IBM
Manoj Khilnani
Abstract: FileNet P8 is a very complex system with many different components, technologies and databases.
The management of the system requires understanding of multiple products and the integration between these
products and P8 components. The P8 system requires accounts to authenticate with other products. These
accounts are stored in different types of repositories and require separate processes to manage the accounts.
This article covers all aspects of the P8 product involved in the password modification. The article discusses
the LDAP and DB password changes and how to manage the P8 system while performing these changes.
About the author: Manoj Khilnani is a Senior Managing Consultant working with IBM Software
Services for Federal (ISSF). He is a certified IT Specialist and FileNet Consultant. He has 16 years of
software development life-cycle experience. In the last few years, he has extensively worked on
ECM products such as DB2 Content Manager and FileNet P8. Reach out to him at
mkhilnan@us.ibm.com
Managing P8 LDAP and DB passwords in a dynamic environment: Process to modify the P8 System LDAP
and DB passwords
Introduction
Explore P8 System
P8 System LDAP Users
P8 System DB Users
P8 System Architecture
Verify P8 System Health
Backup GCD Database
Modify LDAP Bind Account Password
Figure 1. Modify FEM Directory Configuration
Figure 2. Modify WebSphere LDAP Server Bind Password
Modify Content Engine Bootstrap LDAP Account Password
Figure 3. Configure Bootstrap properties in Configuration Manager
Modify Process Engine Service LDAP Account Password
Figure 4. Modify LDAP Password in Process Task Manager
Modify Content Engine Database Account Password
Figure 5. Modify DB Password in WebSphere
Figure 6. Verify DB Connections
Modify Process Engine Database Account Password
Figure 7. Modify DB Password in Process Task Manager
Modify P8 LDAP Passwords already reset in LDAP
Conclusion
Acknowledgements
Resources
Introduction
FileNet P8 is a very complex system with many different components, technologies and
databases. The management of the system requires an understanding of multiple products
and their integration. The FileNet P8 system requires accounts to authenticate with other
products. These accounts are stored in different types of repositories and require separate
processes to modify the passwords.
This article covers all aspects of the product involved in the password modification. The
article discusses the LDAP and DB password changes and how to manage the FileNet P8
system while performing these changes.
IMPORTANT NOTE: Because of the relative complexity of this procedure, unless there
is an overriding reason to change the password of this important account, you can consider
exempting the Directory Server bind user account from your password change policy if
this still meets your security requirements.
Note: The article references FileNet P8 v5.1 and WebSphere v7 deployed on the Windows
operating system.
Explore P8 System
P8 System LDAP Users
Below is the list of directory server accounts that will require the P8 system to be
reconfigured if the password changes.
1. Content Engine bootstrap account (fnadmin): The account details are captured
in the FileNet Configuration Manager Bootstrap section. The details are used in the
CEMPBoot.properties file that is archived in the Content Engine EAR file. Any
password changes to the account will require redeployment of the Content Engine
application.
2. Content Engine LDAP bind account (fnldapbind): The account details are
captured in the FileNet Configuration Manager LDAP section and Enterprise
Manager directory configuration wizard. Any password changes to the account
will require the WebSphere and Enterprise Manager to be modified in conjunction
with the LDAP password changes.
The LDAP account for WebSphere is stored in the XML file. The LDAP account
for the Content Engine is stored as a blob object in the GCD database.
the account will require the WebSphere to be modified in conjunction with the
LDAP password changes.
4. Process Engine Service account (peadmin): The account details are captured in
the Process Task Manager. Any password changes to the account will require the
Process Task Manager to be updated.
Note: P8 system does not store the WebSphere administrative account (wasadmin).
This account is used to login to the WebSphere Admin Console.
Note: The article assumes the WebSphere LDAP bind account (fnldapbind) is
different than the bootstrap account (fnadmin).
P8 System DB Users
Below is the list of database accounts that will require the P8 system to be reconfigured if the
password changes.
Note: For IBM Case Manager, there is only a single combined database and a single
database user account.
P8 System Architecture
The article considers the deployment of P8 in a non-HA environment. Each P8 component
is installed in its own VM image, as listed below.
Content Engine Server : CE-DEV
Process Engine Server : PE-DEV
WorkplaceXT Server : AE-DEV
Forms Server: FORMS-DEV
1. Launch FileNet Enterprise Manager (FEM) from the server where it is installed
(e.g. DEV: CE-DEV), and login as fnadmin.
2. From the CE server (e.g. DEV: CE-DEV), launch the WAS admin console, and
login as wasadmin.
3. From the AE server (e.g. DEV: AE-DEV), launch the WAS admin console, and
login as wasadmin.
4. From the Forms server (e.g. DEV: FORMS-DEV), launch the WAS admin
console, and login as wasadmin.
Important: Do not close the above applications until later steps are completed
below.
6. Go to FEM on the server (e.g. DEV: CE-DEV), follow the steps below:
a. From the top on the left pane of the window, right-click Enterprise
Manager [] and select Properties.
1. Click OK.
Note: At this point you will be presented with a dialog box with the following
message:
“These changes require the application server to be restarted. Please
restart the application server to incorporate these changes”.
Important: Do not restart any application server until later steps are
completed below.
7. Go to the logged-in WAS admin console on the CE server (e.g. DEV: CE-DEV),
follow the steps below:
8. Go to the logged-in WAS admin console on the AE server (e.g. DEV: AE-DEV),
follow the same sub-steps described in Step 7 above.
9. Go to the logged-in WAS admin console on the forms server (e.g. DEV: FORMS-DEV),
follow the same sub-steps described in Step 7 above.
10. From the server (e.g. DEV: CE-DEV) where FEM is installed, close FEM.
11. From the CE server (e.g. DEV: CE-DEV), follow the steps below:
C:\IBM\WebSphere\AppServer\profiles\AppSrv01\wstemp\*
12. From the AE and Forms servers, follow the same sub-steps described in Step 11
above.
13. From the CE server (e.g. DEV: CE-DEV), follow the steps below:
14. From the AE server and Forms server, follow the same sub-steps described in Step
13 above.
Note: If you cannot access the administrative console due to security errors, you can
disable the global security and verify the LDAP bind account. Follow the Disabling global
security tech note.
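One way to verify the LDAP bind account password directly against the directory server, without going through the WAS admin console, is a single LDAP simple bind. The script below is an added example, not part of the original article; the host name, port (LDAPS is assumed) and bind DN are placeholders to replace with your directory's values.

```powershell
# Added example: one-shot LDAP simple bind to confirm the fnldapbind password.
# $Server, $Port and $BindDn defaults are hypothetical placeholders (assumptions).
param(
    [string]$Server = 'ldap.example.com',
    [int]$Port      = 636,
    [string]$BindDn = 'cn=fnldapbind,ou=service,dc=example,dc=com'
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param([string]$Server, [int]$Port, [string]$BindDn, [securestring]$Password)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $true   # keep the simple bind inside TLS
        $conn.Timeout = [TimeSpan]::FromSeconds(10)
        $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
        $conn.Bind($cred)                                # throws LdapException on failure
        return 'OK'
    }
    catch {
        # PowerShell may wrap the .NET exception; unwrap to the innermost one.
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            switch ($ex.ErrorCode) {
                49      { return 'INVALID_CREDENTIALS' }  # LDAP invalidCredentials
                81      { return 'SERVER_UNAVAILABLE' }   # host, port or TLS problem
                default { return "LDAP_ERROR_$($ex.ErrorCode)" }
            }
        }
        throw
    }
    finally { $conn.Dispose() }
}

# Prompt for the password so it never appears on the command line or in history.
$pw     = Read-Host -AsSecureString "Password for $BindDn"
# Exactly one bind attempt, so a mistyped password counts once toward any lockout policy.
$result = Test-LdapBind -Server $Server -Port $Port -BindDn $BindDn -Password $pw
Write-Host "Bind result for ${BindDn}: $result"
if ($result -ne 'OK') { exit 1 }
```

A result of SERVER_UNAVAILABLE points at connectivity or certificate trust rather than the password, so check that before retrying the bind.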
Follow the steps below to change the password of the bootstrap account fnadmin:
2. Go to C:\IBM\FileNet\ContentEngine\tools\configure\profiles\ConfigCE\ear and
backup Engine-ws.ear.
Note: Leave this window open and do not change anything yet. The Bootstrap user
password is the field that will be changed later in this procedure.
7. Set the Bootstrap Operation property to Modify Existing and change the
Bootstrap user password.
10. Run the Deploy Application task to ensure that there is no error.
12. From the CE server (e.g. DEV: CE-DEV), follow the steps below:
a. Stop and start the application server server1.
i. cd c:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
ii. stopServer server1 -username wasadmin -password <>
iii. startServer server1
13. Verify the change by logging on to FEM from the server where it is installed (e.g.
DEV: CE-DEV), and performing a user and group look up.
Note: If the connection fails, check the systemout.log, verify the datasource test
connection in the WAS admin console, and restart CE server1.
6. Click Apply.
6. Click Apply.
(WAS_install_root/profile/profile_name/config/cells/cellname)
> cd C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
b. Click Configure…
d. Specify the new password for ‘fnldapbind’ in the Bind password field.
> cd C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
Conclusion
This article described how to manage the P8 passwords in an environment where the
LDAP and DB passwords expire due to company policies. The article also discussed
how to modify the passwords when the administrator resets the passwords rather than
following the P8 process to modify them.
Acknowledgements
Thanks to the following reviewers who spent their valuable time reviewing and giving
their suggestions and comments on all aspects of this article:
Jean-Marc Vergans - Client Technical Professional (FileNet Specialist)
Resources
Refer to IBM FileNet P8 documentation for information about FileNet accounts.
o Change Bootstrap admin password
o Configure Process Engine security
Technote: Disabling Global Security.
Technote: Procedure to change username and/or password for FileNet Content
Engine