How to change Bootstrap admin password
This procedure describes how to change the password for the Content Engine
system user (also known as the bootstrap administrator, or ce_bootstrap_admin). The credentials
for this account are entered during Content Engine configuration. Configuration
Manager places this user name and its password into the Content Engine bootstrap file and
subsequently into the GCD. The account appears in the following locations, all of
which this procedure covers:
- The Content Engine's bootstrap file. In this location ce_bootstrap_admin is called the
Content Engine system user.
- On WebLogic and WebSphere, the Content Engine installation program grants this account the
role of application server administrator, also called the application server's
console administrator. (JBoss has no similar requirement.)
- The Content Engine installation program gives this account Full Control access to the GCD, which defines
the FileNet P8 domain. It will appear in Enterprise Manager's domain root
property sheet, on the Security tab. In this location this account is
the GCD Administrator.
- Many installations will also enter this account into the
Content Engine installation program as the directory service user account, the account
that Content Engine uses to bind to the directory server (also called the
LDAP). The installation program places the account into the application server's
authentication configuration location, where it is referred to as the directory
service user.
Changing ce_bootstrap_admin's password in the directory server means
that you must at the same time change it in these several locations. If you
do not, the bootstrap file will not be able to authenticate to the LDAP and
Content Engine will not be able to start. You can also lock yourself out from
Enterprise Manager. Therefore, follow this procedure carefully to avoid this
scenario.
NOTE This procedure requires access to the Content Engine location, to the
application server console, and to the directory server.
NOTE Because of the relative complexity of this procedure, unless there is
an overriding reason to change the password of this important account, you
should consider exempting the Content Engine System User account from your
password change policy.
NOTE Some steps below will be different for installations using JBoss, as JBoss does
not have an administrative console or the need to log in as an administrator.
To change the Content Engine system user password
- Back up the Engine-##.ear file, where ws denotes WebSphere, wl denotes
WebLogic, and jb denotes JBoss. You can then revert to the last known good
ear file if changing the password fails.
- On the server containing Content Engine, open a command window and navigate
to the installation location.
- Use the BootstrapConfig utility, described above, to list the current
Username and EncryptedPassword entry on an Engine-##.ear file, as in
the following WebLogic example:
java -jar BootstrapConfig.jar -e Engine-wl.ear -l
- Do not change anything yet. Leave this command window open while
doing the remaining steps.
- Log in to Enterprise Manager as GCD administrator.
- In Enterprise Manager, right-click the Root Folder, and then click Properties.
- Click the Directory Configuration tab.
- Select the row that represents the configuration parameters pointing
to the LDAP location that the Content Engine system user belongs
to, and click Edit.
- When the Modify Directory Configuration dialog box opens, view
the value for the Directory Service User.
NOTE If this account is the same as the Content Engine system user identified
in step 1, do all the steps that follow. If it is different, then use
just this step by itself to change its password if and only if it is
being changed on the LDAP.
- Do not change anything yet. Leave the dialog box open while doing
the remaining steps.
- (WebLogic and WebSphere) Log in to your application server console.
- Stop the application server.
- Navigate to the authentication provider panel containing the
ID and password for the directory service user account.
- WebLogic: this will be the value of the Principal field
in the Authentication Provider for the WebLogic domain containing
Content Engine.
- WebSphere: this will be the bind user account in the
Profile containing Content Engine.
- JBoss: the directory service user account is contained
in the login-config.xml file.
- Do not change anything yet. Leave the console open while doing
the remaining steps.
- Log in to your directory server.
- Navigate to the location containing the account for the Content Engine
system user.
- Change its password.
- Save and apply.
- Return to your application server console.
- Change the password of the directory service user account (also known
as the bind account) to the new password.
- Save and apply.
- Do not restart the application server until instructed to do so below.
- Return to the Enterprise Manager dialog box.
- Change the directory service user's password to the new password.
- Click Apply and OK to close the dialog box.
- Return to the command window containing the BootstrapConfig utility.
- Issue a command similar to the following, which uses WebSphere as
an example:
java -jar BootstrapConfig.jar -e Engine-ws.ear [-p password]
- Close the command window.
- Restart the application server.
- Verify the change by logging on to Enterprise Manager as a GCD administrator
and performing a user and group lookup. See Modify an object's security for
one way to do this.
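The backup and revert described in the first step can be scripted so that the copy is verified and kept private. The following is an added example, not part of the original procedure or the product; the function names and the backup file naming scheme are assumptions.

```shell
#!/bin/sh
# Added example: back up and roll back the Content Engine EAR around a
# bootstrap password change. Function names and the ".<timestamp>.bak"
# naming scheme are assumptions for illustration.

# backup_ear EAR_PATH -> prints the path of the verified backup copy
backup_ear() {
    ear=$1
    if [ ! -f "$ear" ]; then
        echo "no such file: $ear" >&2
        return 1
    fi
    bak="$ear.$(date +%Y%m%d%H%M%S).bak"
    if [ -e "$bak" ]; then
        echo "backup already exists: $bak" >&2
        return 1
    fi
    # The EAR holds the system user's name and encrypted password, so the
    # copy must not be readable by other local accounts.
    ( umask 077 && cp "$ear" "$bak" ) || return 1
    chmod 600 "$bak"
    # Refuse to continue unless the copy is byte-identical to the original.
    if ! cmp -s "$ear" "$bak"; then
        rm -f "$bak"
        return 1
    fi
    printf '%s\n' "$bak"
}

# restore_ear BACKUP_PATH EAR_PATH -> puts the last known good EAR back
restore_ear() {
    bak=$1
    ear=$2
    if [ ! -f "$bak" ]; then
        echo "no such backup: $bak" >&2
        return 1
    fi
    cp "$bak" "$ear" && cmp -s "$bak" "$ear"
}

# Use around the procedure's own commands (WebLogic file name from the page):
#   bak=$(backup_ear Engine-wl.ear) || exit 1
#   java -jar BootstrapConfig.jar -e Engine-wl.ear -l
#   ...change the password in each location as described above...
#   restore_ear "$bak" Engine-wl.ear    # only if the change fails
```

A password supplied with -p is part of the command line, so it can appear in shell history and in the process list while the command runs.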