IBM Intelligent Operations Center Password Management

Transcription

1 IBM Intelligent Operations Center Password Management

2 ii IBM Intelligent Operations Center Password Management

3 Contents Chapter 1. Managing user and system passwords Chapter 2. Configuration changes required prior to using the password management tool Chapter 3. Changing passwords in IBM Intelligent Operations Center Password changes managed using IBM Security Identity Manager Password changes not managed by IBM Security Identity Manager Chapter 4. Using IBM Security Identity Manager Viewing system users managed by IBM Security Identity Manager Changing system passwords using IBM Security Identity Manager Synchronizing password changes that are made through IBM Security Identity Manager Synchronizing password changes made outside IBM Security Identity Manager Viewing and changing system user password policies Managing services Chapter 5. Changing system passwords not managed by IBM Security Identity Manager Changing the Tivoli Directory Server administration ID password Changing the WebSphere Application Server version 7 administration ID password Changing the WebSphere Application Server version 8 administration ID password Changing the Tivoli Directory Server bind ID password for WebSphere Application Server version 7.0 and version Changing the Tivoli Directory Server replica bind credentials password Changing the Tivoli Directory Server proxy server DN credentials password Chapter 6. Using the password management tool Standard environment password management tool syntax High availability environment password management tool syntax Using the password management tool to synchronize passwords managed by IBM Security Identity Manager Using the password management tool to synchronize passwords not managed by IBM Security Identity Manager Chapter 7. Synchronizing password changes that cannot be made using the password management tool Importing the LTPA token into Lotus Domino Changing the LDAP bind password in IBM Lotus Sametime Changing the POSIX Linux agent password Encrypting database, LDAP, and application server user passwords Updating the IBM Security Identity Manager system user password Updating the database password in the Cognos configuration file iii

4 iv IBM Intelligent Operations Center Password Management

5 Chapter 1. Managing user and system passwords IBM Intelligent Operations Center provides a version of IBM Security Identity Manager allowing administrators to manage user and application IDs. Tools are provided to assist with password management, the ability to create and manage user accounts on multiple systems, and auditing. Administrators can remotely manage the provided Tivoli Directory Server and Linux accounts. A copy of the topology properties file used when IBM Intelligent Operations Center was installed can be used as a repository to store the current passwords assigned to each ID. This file can then be used as a reference when changing passwords. Since the passwords are in clear text, this reference file should be maintained in a secure location. 1

6 2 IBM Intelligent Operations Center Password Management

7 Chapter 2. Configuration changes required prior to using the password management tool The IBM Intelligent Operations Center configuration must be changed to enforce Linux user password policies defined in IBM Security Identity Manager. About this task Use the following steps to change each IBM Intelligent Operations Center server. In a standard environment, use these steps to update the configuration for the following servers: v Application server v Data server v Analytics server v Web server In a high availability environment, use these steps to update the configuration for the following servers: v Application server 1 v Application server 2 v Data server 1 v Data server 2 v Analytics server 1 v Analytics server 2 v Web server 1 v Web server 2 Procedure 1. Log on to the server as a root user and open a terminal window. 2. Create a backup copy of the /etc/pam.d/system-auth file. 3. Edit the /etc/pam.d/system-auth file. 4. Change the pam_unix.so sha512 shadow nullok try_first_pass use_authtok line. From: password required pam_unix.so sha512 shadow nullok try_first_pass use_authtok To: password requisite pam_unix.so sha512 shadow nullok try_first_pass use_authtok This will force the pam_unix.so module results to be successful so authentication can continue. 5. Change the /opt/ibm/tdi/v7.1/pwd_plugins/pam/libpamtivoli_64.so use_first_pass /opt/ibm/tdi/v7.1/pwd_plugins/pam/pwsync_ioc.props line. From: password sufficient /opt/ibm/tdi/v7.1/pwd_plugins/pam/libpamtivoli_64.so use_first_pass /opt/ibm/tdi/v7.1/pwd_plugins/pam/pwsync_ioc.props To: password requisite /opt/ibm/tdi/v7.1/pwd_plugins/pam/libpamtivoli_64.so use_first_pass /opt/ibm/tdi/v7.1/pwd_plugins/pam/pwsync_ioc.props This will force the libpamtivoli_64.so module results to be successful so authentication can continue. 6. Move the following line so it is after the line beginning: password requisite pam_cracklib.so... password requisite /opt/ibm/tdi/v7.1/pwd_plugins/pam/libpamtivoli_64.so use_first_pass /opt/ibm/tdi/v7.1/pwd_plugins/pam/pwsync_ioc.props This will cause the libpamtivoli_64.so module to be called after the pam_cracklib.so module. 3

8 7. Delete the following line. password required pam_deny.so 8. Save your changes. 9. Check whether the password synchronization Java proxy process is running using the following command:. ps -ef grep "pam/pwsync_ioc.props" 10. If the password synchronization Java proxy process is running, run the following command as root from the command line to stop the password synchronization Java proxy process: /opt/ibm/tdi/v7.1/pwd_plugins/bin/stopproxy.sh /opt/ibm/tdi/v7.1/pwd_plugins/pam/ pwsync_ioc.props What to do next The password synchronization Java proxy process will be automatically started when the Linux passwd command is run. 4 IBM Intelligent Operations Center Password Management

