Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

---

 

Change passwords

 

+

Search Tips   |   Advanced Search

 

1. Overview
2. WebSphere Portal Express administrator password
3. WAS administrator password
4. WAS administrator password using WebSphere Portal
5. WAS administrator password in the LDAP server using the LDAP administration interface
6. Database administrator password
7. Replace the WAS administrator user ID
8. LDAP administrator password within the Member Manager configuration
9. LDAP bind password
10. i5/OS password

 

Overview

IBM^® WebSphere^® Portal Express and IBM WebSphere Application Server (WAS) use some user accounts from the registry (for example, the LDAP server) for various purposes. This information includes...

• Security Server ID for the WAS JVM
• Access ID for authenticated access to databases and LDAP servers
• WAS and WebSphere Portal Express administrative ID's

Often this means that the account passwords are stored in the WAS and WebSphere Portal Express bootstraps configuration files, which allows the authentication process to work.

If the password for any ID is changed, either through WebSphere Portal Express or through any other means, including directly through the LDAP administration interfaces, then the password value stored in the appropriate configuration file must be changed at the same time. The following instructions describe how to make the appropriate changes based on which account passwords might have changed.

If you reuse the same account ID/password for multiple purposes, such as using wpsbind as the administrative ID and the LDAP access ID, then you might have to do more than one of the following steps to accommodate the password change.

Some changes, particularly changes made through the WAS Administrative Console, require that the WAS Administrative Console be open and the current ID/password logged in before actually making the password change in the registry.

Carefully plan which steps are required and in what order to avoid not being able to bring up server processes or log in.

 

Change the WebSphere Portal Express administrator password

WebSphere Portal Express treats wpsadmin (the administrator) as any other user, just with more permissions granted. With a normal configuration, it is possible to change the wpsadmin or equivalent password through the UI, just like any other user can manage their own password through the UI. However, if the wpsadmin account is also used for more than just the administrator, then additional changes, outlined in other steps in this section, must be made to accommodate the change.

Follow these steps to change the WebSphere Portal Express administrator password:

1. Log in to WebSphere Portal Express as the administrator.

2. Click Edit My Profile.

3. Change your password in the appropriate box.

4. Click Continue.

You can also change the WebSphere Portal Express Administrator password, like any other user password, using an LDAP editor.

The WebSphere Portal configuration tasks that enable security automatically set the Security Cache Timeout to a value specified in the wpconfig.properties file. Old passwords are stored in cache for this amount of time. The default value is 600 seconds.

For WebSphere Portal V6.0.1 only, after successfully changing your password, you will need to make additional changes to the RunAsRole passwords; see...

WebSphere Portal requires additional changes to the RunAsRole passwords for the EJBs to support password change for WPSAdmin and WASAdmin users

 

Change the WAS administrator password

You can change the password for the IBM WAS administrator user ID using the WAS Administrative Console. For complete information about WAS security, including changing passwords for administrative accounts, see the WAS documentation.

Use either the procedure to change the administrator password using WebSphere Portal Express or directly in LDAP as described in the next two sections to change the WAS administrator password.

After successfully changing your password, you will need to make additional changes to the RunAsRole passwords; see...

WebSphere Portal requires additional changes to the RunAsRole passwords for the EJBs to support password change for WPSAdmin and WASAdmin users

 

Change the WAS administrator password using WebSphere Portal

Follow these steps to change the WAS administrator password using WebSphere Portal:

1. Confirm that the WAS Administrative Server and Administrative Console are running.

2. Log in to the WAS Administrative Console as the administrator.

3. Log in to WebSphere Portal Express as the WAS administrator and select Edit Profile.

4. Type a new password and click OK.

5. In the WAS Administrative Console do one of the following, depending on the type of security installation:

   • LDAP (non-realm): Click...

     Security | Global Security | User registries | LDAP

   • LDAP (realm): Click...

     Security | Global Security | User registries | Custom

     Since you are using the database user registry for realm support under the WAS, you should also read and, if appropriate...

     1. From the command prompt, change to...

        portal_server_root/config

        For i5/OS change to the UserData path of...

        portal_server_root_user/config

     2. Enter the following appropriate command to encrypt the new password:

        • Linux:

          ./WPSconfig.sh -DPassword=new_password wmm-encrypt

        • Windows:

          WPSconfig.bat -DPassword=new_password wmm-encrypt

        • i5/OS:

          From the UserData directory:

          WPSconfig.sh -profileName wp_profile -DPassword=new_password wmm-encrypt

        The script returns a value for the ASCII encrypted string.

     3. Choose one of the following steps:

        • If you have a Base installation, open...

          portal_server_root/wmm/wmmWASAdmin.xml

        • If you have a Network Deployment, refer to Setting up a cluster.

