The Content Platform Engine application server uses the directory
service bind account (cpe_service_user) to bind to the directory server. You must
change the bind user credentials in the FileNet® domain
before you change the credentials in the directory server. If you do not, the FileNet system might become unrecoverable.
About this task
If a directory service group is assigned as a GCD administrator, ensure the existing and new user
accounts are active in the directory service used by the FileNet domain.
If the GCD administrator was not assigned through a group, and the directory service bind user and
the user account for the GCD administrator are the same, you must first create a group that includes
both the existing and new user. Then add the new group as a GCD
administrator by using the procedure in the topic Add or remove a GCD administrator.
These preparation steps are necessary because there must always be at least one GCD
administrator. For more information about the user or group to use as the GCD administrator, see the
entry for GCD administrator
(gcd_admin).
The gcd_admin credentials are stored in the Global Configuration Database (GCD) and can be
updated through the IBM Administration Console for Content Platform Engine. When you update these
credentials in the administration console, consider the following points:
- A maximum of ten minutes is needed to propagate the credentials update to all servers in a
cluster.
- No restart of the Content Platform Engine service is needed.
If a new GCD administrator was assigned, complete the remainder of this procedure using the newly
assigned user account.
Procedure
To change the Content Platform Engine bind user
password:
1. Find the directory server user name in Administration Console for Content Platform Engine.
   a. Log in to Administration Console for Content Platform Engine as GCD administrator gcd_admin.
   b. Click the domain, and then click the Directory Configuration tab.
   c. Select the row that represents the configuration parameters that point to the LDAP
      location where the bind user credentials must be changed.
   d. When the Directory Configuration property sheet opens, view the value for the directory server user name.
   e. Do not change anything yet. Leave the dialog box open while you complete step 2, step 3, and step 5.
2. Find the directory service user account. The steps depend on the deployment type:
   Container:
   - Locate the value for the directory service user account by viewing the value of
     ldapUsername in the secret that was given to the operator when the system was deployed. To
     find the secret name, examine the custom resource YAML file that was used to deploy
     into the Kubernetes cluster and note the value of the
     ldap_configuration.lc_bind_secret parameter. The value of ldapUsername must be the same
     value as you viewed in step 1.d.
   - Do not change anything yet. Leave the console open while you complete step 3.
   Traditional application server:
   - Log in to your application server console and locate the value for the directory service user
     account. The value must be the same value as you viewed in step 1.d.
   - Go to the authentication provider window that contains the ID and password for the directory
     service user account.
     - WebLogic: Find the value of the Principal field in the Authentication
       Provider for the WebLogic domain that contains Content Platform Engine.
     - WebSphere: Find the bind user account in the Profile that contains
       Content Platform Engine.
   - Do not change anything yet. Leave the console open while you complete step 3.
3. Change the password on your directory server.
   a. Log in to your directory server.
   b. Go to the location that contains the account for the directory service bind user.
   c. Change the password.
   d. Save and apply.
4. Change the directory server account password on Administration Console for Content Platform Engine.
   a. Return to Administration Console for Content Platform Engine.
   b. Change the password of the directory server account that you viewed in step 1.d.
      The new password must be the same password as in step 3.c.
   c. Save your changes.
5. Change the password for your deployment but do not restart. The steps depend on the deployment type:
   Container:
   - Change the user name and password of the directory service user account, also known as the bind
     account, by modifying the ldapUsername and ldapPassword values in the secret. The new password must
     be the same password as in step 3.c.
   - Save and apply.
   Traditional application server:
   - Return to your application server console.
   - Change the password of the directory service user account (also known as the bind account). The
     new password must be the same password as in step 3.c.
   - Save and apply.
6. Restart the deployment. The steps depend on the deployment type:
   Container:
   The deployment automatically restarts after the operator detects the changes to the secret. No
   manual restart of the deployment is necessary.
   The pod terminations and creation might take several minutes. You can monitor the status of your
   pods by using the command line:
   kubectl get pods -w -n <namespace>
   Traditional application server:
   Restart the application server.
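The container checks in step 2 and step 5, written out as an added example that is not part of the original procedure or of IBM's tooling. The function names, the KUBECTL override variable, the namespace argument and the sample custom resource fragment are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: read-only checks for the container steps of this procedure.
# Assumptions: function names, KUBECTL override, namespace, sample CR fragment.
KUBECTL=${KUBECTL:-kubectl}

# Print the lc_bind_secret value from the ldap_configuration block of CR file $1.
bind_secret_name() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[ \t]*(#|$)/ { next }                        # skip comments, blank lines
    /^ *ldap_configuration:/ { base = indent($0); inside = 1; next }
    inside && indent($0) <= base { inside = 0 }    # left the block
    inside && /^ *lc_bind_secret:/ {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+#.*$/, ""); print; exit
    }
  ' "$1" | tr -d "\"'\r"
}

# Decode one key of a secret. $1=secret name, $2=namespace, $3=key
secret_field() {
  "$KUBECTL" get secret "$1" -n "$2" -o "jsonpath={.data.$3}" | base64 -d
}

# Step 2: the secret's ldapUsername must equal the user name seen in step 1.d.
# $1=CR file, $2=namespace, $3=user name shown in the administration console
check_bind_user() {
  secret=$(bind_secret_name "$1")
  [ -n "$secret" ] || { echo "lc_bind_secret not found in $1" >&2; return 2; }
  [ "$(secret_field "$secret" "$2" ldapUsername)" = "$3" ]
}

# Step 5: the secret's ldapPassword must equal the password set in step 3.c.
# The expected password is read from stdin so it stays out of argv and history.
check_bind_password() {
  IFS= read -r expected
  [ "$(secret_field "$1" "$2" ldapPassword)" = "$expected" ]
}

# Constructed CR fragment (not a real deployment), used to exercise the parser.
cr=$(mktemp)
trap 'rm -f "$cr"' EXIT
cat > "$cr" <<'EOF'
spec:
  other_block:                  # constructed decoy, must be ignored
    lc_bind_secret: not-this-one
  ldap_configuration:
    # lc_bind_secret: old-secret
    lc_bind_secret: "ldap-bind-secret"   # constructed name
EOF
echo "bind secret: $(bind_secret_name "$cr")"
```

Run check_bind_user before step 3 and check_bind_password after step 5; both functions only read the secret and print neither credential.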
What to do next
If additional Content Platform Engine administrator accounts are the same as the directory
service bind user account, change those accounts after Content Platform Engine is restarted and
ready for service. Because the same account is used, the new password must be the same password as in
step 3.c. For more information, see these topics:
If other applications, such as IBM Content Navigator, use the object store administrator account
to connect to the FileNet P8 domain, review the documentation for those other applications to
determine what the impact of the changes described here might be.