9 Chapter 3. Changing passwords in IBM Intelligent Operations Center IBM Intelligent Operations Center includes products and tools allowing you to change passwords and synchronize those changes across the IBM Intelligent Operations Center environment. About this task IBM Intelligent Operations Center provides a version of IBM Security Identity Manager as well as a password management tool to synchronize password changes where possible. Manual password changes as well as manual password synchronization is required in some cases. When the application user password is changed using IBM Security Identity Manager, the password is only updated on the target system or application. For example, if the password of the database instance owner (db2inst1) is changed, the password is only updated on the Linux systems where the user exists. If the password of WebSphere Portal admin user (wpsadmin) is changed, the password is only updated in the LDAP application. Password changes are not propagated to all places where the password is used. The password management tool is used to synchronize password changes made through IBM Security Identity Manager across the IBM Intelligent Operations Center. The password management tool can also be used to synchronize some password changes that are made outside of IBM Security Identity Manager. The password management tool is installed on the application server in a standard environment, or application server 1 in a high availability environment. The tool is located in the /opt/ibm/pmt directory. Run the password management tool script as the ibmadmin user. Important: Password changes should be made and synchronized in a serial manner. Procedure 1. Change the password using IBM Security Identity Manager, if supported, or using manual password change steps. 2. Synchronize the password change using the password management tool, if supported, or using manual steps. 3. Complete any required manual instructions. 4. Restart all IBM Intelligent Operations Center servers. a. Stop all IBM Intelligent Operations Center components by running the platform control tool. b. Check that all of the components have stopped successfully by reviewing the displayed messages. c. Shut down the Linux operating system on all servers. d. Start the Linux operating system on all servers. IBM Intelligent Operations Center components will start automatically. This can take some time. 5. Verify that the password was successfully changed, synchronized, and tested for the appropriate application user before changing the next password. Password changes managed using IBM Security Identity Manager A number of IBM Intelligent Operations Center system users and passwords can be managed using the version of IBM Security Identity Manager provided with the product. Once changed, the password management tool is used to propagate the changes across all IBM Intelligent Operations Center servers. 5

10 Information on the application IDs shown in Table 1 can be viewed through IBM Security Identity Manager. For IBM Intelligent Operations Center to operate successfully, any ID with the string "{DO NOT DELETE} Application User" in the Last Name field should not be deleted or modified. Table 1. IBM Intelligent Operations Center application IDs that can be managed using IBM Security Identity Manager Account name Account ID IBM Intelligent Operations Center capability Account description DB2 DAS user 1 dasusr1 database server The ID used to run the database administration server. This user ID is also used by the DB2 GUI tools for local server database instance and database administration tasks. DB2 fence user 1 db2fenc1 database server The fenced user ID for DB2 instance user 1. This user ID is used to run user defined functions (UDFs) and stored procedures outside the address space used by the DB2 database. DB2 fence user 2 db2fenc2 database server The fenced user ID for DB2 instance user 2. This user ID is used to run user defined functions (UDFs) and stored procedures outside the address space used by the DB2 database. DB2 instance user 1 db2inst1 database server The DB2 instance owner controlling all DB2 processes for the first DB2 instance. This user owns all file systems and devices used by the databases contained within the instance. DB2 instance user 2 db2inst2 database server The DB2 instance owner controlling all DB2 processes for the second DB2 instance. This user owns all file systems and devices used by the databases contained within the instance. DB2 user for IBM WebSphere Business Monitor db2ibm database server The administration user ID for IBM WebSphere Business Monitor databases. DB2 user for WebSphere Portal This user ID is defined by the WBM.DB.USER property in the topology properties file. db2portl database server The administration user ID for WebSphere Portal databases. This user ID is defined by the PORTAL.DB.USER property in the topology properties file. DB2 user for IBM Worklight db2wrklt database server The administration user ID for IBM Worklight databases. This user ID is defined by the WORKLIGHT.DB.USER property in the topology properties file. 6 IBM Intelligent Operations Center Password Management

11 Table 1. IBM Intelligent Operations Center application IDs that can be managed using IBM Security Identity Manager (continued) Account name Account ID HTTP Server administration user IBM Intelligent Operations Center administration user IBM Intelligent Operations Center user IBM Intelligent Operations Center capability Account description ihsadmin web server The administration user ID for the IBM HTTP server. ibmadmin generic A generic Linux administration user ID. This user ID is defined by the IOP.ADMIN.USER property in the topology properties file. ibmuser generic A generic Linux user ID. This user ID is defined by the IOP.USER.USER property in the topology properties file. LDAP instance user dsrdbm01 directory server The name of the directory server LDAP instance. LDAP user idsldap directory server The administration user ID for the directory server. Lotus Notes user notes IBM Lotus Sametime server The administration user ID for the IBM Lotus Sametime server. WebSphere MQ connection user This user ID is defined by the DOMINO.USER property in the topology properties file. mqmconn WebSphere MQ server The administration user ID for WebSphere MQ. This user ID is defined by the MQM.CONN.USER property in the topology properties file. WebSphere MQ user mqm WebSphere MQ server The administration user ID for WebSphere MQ queue manager. WebSphere Portal administration user WebSphere Portal bind user This user ID is defined by the MQM.CONNID property in the topology properties file. wpsadmin WebSphere Portal server The administration user ID for WebSphere Portal. This user ID is defined by the PORTAL.ADMIN.UID property in the topology properties file. wpsbind WebSphere Portal server The administration user ID for WebSphere Portal LDAP bind. This user ID is defined by the DOMINO.ST.BIND property in the topology properties file. Chapter 3. Changing passwords in IBM Intelligent Operations Center 7

