Updating the Business Automation Workflow deployment after an LDAP password change

After an update to the Lightweight Directory Access Protocol (LDAP) bind user or administrator password, for example, when the password expired, you might need to update the Business Automation Workflow deployment to avoid errors.

Changing the LDAP bind password

Procedure

To change the LDAP bind password in the Business Automation Workflow deployment:

  1. Log in to your LDAP server to update your LDAP bind password.
  2. Access the IAM console to update the LDAP bind password for your existing settings.
    1. Use the following command to get the URL for accessing the console in <your namespace>:
      oc get route -n <your namespace> cp-console -o jsonpath='{.spec.host}'

      The following is a sample output: ‘cp-console.apps.test-q2.os.fyre.ibm.com’. Based on the example output, your console URL would be https://cp-console.apps.test-q2.os.fyre.ibm.com.

    2. The default username to access the console is admin. To get the default username, run the following command:
      oc -n <your namespace> get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' | base64 -d && echo
    3. To get the password for the default username, run the following command:
      oc -n <your namespace> get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d
    4. Log in to the IAM console to update the LDAP bind password and save your changes.
  3. Edit the LDAP connection:

    Update the LDAP bind password in the secret "ibm-bind-secret" under your namespace.

  4. Wait for the operator to reconcile, and re-create the Content Platform Engine pod.
    Check that the LDAP bind password is updated in the following XML file of the configMaps "icp4adeploy-cpe-config" under your namespace.

Changing the LDAP admin user password

Procedure

To change the LDAP admin user password in the Business Automation Workflow deployment:

  1. Log in to your LDAP server to update your LDAP admin user password.
  2. Log in to the Administration Console for Content Platform Engine by using your LDAP admin user and the updated password (step 1). You can find the login URL from the configMaps "icp4adeploy-cp4ba-access-info" under your namespace.
  3. Open the domain properties page for the FileNet P8 domain.
  4. Update the password for the LDAP admin user to the new password from step 1, as shown in the following example.

    Change password example

  5. Continue to update the password in Process Engine Component Manager in the Administration Console for Content Platform Engine. Find your TOS object store, expand Administrative > Workflow System > Isolated Regions, then expand the isolated region that you are using and Component Queues, select the queue and update the password as shown in the following example.

    Example of LDAP admin user password change

  6. Scale down the Cloud Pak for Business Automation operator deployment.
  7. Scale down the following deployments. Wait for Kubernetes (Red Hat OpenShift) to stop the existing pods (the pod terminations might take several minutes). You can monitor the status of your pods by using the Red Hat OpenShift or Kubernetes command "oc get pods -w".
    • Content Platform Engine
    • Navigator
    • Workflow server
  8. Update appLoginPassword with the new password in the secrets "ibm-fncm-secret" and "ibm-ban-secret".
  9. Scale up the Cloud Pak for Business Automation operator deployment. Wait for Kubernetes (Red Hat OpenShift) to create the new pods (the pod creation might take several minutes). You can monitor the status of your pods by using the Red Hat OpenShift or Kubernetes command "oc get pods -w".
  10. Open a shell in the Navigator pod by running the command "oc exec -it <navigator_pod> bash" (for example, oc exec -it icp4adeploy-navigator-deploy-5669544494-n76ls bash), then delete the file "config.ok" under /opt/ibm/plugins/properties.
  11. Delete the jobs basaut-content-init-job and bas-case-init-job, wait for the operator to reconcile, and create the new jobs.
    1. Get the content-init-job name:
      oc get job | grep content-init-job
    2. Delete the job:
      oc delete job <content-init-job-name>
    Delete the case init job:
    1. Get the case-init-job name:
      oc get job | grep case-init-job
    2. Delete the job:
      oc delete job <case-init-job-name>
  12. If you have more than one target object store, re-run Register Project Area or Register Target Environment in the Case administration client for each additional target object store.
  13. Restart IBM® Content Navigator, Content Platform Engine and Business Automation Workflow pods.
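
One way to carry out step 8 of the admin user procedure from the shell, as an added example that is not part of the IBM documentation. It assumes an active oc login and an oc client that supports `patch --patch-file`; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumptions: you are logged in with oc and
# the client supports `oc patch --patch-file`.
# Usage (password on stdin): update_app_login_password <namespace> < pwfile

# Emit a merge patch that sets appLoginPassword. The password is read from
# stdin, so it never appears in argv, `ps` output or shell history.
build_patch() (
    IFS= read -r pw || :
    [ -n "$pw" ] || { echo "empty password" >&2; exit 1; }
    # printf '%s' avoids the trailing newline that `echo "$pw" | base64`
    # would silently encode into the stored value.
    b64=$(printf '%s' "$pw" | base64 | tr -d '\n')
    printf '{"data":{"appLoginPassword":"%s"}}\n' "$b64"
)

# Patch both secrets named in step 8 from one owner-only temporary file,
# which is removed when the function's subshell exits.
update_app_login_password() (
    ns=${1:?usage: update_app_login_password <namespace>}
    umask 077
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    build_patch > "$tmp" || exit 1
    for secret in ibm-fncm-secret ibm-ban-secret; do
        oc -n "$ns" patch secret "$secret" --type merge --patch-file "$tmp" || exit 1
    done
)
```

Both functions run in subshells, so the plaintext password does not remain in a variable of the calling shell after the update.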