Updating Db2 password for a Multi-Master cluster manually

You can perform manual steps to update the Db2 password in a cluster.

Before you begin

Ensure that you know the existing password that you want to change.

About this task

You must be the database instance owner on AIX or Linux systems, or the Local Administrator on Windows systems. The login password for the Db2 Administrator user ID and the Db2 data source password that is used by WebSphere Application Server Liberty must be the same. When you change one, you must change the other.

You must ensure that the Db2 username and password are the same on all the masters of the IBM Security Guardium Key Lifecycle Manager Multi-Master cluster.

Procedure

  1. Update the Db2 password.
    1. Open a REST client.
    2. Obtain an authorization token by using the Login REST Service.
      For example, you can send the following HTTP request:
      POST https://localhost:port/SKLM/rest/v1/ckms/login
      Content-Type: application/json
      Accept: application/json
      {"userid" : "admin1", "password" : "pswd"}
    3. Update the Db2 password by using the following REST request. Pass the authorization token that you obtained in the previous step.
      curl -X POST -H "accept: application/json" -H "Authorization: SKLMAuth userAuthId=a085cac8-ac89-4ac6-bccc-a20be43d1a41" -H "Content-Type: application/json" -d '{"newDb2Password": "Master@7540"}' https://hostname:port/SKLM/rest/v1/ckms/config/nodes/updateDB2PasswordForThisInstance
  2. Stop WebSphere Liberty on all master servers of the Multi-Master cluster. To do so, complete these steps:
    1. Go to the WAS_HOME\bin directory.
      Windows
      C:\Program Files\IBM\WebSphere\Liberty\bin
      Linux®
      /opt/IBM/WebSphere/Liberty/bin
    2. Run the following commands to stop the server.
      Windows
      stopServer.bat WAS_HOME
      Linux
      ./stopServer.sh

      For the definition of WAS_HOME, see Definitions for HOME and other directory variables.

  3. Stop the agent service on all IBM Security Guardium Key Lifecycle Manager master servers.
    To do so, complete these steps:
    1. Go to the SKLM_INSTALL_HOME\agent directory.
      Windows
      C:\Program Files\IBM\GKLMV421\agent
      Linux
      /opt/IBM/GKLMV421/agent
    2. Stop the agent service by running the following command.
      Windows
      stopAgent.bat WAS_HOME

      For example,

      stopAgent.bat "C:\Program Files\IBM\WebSphere\Liberty"
      Linux
      ./stopAgent.sh WAS_HOME

      For example,

      ./stopAgent.sh /opt/IBM/WebSphere/Liberty

    For the definition of SKLM_INSTALL_HOME and WAS_HOME, see Definitions for HOME and other directory variables.

  4. Stop Db2 HADR on the IBM Security Guardium Key Lifecycle Manager primary master server with the primary database.
    Windows
    1. Click Start > IBM DB2 klmdb42 (Default) > DB2 Command Window - Administrator.
    2. Run the following command:
      db2 stop hadr on database KLMDB42
    Linux
    1. In a terminal window, type the following command to switch to the Db2 instance owner.
      su - KLMDB42
    2. Run the following command:
      db2 stop hadr on database KLMDB42
  5. Deactivate the standby database on the IBM Security Guardium Key Lifecycle Manager standby master by running the following command.
    db2 deactivate db KLMDB42
  6. Stop Db2 HADR on the IBM Security Guardium Key Lifecycle Manager standby master with the standby database by running the following command.
    db2 stop hadr on database KLMDB42
  7. Change the Db2 password at the operating system level.
    Complete the steps given in the following topics:
    Windows

    Updating Db2 password on a Windows system

    Linux

    Updating Db2 password on a Linux or AIX system

  8. Update the newly changed Db2 password in the datasource.xml file on all IBM Security Guardium Key Lifecycle Manager master servers.
    Ensure that you encrypt the password by using the securityUtility script. Use custom encoding on each master server. The securityUtility file is present in the WAS_HOME/bin folder.

    Run the following command to encrypt the password:

    Windows
    securityUtility encode --encoding=custom PASSWORD_STRING
    Linux
    ./securityUtility encode --encoding=custom PASSWORD_STRING

    where PASSWORD_STRING is the updated Db2 password.

    Update the encrypted Db2 password in the datasource.xml file. Location of the datasource.xml file:
    Windows
    WAS_HOME\usr\servers\gklm42server
    Linux
    WAS_HOME/usr/servers/gklm42server

    For the definition of WAS_HOME, see Definitions for HOME and other directory variables.

  9. Start Db2 HADR on all the standby master servers by using the following command.
    db2 start hadr on database KLMDB42 as standby
  10. Start Db2 HADR on the primary master server by using the following command.
    db2 start hadr on database KLMDB42 as primary
  11. Start WebSphere Application Server Liberty on all the master servers.
    Run the following command:
    Windows
    cd WAS_HOME\bin
    startServer.bat WAS_HOME
    AIX or Linux
    cd WAS_HOME/bin
    ./startServer.sh

    For the definition of WAS_HOME, see Definitions for HOME and other directory variables.
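
A post-change check for step 8, added here as an example and not part of the product or its documentation: it reads a copy of each master's datasource.xml, flags any password attribute that was left in plaintext or encoded with something other than custom encoding, and flags masters whose Db2 user differs. The `{custom}`, `{aes}`, `{xor}` and `{hash}` prefixes and the `properties.db2.jcc` element layout are assumptions about the Liberty file format; the sample files, user names and encoded values are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: prefixes Liberty's securityUtility writes in front of encoded values.
ENCODED_PREFIXES = ("{custom}", "{aes}", "{xor}", "{hash}")
REQUIRED_PREFIX = "{custom}"  # step 8 calls for --encoding=custom

def classify(value):
    """Classify a password attribute without ever returning the value itself."""
    if value.startswith(REQUIRED_PREFIX):
        return "ok"
    if value.startswith(ENCODED_PREFIXES):
        return "wrong-encoding"
    return "plaintext"

def audit_datasource(xml_text):
    """Return [(element tag, user, status)] for each element with a password attribute."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return [("<file>", None, "unparseable")]
    rows = [(e.tag, e.get("user"), classify(e.get("password")))
            for e in root.iter() if e.get("password") is not None]
    return rows or [("<file>", None, "no-password-attribute")]

def audit_cluster(configs):
    """configs maps master name -> datasource.xml text; returns a list of problems."""
    problems, users = [], {}
    for master, text in sorted(configs.items()):
        for tag, user, status in audit_datasource(text):
            if status != "ok":
                problems.append(f"{master}: {tag}: {status}")
            if user is not None:
                users.setdefault(user, []).append(master)
    if len(users) > 1:  # the Db2 user must be the same on every master
        problems.append(f"user mismatch: {dict(sorted(users.items()))}")
    return problems

# Constructed sample files; element layout, master names and values are made up.
TEMPLATE = ('<server><dataSource jndiName="jdbc/sklmDS">'
            '<properties.db2.jcc databaseName="KLMDB42" user="{u}" password="{p}"/>'
            '</dataSource></server>')
SAMPLE = {
    "master1": TEMPLATE.format(u="klmdb42", p="{custom}Qm9ndXNWYWx1ZQ=="),
    "master2": TEMPLATE.format(u="klmdb42", p="NotEncoded-Example1"),
    "master3": TEMPLATE.format(u="sklmdb", p="{xor}EjoyMDI="),
}

if __name__ == "__main__":
    for line in audit_cluster(SAMPLE):
        print(line)
```

The report names only the master, the element and the status, so it can be pasted into a change ticket without exposing the password.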