12 Table 1. IBM Intelligent Operations Center application IDs that can be managed using IBM Security Identity Manager (continued) Account name Account ID IBM Intelligent Operations Center capability Account description POSIX agent user posixagent identity manager server The administrator ID for the directory server Linux adapter. Identity manager system user This user ID is defined by the ISIM.POSIX.LINUX.USER property in the topology properties file. isimsystem identity manager server The user ID for the identity manager system. This user ID is defined by the ISIM.SYSTEM.USER property in the topology properties file. LDAP proxy instance user tdsproxy directory proxy server The directory proxy server LDAP instance user name. IBM Worklight application center administration user This user ID is defined by the LDAP.PROXY.INSTANCE.USER property in the topology properties file. appcenteradmin IBM Worklight server The user ID for the IBM Worklight application center administrator. User accounts can exist on multiple systems. For example, the POSIX agent user exists on all four servers in the standard topology and all eight servers in the high availability topology. Password changes not managed by IBM Security Identity Manager Some IBM Intelligent Operations Center passwords cannot be managed using IBM Security Identity Manager, but changes to those passwords can be propagated using the password management tool. User IDs shown in Table 2 can have password changes synchronized across the system after they have been changed. Table 2. IBM Intelligent Operations Center user IDs that cannot be managed by IBM Security Identity Manager but can by synchronized using the password management tool Account name Tivoli Directory Server administration ID Account ID IBM Intelligent Operations Center capability Account description cn=root directory server The administration ID used to connect to Tivoli Directory Server. This user ID is defined by the LDAP.ADMIN.DN and LDAP.PROXY.ADMIN.DN properties in the topology properties file. 8 IBM Intelligent Operations Center Password Management

13 Table 2. IBM Intelligent Operations Center user IDs that cannot be managed by IBM Security Identity Manager but can by synchronized using the password management tool (continued) Account name WebSphere Application Server administration ID Account ID admin IBM Intelligent Operations Center capability WebSphere Application Server version 8 Account description The administration ID used to log on to the WebSphere Application Server deployment manager administration console. This user ID is defined by the WAS.ADMIN.ACCOUNT property in the topology properties file. WebSphere Application Server administration ID admin WebSphere Application Server version 7 The administration ID used to log on to the WebSphere Application Server deployment manager administration console. This user ID is defined by the WAS.ADMIN.ACCOUNT property in the topology properties file. Directory server bind ID cn=bind directory server The bind ID used by applications to connect or bind to the directory server. Directory server replication bind DN ID This user ID is defined by the LDAP.BIND.DN property in the topology properties file. cn=master directory server The bind DN ID used by the directory server for peer-to-peer replication. This user ID is defined by the LDAP.REPLICA.BIND.DN property in the topology properties file. Directory proxy server bind DN ID cn=proxyadmin, cn=ibmpolicies directory proxy server The bind DN ID used by applications to connect to the directory proxy server. This user ID is defined by the LDAP.PROXY.BIND.DN property in the topology properties file. Chapter 3. Changing passwords in IBM Intelligent Operations Center 9

14 10 IBM Intelligent Operations Center Password Management

15 Chapter 4. Using IBM Security Identity Manager The version of IBM Security Identity Manager provided by IBM Intelligent Operations Center can be used to manage a number of IBM Intelligent Operations Center system and application IDs. Viewing system users managed by IBM Security Identity Manager Information regarding IBM Intelligent Operations Center system users that are managed by IBM Security Identity Manager can be viewed. About this task To view the accounts for each user, do the following. Procedure 1. Log on to IBM Security Identity Manager on the application server, in a standard environment, or application server 1, in a high availability environment. The IBM Security Identity Manager administrator ID is ITIM Manager and the password is defined in the ISIM.ADMIN.USER property in the topology properties file. The default password is secret. IBM Security Identity Manager can be accessed at the following URL: 2. Click Manage Users > Select a User. 3. Enter search criteria in the Search information field to find the required user. An asterisk (*) can be used as a wildcard. 4. In Search by select an attribute. Available attributes are: v Last Name v Full Name v address v Entire profile 5. Click Search. 6. To view account information, click the arrow next to the user name in the Users table and then click Accounts. 7. On the Accounts page, enter information about the account in Account information. 8. Select the desired Search by and Ownership Type values. 9. Click Search. The accounts associated with the selected user are displayed. Changing system passwords using IBM Security Identity Manager Administrators can manage passwords of system application and user IDs using IBM Security Identity Manager. These steps cannot be use to change passwords of individual IBM Intelligent Operations Center end users and administrators. About this task When a password is changed, the password policy that is defined in IBM Security Identity Manager is applied. To change a password, do the following. 11

