Regenerating runtime passwords

The administrator password and the password manager encryption key are important credentials that you use to secure webMethods runtimes. Each runtime uses a unique set of passwords to maintain security and control access.

Before you begin

You must have administrator or runtime owner access to regenerate runtime passwords.

About this task

An administrator password and password manager encryption key protect the runtime in different ways. The administrator password is used to authenticate and log in to the runtime environment with full administrative privileges. It grants access to server configuration, package deployment, service monitoring, user and role management, and security settings.

Password manager encryption keys are used internally by the runtime environment to encrypt and decrypt outbound passwords, which are the credentials stored for accessing external systems such as databases, remote servers, and messaging systems. The keys secure sensitive configuration data and allow encrypted credentials to be stored and retrieved safely. The password manager encryption key is not used for login or UI access, and it is initialized automatically during runtime startup and credential resolution processes.

Each runtime has a unique administrator password and password manager encryption key to improve security and reduce the risk of unauthorized access. The administrator password is stored in the credentials vault for the runtime. Each replica provides a separate isolated credentials vault. The password manager encryption key is encrypted and stored locally, and can be regenerated through the control plane when needed.

You can regenerate the passwords regardless of the runtime state.

Some additional considerations apply when regenerating passwords and encryption keys.
  • The administrator password and password manager encryption key are not applicable to runtimes that were registered before version 11.2.3.
  • The administrator password and the password manager encryption key do not apply to platform-managed runtimes.
  • Passwords are configured at the runtime level, not at the replica level. In multi-replica environments, all replicas use the same password settings that are defined at the runtime level.
  • Do not change passwords directly on self-managed runtime replicas. Currently, local password changes on a self-managed runtime are not synchronized with the control plane. The control plane continues to display the password it originally generated for the runtime, which is shared across all associated replicas.
  • The control plane maintains a single password per runtime to ensure consistency across all replicas. Changing the password on an individual replica can cause inconsistencies. To restore consistency, regenerate the password from the control plane.
  • When the runtime is in a nonready state, such as Unknown, the administrator password and the password manager encryption key are view-only and cannot be regenerated. This restriction also applies to multi-replica environments in partially ready states, such as when two out of three replicas are ready (2/3 ready).
  • In the event of a security incident, if one user resets the password, another authorized user can retrieve the password from the Security tab.

Procedure

  1. From IBM webMethods Hybrid Integration, click Main menu > Hybrid Control Plane > Integration runtime management.
    The Integration runtime management page is displayed.
  2. On the runtime card, click Overflow menu > About runtime.
  3. On the runtime page, click Security.
  4. Click the corresponding Regenerate password button to update the administrator password or password manager encryption key.
    The password is regenerated and you cannot edit the current password. After a password is regenerated, the system verifies whether the new password is successfully synchronized across all replicas that are associated with the runtime. If the synchronization fails, the previous password remains in use, and a notification is displayed to inform the user of the failure.
  5. Click Close.