Installing password security update

The following instructions apply only to an Administrator user. Running the resetPasswords.sh script resets the passwords of all users in the given company who are not enabled for LDAP (except the user running the command), writes an XML file that lists the changes, and optionally emails each user the login instructions. Passwords of LDAP-enabled users are not changed, and such users are not affected by the command.

Fix Pack 3

Before you begin

Complete the following steps:
  • Take a backup of the database, or at least of the table TSEC_SCU_USER (alias SCU).
  • Run the following commands.
    cd $TOP/bin/migration
    unzip resetPassword.zip
    cd $TOP/bin/migration/resetPassword
  • Give the resetPasswords.sh file execute permission with the following command.
    chmod 755 resetPasswords.sh
  • Before you run resetPasswords.sh, ensure that the $JAVA_RT environment variable is set. To set it, run the compat.sh file with the following command, then confirm that $JAVA_RT is set in the same shell from which you will run resetPasswords.sh (a script that only exports the variable must be sourced, not executed, for the setting to persist in your shell).
    $TOP/bin/compat.sh
  • If the ResetPasswords.class file does not exist, the script uses the javac command to compile it. Ensure that $JAVA_HOME/bin/javac exists and that its version is compatible with the installed version of IBM® Product Master.
  • In the Persona-based UI, when you create a user, do not use a colon (:) in the username.

Procedure

  1. Enter the following command:
    cd $TOP/bin/migration
  2. Run the resetPasswords.sh script with the following parameters.
    ./resetPasswords.sh [option] Admin adminpw company output-file
    Where,
    [option]
    If you do not specify an option, the resetPasswords.sh script generates the output-file, changes the passwords, and sends an email to each user.
    [option] = --dry-run or -d
    Generates the output-file only (does not change any password or send any email). Run with this option first and review the output-file before running the script for real.
    [option] = --no-email or -n
    Generates the output-file and changes the passwords only (does not send any email).
    Admin
    The username of the administrator.
    adminpw
    The password of the administrator. Because it is passed as a command-line argument, it can appear in your shell history and in process listings; remove the history entry when you are done.
    Note: The resetPasswords.sh script does not change the administrator password.
    company
    The company code.
    output-file
    The full path name of the output file, with an XML extension.
  3. Check the generated output-file. It contains every username in the specified company (except the administrator), the corresponding new password, and the corresponding email address. Because the file holds all of the new passwords in clear text, keep it readable only by the administrator and delete it once the users have been notified.
    1. If you used the -n option, you must send each user an email with the instructions mentioned in the What to do next section.
    2. For other users, share the information by an appropriate method. You can also use the output-file to write your own script to transmit the information.
  4. Required: Delete the following files from the $TOP/bin/migration directory:
    • resetPasswords.sh
    • ResetAdminPW.class
    • ResetPasswords.class
    • resetPasswordsEmailTemplate.txt
    • resetPassword.html
  5. Optional: As a best practice,
    • Change the Administrator's password, because this script can allow a malicious user to overwrite it.
    • If you have edited the resetPasswordsEmailTemplate.txt file, save a copy of it before deleting it, in case you have to repeat this procedure.
  6. Optional: To configure automatic emails,
    1. Edit the content of the resetPasswordsEmailTemplate.txt file. The file consists of the email subject, a delimiter line, and the body:
      <Email_subject>
      ----
      In order to repair a security vulnerability, your password for IBM Product Manager has been reset.
      The next time you log in, please do so using the following password:
      xxxxxxxx
      and then immediately change your password.
      If you wish, you may change your password to the password you used before it was reset.
      Attention: Do not edit the ---- delimiter line or the xxxxxxxx password placeholder. At run time, the placeholder is replaced with the password of the user to whom the email is being sent.
    2. Set the following two properties in the common.properties file:
      smtp_address
      from_address
    Importing data that was exported from an older Product Master version into an existing or new company adds new users. Run the reset password utility to change their passwords according to the new policy, or change the user passwords from the Admin UI with administrator access.
    Note: The reset password utility changes the passwords of all users in the given company.
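Step 3 says the output-file can drive your own script for transmitting the new passwords, and step 6 fixes the layout of the email template (subject, a ---- delimiter line, a body containing the xxxxxxxx placeholder). The following Python is an added example, not IBM code and not shipped with Product Master, that parses a constructed output-file, checks it for the conditions this page says must not occur (the administrator appearing in the list, a colon in a username), renders one message per user from a template with that layout, and finally overwrites and removes the output-file because it holds every new password in clear text. The XML tag and attribute names (<users>, <user name= email=>, <password>) are an assumption: the page only says which fields the file contains, so adjust them to the real file before use. The SMTP settings from common.properties (smtp_address, from_address) are represented by the from_address parameter; actual sending is left to the caller so the example runs offline.

```python
"""Post-process the resetPasswords.sh output-file and the email template.

Added example: this is NOT IBM code and is not shipped with Product Master.
ASSUMPTION: the page says only that the output-file lists usernames, new
passwords and email addresses; the tag and attribute names used below
(<users><user name= email=><password>) are invented for this example and
must be adjusted to match the real file.
"""
import os
from email.message import EmailMessage
import xml.etree.ElementTree as ET

# Constructed sample output-file (not real data; assumed layout).
SAMPLE_OUTPUT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users company="ACME">
  <user name="jsmith" email="jsmith@example.com"><password>Kq7!vR2mXp</password></user>
  <user name="mlee" email="mlee@example.com"><password>Zt4$Wn8bLc</password></user>
  <user name="svc:report" email="svc@example.com"><password>Hh1%Qe5tJd</password></user>
</users>
"""

# Constructed template with the same layout as resetPasswordsEmailTemplate.txt
# on this page: subject line, a ---- delimiter line, then the body.
SAMPLE_TEMPLATE = """Your Product Master password has been reset
----
In order to repair a security vulnerability, your password has been reset.
The next time you log in, please do so using the following password:
xxxxxxxx
and then immediately change your password.
"""

DELIMITER = "----"
PLACEHOLDER = "xxxxxxxx"


def parse_template(text):
    """Split a template into (subject, body) at the first ---- line.

    Both the delimiter and the xxxxxxxx placeholder are mandatory: a template
    that lost either one would mail every user a letter without a password,
    so fail loudly instead of rendering anything.
    """
    lines = text.splitlines()
    delim = [i for i, line in enumerate(lines) if line.strip() == DELIMITER]
    if not delim:
        raise ValueError("template has no ---- delimiter line")
    subject = " ".join(line.strip() for line in lines[:delim[0]] if line.strip())
    body = "\n".join(lines[delim[0] + 1:])
    if PLACEHOLDER not in body:
        raise ValueError("template body has no xxxxxxxx placeholder")
    return subject, body


def parse_output_file(xml_text, admin_user):
    """Return ([(username, email, password)], [problem strings]).

    Problems flag what the page says must not happen: the administrator's
    entry appearing (the script never resets it) and a colon in a username.
    """
    root = ET.fromstring(xml_text)
    entries, problems = [], []
    for user in root.iter("user"):
        name, email = user.get("name", ""), user.get("email", "")
        password = user.findtext("password") or ""
        if name == admin_user:
            problems.append(f"administrator {name!r} listed in output-file")
        if ":" in name:
            problems.append(f"username {name!r} contains a colon")
        if not password:
            problems.append(f"no password recorded for {name!r}")
        entries.append((name, email, password))
    return entries, problems


def build_messages(entries, template_text, from_address):
    """Render one EmailMessage per user, substituting only that user's
    password for the placeholder. Delivery via smtplib is left to the caller."""
    subject, body = parse_template(template_text)
    messages = []
    for _name, email, password in entries:
        msg = EmailMessage()
        msg["Subject"] = subject
        msg["From"] = from_address
        msg["To"] = email
        msg.set_content(body.replace(PLACEHOLDER, password))
        messages.append(msg)
    return messages


def shred_output_file(path, passes=3):
    """Overwrite, then unlink, the output-file that holds every new password.

    Overwriting is best effort: on journaling or copy-on-write filesystems and
    on SSDs the old blocks may survive, so create the file in a restricted
    (ideally encrypted) location to begin with. Returns True once it is gone."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    users, issues = parse_output_file(SAMPLE_OUTPUT_XML, admin_user="Admin")
    for issue in issues:
        print("WARNING:", issue)
    for msg in build_messages(users, SAMPLE_TEMPLATE, "pim-admin@example.com"):
        print(msg["To"], "<-", msg["Subject"])
```

Run it against a dry-run output-file first (the -d option changes nothing), fix every WARNING it prints before the real run, and call shred_output_file on the real output-file only after all users have been notified.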

What to do next

As a user who received an email with a new password, log in to Product Master with your username and the new password. You can then change your password to anything you want, including the password you used before.