16 Procedure 1. Log on to IBM Security Identity Manager on the application server, in a standard environment, or application server 1, in a high availability environment. The IBM Security Identity Manager administrator ID is ITIM Manager and the password is defined in the ISIM.ADMIN.USER property in the topology properties file. The default password is secret. IBM Security Identity Manager can be accessed at the following URL: 2. Click Manage Users > Select a User. 3. Enter search criteria in the Search information field to find the desired user. An asterisk (*) can be used as a wildcard. 4. In Search by select an attribute. Available attributes are: v Last Name v Full Name v address v Entire profile 5. Click Search. 6. Select the user to have their password changed by clicking the arrow next to the user in the Users table. 7. Click Change Passwords. 8. Click Allow me to type a password. Password strength rules can be viewed by expanding View password strength rules. 9. By default, password synchronization is enabled. All individual accounts associated with the selected user will be updated. A list of accounts is displayed. The list might only display a subset of all accounts that are associated with the user. Accounts that are not listed are also changed. 10. The password change can be scheduled to occur at a later time by clicking Schedule > Effective Date. Use the calendar and clock icons to select the date and time to make the password change. 11. Click Submit. 12. Click Close on the Success page. Synchronizing password changes that are made through IBM Security Identity Manager Password synchronization assigns and maintains one password for all individual accounts that are owned by a user. IBM Security Identity Manager automatically synchronizes password changes across all accounts that are owned by a user. For example, a user might have an LDAP account and a Linux account. If a user changes or resets the password for the Linux account, the LDAP password is automatically changed to the same password. About this task It is highly recommended that password synchronization be enabled. To view and change password synchronization settings, do the following. Procedure 1. Log on to IBM Security Identity Manager on the application server, in a standard environment, or application server 1, in a high availability environment. The IBM Security Identity Manager administrator ID is ITIM Manager and the password is defined in the ISIM.ADMIN.USER property in the topology properties file. The default password is secret. IBM Security Identity Manager can be accessed at the following URL: 12 IBM Intelligent Operations Center Password Management

17 2. Click Set System Security > Set Security Properties. Ensure that the Enable password synchronization setting is selected. Synchronizing password changes made outside IBM Security Identity Manager System application and user IDs should be changed through IBM Security Identity Manager. However, if they are changed outside IBM Security Identity Manager there is a way to synchronize those changes across the IBM Intelligent Operations Center environment. When a password is changed on a Linux system or directory server, the directory integrator capabilities in IBM Intelligent Operations Center intercept the changed password. Changed passwords are stored in an LDAP password store. They are not stored in IBM Security Identity Manager. Because they are not stored in IBM Security Identity Manager, each IBM Intelligent Operations Center installation must provide its own code to read the password from the LDAP password store and update it in IBM Security Identity Manager for IBM Intelligent Operations Center password synchronization to work. This custom code can be written in Java or IBM Intelligent Operations Center AssemblyLines. Passwords are stored in the LDAP password store under the O=PWDSTORE LDAP suffix. There is a separate LDAP container created under the PWDSTORE suffix for each service existing in IBM Security Identity Manager. For example, if the host name of the IBM Intelligent Operations Center application server is iocapp, then the password store container will be dc=pwdstore-iocapp,o=pwdstore. Or, if the host name of the directory server is iocdb, then the password store container will be dc=pwdstore-tdsiocdb,o=pwdstore. Password policies defined in IBM Intelligent Operations Center are applied to the changed passwords. For this reason the IBM Security Identity Manager server must be functional if passwords are changed from the IBM Intelligent Operations Center application or Linux console. Viewing and changing system user password policies Administrators can view or change password policies for system user IDs. Password strength rules determine if a new password is valid. About this task To view and change password policies, do the following. Procedure 1. Log on to IBM Security Identity Manager on the application server, in a standard environment, or application server 1, in a high availability environment. The IBM Security Identity Manager administrator ID is ITIM Manager and the password is defined in the ISIM.ADMIN.USER property in the topology properties file. The default password is secret. IBM Security Identity Manager can be accessed at the following URL: 2. Click Manage Policies > Manage Password Policies > Select Password Policies. 3. Enter search criteria in the Search information field to find the desired policy. An asterisk (*) can be used as a wildcard. 4. For Search by select Password policy name to search by policy name. 5. Click Search. 6. Select the password policy. The policy details are displayed. 7. Click the Rules tab. Chapter 4. Using IBM Security Identity Manager 13

