IBM Cloud Orchestrator, Version 2.5

Changing the various passwords

Change the password for several different types of users in the IBM® Cloud Orchestrator environment.

Note:
  • During installation and upgrade, IBM Cloud Orchestrator passwords can contain only the following characters:
    a-z A-Z 0-9 ! ( ) - . _ ` ~ @
    Restriction: The passwords cannot contain spaces.
  • If you use external database support, contact your database administrator to change the password according to the external IBM DB2® configuration.
  • For information about how to change OpenStack passwords, see the documentation for your chosen OpenStack product; for example, see Changing passwords and secrets in the IBM Cloud Manager with OpenStack documentation.

Changing the bpm_admin and tw_admin passwords

The bpm_admin and tw_admin users are required by Business Process Manager for internal operations.

To change the bpm_admin password, complete the following steps:
  1. Log in to WebSphere® Application Server:
    https://$ico_server:9043/ibm/console/logon.jsp
  2. Expand Users and Groups, and click Manage Users.
  3. Select bpm_admin.
  4. In the User Properties panel, set the password, confirm it, and click Apply.
  5. On the IBM Cloud Orchestrator Server, change the configuration files as follows:
    1. Back up the configuration files:
      • /opt/ibm/ico/BPM/v8.5/profiles/DmgrProfile/properties/soap.client.props
      • /opt/ibm/ico/BPM/v8.5/profiles/Node1Profile/properties/soap.client.props
    2. Edit each of the soap.client.props files that are listed in step 5.a to find the com.ibm.SOAP.loginUserid=bpm_admin entry, and update the associated com.ibm.SOAP.loginPassword entry to specify the new password as plain text:
      com.ibm.SOAP.loginUserid=bpm_admin            
com.ibm.SOAP.loginPassword=new_bpm_admin_password
    3. Encrypt the password, by running the following commands:
      • /opt/ibm/ico/BPM/v8.5/bin/PropFilePasswordEncoder.sh 
/opt/ibm/ico/BPM/v8.5/profiles/DmgrProfile/properties/soap.client.props  
com.ibm.SOAP.loginPassword
      • /opt/ibm/ico/BPM/v8.5/bin/PropFilePasswordEncoder.sh 
/opt/ibm/ico/BPM/v8.5/profiles/Node1Profile/properties/soap.client.props  
com.ibm.SOAP.loginPassword
  6. Follow the additional configuration steps that are described in Changing IBM Business Process Manager passwords in the IBM Business Process Manager Knowledge Center.

To change the password of the tw_admin user, complete the same procedure as described for the bpm_admin user, but omit step 5 and step 6. Do not modify any soap.client.props files.

Changing the db2inst1 password

The db2inst1 password must be changed in the operating system where the IBM DB2 instance is installed, as follows:

  1. Log in to the IBM Cloud Orchestrator Server as the root user.
  2. Change the operating system password for the IBM DB2 database user db2inst1 by running the following command. After the command, you must enter the new password.
    passwd db2inst1

Changing the bpmuser password

The bpmuser user is the IBM DB2 user for Business Process Manager.

The bpmuser password must be changed in the operating system where the IBM DB2 instance is installed, and in the WebSphere Application Server console that is used by Business Process Manager.

  1. Update the bpmuser password in the operating system, as follows:
    1. Log in to the IBM Cloud Orchestrator Server as the root user.
    2. Change the operating-system password for the bpmuser database user:
      passwd bpmuser
  2. Update the password in WebSphere Application Server, as follows:
    1. Log in to the Business Process Manager WebSphere Application Server console as the bpm_admin user: 
      https://$ico_server:9043/ibm/console/logon.jsp
    2. Select Resources.
    3. Select JDBC.
    4. Select Data sources and click BPM Business Space data source.
    5. Click the option JAAS - J2C authentication data.
    6. Click BPM_DB_ALIAS, and insert the new password. Click Apply to validate the change.
    7. Repeat step 2.f for the CMN_DB_ALIAS and PDW_DB_ALIAS values.
    8. When prompted to save your changes, click Save directly to the master configuration.
    9. Test the DB connection by clicking Test connection and selecting BPM Business Space data source.
    10. Restart Business Process Manager.

    If you get errors while synchronizing the changes, log out and log in again, and try to modify the password again.

    For more information about updating passwords in WebSphere Application Server, see Updating the data source authentication alias.

Changing the IBM HTTP Server keystore password

The IBM HTTP Server keystore password is used for managing certificates. To replace the existing certificate, see Replacing the existing certificates. To change the password, perform the following procedure:
  1. Log in to the IBM Cloud Orchestrator Server as root.
  2. Change the keystore password:
    cd /opt/ibm/ico/HTTPServer/bin
./gskcmd -keydb -changepw -db key.kdb -new_pw <new_password> -pw <old_password>
Parent topic: Strengthening security