Fix Readme
Abstract
This document describes how to update the db2inst1, bpm_admin, or tw_admin passwords for IBM SmartCloud Orchestrator Version 2.3 including its fix packs.
Content
Changing the db2inst1 password
The db2inst1 and ksdb passwords must be changed in the operating system where the DB2 instance is installed and in the OpenStack configuration files.
Remember that db2inst1 is used for OpenStack and Workload Deployer database connections.
The following procedure uses “newpassw0rd” as the new password being set, and uses “passw0rd” as the old password.
- Change the db2inst1 and ksdb passwords in the operating system where DB2 is located. To change them, log on to the system as root and type each of the following commands, followed by its password:
- passwd db2inst1
- passwd ksdb
- Log in as root to all region servers. Change the OpenStack password for the database user IDs that are used by glance, nova, cinder and smartcloud to access the database. To find out the user IDs, use the following command:
egrep "gle|sce|cir|noa" /etc/passwd
Result:
gle20918:x:498:498::/home/gle20918:/bin/bash
noa20918:x:497:497::/home/noa20918:/bin/bash
sce20918:x:496:496::/home/sce20918:/bin/bash
cir20918:x:494:494::/home/cir20918:/bin/bash
Note: The trailing numbers for the user IDs will differ for each installation and must be adapted accordingly.
Change the password for all of the user IDs listed.
passwd gle20918
newpassw0rd
passwd cir20918
newpassw0rd
passwd sce20918
newpassw0rd
passwd noa20918
newpassw0rd
- Update the DB2-related password in the OpenStack configuration file. Complete the following substeps:
- Update the keystone configuration file on Central Server 2. To find the keystone configuration file, use the following command:
grep -Fnr connection /etc/keystone/keystone.conf
Example result:
28:connection = W0lCTTp2MV12b3pfcW9fZm46Ly94ZnFvOmNuZmZqMGVxQDE3Mi4xOS41LjE2MDo1MDAwMC9iY3JhZmducA==
- Decode the DB2 connect information. Based on the previous substep, use the following command:
openstack-obfuscate -u W0lCTTp2MV12b3pfcW9fZm46Ly94ZnFvOmNuZmZqMGVxQDE3Mi4xOS41LjE2MDo1MDAwMC9iY3JhZmducA==
Example result:
ibm_db_sa://ksdb:passw0rd@172.19.5.160:50000/openstac
- Encrypt the DB2 connect information with the new password. Based on the previous substep, use the following command:
openstack-obfuscate ibm_db_sa://ksdb:newpassw0rd@172.19.5.160:50000/openstac
Example result:
W0lCTTp2MV12b3pfcW9fZm46Ly94ZnFvOmFyamNuZmZqMGVxQDE3Mi4xOS41LjE2MDo1MDAwMC9iY3JhZmducA==
- Update the /etc/keystone/keystone.conf file by using the new obfuscated string in the line starting with "connection=" and comment out the previously active line.
For example, change the following line of code:
connection = W0lCTTp2MV12b3pfcW9fZm46Ly94ZnFvOmNuZmZqMGVxQDE3Mi4xOS41LjE2MDo1MDAwMC9iY3JhZmducA==
Change the previous line of code to the following code:
#connection = W0lCTTp2MV12b3pfcW9fZm46Ly94ZnFvOmNuZmZqMGVxQDE3Mi4xOS41LjE2MDo1MDAwMC9iY3JhZmducA==
connection = W0lCTTp2MV12b3pfcW9fZm46Ly94ZnFvOmFyamNuZmZqMGVxQDE3Mi4xOS41LjE2MDo1MDAwMC9iY3JhZmducA==
- Update the database connection line for the other OpenStack services glance, nova and cinder on all of the region servers in the corresponding OpenStack configuration files. Complete the following steps:
- For a non-shared DB2 Region, log into all of the region servers as root. Otherwise, log into the Central Server 1 as root.
- Find the configuration files and replace the DB2 connection information with the new password. Use the following command:
grep -Fnr sql_connection /etc
Example result:
/etc/nova/nova.conf:70:sql_connection= W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/nova/nova.conf:142:smartcloud_sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly9mcHIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/nova/smartcloud.conf:48:smartcloud_sql_connection=W0lCTTp2MV12b3pfcW9fZm46Ly9mcHIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/cinder/cinder.conf:17:sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly9wdmUyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/glance/glance-registry.conf:27:sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly90eXIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/glance/glance-api.conf:32:sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly90eXIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
Note: VMware regions list two extra lines for the smartcloud_sql_connection in the smartcloud.conf and in nova.conf files. These lines do not exist in the KVM Regions.
- Go through all of the connections, unobfuscate all of them, obfuscate them again with the new password, and edit the sql_connection line in the corresponding .conf file.
Note: Do not reuse any obfuscated connection strings from other connection strings that were created previously.
An example for the nova.conf file:
openstack-obfuscate -u W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
ibm_db_sa://noa20918:passw0rd@172.19.5.164:50000/openstac
Use the new password and obfuscate the string again.
openstack-obfuscate ibm_db_sa://noa20918:newpassw0rd@172.19.5.164:50000/openstac
W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
Update the /etc/nova/nova.conf file by using the new obfuscated string in the line starting with sql_connection= and comment out the previously used line.
Change the following line of code:
sql_connection= W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
Change the previous line of code to the following code:
#sql_connection= W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
sql_connection= W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
Repeat this step for all of the files and locations that were identified in substep b.
(nova.conf, smartcloud.conf, cinder.conf, glance-registry.conf and glance-api.conf files)
- Run the following command to verify that all of the files were changed and check whether two lines now exist per connection:
grep -Fnr sql_connection /etc
The following command results should show that the old connections are commented out and the new connection information exists:
/etc/nova/nova.conf:70:#sql_connection=W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/nova/nova.conf:71:sql_connection=W0lCTTp2MV12b3pfcW9fZm46Ly9hYm4yMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/nova/nova.conf:143:#smartcloud_sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly9mcHIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/nova/nova.conf:144:smartcloud_sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly9mcHIyMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/nova/smartcloud.conf:48:#smartcloud_sql_connection=W0lCTTp2MV12b3pfcW9fZm46Ly9mcHIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/nova/smartcloud.conf:49:smartcloud_sql_connection=W0lCTTp2MV12b3pfcW9fZm46Ly9mcHIyMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/cinder/cinder.conf:17:#sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly9wdmUyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/cinder/cinder.conf:18:sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly9wdmUyMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/glance/glance-registry.conf:27:#sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly90eXIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/glance/glance-registry.conf:28:sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly90eXIyMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/glance/glance-api.conf:32:#sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly90eXIyMDkxODpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
/etc/glance/glance-api.conf:33:sql_connection = W0lCTTp2MV12b3pfcW9fZm46Ly90eXIyMDkxODphcmpjbmZmajBlcUAxNzIuMTkuNS4xNjQ6NTAwMDAvYmNyYWZnbnA=
- Restart all OpenStack services on Central Server 1. See the following commands:
/iaas/scorchestrator/SCOrchestrator.py --stop -p openstack
/iaas/scorchestrator/SCOrchestrator.py --start -p openstack
- Change the db2inst1 password on IBM Workload Deployer using the following steps:
- Log into Central Server 4 as the root user and create a new password. For example:
echo "password=newpassw0rd" > /tmp/password
/opt/ibm/BPM/v8.5/bin/PropFilePasswordEncoder.sh /tmp/password password
cat /tmp/password
password={xor}MTooLz4sLChvLTs=
- Log into Central Server 3 as the root user.
- Back up the /etc/rc.d/init.d/iwd-env file on Central Server 3.
- Run the following command on Central Server 3:
service iwd setdb2host $DB2_HOST_ADDRESS $DB2_HOST_PORT $DB2_USER $DB2_PASS
For example:
service iwd setdb2host 172.19.5.160 50000 db2inst1 newpassw0rd
- Comment out the DB2_PASS parameter line in the /etc/rc.d/init.d/iwd-env file that contains the previously used password and add a new line with the new password.
Note: The DB2_PASS value must be an encrypted password for the DB2 user, db2inst1, as it was generated in substep a.
For example:
export JAVA_HOME='/opt/ibm/java-i386-60/jre'
export DB2_HOST_ADDRESS='172.19.5.160'
export DB2_HOST_PORT='50000'
export DB2_USER='db2inst1'
export IS_DERBY_DISABLED=true
#export DB2_PASS='<xor>Lz4sLChvLTs='
export DB2_PASS='<xor>MTooLz4sLChvLTs='
- Restart Central Server 3.
- Restart IBM SmartCloud Orchestrator on Central Server 1 by running the following commands:
/iaas/scorchestrator/SCOrchestrator.py --stop
/iaas/scorchestrator/SCOrchestrator.py --start
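The verification substep above (running grep -Fnr sql_connection /etc and checking that two lines exist per connection) can be automated. The following script is an added example, not part of the original technote or of IBM SmartCloud Orchestrator; the names check_rotation, sample_good and sample_bad and the placeholder strings are hypothetical. It assumes that the note about not reusing obfuscated strings means a new string must not appear under two different old strings.

```shell
#!/bin/sh
# Added example: audit `grep -Fnr sql_connection /etc` output after rotation.
# Reads "path:lineno:[#]key = value" lines on stdin; exit status 1 on any finding.
check_rotation() {
  awk '
  {
    p = index($0, ":"); path = substr($0, 1, p - 1)      # file path
    rest = substr($0, p + 1); body = substr(rest, index(rest, ":") + 1)
    commented = (body ~ /^[ \t]*#/)
    sub(/^[ \t]*#?[ \t]*/, "", body)
    e = index(body, "="); if (e == 0) next               # not a key=value line
    key = substr(body, 1, e - 1); val = substr(body, e + 1)
    gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
    id = path ":" key; seen[id] = 1
    if (commented) { old[id] = val; nold[id]++ } else { cur[id] = val; ncur[id]++ }
  }
  END {
    bad = 0
    for (id in seen) {
      if (ncur[id] != 1 || nold[id] != 1) {
        printf "FAIL %s: %d active, %d commented (expected 1 and 1)\n", id, ncur[id], nold[id]
        bad = 1; continue
      }
      if (cur[id] == old[id]) { print "FAIL " id ": active string unchanged"; bad = 1 }
      # A new string seen under a different old string was copied across users.
      if ((cur[id] in from) && from[cur[id]] != old[id]) {
        print "FAIL " id ": active string reused from another connection"; bad = 1
      }
      from[cur[id]] = old[id]
    }
    exit bad
  }'
}

# Constructed sample input (placeholder strings, not real obfuscated values).
sample_good() { cat <<'EOF'
/etc/nova/nova.conf:70:#sql_connection= OLDnoa=
/etc/nova/nova.conf:71:sql_connection= NEWnoa=
/etc/cinder/cinder.conf:17:#sql_connection = OLDcir=
/etc/cinder/cinder.conf:18:sql_connection = NEWcir=
/etc/glance/glance-api.conf:32:#sql_connection = OLDgle=
/etc/glance/glance-api.conf:33:sql_connection = NEWgle=
/etc/glance/glance-registry.conf:27:#sql_connection = OLDgle=
/etc/glance/glance-registry.conf:28:sql_connection = NEWgle=
EOF
}
# Same input, but cinder was pasted from nova and glance-api was never updated.
sample_bad() { sample_good | sed -e 's/NEWcir=/NEWnoa=/' -e '/glance-api.conf:33:/d'; }

if sample_good | check_rotation; then echo "rotation complete"; fi
```

On a region server, feed it the real output: grep -Fnr sql_connection /etc | check_rotation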
Changing the bpm_admin and tw_admin passwords
To change the bpm_admin password, complete the following steps through WebSphere Application Server:
- Log into https://$central-server4:9043/ibm/console/logon.jsp
- Select Users and Groups.
- Select bpm_admin.
- In the User Properties panel, set the password, confirm it, and click Apply.
- On Central Server 4, create a backup copy of the following files:
- /opt/ibm/BPM/v8.5/profiles/deployment_manager_profile/properties/soap.client.props
- /opt/ibm/BPM/v8.5/profiles/node_1_profile/properties/soap.client.props
- Edit each of the soap.client.props files that are listed in the previous step. Find the com.ibm.SOAP.loginUserid=bpm_admin entry and update the associated com.ibm.SOAP.loginPassword entry to specify the new password as plain text.
For example:
com.ibm.SOAP.loginUserid=bpm_admin
com.ibm.SOAP.loginPassword=<type the new bpm_admin password here>
- Encrypt the password by running the following two commands:
- /opt/ibm/BPM/v8.5/bin/PropFilePasswordEncoder.sh /opt/ibm/BPM/v8.5/profiles/deployment_manager_profile/properties/soap.client.props com.ibm.SOAP.loginPassword
- /opt/ibm/BPM/v8.5/bin/PropFilePasswordEncoder.sh /opt/ibm/BPM/v8.5/profiles/node_1_profile/properties/soap.client.props com.ibm.SOAP.loginPassword
- Follow the additional configuration steps that are described in the IBM Business Process Manager documentation.
To change the tw_admin password, run the same procedure.
Document Information
Modified date: 17 June 2018
UID: swg21686661