18 8. Change the Setting field for each password rule if required. IBM Intelligent Operations Center has several password restrictions. The password length cannot be greater than 30 characters. Passwords can only contain the following characters: v Lowercase letters (a-z) v Uppercase letters (A-Z) v Numbers (0-9) v Dash (-) v Period (.) v Underscore (_) v Tilde (~) Dash and period cannot be used as the first character in a password. 9. Click OK to close and apply the changes. Managing services Linux systems, including security, application, database, analytical servers, and LDAP applications are managed using services managed in IBM Security Identity Manager. About this task A service represents a user repository for a resource, for example, an operating system, database application, or another application managed by IBM Security Identity Manager. Services for each Linux system and LDAP application are created based on a service type. A service type is a category of related services sharing schemas. The service type defines the common schema attributes across a set of similar resources. Linux system services are created using the POSIX Linux profile service type. LDAP application services are created using the LDAP profile service type. To view and manage the services in IBM Security Identity Manager, do the following. Procedure 1. Log on to IBM Security Identity Manager on the application server, in a standard environment, or application server 1, in a high availability environment. The IBM Security Identity Manager administrator ID is ITIM Manager and the password is defined in the ISIM.ADMIN.USER property in the topology properties file. The default password is secret. IBM Security Identity Manager can be accessed at the following URL: 2. Click Manage Services > Select a Service. 3. Enter search criteria in the Search information field to find the desired service. An asterisk (*) can be used as a wildcard. 4. For Search by select Service to search by service name. 5. Optional: Select a service type in the Service type list. 6. Optional: Select a status in the Status list. 7. Click Search. Search results are displayed in a table. 8. Select the service to be viewed or modified by clicking the arrow next to the service name in the Services table. 9. Select the operation to be carried out on the service. v Click Accounts to display the accounts associated with the selected service. If None is displayed for Owner and Ownership, the account is an orphaned account. There is no corresponding user associated with orphaned accounts. 14 IBM Intelligent Operations Center Password Management

19 v Click Reconcile Now to synchronize the accounts and supporting data to the IBM Security Identity Manager server data repository. Reconciliation is required when accounts and associated data are changed on the managed resource, rather than through IBM Security Identity Manager. Reconciliation ensures that the IBM Security Identity Manager data is consistent with changes made in the remote resource. During the reconciliation process, new accounts created on the managed resource will be created in the IBM Security Identity Manager repository and assigned to a user based on the service adoption policy. If no user matches the account, the account will be created as an orphaned account. Orphaned accounts can be manually assigned to a user through IBM Security Identity Manager. Accounts removed from managed resources are also removed from IBM Security Identity Manager during reconciliation. Click Set Up Reconciliation to create and manage the schedule when reconciliation will be run. The default reconciliation schedule runs 15 minutes past every hour. Chapter 4. Using IBM Security Identity Manager 15

20 16 IBM Intelligent Operations Center Password Management

21 Chapter 5. Changing system passwords not managed by IBM Security Identity Manager Passwords for system users not managed by IBM Security Identity Manager are changed using manual steps. The changes often need to be made in the individual tools. Changing the Tivoli Directory Server administration ID password Change the Tivoli Directory Server administration ID password in Tivoli Directory Server. Once changed, use the password management tool to propagate the new password across the IBM Intelligent Operations Center servers. About this task Use the following steps to change the Tivoli Directory Server administration ID (cn=root) password. Procedure 1. In a standard environment, stop IBM Security Identity Manager using the platform control tool. a. Log on to the analytics server and open a terminal window. b. Run the following commands: su - ibmadmin /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c appisim -p password where password is the topology password. 2. In a high availability environment, stop IBM Security Identity Manager using the stopserver.sh command. a. Log on to application server 1 and open a terminal window. b. Run the following commands: su - ibmadmin cd /opt/ibm/websphere/appserverv7/profiles/isim1/bin/./stopserver.sh server1 -username admin -password password where password is the password defined by the WAS.ADMIN.ACCOUNT.PWD property in the topology properties file. 3. Stop Tivoli Directory Server using the platform control tool. In a high availability environment, stop Tivoli Directory Server on both data server 1 and data server 2. a. Log on to the analytics server (in a standard, or analytics server 1 (in a high availability and open a terminal window. b. Run the following command: su - ibmadmin v In a standard environment, run the following command: /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstds -p password v In a high availability environment, run the following commands: /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstdspri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstdssby -p password where password is the topology password. 4. Change the Tivoli Directory Server administration ID password. 17

22 a. Log on to the data server (in a standard, or data server 1 and data server 2 (in a high availability and open a terminal window. b. Run the following command: su - dsrdbm01 c. Run the following command to change the password: opt/ibm/ldap/v6.3/sbin/idsdnpw -p new_password -n where new_password is the new Tivoli Directory Server administration ID password. 5. Start Tivoli Directory Server using the platform control tool. If you are running in a high availability environment, start Tivoli Directory Server on both data server 1 and data server 2. a. Log on to the data server (in a standard, or data server 1 and data server 2 (in a high availability and open a terminal window. b. Run the following commands as the root user: su - dsrdbm01 -c "/opt/ibm/ldap/v6.3/sbin/64/ibmdiradm -I dsrdbm01" su - root -c "/opt/ibm/ldap/v6.3/sbin/ibmslapd -I dsrdbm01" 6. In a standard environment, log on to the application server and open a terminal window. a. Run the following commands: su - ibmadmin /opt/ibm/isim/bin/runconfig b. Click the Directory tab. c. Update the Principal DN password. d. Click Apply. e. Click Test. If the test fails, the specified password was incorrect. f. Click OK. The runconfig tool exits. 7. Start IBM Security Identity Manager using the startserver.sh command. a. Log on to the application server (in a standard, or application server 1 (in a high availability and open a terminal window. b. Run the following commands: su - ibmadmin cd /opt/ibm/websphere/appserverv7/profiles/isim1/bin/./startserver.sh server1 8. Complete the following steps (8-10) only if you are running a high availability environment. Stop the Directory Proxy Server on analytics server 1 and analytics server 2 using the platform control tool. a. Log on to analytics server 1 and open a terminal window. b. Run the following commands: su - ibmadmin /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c anatdsproxypri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c anatdsproxysby -p password where password is the topology password. 9. Log on to analytics server 1 and analytics server 2 and open a terminal window. a. Run the following commands on both servers: su - tdsproxy /opt/ibm/ldap/v6.3/sbin/idsdnpw -p new_password -n where new_password is the required password. 10. Start the Directory Proxy Server using the platform control tool. a. Log on to analytics server 1 and analytics server 2 (in a high availability and open a terminal window. b. Run the following commands as the root user. 18 IBM Intelligent Operations Center Password Management

