Content Platform Engine, Version 5.2

Change Bootstrap admin password

This procedure describes how to change the password for the Content Platform Engine system user (also known as the bootstrap administrator, or cpe_bootstrap_admin). The credentials for this account are entered during Content Platform Engine configuration. Configuration Manager places this user name and its password into the Content Platform Engine bootstrap file. When Content Platform Engine starts up, it uses the account and password to authenticate against the user registry defined in the application server.

About this task

Here are the characteristics of the cpe_bootstrap_admin account:

Changing the cpe_bootstrap_admin password in the directory server means that you must change it in these locations at the same time. If you do not, the credentials in the bootstrap file will fail to authenticate against the LDAP directory, and Content Platform Engine will not be able to start. You can also lock yourself out of Administration Console for Content Platform Engine. Follow this procedure carefully to avoid this scenario.

This procedure requires access to the Content Platform Engine location, to the application server console, and to the directory server. Because of the relative complexity of this procedure, unless there is an overriding reason to change the password of this important account, you can consider exempting the Content Platform Engine system user account from your password change policy if this still meets your security requirements.

Note: Some steps below will be different for installations using JBoss, as JBoss does not have an administrative console or the need to log in as an administrator.

Procedure

To change the Content Platform Engine system user password:

  1. Back up the Engine-##.ear file, where ## is one of the following:
    • ws denotes WebSphere
    • wl denotes WebLogic
    • jb denotes JBoss
    You can then revert to the last known good EAR file if changing the password fails.
  2. On the server containing Content Platform Engine, start the Configuration Manager.
    1. Load the Configuration Manager profile that describes your installation.
    2. Click Configure Bootstrap Properties. Do not change anything yet. The Bootstrap user password is the field you will change later in this procedure.
    3. Leave this window open while doing the following steps.
  3. Log in to Administration Console for Content Platform Engine as GCD administrator gcd_admin.
    1. Click the domain, and then click the Directory Configuration tab.
    2. Select the row that represents the configuration parameters pointing to the LDAP location that the Content Platform Engine system user belongs to.
    3. When the Directory Configuration property sheet opens, view the value for the Directory Server User Name.
      • If this account is the same as the Content Platform Engine system user (cpe_bootstrap_admin) identified in step 2, then continue with the next step.
      • If it is different, then continue but skip the steps that deal with changing the Directory Server User Name (that is, steps 5, 7, and 8).
    4. Do not change anything yet. Leave the dialog box open while doing the remaining steps.
  4. (WebLogic and WebSphere) Log in to your application server console and search all the user registries for the Content Platform Engine system user. Verify that the Content Platform Engine system user is defined in the directory server where the password change will take place. This is to ensure that the application server is indeed using the directory server for authentication, and not some other custom authentication provider (WebLogic) or user registry repository (WebSphere).
  5. Locate the value for the Directory Server User Name. This should be the same value as described in step 3d.
    1. Navigate to the authentication provider panel containing the ID and password for the Directory Service User account.
      • WebLogic: this will be the value of the Principal field in the Authentication Provider for the WebLogic domain containing Content Platform Engine.
      • WebSphere: this will be the bind user account in the Profile containing Content Platform Engine.
      • JBoss: the Directory Service User account is contained in the login-config.xml file.
    2. Do not change anything yet. Leave the console open while doing the remaining steps.
  6. Log in to your directory server.
    1. Navigate to the location containing the account for the Content Platform Engine system user.
    2. Change its password.
    3. Save and apply.
  7. Return to your application server console.
    1. Change the password of the Directory Service user account (also known as the bind account) to the new password.
    2. Save and apply.
    3. Do not restart the application server until instructed to do so below.
  8. Return to Administration Console for Content Platform Engine.
    1. Change the Directory Server Name password to the new password.
    2. Close and save.
  9. Return to the window containing Configuration Manager.
    1. In the Configure Bootstrap Properties task, set the Bootstrap Operation property to Modify Existing.
    2. Confirm that the Bootstrapped EAR file property contains the path to the bootstrap file you need to edit.
    3. Change the Bootstrap user password. Use Configuration Manager's features to save and run the task.
    4. Run Configuration Manager's Deploy Application.
  10. Restart the application server.
  11. Verify the change by logging on to Administration Console for Content Platform Engine as a GCD administrator (gcd_admin) and performing a user and group lookup. See Modify an object's security for one way to do this.
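
The following shell helpers are an added example, not part of the IBM procedure: one makes the step 1 backup verifiable and access-restricted, the other confirms after step 6 that the directory server accepts the new password before the application server is restarted in step 10. It assumes the OpenLDAP client tool ldapwhoami is installed; every path, URL and DN passed in is a placeholder you supply.

```shell
#!/bin/sh
# Added example; function names and all arguments are hypothetical placeholders.

# Step 1: copy the bootstrapped EAR to a timestamped backup, confirm the copy is
# byte-identical, and restrict it to the owner, because the bootstrap file
# carries the system user's credentials. Prints the backup path on success.
backup_ear() {
    ear=$1; dest_dir=$2
    [ -f "$ear" ] || { echo "EAR not found: $ear" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    backup="$dest_dir/$(basename "$ear").$(date +%Y%m%d%H%M%S).bak"
    cp -p "$ear" "$backup" || return 1
    cmp -s "$ear" "$backup" || { echo "backup differs from source" >&2; return 1; }
    chmod 600 "$backup" || return 1
    printf '%s\n' "$backup"
}

# After step 6, before step 10: attempt a simple bind as the system user with
# the new password. The password is read from a file so it never appears in
# the process list or shell history. Write that file without a trailing
# newline (printf '%s'), since -y uses the whole file content as the password.
# Returns 0 if the bind succeeds, 2 if the check could not be run, and
# ldapwhoami's own non-zero status if the directory rejects the bind.
check_bind() {
    ldap_url=$1; bind_dn=$2; pw_file=$3
    command -v ldapwhoami >/dev/null 2>&1 || { echo "ldapwhoami not installed" >&2; return 2; }
    [ -r "$pw_file" ] || { echo "cannot read $pw_file" >&2; return 2; }
    ldapwhoami -x -H "$ldap_url" -D "$bind_dn" -y "$pw_file" >/dev/null 2>&1
}

# Usage: script EAR_PATH BACKUP_DIR LDAP_URL BIND_DN NEW_PASSWORD_FILE
if [ "$#" -eq 5 ]; then
    backup_ear "$1" "$2" || exit 1
    if check_bind "$3" "$4" "$5"; then
        echo "bind with new password succeeded"
    else
        echo "bind with new password failed; do not restart the application server" >&2
        exit 1
    fi
fi
```

Delete the password file once the check has passed, and remove old EAR backups when they are no longer needed for rollback.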



Last updated: June 2013

© Copyright IBM Corporation 2014.