Update directory service bind user credentials

The Content Platform Engine application server uses the directory service bind account (cpe_service_user) to bind to the directory server. You must change the bind user credentials in the FileNet® domain before you change the credentials in the directory server. If you do not, the FileNet system might become unrecoverable.

About this task

If a directory service group is assigned as a GCD administrator, ensure that both the existing and the new user accounts are active in the directory service that the FileNet domain uses.

If the GCD administrator is an individual user rather than a group, and that user is also the directory service bind user, you must first create a group that contains both the existing user and the new user. Then add the new group as a GCD administrator by using the procedure in the topic Add or remove a GCD administrator.

These preparation steps are necessary because there must always be at least one GCD administrator. For more information about the user or group to use as the GCD administrator, see the entry for GCD administrator (gcd_admin).

The gcd_admin credentials are stored in the Global Configuration Database (GCD) and can be updated through the IBM Administration Console for Content Platform Engine. When you update these credentials in the administration console, consider the following points:

  • A maximum of ten minutes is needed to propagate the credentials update to all servers in a cluster.
  • No restart of the Content Platform Engine service is needed.

If a new GCD administrator was assigned, complete the remainder of this procedure using the newly assigned user account.

Procedure

To change the Content Platform Engine bind user password:

  1. Find the directory server user name in Administration Console for Content Platform Engine.
    1. Log in to Administration Console for Content Platform Engine as GCD administrator gcd_admin.
    2. Click the domain, and then click the Directory Configuration tab.
    3. Select the row that represents the configuration parameters that point to the LDAP location where the bind user credentials must be changed.
    4. When the Directory Configuration property sheet opens, view the value for the directory server user name.
    5. Do not change anything yet. Leave the dialog box open while you complete step 2 and step 3; you return to it in step 4.
  2. Find the directory service user account. The steps depend on your deployment type:
    Container:
    1. Locate the directory service user account by viewing the value of ldapUsername in the secret that was given to the operator when the system was deployed. To find the secret name, open the custom resource YAML file that was used to deploy into the Kubernetes cluster and note the value of the ldap_configuration.lc_bind_secret parameter.

      The value must be the same value as you viewed in step 1.d.

    2. Do not change anything yet. Leave the console open while you complete step 3.
    Traditional application server:
    1. Log in to your application server console and locate the value for the directory service user account. The value must be the same value as you viewed in step 1.d.
    2. Go to the authentication provider window that contains the ID and password for the directory service user account.
      • WebLogic: Find the value of the Principal field in the Authentication Provider for the WebLogic domain that contains Content Platform Engine.
      • WebSphere: Find the bind user account in the Profile that contains Content Platform Engine.
    3. Do not change anything yet. Leave the console open while you complete step 3.
  3. Change the password on your directory server.
    1. Log in to your directory server.
    2. Go to the location that contains the account for the directory service bind user.
    3. Change the password.
    4. Save and apply.
  4. Change the directory server account password on Administration Console for Content Platform Engine.
    1. Return to Administration Console for Content Platform Engine.
    2. Change the password of the directory server account that you viewed in step 1.d.
      The new password must be the same password as in step 3.c.
    3. Save your changes.
  5. Change the password for your deployment, but do not restart it yet. The steps depend on your deployment type:
    Container:
    1. Change the password of the directory service user account (also known as the bind account) by updating the ldapPassword value in the secret. The ldapUsername value stays as it is unless the account itself changed. The new password must be the same password as in step 3.c.
    2. Save and apply.
    Traditional application server:
    1. Return to your application server console.
    2. Change the password of the directory service user account (also known as the bind account). The new password must be the same password as in step 3.c.
    3. Save and apply.
  6. Restart the deployment. The steps depend on your deployment type:
    Container:

    The deployment automatically restarts after the operator detects the changes to the secret. No manual restart of the deployment is necessary.

    The pod terminations and creation might take several minutes. You can monitor the status of your pods from the command line:

    kubectl get pods -w -n <namespace>

    Traditional application server:

    Restart the application server.
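The following script is an added example for the container deployment type; it is not IBM's code and is not part of the original procedure. It carries out steps 2, 5 and 6 above with kubectl (reading the secret name from ldap_configuration.lc_bind_secret, checking that ldapUsername matches the console value, patching ldapPassword, and watching the pods restart) and adds one check a practitioner wants before the secret is touched: an ldapwhoami bind with the new password, so that a typo in step 3 or step 5 cannot take the platform down on the automatic restart. Everything not named on this page is an assumption: the CR is a YAML file on disk, the bind secret holds the keys ldapUsername and ldapPassword, ldapUsername is a DN that ldapwhoami accepts with -D, the LDAP URL is a placeholder, and kubectl plus the OpenLDAP client tools are on PATH.

```shell
#!/bin/sh
# Added example, not IBM's code. Automates the container-deployment steps of
# the bind password change and verifies the new password binds before the
# secret is patched. Assumptions (not from the page): CR on disk as YAML,
# secret keys ldapUsername/ldapPassword, ldapUsername usable as a bind DN,
# kubectl and ldapwhoami on PATH.
set -eu

# Step 2: read ldap_configuration.lc_bind_secret from the CR YAML file ($1).
# Assumes the key sits on its own line as "lc_bind_secret: <name>", quoted or
# not; prints the secret name (empty if absent).
secret_name_from_cr() {
  sed -n 's/^[[:space:]]*lc_bind_secret:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Step 2 check: $1 is the base64 ldapUsername value from the secret, $2 the
# directory server user name shown in the console (step 1.d). 0 on match.
username_matches() {
  [ "$(printf '%s' "$1" | base64 -d)" = "$2" ]
}

# Minimal JSON string escaping for the patch body (backslash and double quote;
# control characters inside a password are not handled here).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Step 5: strategic-merge patch setting ldapUsername ($1) and ldapPassword ($2).
# stringData is used so that kubectl performs the base64 encoding.
bind_secret_patch() {
  printf '{"stringData":{"ldapUsername":"%s","ldapPassword":"%s"}}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Steps 2, 5 and 6 chained. Step 3 (directory server) and step 4 (admin
# console) must already be done by hand. Arguments: CR file, namespace,
# console user name (bind DN), LDAP URL such as ldaps://ldap.example.com.
# The new password is read from the first line of stdin, not from argv.
rotate_bind_secret() {
  cr_file=$1; ns=$2; console_user=$3; ldap_url=$4
  IFS= read -r new_pw

  secret=$(secret_name_from_cr "$cr_file")
  [ -n "$secret" ] || { echo "lc_bind_secret not found in $cr_file" >&2; return 1; }

  current=$(kubectl get secret "$secret" -n "$ns" -o jsonpath='{.data.ldapUsername}')
  username_matches "$current" "$console_user" || {
    echo "ldapUsername in secret $secret differs from the console value; stopping" >&2
    return 1
  }

  # Prove that the step 3 password really binds before the secret changes.
  # The password is handed to ldapwhoami through a 0600 file (-y) so that it
  # does not appear in the process list.
  pwfile=$(mktemp)
  trap 'rm -f "$pwfile"' EXIT
  chmod 600 "$pwfile"
  printf '%s' "$new_pw" > "$pwfile"
  ldapwhoami -H "$ldap_url" -x -D "$console_user" -y "$pwfile" > /dev/null

  kubectl patch secret "$secret" -n "$ns" -p "$(bind_secret_patch "$console_user" "$new_pw")"

  # Step 6: the operator restarts the pods itself; watch them come back.
  kubectl get pods -w -n "$ns"
}

# Usage: sh rotate_bind.sh rotate <cr.yaml> <namespace> <bind DN> <ldap URL> < newpw.txt
if [ "${1:-}" = "rotate" ]; then
  rotate_bind_secret "$2" "$3" "$4" "$5"
fi
```

If the ldapwhoami bind fails, the script stops before kubectl patch runs and the secret, and therefore the running pods, are left untouched; that is the point of ordering the check first. The kubectl get pods -w call at the end is the same monitoring command the procedure gives for step 6 and can be interrupted once all pods report Running.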

What to do next

If additional Content Platform Engine administrator accounts are the same as the directory service bind user account, those must be changed after the Content Platform Engine is restarted and ready for service. As the same account was used, the new password must be the same password as in step 3.c. For more information, see these topics:

If other applications, such as IBM Content Navigator, use the object store administrator account to connect to the FileNet P8 domain, review the documentation for those other applications to determine what the impact of the changes described here might be.