23 su - tdsproxy -c "/opt/ibm/ldap/v6.3/sbin/64/ibmdiradm -I tdsproxy" su - root -c "/opt/ibm/ldap/v6.3/sbin/ibmslapd -I tdsproxy" Changing the WebSphere Application Server version 7 administration ID password Change the WebSphere Application Server version 7 administration ID password in WebSphere Application Server. Once changed, use the password management tool to propagate the new password across the IBM Intelligent Operations Center servers. About this task Use the following steps to change the WebSphere Application Server version 7 administration ID (admin) password. Procedure 1. Stop WebSphere Application Server version 7 server using the platform control tool. a. Log on to the application server (in a standard or application server 1 (in a high availability and open a terminal window. c. In a standard environment, run the following command. /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c appisim -p password where password is the topology password. d. In a high availability environment, run the following command. /opt/ibm/websphere/appserverv7/profiles/isim1/bin/stopserver.sh server1 -username admin_username -password admin_password where admin_username is the account defined by the WAS.ADMIN.ACCOUNT property in the topology properties file and admin_password is the password defined by the WAS.ADMIN.ACCOUNT.PWD property in the topology properties file. 2. Change the WebSphere Application Server administration ID password. a. Log on to the application server (in a standard or application server 1 (in a high availability and open a terminal window. b. Run the su -ibmadmin command. c. Change to the /opt/ibm/websphere/appserverv7/profiles/isim1/bin directory. d. Run the wsadmin.sh -conntype NONE command. e. Run the following command to change the password. $AdminTask changefileregistryaccountpassword {-userid admin -password new_password} where new_password is the new WebSphere Application Server administration ID password. f. Run $AdminConfig save. The new password will be saved. 3. Run /opt/ibm/isim/bin/runconfig 4. Click the Security tab. 5. Update the WebSphere Administrator Password with the new password. 6. Click Apply. 7. Click OK. The runconfig tool exits. 8. Start WebSphere Application Server using the platform control tool. a. Log on to the application server (in the Field Edition) or application server 1 (in the Command Center Edition) and open a terminal window. Chapter 5. Changing system passwords not managed by IBM Security Identity Manager 19

24 c. Run the following command. /opt/ibm/websphere/appserverv7/profiles/isim1/bin/startserver.sh server1 where password is the topology password. Changing the WebSphere Application Server version 8 administration ID password Change the WebSphere Application Server version 8 administration ID password in WebSphere Application Server. Once changed, use the password management tool to propagate the new password across the IBM Intelligent Operations Center servers. About this task Use the following steps to change the WebSphere Application Server version 8 administration ID (admin) password. Procedure 1. Stop all WebSphere Application Server version 8 servers using WebSphere Application Server version 8 deployment manager. a. On the application server (in a standard or application server 1 (in a high availability log on to the WebSphere Application Server version 8 integrated solutions console at where app_server is the host name of application server or application server 1. b. Click Servers > Server Types > WebSphere application servers. c. Select all servers and click Stop. All WebSphere Application Server servers will be stopped. d. Click Logout. The WebSphere Application Server version 8 integrated solutions console exits. 2. Stop WebSphere Application Server version 8 deployment manager using the platform control tool (in a standard and the stopmanager.sh command (in a high availability. a. Log on to the analytics server (in a standard or application server 1 (in a high availability and open a terminal window. c. In a standard environment, run the following command. /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c appdmgr -p password where password is the topology password. d. In a high availability environment, run the following command. /opt/ibm/websphere/appserver/profiles/dmgr/bin/stopmanager.sh -username admin -password password where password is the password defined by the WAS.ADMIN.ACCOUNT.PWD in the topology properties file when IBM Intelligent Operations Center was installed. 3. Change the WebSphere Application Server administration ID password. a. Log on to the application server (in a standard or application server 1 (in a high availability and open a terminal window. c. Change to the /opt/ibm/websphere/appserver/profiles/dmgr/bin directory. d. Run the wsadmin.sh -conntype NONE command. e. Run the following command to change the password. $AdminTask changefileregistryaccountpassword {-userid admin -password new_password} where new_password is the new WebSphere Application Server administration ID password. 20 IBM Intelligent Operations Center Password Management

