

Update user ID and passwords

WebSphere Portal and IBM WAS use some user accounts from the registry (for example, the LDAP server) for various purposes. This information includes the "Security Server ID" for the JVM, the access ID for authenticated access to databases and LDAP servers, and the WAS and WebSphere Portal administrative IDs. Often this means that the account passwords are stored in the WAS and WebSphere Portal bootstraps configuration files, which allows the authentication process to work.

Before updating any user ID or password, review Special characters in user ID and passwords located under Planning for WebSphere Portal.

If the password for any ID is changed (either through WebSphere Portal or through any other means, including directly through the LDAP administration interfaces), then the password value stored in the appropriate configuration file must be changed at the same time. The following instructions describe how to make the appropriate changes based on which account passwords might have changed.

If you reuse the same account ID/password for multiple purposes, such as using wpsbind as the administrative ID and the LDAP access ID, then you might have to do more than one of the following steps to accommodate the password change. Some changes, particularly changes made through the admin console, require that the admin console be open and the current ID/password logged in before actually making the password change in the registry. Carefully plan which steps are required and in what order to avoid not being able to bring up server processes or log in. Use the following topics to change passwords to better secure your environment.


Change the WebSphere Portal administrator password

WebSphere Portal treats wpsadmin (the administrator) as any other user, just with more permissions granted. With a normal configuration, it is possible to change the wpsadmin or equivalent password through the user interface, just like any other user can manage their own password through the user interface. However, if the wpsadmin account is also used for more than just the administrator, then additional changes, outlined in other steps in this section, must be made to accommodate the change. Follow these steps to change the administrator password:

  1. Log in to WebSphere Portal as the administrator.

  2. Click Edit My Profile.

  3. Change your password in the appropriate box.

  4. Click Continue.

You can also change the Administrator password, like any other user password, using an LDAP editor.


Change the WAS administrator password using WebSphere Portal

Change the WAS administrator password using WebSphere Portal:

  1. Log in to WebSphere Portal as the WAS administrator and select Edit Profile.

  2. Type a new password and click OK.

  3. Perform the Updating the RunAsRole after changing the WAS administrator password steps.


Change the WAS administrator password in the LDAP server using the LDAP administration interface

These steps are valid for changing all passwords in LDAP. Follow these steps to change the WAS administrator password in LDAP if you are using IBM Tivoli Directory Server.

For a different LDAP server, refer to the product documentation for information about changing passwords.

The following directions assume an LDAP tree layout where the users are all in the cn=users,o=wps subtree in the directory server. You should adjust these directions based on your own LDAP server layout.

  1. Log in to the Tivoli Directory Server Web Administration Tool.

  2. Click Directory management > Manage entries.

  3. Select the o=wps RDN and click Expand.

  4. Select cn=users and click Expand.

  5. Select the WAS administrator user and click Edit Attributes.

  6. Click Other attributes.

  7. Enter the new password in the userPassword field.

  8. Click OK.

  9. Exit the Tivoli Directory Server Web Administration Tool.

  10. Perform the Updating the RunAsRole after changing the WAS administrator password steps.


Change the WAS administrator password in the file registry

To change the WAS administrator password stored in the file registry if you are using the federation repository:

  1. Using a command prompt, change to the profile_root/bin directory.

  2. Issue the wsadmin -conntype NONE command and press Enter.

  3. Issue the $AdminTask changeFileRegistryAccountPassword {-userId <wpsadmin_ID> -password <wpsadmin_new_password>} command and press Enter.

  4. Issue the $AdminConfig save command and press Enter.

  5. Perform the Updating the RunAsRole after changing the WAS administrator password steps.
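Steps 1 through 4 above as a script, added here as an example that is not IBM's own code: it prompts for the new password and hands it to wsadmin in a temporary file that only the owner can read, so the value does not appear in shell history or in the process list. The function names, the character allowlist, and the reliance on mktemp, stty and profile_root/bin/wsadmin.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code: scripted form of steps 1-4 above.
# The new password is prompted for, never passed as a command-line argument.

# Accept only non-empty values built from a conservative character set
# (this example's own assumption) so the value cannot break out of the
# Jacl {...} argument list.
is_safe() {
    [ -n "$1" ] && [ "$(printf '%s!' "$1" | tr -d 'A-Za-z0-9._=,@+:/-')" = '!' ]
}

# Write the wsadmin commands from steps 3 and 4 to a private temp file
# (mktemp creates it with mode 0600) and print the file's path.
write_pw_script() {
    user=$1 newpw=$2
    is_safe "$user" && is_safe "$newpw" || return 1
    script=$(mktemp "${TMPDIR:-/tmp}/chgpw.XXXXXX") || return 1
    {
        printf '$AdminTask changeFileRegistryAccountPassword {-userId %s -password %s}\n' \
            "$user" "$newpw"
        printf '$AdminConfig save\n'
    } > "$script"
    printf '%s\n' "$script"
}

# Prompt without echo, run wsadmin offline against the generated file,
# then delete the file whether or not wsadmin succeeded.
change_file_registry_password() {
    profile_root=$1 admin_id=$2
    printf 'New password for %s: ' "$admin_id" >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    f=$(write_pw_script "$admin_id" "$pw") || {
        echo 'user ID or password rejected by is_safe' >&2; return 1; }
    unset pw
    "$profile_root/bin/wsadmin.sh" -lang jacl -conntype NONE -f "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# Usage: sh chgpw.sh <profile_root> <wpsadmin_ID>
if [ "$#" -eq 2 ]; then
    change_file_registry_password "$1" "$2"
fi
```

The allowlist in is_safe is deliberately narrower than what the product accepts; check it against the Special characters in user ID and passwords topic before relying on it.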


Replacing the WAS administrator user ID

Choose one of the following options to replace the WAS administrator user ID:

Using a command line task

  1. Create a new user to replace the current WAS administrative user.

  2. Run the following task to replace the old WAS administrative user with the new user:

      Windows: ConfigEngine.bat wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the profile_root/ConfigEngine directory

      UNIX: ./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the profile_root/ConfigEngine directory

      i5/OS: ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the profile_root/ConfigEngine directory

    This task verifies the user against a running server instance.

    If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

  3. Verify that the task completed successfully.

    In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

Using the admin console

  1. Create a new user to replace the current WAS administrative user.

  2. Replace the Primary administrative user name with the information for the new user. For the ID, retain the fully qualified server ID.

  3. Restart the server1 server.

If you use an external security manager such as Tivoli Access Manager, manually remove the old administrator user ID from the external security manager.


Update the RunAsRole after changing the WAS administrator password

You can change the password for the IBM WAS administrator user ID using the WebSphere Portal Edit My Profile portlet, the native utilities for the user repository (such as the LDAP administration interface), or the WAS Administrative utilities. Regardless of which option you choose, once you have successfully updated the password, also update the RunAsRole for the PZNScheduler application. To update the RunAsRole, which changes the stored password:

  1. Log in to the WAS Integrated Solutions Console with your new password.

  2. Navigate to Applications > Enterprise applications and locate the pznscheduler application.

  3. Click User RunAs Roles.

  4. Select RuleEventRunAsRole and then click Remove.

  5. Enter the fully distinguished name of the WAS Administrator in the username field and the new password in the password field.

  6. Click Apply to apply your changes.

  7. Click OK, save your changes, and then restart the server.


Replacing the WebSphere Portal administrator user ID

To replace the WebSphere Portal administrative user ID:

  1. Create a new user to replace the current WebSphere Portal administrative user.

  2. Run the following task to replace the old WebSphere Portal administrative user with the new user:

      Windows: ConfigEngine.bat wp-change-portal-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup from the profile_root/ConfigEngine directory

      UNIX: ./ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup from the profile_root/ConfigEngine directory

      i5/OS: ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup from the profile_root/ConfigEngine directory

    This task verifies the user against a running server instance.

    If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

  3. Verify that the task completed successfully.

    In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.


Change the LDAP bind password

For an LDAP server as the user registry, adapt the LDAP bind user ID using the appropriate task to update the LDAP user registry. Choose the appropriate file to view for information on how to change the LDAP bind password:


Table 1. Choose the appropriate file for information on how to change the LDAP bind password

Operating system | Standalone LDAP user registry | Federated LDAP user registry
AIX | Updating the stand-alone LDAP user registry on AIX | Updating the federated LDAP user registry on AIX
HP-UX | Updating the stand-alone LDAP user registry on HP-UX | Updating the federated LDAP user registry on HP-UX
i5/OS | Updating the stand-alone LDAP user registry on i5/OS | Updating the federated LDAP user registry on i5/OS
Linux | Updating the stand-alone LDAP user registry on Linux | Updating the federated LDAP user registry on Linux
Solaris | Updating the stand-alone LDAP user registry on Solaris | Updating the federated LDAP user registry on Solaris
Windows | Updating the stand-alone LDAP user registry on Windows | Updating the federated LDAP user registry on Windows

