Update directory service bind user credentials

You must change the bind user credentials in the FileNet® domain before you change the credentials in the directory server. If you do not, the FileNet system might become unrecoverable.

About this task

The Content Platform Engine does not implement its own authentication module to access the directory service. Instead, it uses the Java™ 2 Enterprise Edition (Java EE) application server's authentication mechanism. To update the bind user credentials for the authentication providers that your application server supports, see the documentation for your chosen application server type.

If a directory service group is assigned as a GCD administrator, ensure that both the existing and the new user accounts are active in the directory service that the FileNet domain uses.

If the GCD administrator was assigned as an individual user rather than as a group, and the directory service bind user is the same account as the GCD administrator, you must first create a group that contains both the existing and the new user. Then add that group as a GCD administrator by using the procedure in the topic Add or remove a GCD administrator.

These preparation steps are necessary because there must always be at least one GCD administrator. For more information about the user or group to use as the GCD administrator, see the entry for GCD administrator (gcd_admin).

The gcd_admin credentials are stored in the Global Configuration Database (GCD) and can be updated through the IBM Administration Console for Content Platform Engine. When you update these credentials in the administration console, consider the following points:

  • Up to ten minutes might be needed to propagate the credentials update to all servers in a cluster.
  • No restart of the Content Platform Engine service is needed.

If a new GCD administrator was assigned, complete the remainder of this procedure using the newly assigned user account.

An LDAP-based directory service uses an LDAP bind to authenticate against the LDAP directory. The SCIM directory service instead uses either HTTP basic authentication or bearer token authentication (BTA), depending on which the SCIM directory supports.

Updating bind user credentials for a directory service using basic authentication

You can update the bind user credentials for directory services that use basic authentication.

Procedure

To change the Content Platform Engine bind user password for your directory service:

  1. Find the directory server bind credentials in Administration Console for Content Platform Engine.
    1. Log in to Administration Console for Content Platform Engine as GCD administrator gcd_admin.
    2. Click the domain, and then click the Directory Configuration tab.
    3. Select the row that represents the configuration parameters that point to the directory service location where the bind user credentials must be changed.
    4. When the Directory Configuration property sheet opens, view the value for the directory server credentials.
    5. Do not change anything yet. Leave the dialog box open while you complete step 2, step 3, and step 5.
  2. Locate the value for the directory service user account:
    Container using LDAP:
      1. Locate the value for the directory service user account by viewing the value of ldapUsername in the secret that was given to the operator when the system was deployed. To find the secret name, open the custom resource YAML file that was used to deploy into the Kubernetes cluster and note the value of the ldap_configuration.lc_bind_secret parameter.
        The value must be the same value as you viewed in step 1.d.
      2. Do not change anything yet. Leave the console open while you complete step 3.
    Container using SCIM:
      1. Locate the value for the directory service user account by viewing the value of scimUsername in the secret that was given to the operator when the system was deployed. To find the secret name, open the custom resource YAML file that was used to deploy into the Kubernetes cluster and note the value of the scim_configuration.scim_secret_name parameter.
        The value must be the same value as you viewed in step 1.d.
        If scim_configuration.scim_secret_name is not specified in the custom resource, the default secret name is ibm-scim-secret.
      2. Do not change anything yet. Leave the console open while you complete step 3.
    Traditional application server:
      1. Log in to your application server console and locate the value for the directory service user account. The value must be the same value as you viewed in step 1.d.
      2. Go to the authentication provider window that contains the ID and password for the directory service user account.
        • WebLogic: Find the value of the Principal field in the Authentication Provider for the WebLogic domain that contains Content Platform Engine.
        • WebSphere: Find the bind user account in the Profile that contains Content Platform Engine.
      3. Do not change anything yet. Leave the console open while you complete step 3.
  3. Change the password on your directory server.
    1. Log in to your directory server.
    2. Go to the location that contains the account for the directory service bind user.
    3. Change the password.
    4. Save and apply.
  4. Change the directory server account password on Administration Console for Content Platform Engine.
    1. Return to Administration Console for Content Platform Engine.
    2. Change the password of the directory server account that you viewed in step 1.d.
      The new password must be the same password as in step 3.c.
    3. Save your changes.
      The Content Platform Engine attempts to connect to the directory service to verify the new credentials. If the credentials are incorrect, you get an error when you save the changes. Verify the credentials and try again until it succeeds.
  5. Change the password for your deployment but do not restart.
    Container using LDAP:
      1. Change the user name and password of the directory service user account, also known as the bind account, by modifying the ldapUsername and ldapPassword values in the secret. The new password must be the same password as in step 3.c.
      2. Save and apply.
    Container using SCIM:
      1. Change the user name and password of the directory service user account, also known as the bind account, by modifying the scimUsername and scimPassword values in the secret. The new password must be the same password as in step 3.c.
      2. Save and apply.
    Traditional application server:
      1. Return to your application server console.
      2. Change the password of the directory service user account (also known as the bind account). The new password must be the same password as in step 3.c.
      3. Save and apply.
  6. Restart the deployment.
    Container:
      The deployment restarts automatically after the operator detects the changes to the secret. No manual restart of the deployment is necessary.
      Pod termination and creation might take several minutes. You can monitor the status of your pods from the command line:
      kubectl get pods -w -n <namespace>
    Traditional application server:
      Restart the application server.

What to do next

If additional Content Platform Engine administrator accounts use the same account as the directory service bind user, those accounts must also be updated after the Content Platform Engine is restarted and ready for service. Because the same account is used, the new password must be the same password as in step 3.c. For more information, see these topics:

If other applications, such as IBM Content Navigator, use the object store administrator account to connect to the FileNet P8 domain, review the documentation for those other applications to determine what the impact of the changes described here might be.

Updating bind user credentials for directory services using bearer token authentication

You can update the bind user credentials for SCIM directory services that use bearer token authentication.

About this task

The Content Platform Engine examines the SCIM Authentication URL property and determines whether basic or bearer token authentication is used. The SCIM Authentication URL property is the OAuth token endpoint that is used with the client_credentials grant to obtain an OAuth token and is required for bearer token authentication. If the property is populated, then bearer token authentication is used. Otherwise, the Content Platform Engine assumes that basic authentication is used.

Procedure

To change the Content Platform Engine client_id and client_secret for your directory service:

  1. Using the SCIM interface, obtain a new client_id and client_secret from your identity provider.
  2. Find the directory server bind credentials in Administration Console for Content Platform Engine.
    1. Log in to Administration Console for Content Platform Engine as GCD administrator gcd_admin.
    2. Click the domain, and then click the Directory Configuration tab.
    3. Select the row that represents the configuration parameters that point to the directory service location where the bind user credentials must be changed.
    4. When the Directory Configuration property sheet opens, view the value for the directory server credentials.
    5. Do not change anything yet. Leave the dialog box open while you complete step 3.
  3. Update the client_id and client_secret in the Content Platform Engine SCIM directory configuration.
    For more information, see the topic Overview (SCIM Directory).
    The Content Platform Engine attempts to connect to the directory service to verify the new credentials. If the credentials are incorrect, you get an error when you save the changes. Verify the client_id and client_secret values and try again until it succeeds.
  4. Restart the deployment.
    Container:
      The deployment restarts automatically after the operator detects the changes to the secret. No manual restart of the deployment is necessary.
      Pod termination and creation might take several minutes. You can monitor the status of your pods from the command line:
      kubectl get pods -w -n <namespace>
    Traditional application server:
      Restart the application server.
  5. For container deployments, update the value for ibm-scim-secret.
    In container deployments, the directory service provider credentials are also stored in a secret called ibm-scim-secret. After you change the credentials in the P8 domain directory service provider configuration, update the ibm-scim-secret with the new values in the Kubernetes namespace where the FNCM container is deployed. For more information, see the topic Managing secrets for SCIM providers.
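The following shell helpers are an added example and are not part of the IBM documentation or of the FNCM operator. They cover the container rows of both procedures above: reading the secret name from the custom resource YAML and comparing the stored user name with the console value from step 1.d (step 2 of the basic authentication procedure), and replacing the user name and password in the secret so that the operator restarts the deployment (step 5 of the basic authentication procedure and step 5 of the bearer token procedure). The key names ldapUsername/ldapPassword and scimUsername/scimPassword, the parameters ldap_configuration.lc_bind_secret and scim_configuration.scim_secret_name, and the default name ibm-scim-secret are taken from this page; the function names, the sample YAML layout, and the use of kubectl patch with stringData are this example's own choices, not a documented product interface. The page does not give the key names that ibm-scim-secret uses for client_id and client_secret, so the functions take key names as parameters instead of assuming them.

```shell
#!/bin/sh
# Added example; not part of the IBM documentation or the FNCM operator.
# Assumptions: key names as given on the documentation page, GNU coreutils base64,
# and kubectl already logged in to the cluster. Nothing here contacts a cluster
# unless current_secret_value or rotate_bind_secret is called explicitly.

# Step 2: extract the secret name from the custom resource YAML read on stdin.
#   $1 = YAML key (lc_bind_secret or scim_secret_name)
#   $2 = default when the key is absent (ibm-scim-secret for SCIM, per the page)
# Assumes the key is written on its own line as "key: value", quotes optional.
cr_secret_name() {
  _cr_name=$(sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*\$/\1/p" | head -n 1)
  printf '%s\n' "${_cr_name:-$2}"
}

# Step 2: decode one key of the secret so it can be compared with step 1.d.
#   $1 = namespace, $2 = secret name, $3 = key (for example ldapUsername)
current_secret_value() {
  kubectl get secret "$2" -n "$1" -o "jsonpath={.data.$3}" | base64 -d
}

# Escape backslash and double quote so the password cannot break the JSON patch.
# Passwords that contain control characters (newline, tab) need fuller escaping.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Step 5: build a merge patch for both keys. stringData lets the API server do
# the base64 encoding, so the new values are never encoded by hand (a hand-encoded
# value with a trailing newline is a classic cause of a failing bind).
#   $1 = user key, $2 = new user name, $3 = password key, $4 = new password
secret_patch() {
  printf '{"stringData":{"%s":"%s","%s":"%s"}}' \
    "$1" "$(json_escape "$2")" "$3" "$(json_escape "$4")"
}

# Steps 5 and 6: apply the patch, then watch the operator recreate the pods using
# the monitoring command from the page. Only runs when called explicitly.
#   $1 = namespace, $2 = secret name, $3 = user key, $4 = new user name,
#   $5 = password key, $6 = new password
rotate_bind_secret() {
  kubectl patch secret "$2" -n "$1" --type merge -p "$(secret_patch "$3" "$4" "$5" "$6")"
  kubectl get pods -w -n "$1"
}

# Interactive entry point for the LDAP row: sh <this file> rotate <namespace> <cr.yaml>
# Prompting for the password keeps it out of shell history and process listings.
if [ "${1:-}" = "rotate" ]; then
  ns=$2
  secret=$(cr_secret_name lc_bind_secret "" < "$3")
  [ -n "$secret" ] || { echo "ldap_configuration.lc_bind_secret not found in $3" >&2; exit 1; }
  printf 'Current ldapUsername in secret %s: ' "$secret"
  current_secret_value "$ns" "$secret" ldapUsername
  echo
  printf 'New bind user name: '; read -r new_user
  printf 'New bind password: '; stty -echo; read -r new_pw; stty echo; echo
  rotate_bind_secret "$ns" "$secret" ldapUsername "$new_user" ldapPassword "$new_pw"
fi
```

For the SCIM rows, call `cr_secret_name scim_secret_name ibm-scim-secret` and pass `scimUsername`/`scimPassword` (or the client credential keys your ibm-scim-secret uses) to `rotate_bind_secret`. Patching the secret replaces only the deployment-side step; the order of the procedure still applies, so change the password in the directory server (step 3) and in the Administration Console (step 4) before running the rotation, and confirm that the user name printed by `current_secret_value` matches the value seen in step 1.d before patching anything.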