25 f. Run $AdminConfig save. The new password will be saved. 4. Start WebSphere Application Server deployment manager using the platform control tool in a standard environment and the startmanager.sh command in a high availability environment. a. Log on to the analytics server (in a standard or analytics server 1 (in a high availability and open a terminal window. c. Run the following command. /opt/ibm/websphere/appserver/profiles/dmgr/bin/startmanager.sh 5. Update the stored password. a. Log on to the WebSphere Application Server integrated solutions console with the new password. b. Click Applications > Application Types > WebSphere enterprise applications. c. Select the pznscheduler application. d. Click Detail Properties > User RunAs Roles. e. Select RuleEventRunAsRole. Click Remove. f. Enter the WebSphere Application Server administrator name for username and the new password for password. The administrator name is defined by the WAS.ADMIN.ACCOUNT property in the topology properties file and is admin by default. g. Select RuleEventRunAsRole. Click Apply. h. Click OK. 6. Restart WebSphere Application Server using the platform control tool. a. Log on to the application server (in a standard or application server 1 (in a high availability and open a terminal window. c. Run the following commands: /opt/ibm/websphere/appserver/profiles/dmgr/bin/stopmanager.sh -username admin -password password /opt/ibm/websphere/appserver/profiles/dmgr/bin/startmanager.sh where password is the password defined by the WAS.ADMIN.ACCOUNT.PWD value in the topology properties file when IBM Intelligent Operations Center was installed. Changing the Tivoli Directory Server bind ID password for WebSphere Application Server version 7.0 and version 8.0 Change the Tivoli Directory Server bind ID password in Tivoli Directory Server. Once changed, use the password management tool to propagate the new password across the IBM Intelligent Operations Center servers. About this task Use the following steps to change the Tivoli Directory Server Bind ID (cn=bind) password for WebSphere Application Server version 7.0 and version 8.0. Procedure 1. Stop all of the WebSphere Application Server version 8 servers using the WebSphere Application Server version 8 deployment manager. a. On the application server, in a standard environment, or on application server 1, in a high availability environment, log on to the WebSphere Application Server version 8 integrated solutions console at: Chapter 5. Changing system passwords not managed by IBM Security Identity Manager 21

26 where app_server is the host name of the application server or of application server 1. b. Click Servers > Server Types > WebSphere application servers. c. Select all of the servers and click Stop. All WebSphere Application Server servers are stopped. d. Click Logout. 2. Stop Tivoli Directory Server using the platform control tool. a. Log on to the analytics server in a standard environment, or on to analytics server 1, in a high availability environment and open a command prompt. b. Run the following command: su - ibmadmin. c. In a standard environment, run the following command: /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstds -p password where password is the topology password. d. In a high availability environment, run the following commands: /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstdspri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstdssby -p password where password is the topology password. 3. Change the Tivoli Directory Server bind ID password. a. Log on to the data server in a standard environment, or on to data server 1, in a high availability environment and open a command prompt. b. Run the following command: su - dsrdbm01. c. Edit the following file: /datahome/dsrdbm01/idsslapd-dsrdbm01/etc/ibmslapd.conf d. Select ibm-slapdadmindn: cn=bind and enter a new password for the ibm-slapdadminpw attribute. The password is encrypted when Tivoli Directory Server starts. e. Save your changes. 4. Start Tivoli Directory Server using the platform control tool. a. Log on to the analytics server in a standard environment, or on to analytics server 1, in a high availability environment and open a command prompt. b. Run the following command: su - ibmadmin. c. In a standard environment, run the following command: /opt/ibm/isp/mgmt/scripts/ioccontrol -a start -c dbstds -p password where password is the topology password. d. In a high availability environment, run the following commands: /opt/ibm/isp/mgmt/scripts/ioccontrol -a start -c dbstdspri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a start -c dbstdssby -p password where password is the topology password. Note: Complete the following steps only if you are running a standard environment. 5. Stop the Cognos server using the platform control tool. a. Log on to the analytics server in a standard environment and open a command prompt. b. Run the following command: su - ibmadmin. c. In a standard environment, run the following command: /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c anacognos -p password where password is the topology password. 6. Update the LDAP bind password in the Cognos configuration file. 22 IBM Intelligent Operations Center Password Management

