Before you begin upgrading to IBM Cloud Orchestrator 220.127.116.11, the passwords stored in the deployment service environment must match those of the users in your IBM Cloud Orchestrator environment. The upgrade process will fail if this condition is not met. This blog entry describes how to use a new script, provided with IBM Cloud Orchestrator v18.104.22.168, to ensure that this condition is met.
Note: If any of the following rules are not met, make appropriate password changes to comply with these rules. This should be done before continuing with the upgrade process.
- Passwords can consist of the following characters: [a-z], [A-Z], [0-9] and _.
- Passwords of the following users and keystore must be the same:
  - The IBM Cloud Orchestrator administrator (admin).
  - The OpenStack service users.
  - The Business Process Manager DB user (bpmuser).
  - The Business Process Manager administrator (bpm_admin).
  - IBM HTTP Server keystore (key.kdb).

  Note: This password is used for the OrchestratorPassword parameter during the upgrade process. Depending on the template you have used, this password is also used by some other parameters.
- Passwords of the following DB2 users must be the same:
  - DB2 administrator (db2das1).
  - DB2 fenced user (db2fenc1).
  - DB2 instance user (db2inst1).

  Note: This password is used for the WorkloadDeployerDBPassword parameter during the upgrade process.
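The character rule above can be checked locally before any password is changed. The following script is an added example, not part of the IBM Cloud Orchestrator tooling; the function names and the --interactive switch are hypothetical, and only the two parameter names come from the notes above.

```shell
#!/bin/sh
# Added example: local pre-check of the two upgrade passwords against the
# character rule above. Function names are hypothetical, not part of ICO.

# pw_rule_ok PASSWORD: succeeds only for a non-empty string of [a-zA-Z0-9_].
# The body is a subshell so the LC_ALL change stays local; the C locale
# keeps the bracket ranges byte-exact (other locales can widen [a-z]).
pw_rule_ok() (
    LC_ALL=C
    case $1 in
        '' | *[!a-zA-Z0-9_]*) exit 1 ;;
    esac
    exit 0
)

# pw_bad_chars PASSWORD: prints only the characters that break the rule,
# so the operator sees what to change without the password being echoed.
pw_bad_chars() {
    printf '%s' "$1" | LC_ALL=C tr -d 'a-zA-Z0-9_'
}

# read_secret PROMPT: reads one line from the terminal with echo disabled
# and leaves it in $SECRET.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r SECRET
    stty echo 2>/dev/null
    printf '\n' >&2
}

# check_param NAME PASSWORD: one result line per upgrade parameter.
check_param() {
    if pw_rule_ok "$2"; then
        printf '%s: OK\n' "$1"
    else
        printf '%s: FAIL (disallowed: "%s")\n' "$1" "$(pw_bad_chars "$2")"
        return 1
    fi
}

# Interactive use (hypothetical file name): sh pwcheck.sh --interactive
if [ "${1:-}" = "--interactive" ]; then
    read_secret 'OrchestratorPassword';       check_param OrchestratorPassword "$SECRET"
    read_secret 'WorkloadDeployerDBPassword'; check_param WorkloadDeployerDBPassword "$SECRET"
fi
```

The passwords are read from the terminal rather than passed as arguments, so they do not appear in the shell history or the process list.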
- Located at /opt/<ico_install_2404>/installer/tools on the deployment server.
- upgradePre-ReqCheck.sh – used to validate whether the passwords in the deployment service environment match those of the users in your IBM Cloud Orchestrator environment prior to starting the upgrade. Additionally, this script validates whether the passwords comply with the password rules mentioned above. In the case of a password mismatch, this script can also be used to update the passwords in the deployment service environment. Note that this script is not used to change passwords in the IBM Cloud Orchestrator environment.
- passwords.sh – used to change passwords in your IBM Cloud Orchestrator environment. This script can only be used in environments where existing passwords consist of [a-z], [A-Z], [0-9] and _.
- Ensure that the ds job-list command shows a list of the deployment jobs, including the job used in the Central Server installation. If any job in the list is in the ERROR status, you must remove it.
- Ensure that the nologin feature is not enabled for users in the IBM Cloud Orchestrator environment by following the steps in the Security Hardening Guide.
- Ensure that users in the IBM Cloud Orchestrator environment are unlocked and available for login.
- Log on to the deployment server and create a temporary directory such as ~/tools.
- Navigate to the /opt/<ico_install_2404>/installer/tools directory and copy its contents to ~/tools.
- If running as a non-root user, ensure that this user has adequate permissions to execute upgradePre-ReqCheck.sh and passwords.sh.
- On the deployment server, navigate to the ~/tools folder created under the ‘Prerequisites’ section above.
- Validate root user passwords by running the following command:
./upgradePre-ReqCheck.sh validate rootusers
In the case of a mismatch, you will be prompted for the current password. Enter the current password for the validation to continue.
Once all root users are validated, you will see this message:
- Validate all user passwords by running the following command:
Users with mismatched passwords will be listed at the end of running this command. Update the reported user’s password using step 4 below. Once the password has been updated, return to this step to continue validation.
If all users pass validation, you will see this message:
- Update mismatched passwords on the deployment server by running the following command:
In the case of a mismatch, you will be prompted for the current password as below. Enter the current password for the password update to continue.
- Upgrade the deployment service by following the ‘Upgrading the Deployment Service’ section in the ICO 22.214.171.124 product documentation.
- If the root user password of any IBM Cloud Orchestrator node was changed after the original IBM Cloud Orchestrator installation, update the node registration in the Deployment Service database by following the steps in the ‘Replacing passwords for the nodes stored in the Deployment Service database’ section in the ICO 126.96.36.199 product documentation.
- To identify the password parameters used in environment mapping, as they were defined in the deployment job templates, and update them in the deployment service database, follow the steps in the ‘Replacing passwords used in environment mapping in the Deployment Service database’ section in the ICO 188.8.131.52 product documentation.
- Log on to the primary and secondary Central Server 2 (if ICO was migrated from v2.3 to v2.4, then log on to Central Server 4 instead of Central Server 2).
- On both servers, verify that you can access the keystore with the current IBM Cloud Orchestrator admin password by running the following command (on one line):
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/HTTPServer/bin/key.kdb -pw <myICOadminPassword>
- If the keystore is not accessible with the latest password, change the keystore password by running the following command (on one line):
/opt/IBM/HTTPServer/bin/gskcmd -keydb -changepw -db /opt/IBM/HTTPServer/bin/key.kdb -pw <old_password> -new_pw <myICOadminPassword>
where <old_password> is passw0rd if it was not modified from the original installation, and <myICOadminPassword> is the current IBM Cloud Orchestrator password.
- Clean up the files in the /opt/ibm/BPM/ico/tmp directory.
- Run the following command to revalidate all users:
- Remove the upgradePre-ReqCheck.sh-backup working directory and the upgradePre-ReqCheck.sh-log.log file from the ~/tools folder.
- Continue with the upgrade steps in the ‘Upgrading the deployed IBM Cloud Orchestrator environment’ section in the ICO 184.108.40.206 product documentation. If upgrading from v2.3.0.x, continue with upgrade steps in the ‘About this task’ section in the ICO 220.127.116.11 product documentation.