to run the
updateBPMAliasesAndRunAsRolesPasswords command by completing the steps below.
Similarly, if you changed the password for another user that is used by IBM BPM authentication
aliases or RunAs roles for IBM BPM applications, you need to run the
updateBPMAliasesAndRunAsRolesPasswords command by completing the following
steps.
- In an ND environment, stop the deployment manager. (In a stand-alone environment like IBM BPM
Express or the IBM Integration Designer unit test environment, stop the app server.)
- In the deployment manager profile bin folder (or in the AppServer profile
bin folder for IBM Business
Process Manager Express or the Integration Designer unit test environment), run the
updateBPMAliasesAndRunAsRolesPasswords wsadmin command to synchronize passwords
for authentication aliases or application RunAs roles.
The following example shows the command for a 3-cluster Advanced deployment
environment.
dmgr_profile_root/bin>wsadmin -conntype NONE -lang jython
wsadmin>AdminTask.updateBPMAliasesAndRunAsRolesPasswords( [ '-userName', user_name, '-password', new_password ] )
Processing: IBM_BPM_PerformanceDW_SupportCluster
Processing: IBM_BPM_Teamworks_AppCluster
Processing: BPEContainer_AppCluster
Processing: TaskContainer_AppCluster
wsadmin>AdminConfig.save()
The following example shows the command for a single-cluster Standard deployment
environment.
dmgr_profile_root/bin>wsadmin -conntype NONE -lang jython
wsadmin>AdminTask.updateBPMAliasesAndRunAsRolesPasswords( [ '-userName', user_name, '-password', new_password ] )
Processing: IBM_BPM_PerformanceDW_SingleCluster
Processing: IBM_BPM_Teamworks_SingleCluster
wsadmin>AdminConfig.save()
Additional information about the command is found in the topic
"updateBPMAliasesAndRunAsRolesPasswords command."
Important: On Linux, UNIX, or AIX® platforms, run the
updateBPMAliasesAndRunAsRolesPasswords wsadmin
command as the current owner of the BPM installation folder and files.
- In an ND environment, start the deployment manager and
synchronize your changes on the other nodes. (In a stand-alone environment
like IBM BPM Express or the IBM Integration Designer unit test environment,
start the app server.)
- In an ND environment, restart the application cluster members
and support cluster members.
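
The following check is an added example, not part of the IBM documentation or product: it compares the "Processing:" lines from a captured wsadmin session with the applications listed under "About this task", and confirms that AdminConfig.save() followed the last one. The function names and the sample transcript are constructed for illustration; application names follow the form shown in the example output above.

```python
import re

# Constructed sample: the 3-cluster Advanced session shown in the procedure,
# saved to a text file by the operator (no credentials are part of it).
SAMPLE = """wsadmin>AdminTask.updateBPMAliasesAndRunAsRolesPasswords( [ '-userName', user_name, '-password', new_password ] )
Processing: IBM_BPM_PerformanceDW_SupportCluster
Processing: IBM_BPM_Teamworks_AppCluster
Processing: BPEContainer_AppCluster
Processing: TaskContainer_AppCluster
wsadmin>AdminConfig.save()
"""

def expected_apps(de_type, app_target, support_target):
    """Applications with RunAs mappings, per the list in 'About this task'.

    app_target and support_target are the name suffixes: clusterName for a
    cluster, or nodeName_serverName for a stand-alone server.
    """
    names = []
    if de_type in ("Express", "Standard", "Advanced"):
        names.append("IBM_BPM_PerformanceDW_" + support_target)
        names.append("IBM_BPM_Teamworks_" + app_target)
    if de_type in ("Advanced", "AdvancedOnly"):
        names.append("BPEContainer_" + app_target)
        names.append("TaskContainer_" + app_target)
    if not names:
        raise ValueError("unknown deployment environment type: %r" % de_type)
    return names

def check_transcript(text, de_type, app_target, support_target):
    """Compare the 'Processing:' lines in a captured session with the expected set."""
    processed = re.findall(r"^Processing:\s*(\S+)\s*$", text, re.M)
    expected = expected_apps(de_type, app_target, support_target)
    last = text.rfind("Processing:")
    return {
        "missing": [n for n in expected if n not in processed],
        "unexpected": [n for n in processed if n not in expected],
        # Changes stay in the wsadmin workspace until AdminConfig.save() runs,
        # so the save must come after the last application was processed.
        "saved": last >= 0 and "AdminConfig.save()" in text[last:],
    }

if __name__ == "__main__":
    print(check_transcript(SAMPLE, "Advanced", "AppCluster", "SupportCluster"))
```

A non-empty "missing" list or "saved" set to False means an application may still hold the old password and the command should be rerun before the cluster members are restarted.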