27 a. Log on to the analytics server in a standard environment and open a command prompt. b. Run the following command: su - ibmadmin. c. Navigate to the following directory: /opt/ibm/cognos/c1021_64/bin64/ d. Run cogconfig.sh e. Click Local Configuration > Security > LDAP > Bind user DN and password f. Enter a new LDAP ID password. g. Click File > Save to save the new password. h. Click Close and then click File > Exit. Click No for Do you want to apply these actions before exiting? Changing the Tivoli Directory Server replica bind credentials password Change the Tivoli Directory Server replica bind credentials password in Tivoli Directory Server. Once changed, use the password management tool to propagate the new password across the IBM Intelligent Operations Center servers. About this task These steps are only valid when running IBM Intelligent Operations Center in a high availability environment. Procedure 1. Log on to data server 1 and data server 2 and open a terminal window. 2. Run the su - dsrdbm01 command. 3. Create a file containing the following: dn: cn=replicabindcredentials,replicatedn changetype: modify replace: replicacredentials replicacredentials: new_password dn: cn=replicabindcredentials,o=pwdstore changetype: modify replace: replicacredentials replicacredentials: new_password Where replicatedn is the LDAP suffix defined by the LDAP.SUFFIX property in the installation properties topology file and new_password is the desired new replica bind password. 4. Run the following command to update the password of the replica bind credentials: /opt/ibm/ldap/v6.3/bin/idsldapmodify -h hostname -p 389 -D admindn -w adminpw -i filename Where v hostname is the data server host name. v admindn is the LDAP.ADMIN.DN value defined in the topology properties file. v adminpw is the LDAP.ADMIN.DN.PWD value defined in the topology properties file. v filename is the file name, with full path information, created in step Stop Tivoli Directory Server using the platform control tool. a. Log on to analytics server 1 and open a terminal window. c. Run the following commands. /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstdspri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c dbstdssby -p password Chapter 5. Changing system passwords not managed by IBM Security Identity Manager 23

28 where password is the topology password. 6. Change the Tivoli Directory Server Replica Bind Credentials. a. Log on to data server 1 and data server 2 and open a terminal window. b. Run the su - dsrdbm01 command. c. Edit the /datahome/dsrdbm01/idsslapd-dsrdbm01/etc/ibmslapd.conf file. d. For ibm-slapdmasterdn: cn=master specify a new password for the ibm-slapdmasterpw attribute. The password will be encrypted when Tivoli Directory Server is started. e. Save the changes. 7. Start Tivoli Directory Server using the platform control tool. a. Log on to analytics server 1 and open a terminal window. c. Run the following commands. /opt/ibm/isp/mgmt/scripts/ioccontrol -a start -c dbstdspri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a start -c dbstdssby -p password where password is the topology password. Changing the Tivoli Directory Server proxy server DN credentials password Change the Tivoli Directory Server proxy server DN credentials password in Tivoli Directory Server. Once changed, use the password management tool to propagate the new password across the IBM Intelligent Operations Center servers. About this task These steps are only valid when running IBM Intelligent Operations Center in a high availability environment. Procedure 1. Log on to data server 1 and data server 2 and open a terminal window. 2. Run the su - dsrdbm01 command. 3. Create a file containing the following: dn: cn=proxyadmin,cn=ibmpolicies changetype: modify replace: userpassword userpassword: new_password Where new_password is the desired new proxy server DN credentials password. 4. Run the following command to update the proxy server DN credentials password: /opt/ibm/ldap/v6.3/bin/idsldapmodify -h hostname -p 389 -D admindn -w adminpw -i filename Where v hostname is the data server host name. v admindn is the LDAP.ADMIN.DN value defined in the topology properties file. v adminpw is the LDAP.ADMIN.DN.PWD value defined in the topology properties file. v filename is the file name, with full path information, created in step Stop Tivoli Directory Server proxy server using the platform control tool. a. Log on to analytics server 1 and open a terminal window. 24 IBM Intelligent Operations Center Password Management

29 c. Run the following commands. /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c anatdsproxypri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a stop -c anatdsproxysby -p password where password is the topology password. 6. Change the Tivoli Directory Server proxy server DN credentials password. a. Log on to analytics server 1 and analytics server 2 and open a terminal window. b. Run the su - tdsproxy command. c. Edit the /datahome/proxy/idsslapd-tdsproxy/etc/ibmslapd.conf file. d. For ibm-slapdproxydn: cn=proxyadmin,cn=ibmpolicies specify a new password for the ibm-slapdproxypw attribute. The password will be encrypted when Tivoli Directory Server is started. e. Save the changes. 7. Start Tivoli Directory Server proxy server using the platform control tool. a. Log on to analytics server 1 and open a terminal window. c. Run the following commands. /opt/ibm/isp/mgmt/scripts/ioccontrol -a start -c anatdsproxypri -p password /opt/ibm/isp/mgmt/scripts/ioccontrol -a start -c anatdsproxysby -p password where password is the topology password. 8. Stop IBM Security Identity Manager using the stopserver.sh command. a. Log on to application server 1 and open a terminal window. c. Run the following command. cd /opt/ibm/websphere/appserverv7/profiles/isim1/bin/./stopserver.sh server1 -username admin -password password where password is the password defined by the WAS.ADMIN.ACCOUNT.PWD property in the topology properties file. 9. Log on to the application server and open a terminal window. 10. Run the su - ibmadmin command. 11. Run the /opt/ibm/isim/bin/runconfig command. 12. Click the Directory tab. 13. Update the Principal DN password. 14. Click Apply. 15. Click Test. If the test fails, check that the password is correct. 16. Click OK. The runconfig tool will exit. 17. Start IBM Security Identity Manager using the startserver.sh command. a. Log on to application server 1 and open a terminal window. c. Run the following command. cd /opt/ibm/websphere/appserverv7/profiles/isim1/bin/./startserver.sh server1 18. Stop the Cognos server using the platform control tool. a. Log on to analytics server 1 and open a terminal window. c. Run the following commands. Chapter 5. Changing system passwords not managed by IBM Security Identity Manager 25