
2012

IBM

Manoj Khilnani

Managing P8 LDAP and DB passwords in a dynamic environment
Process to modify the P8 System LDAP and DB passwords

Abstract: FileNet P8 is a very complex system with many different components, technologies and databases.
The management of the system requires understanding of multiple products and the integration between these
products and P8 components. The P8 system requires accounts to authenticate with other products. These
accounts are stored in different types of repositories and require separate processes to manage the accounts.
This article covers all aspects of the P8 product involved in the password modification. The article discusses
the LDAP and DB password changes and how to manage the P8 system while performing these changes.

About the author: Manoj Khilnani is a Senior Managing Consultant working with IBM Software
Services for Federal (ISSF). He is a certified IT Specialist and FileNet Consultant. He has 16 years of
software development life-cycle experience. In the last few years, he has extensively worked on
ECM products such as DB2 Content Manager and FileNet P8. Reach out to him at
mkhilnan@us.ibm.com
Managing P8 LDAP and DB passwords in a dynamic environment: Process to modify the P8 System LDAP and DB passwords

Introduction
Explore P8 System
    P8 System LDAP Users
    P8 System DB Users
    P8 System Architecture
    Verify P8 System Health
    Backup GCD Database
Modify LDAP Bind Account Password
    Figure 1. Modify FEM Directory Configuration
    Figure 2. Modify WebSphere LDAP Server Bind Password
Modify Content Engine Bootstrap LDAP Account Password
    Figure 3. Configure Bootstrap properties in Configuration Manager
Modify Process Engine Service LDAP Account Password
    Figure 4. Modify LDAP Password in Process Task Manager
Modify Content Engine Database Account Password
    Figure 5. Modify DB Password in WebSphere
    Figure 6. Verify DB Connections
Modify Process Engine Database Account Password
    Figure 7. Modify DB Password in Process Task Manager
Modify P8 LDAP Passwords already reset in LDAP
Conclusion
Acknowledgements
Resources


Introduction
FileNet P8 is a very complex system with many different components, technologies and
databases. The management of the system requires an understanding of multiple products
and their integration. FileNet P8 system requires accounts to authenticate with other
products. These accounts are stored in different types of repositories and require separate
processes to modify the passwords.

This article covers all aspects of the product involved in the password modification. The
article discusses the LDAP and DB password changes and how to manage FileNet P8
system while performing these changes.

IMPORTANT NOTE: Because of the relative complexity of this procedure, unless there
is an overriding reason to change the password of this important account, you can consider
exempting the Directory Server bind user account from your password change policy if
this still meets your security requirements.

Note: The article references FileNet P8 v5.1 and WebSphere v7 deployed on Windows
operating system.

Explore P8 System
P8 System LDAP Users
Below is the list of directory server accounts whose password change requires the P8
system to be reconfigured.

1. Content Engine bootstrap account (fnadmin): The account details are captured
   in the FileNet Configuration Manager Bootstrap section. The details are used in
   the CEMPBoot.properties file that is archived in the Content Engine EAR file. Any
   password change to the account will require redeployment of the Content Engine
   application.

2. Content Engine LDAP bind account (fnldapbind): The account details are
captured in the FileNet Configuration Manager LDAP section and Enterprise
Manager directory configuration wizard. Any password changes to the account
will require the WebSphere and Enterprise Manager to be modified in conjunction
with the LDAP password changes.

The LDAP account for WebSphere is stored in the XML file. The LDAP account
for the Content Engine is stored as a blob object in the GCD database.

3. AE & Forms WebSphere LDAP bind account (fnldapbind): The account
   details are captured in the WebSphere Security section. Any password changes to
   the account will require WebSphere to be modified in conjunction with the
   LDAP password changes.

4. Process Engine Service account (peadmin): The account details are captured in
the Process Task Manager. Any password changes to the account will require the
Process Task Manager to be updated.

Note: P8 system does not store the WebSphere administrative account (wasadmin).
This account is used to login to the WebSphere Admin Console.

Note: The article assumes the WebSphere LDAP bind account (fnldapbind) is
different than the bootstrap account (fnadmin).

P8 System DB Users
Below is the list of database accounts whose password change requires the P8 system
to be reconfigured.

1. Content Engine database account (cedbadmin): The account is used to access
   the GCD and object store databases. The account details are captured as part of the
   WebSphere JAAS-J2C authentication data.

2. Process Engine database account (pedbadmin): The account is used to access
   the process engine databases. The account details are captured in the Process Task
   Manager.

Note: For IBM Case Manager, there is only a single combined database and a single
database user account.

P8 System Architecture
The article considers the deployment of P8 in a non-HA environment. Each P8 component
is installed in its own VM image, as listed below.
• Content Engine Server: CE-DEV
• Process Engine Server: PE-DEV
• WorkplaceXT Server: AE-DEV
• Forms Server: FORMS-DEV

Verify P8 System Health

Verify that the system is up and running with the existing users and original passwords.

• Verify the Content Engine is up and running
    o http://ce-dev:9080/P8CE/Health
    o http://ce-dev:9080/FileNet/Engine
• Verify FileNet Enterprise Manager
    o Logon to FEM as fnadmin
• Verify the Application Engine is up and running
    o Logon to XT (http://ae-dev:9080/WorkplaceXT) as fnadmin
• Verify the Process Engine is up and running
    o http://pe-dev:32776/IOR/ping
• Verify the Forms Server is up and running
    o http://forms-dev:8085/translator/Translate?Action=toolbelt

Backup GCD Database

All of the account passwords can easily be reverted except the Content Engine LDAP
bind account, which is stored as a blob object inside the GCD database. It is best
practice to back up the GCD database before modifying the passwords.

Modify LDAP Bind Account Password

Follow the steps below to change the password of the domain account fnldapbind:

1. Launch FileNet Enterprise Manager (FEM) from the server where it is installed
(e.g. DEV: CE-DEV), and login as fnadmin.

2. From the CE server (e.g. DEV: CE-DEV), launch the WAS admin console, and
login as wasadmin.

3. From the AE server (e.g. DEV: AE-DEV), launch the WAS admin console, and
login as wasadmin.

4. From the Forms server (e.g. DEV: FORMS-DEV), launch the WAS admin
console, and login as wasadmin.

Important: Do not close the above applications until later steps are completed
below.

5. Change the password of the domain fnldapbind account on the LDAP server.

6. Go to FEM on the server (e.g. DEV: CE-DEV) and follow the steps below:
    a. From the top of the left pane of the window, right-click Enterprise
       Manager [] and select Properties.
    b. Click the Directory Configuration tab, have Active Directory selected,
       and click Modify.
    c. On the Modify Directory Configuration window, under the General tab,
       check Change Password.
    d. Specify a new password for 'fnldapbind' on Password and Confirm
       Password. (Important Note: Verify and type in the new password
       correctly.)

Figure 1. Modify FEM Directory Configuration

    e. Click OK.

    Note: At this point you will be presented a dialog box with the following
    message:
    "These changes require the application server to be restarted. Please
    restart the application server to incorporate these changes".

    Important: Do not restart any application server until later steps are
    completed below.

    f. Click OK, and then click OK.

7. Go to the logged-in WAS admin console on the CE server (e.g. DEV: CE-DEV)
   and follow the steps below:
    a. Expand Security and click Global Security.
    b. Click Configure…
    c. On the table for Repositories in the realm, click <LDAP> on the
       Repository Identifier column.
    d. Specify the new password for 'fnldapbind' in the Bind password field.

Figure 2. Modify WebSphere LDAP Server Bind Password

    e. Click OK, and then click Save for the change.
    f. Remain logged on.

8. Go to the logged-in WAS admin console on the AE server (e.g. DEV: AE-DEV),
follow the same sub-steps described on Step 7 above.

9. Go to the logged-in WAS admin console on the Forms server (e.g. DEV: FORMS-DEV),
   follow the same sub-steps described on Step 7 above.

10. From the server (e.g. DEV: CE-DEV) where FEM is installed, close FEM.

11. From the CE server (e.g. DEV: CE-DEV), follow the steps below:
    a. Logout of the WAS admin console.
    b. Stop the application server server1.
        i. cd c:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
        ii. stopServer server1 -username wasadmin -password <PASSWORD>
    c. Remove the cached subdirectories from the application server temp
       directory:
       C:\IBM\WebSphere\AppServer\profiles\AppSrv01\temp\*
    d. Remove the cached subdirectories from the application server wstemp
       directory:
       C:\IBM\WebSphere\AppServer\profiles\AppSrv01\wstemp\*

12. From the AE and Forms server follow the same sub-steps described on Step 11
above.

13. From the CE server (e.g. DEV: CE-DEV), follow the steps below:
    a. Start the application server server1.
        i. cd c:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
        ii. startServer server1

14. From the AE server and Forms server follow the same sub-steps described on Step
13 above.

15. Verify the P8 System Health.

Note: If you cannot access the administrative console due to security errors, you can
disable the global security and verify the LDAP bind account. Follow the Disabling global
security tech note.
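A PowerShell version of the restart in steps 11 and 13, added here as an example and not part of the original article. It assumes the article's profile path (AppSrv01) and server name (server1), prompts for the wasadmin password instead of embedding it, and is run once on each of the CE, AE and Forms servers (steps 12 and 14).

```powershell
# Added example (not from the article): restart server1 after the bind password
# change, clearing the profile's temp and wstemp caches while it is down
# (steps 11 and 13 above). Run once per P8 node: CE, AE and Forms servers.
# Assumptions: the AppSrv01 profile path and server name from the article.
param(
    [string]$ProfileDir = 'C:\IBM\WebSphere\AppServer\profiles\AppSrv01',
    [string]$Server     = 'server1',
    [string]$AdminUser  = 'wasadmin'
)

$stopCmd  = Join-Path $ProfileDir 'bin\stopServer.bat'
$startCmd = Join-Path $ProfileDir 'bin\startServer.bat'

# Prompt for the wasadmin password so it is neither stored in the script nor
# left in the shell history.
$cred  = Get-Credential $AdminUser
$plain = $cred.GetNetworkCredential().Password

# Step 11.b: stop server1 with the administrative credentials.
& $stopCmd $Server -username $AdminUser -password $plain
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "stopServer $Server failed (exit code $LASTEXITCODE)" }

# Steps 11.c and 11.d: remove the cached subdirectories under temp and wstemp.
# Only the contents are removed; the directories themselves stay in place.
foreach ($cache in 'temp', 'wstemp') {
    $dir = Join-Path $ProfileDir $cache
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | Remove-Item -Recurse -Force
        Write-Host "Cleared $dir"
    }
}

# Step 13: start server1 again, then verify P8 system health (step 15).
& $startCmd $Server
if ($LASTEXITCODE -ne 0) { throw "startServer $Server failed (exit code $LASTEXITCODE)" }
Write-Host "$Server restarted; verify the P8 system health URLs before continuing."
```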

Modify Content Engine Bootstrap LDAP Account Password

Follow the steps below to change the password of the bootstrap account fnadmin:

1. Login to the CE server (e.g. DEV: CE-DEV).

2. Go to C:\IBM\FileNet\ContentEngine\tools\configure\profiles\ConfigCE\ear and
backup Engine-ws.ear.

3. Start the Configuration Manager.

4. Select File > Open profiles… and navigate to the path
   C:\IBM\FileNet\ContentEngine\tools\configure\profiles\ConfigCE to select
   ConfigCE.cfgp that describes the installation.

Note: Leave this window open and do not change anything yet. The Bootstrap user
password is the field that will be changed later in this procedure.

5. Change the password of the domain fnadmin account on the LDAP server.

Figure 3. Configure Bootstrap properties in Configuration Manager

6. Return to the window containing Configuration Manager, right-click
   Configuration Bootstrap Properties and select Edit Selected Task.

7. Set the Bootstrap Operation property to Modify Existing and change the
Bootstrap user password.

8. Use Configuration Manager's features to save and run the task.

Note: From Configuration Manager, save the Configuration Bootstrap
Properties task and run the task to ensure that there is no error.

9. Right-click Deploy Application and select Edit Selected Task.

10. Run the Deploy Application task to ensure that there is no error.

11. Close Configuration Manager.

12. From the CE server (e.g. DEV: CE-DEV), follow the steps below:
    a. Stop and start the application server server1.
        i. cd c:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
        ii. stopServer server1 -username wasadmin -password <PASSWORD>
        iii. startServer server1

13. Verify the change by logging on to FEM from the server where it is installed (e.g.
DEV: CE-DEV), and performing a user and group look up.

Note: If the connection fails, check SystemOut.log, verify the datasource test
connection in the WAS admin console and restart CE server1.


Modify Process Engine Service LDAP Account Password

Follow the steps below to change the password of the process engine account peadmin:

1. Login to the PE server (PE-DEV).

2. Start the Process Task Manager.

3. Select the Security tab in the Process Engine node

4. Change the Service password for peadmin.

Figure 4. Modify LDAP Password in Process Task Manager

5. Click Test Connection

6. Click Apply.

7. Click Yes to restart process engine.

Modify Content Engine Database Account Password

Follow the steps below to change the password of the content engine account cedbadmin:

1. Login to the CE server (CE-DEV).


2. Login to the WebSphere Administrative Console using wasadmin.

3. Expand Security and click Global Security

4. Expand Java Authentication and Authorization Services and click J2C
   authentication data.

5. Click the P8 alias for the user cedbadmin.

6. Enter the new database password for cedbadmin. Click OK

Figure 5. Modify DB Password in WebSphere

7. Click Save for the change.

8. Expand Resources -> JDBC and click Data Sources

9. Select all the P8 data sources and click Test connection


Figure 6. Verify DB Connections

10. Verify that the connection is successful.

11. Click Logout.

Modify Process Engine Database Account Password

Follow the steps below to change the password of the process engine account pedbadmin:

1. Login to the PE server (PE-DEV).

2. Start the Process Task Manager.

3. Select the Database tab in the Process Engine node

4. Enter the new database password for pedbadmin.


Figure 7. Modify DB Password in Process Task Manager

5. Click Test Connection

6. Click Apply.

7. Click Yes to restart process engine.

Modify P8 LDAP Passwords already reset in LDAP

The normal procedure modifies the LDAP password simultaneously in the LDAP, P8 and
WebSphere environments. If the passwords have already been reset in LDAP, the process
becomes more complex because the P8 system is unstable and unusable in the meantime.
The steps below bring the P8 system back online with the new LDAP password.

• Backup the GCD database

Modify the WebSphere Bind Password

1. Stop or kill the WebSphere Application processes (CE, XT and Forms)


2. Disable the WebSphere security by modifying the first instance of enabled="true"
   to enabled="false" in security.xml
   (WAS_install_root/profile/profile_name/config/cells/cellname).

3. Note: Follow the Disabling Global Security tech note.

4. Start the WebSphere Application Server

> cd C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin

> startServer server1

5. Logon to the WAS admin console, follow the steps below:

a. Expand Security and click Global Security.

b. Click Configure…

c. On the table for Repositories in the realm, click <LDAP> on the

Repository Identifier column.

d. Specify the new password for ‘fnldapbind’ in the Bind password field.

e. Click OK, and then click Save for the change.

f. Click Global Security on left panel.

g. Check the Administrative Security, Check Application Security and

Uncheck Java Security.

h. Click OK, and then click Save for the change.

6. Restart the WebSphere Application Server

> cd C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin

> stopServer server1

> startServer server1
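The scriptable part of the recovery above (steps 2 and 4) as a PowerShell example, added here and not part of the original article. It assumes the article's AppSrv01 profile path and a stand-alone profile with one cell, discovers the cell directory rather than hard-coding it, and is run after the server has been stopped (step 1); step 5 is still done in the admin console.

```powershell
# Added example (not from the article): back up security.xml, change only the
# FIRST enabled="true" (the attribute on the root security:Security element,
# which is what "first instance" refers to) to enabled="false", and start server1
# so the admin console can be reached without a valid bind password. Later
# enabled="true" attributes in the file belong to other settings and are kept.
# Assumptions: the AppSrv01 profile path from the article; one cell directory.
param(
    [string]$ProfileDir = 'C:\IBM\WebSphere\AppServer\profiles\AppSrv01',
    [string]$Server     = 'server1'
)

# security.xml lives in config\cells\<cellname>; a stand-alone profile has one cell.
$cellsDir = Join-Path $ProfileDir 'config\cells'
$cells = @(Get-ChildItem -Path $cellsDir | Where-Object { $_.PSIsContainer })
if ($cells.Count -ne 1) { throw "Expected one cell under $cellsDir, found $($cells.Count)" }
$securityXml = Join-Path $cells[0].FullName 'security.xml'

$content = [System.IO.File]::ReadAllText($securityXml)
$marker  = 'enabled="true"'
$idx     = $content.IndexOf($marker)
if ($idx -lt 0) {
    throw "No enabled=`"true`" in $securityXml; global security appears to be off already"
}
# Guard: the first match must sit on the root security element, not a nested one.
if ($content.Substring(0, $idx) -notmatch '<security:Security\b') {
    throw "First enabled=`"true`" is not on the security:Security element; edit by hand"
}

# Keep a timestamped copy so the change can be reverted (or compared) later.
$backup = "$securityXml.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $securityXml -Destination $backup

# Replace only that first occurrence; plain string surgery avoids an XML
# round-trip that could reorder attributes or change namespace prefixes.
$updated = $content.Substring(0, $idx) + 'enabled="false"' +
           $content.Substring($idx + $marker.Length)
[System.IO.File]::WriteAllText($securityXml, $updated)
Write-Host "Global security disabled in $securityXml (backup: $backup)"

# Step 4: start server1 with security off, then do step 5 in the admin console.
& (Join-Path $ProfileDir 'bin\startServer.bat') $Server
if ($LASTEXITCODE -ne 0) { throw "startServer $Server failed (exit code $LASTEXITCODE)" }
```

After step 5 re-enables Administrative and Application security in the console, the restart in step 6 brings the server back with the new bind password; keep the .bak copy until that restart has been verified.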


Modify the CE BootStrap Password

Follow the Modify Content Engine Bootstrap LDAP Account Password steps.

Modify the CE LDAP Bind Password

The only way the CE LDAP bind password can be modified is by executing a tool
provided by IBM support. Call IBM support for help in modifying the CE LDAP bind
password. Support will provide a GCDUtility tool that changes the CE LDAP bind
password, which is stored in a blob in the GCD database. The tool requires the GCD
database account information and the Content Engine application EAR located on the
Content Engine server.

Modify the PE LDAP Bind Password

Follow the Modify Process Engine Service LDAP Account Password steps.

Conclusion
This article described how to manage the P8 passwords in an environment where the
LDAP and DB passwords expire due to company policies. The article also discussed how
to modify the passwords when the administrator has reset them in LDAP rather than
following the P8 process to modify them.

Acknowledgements
Thanks to the following reviewers who spent their valuable time reviewing and giving
their suggestions and comments on all aspects of this article:
• Jean-Marc Vergans - Client Technical Professional (FileNet Specialist)

Resources
• Refer to IBM FileNet P8 documentation for information about FileNet accounts.
    o Change Bootstrap admin password
    o Configure Process Engine security
• Technote: Disabling Global Security.
• Technote: Procedure to change username and/or password for FileNet Content
  Engine
