Changing IBM Business Process Manager passwords

When you change passwords, make sure to change them at the provider level and for the authentication aliases that are mapped to the RunAs roles for applications provided by IBM® Business Process Manager.

Before you begin

This task uses the updateBPMAliasesAndRunAsRolesPasswords command, which is run using the AdminTask object of the wsadmin scripting client. To run the command, the following prerequisites must be met:
  • The command must be run on the deployment manager node.
  • If the deployment manager is stopped, use the wsadmin -conntype none option to run the command in disconnected mode.
  • If the deployment manager is running, you must connect with a user ID that has WebSphere Application Server configurator privileges. Do not use the wsadmin -conntype none option.

Start the wsadmin scripting client from the deployment_manager_profile/bin directory. The updateBPMAliasesAndRunAsRolesPasswords command does not write to a log file, but the wsadmin scripting client always writes a profile_root/logs/wsadmin.traceout log file where you will find exception stack traces and other information.

About this task

When you change the password for a user, user IDs that are mapped to RunAs user roles also must be updated.

IBM Business Process Manager provides the following applications that contain users that are mapped to the RunAs roles:

  • For Express, Standard, and Advanced deployment environments:
    • IBM_BPM_PerformanceDW_supportDeploymentTarget
    • IBM_BPM_Teamworks_applicationDeploymentTarget
  • For Advanced and AdvancedOnly deployment environments:
    • BPEContainer_applicationDeploymentTarget
    • TaskContainer_applicationDeploymentTarget

In these names, the deployment target suffix is the application cluster or the support cluster, or the stand-alone server (for IBM Business Process Manager Express and the IBM Integration Designer Unit Test Environment (UTE)). It takes the form _clusterName or _nodeName_serverName.

Note: The updateBPMAliasesAndRunAsRolesPasswords command cannot be used to change passwords for the IBM BPM CellAdmin security role that was specified as the default administrative account during installation or for custom applications that are not provided by IBM BPM.

Procedure

You can change passwords for any user that is stored in the file registry, including the CellAdmin security role (as long as the CellAdmin user is still the same primary administrative account that was specified as the default when IBM BPM was installed). To change passwords, complete the following steps:

  1. Go to the external security provider and change the password for the user at the provider level. The following steps use WebSphere® Application Server as the provider:
    1. Change the password in the WebSphere Application Server file registry by logging into the WebSphere Application Server admin console.
    2. Click Users and Groups > Manage Users.
    3. Select the user and enter the new password in the Password field on the General tab.
    4. Click Apply and then click OK.
    5. Save the changes.
    6. If you changed the password for the CellAdmin user, verify the new password by attempting to log into the WebSphere admin console as the CellAdmin user.

The user for the CellAdmin role is also stored in an authentication alias, which by default is named CellAdminAlias. If the BPMConfig command was used to create the IBM BPM profiles, the default name of the authentication alias may have been changed by using the bpm.cell.authenticationAlias.1.name property. If the manageprofiles command was used to create the IBM BPM profiles, the default name of the authentication alias may have been changed by using the optional -adminAliasName parameter.

If you want to change the CellAdminAlias user, ensure that the new user has the appropriate roles as described in the topic IBM Business Process Manager roles.

To change the password for the CellAdmin user that is stored in the authentication alias, complete the following steps:

  1. In the WebSphere admin console, select Security > Global Security > Java Authentication and Authorization Service > J2C Authentication Data > cell_admin_alias, then change the password to be the same as the password that you specified for the CellAdmin user in the previous step.
  2. Verify the new password by starting the deployment manager and then running the following command:
    BPMConfig -validate -profile dmgrProfileName -de deName -outputDir _validate
    If the password was not set correctly, the BPMConfig command will fail to connect to the deployment manager.

If you changed the CellAdmin user password, you generally do not need to complete any additional steps, such as running the updateBPMAliasesAndRunAsRolesPasswords command to synchronize the passwords. However, if the factory default settings were changed and the CellAdmin user is now referenced by IBM BPM applications, you need to run the updateBPMAliasesAndRunAsRolesPasswords command by completing the steps below. Similarly, if you changed the password for another user that is used by IBM BPM authentication aliases or RunAs roles for IBM BPM applications, you need to run the updateBPMAliasesAndRunAsRolesPasswords command by completing the following steps.

  1. In an ND environment, stop the deployment manager. (In a stand-alone environment like IBM BPM Express or the IBM Integration Designer unit test environment, stop the app server.)
  2. In the deployment manager profile bin folder (or in the AppServer profile bin folder for IBM Business Process Manager Express or the Integration Designer unit test environment), run the updateBPMAliasesAndRunAsRolesPasswords wsadmin command to synchronize passwords for authentication aliases or application RunAs roles.
    The following example shows the command for a 3-cluster Advanced deployment environment.

    dmgr_profile_root/bin>wsadmin -conntype NONE -lang jython

    wsadmin>AdminTask.updateBPMAliasesAndRunAsRolesPasswords( [ '-userName', user_name, '-password', new_password ] )
    Processing: IBM_BPM_PerformanceDW_SupportCluster
    Processing: IBM_BPM_Teamworks_AppCluster
    Processing: BPEContainer_AppCluster
    Processing: TaskContainer_AppCluster

    wsadmin>AdminConfig.save()

    The following example shows the command for a single-cluster Standard deployment environment.

    dmgr_profile_root/bin>wsadmin -conntype NONE -lang jython

    wsadmin>AdminTask.updateBPMAliasesAndRunAsRolesPasswords( [ '-userName', user_name, '-password', new_password ] )
    Processing: IBM_BPM_PerformanceDW_SingleCluster
    Processing: IBM_BPM_Teamworks_SingleCluster

    wsadmin>AdminConfig.save()

    Additional information about the command is found in the topic "updateBPMAliasesAndRunAsRolesPasswords command."

    Important: On Linux, UNIX, or AIX® platforms, run the updateBPMAliasesAndRunAsRolesPasswords wsadmin command as the current owner of the BPM installation folder and files.
  3. In an ND environment, start the deployment manager and synchronize your changes on the other nodes. (In a stand-alone environment like IBM BPM Express or the IBM Integration Designer unit test environment, start the app server.)
  4. In an ND environment, restart the application cluster members and support cluster members.
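
An added example, not part of IBM's documentation: a Python check over a captured wsadmin session from step 2. It confirms that every RunAs-mapped application prefix listed above for the environment type has a Processing line and that AdminConfig.save() followed the update, and it redacts a literal password before the transcript is archived. The transcript, the user svc_bpm, and the password are constructed sample values, and the name review_session is hypothetical.

```python
import re

# RunAs-mapped application prefixes per deployment environment type,
# taken from the application lists on this page.
COMMON = ("IBM_BPM_PerformanceDW_", "IBM_BPM_Teamworks_")
ADVANCED = ("BPEContainer_", "TaskContainer_")
EXPECTED = {
    "Express": COMMON,
    "Standard": COMMON,
    "Advanced": COMMON + ADVANCED,
    "AdvancedOnly": ADVANCED,
}

PROCESSING = re.compile(r"^\s*Processing:\s*(\S+)\s*$")
# Matches a quoted literal following '-password' in the Jython argument list.
PASSWORD_ARG = re.compile(r"('-password'\s*,\s*)(['\"]).*?\2")


def review_session(transcript, env_type):
    """Return (missing_prefixes, saved, redacted_transcript) for one session."""
    processed, saved, seen_update = [], False, False
    for line in transcript.splitlines():
        m = PROCESSING.match(line)
        if m:
            processed.append(m.group(1))
        elif "updateBPMAliasesAndRunAsRolesPasswords" in line:
            seen_update, saved = True, False  # a later update needs its own save
        elif "AdminConfig.save()" in line and seen_update:
            saved = True
    missing = [p for p in EXPECTED[env_type]
               if not any(name.startswith(p) for name in processed)]
    redacted = PASSWORD_ARG.sub(r"\1'<redacted>'", transcript)
    return missing, saved, redacted


# Constructed transcript: a single-cluster session typed with a literal password.
SAMPLE = """\
wsadmin>AdminTask.updateBPMAliasesAndRunAsRolesPasswords( [ '-userName', 'svc_bpm', '-password', 'Example-Pw-1' ] )
Processing: IBM_BPM_PerformanceDW_SingleCluster
Processing: IBM_BPM_Teamworks_SingleCluster

wsadmin>AdminConfig.save()
"""

if __name__ == "__main__":
    for env in ("Standard", "Advanced"):
        missing, saved, redacted = review_session(SAMPLE, env)
        print(env, "missing:", missing, "saved:", saved)
    print(redacted)
```

A non-empty missing list for the environment type means an application with a RunAs mapping was not reported as processed and may still hold the old password.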