     4. Copy the value from the ASCII encrypted string and paste it in the logonPassword field of the wmmWASAdmin.xml file.

     5. Adapt the admin logon and uniqueUserid fields to the distinguished name of the new user.

6. Change Server User Password to the new value and save the changes.

7. Stop and restart the WebSphere_Portal and server1 servers.

The configuration tasks that enable security automatically set the Security Cache Timeout to a value specified in the wpconfig.properties file.

Old passwords are stored in cache for this amount of time. The default value is 600 seconds.

After successfully changing your password, you will need to make additional changes to the RunAsRole passwords; see WebSphere Portal requires additional changes to the RunAsRole passwords for the EJBs to support password change for WPSAdmin and WASAdmin users for information.

 

Change the WAS administrator password in the LDAP server using the LDAP administration interface

These steps are valid for changing all passwords in LDAP.

Follow these steps to change the WAS administrator password in LDAP if you are using IBM Tivoli^® Directory Server.

If you are using a different LDAP server, refer to the product documentation for information about changing passwords:

The following directions assume an LDAP tree layout where the users are all in the cn=users,o=wps subtree in the directory server. You should adjust these directions based on a LDAP server layout.

1. Log in to the Tivoli Directory Server Web Administration Tool.

2. Click...

   Directory management | Manage entries

3. Select the o=wps RDN and click Expand.

4. Select cn=users and click Expand.

5. Select the WAS administrator user and click Edit Attributes.

6. Click Other attributes.

7. Enter the new password in the userPassword field.

8. Click OK.

9. Exit the Tivoli Directory Server Web Administration Tool.

10. Log in to the WAS Administrative Console.

11. Click...

    Security | User Registries | LDAP

12. Type the new WAS administrator password in the Server User Password field and click OK.

13. Save the changes and restart the WAS.

The following steps are required if you are using a database user registry or an LDAP user registry with realm support where the "local mode" is set to file, by default on wmmWASAdmin.xml.

Check this information under custom properties in the database user registry in the WAS Administrative Console. If the database user registry's local mode is configured for LDAP, these steps are not required.

1. From the command prompt, change to...

   portal_server_root/config

   For i5/OS change to the UserData path of...

   portal_server_root_user/config

2. Enter the following appropriate command to encrypt the new password:

   • Linux:

     ./WPSconfig.sh -DPassword=new_password wmm-encrypt

   • Windows:

     WPSconfig.bat -DPassword=new_password wmm-encrypt

   • i5/OS:

     From the UserData directory:

     WPSconfig.sh -profileName wp_profile -DPassword=new_password wmm-encrypt

   The script returns a value for the ASCII encrypted string.

3. Choose one of the following steps:

   • If you have a Base installation, open...

     portal_server_root/wmm/wmmWASAdmin.xml

   • If you have a Network Deployment, refer to Setting up a cluster.

4. Copy the value from the ASCII encrypted string and paste it in the logonPassword field of wmmWASAdmin.xml.

5. Adapt the admin logon and uniqueUserid fields to the distinguished name of the new user.

6. Restart WebSphere Portal Express.

 

Change the database administrator password

If you change the password for the database administrative user, update the password information in the WAS administrative console.

 

Replacing the WAS administrator user ID

Follow these steps to replace the WAS administrator user ID:

1. Create a new user to replace the current WAS user through the Manage Users and Groups portlet.

2. In the WAS Administrative Console do one of the following depending on the type of security installation:

   • LDAP (non-realm): Click...

     Security | Global Security | User registries | LDAP

   • LDAP (realm): Click...

     Security | Global Security | User registries | Custom

     Since you are using the database user registry for realm support under the WAS, you should also read and, if appropriate...

     1. From the command prompt, change to...

        portal_server_root/config

        For i5/OS change to the UserData path of...

        portal_server_root_user/config

     2. Enter the following appropriate command to encrypt the new password:

        • Linux:

          ./WPSconfig.sh -DPassword=new_password wmm-encrypt

        • Windows:

          WPSconfig.bat -DPassword=new_password wmm-encrypt

        • i5/OS:

          From the UserData directory:

          WPSconfig.sh -profileName wp_profile -DPassword=new_password wmm-encrypt

        The script returns a value for the ASCII encrypted string.

     3. Choose one of the following steps:

        • If you have a Base installation, open...

          portal_server_root/wmm/wmmWASAdmin.xml

        • If you have a Network Deployment, refer to Setting up a cluster.

     4. Copy the value from the ASCII encrypted string and paste it in the logonPassword field of the wmmWASAdmin.xml file.

     5. Adapt the admin logon and uniqueUserid fields to the distinguished name of the new user.

3. Replace the Security Server ID and Security Server Password with the new user account information from step 1. For the ID, retain the fully qualified server ID.

4. Restart WAS.

The following steps are required if you are using a database user registry or an LDAP user registry with realm support where the "local mode" is set to file, by default on wmmWASAdmin.xml.

Check this information under custom properties in the database user registry in the WAS Administrative Console. If the database user registry's local mode is configured for LDAP, these steps are not required.

1. From the command prompt, change to...

   portal_server_root/config

   For i5/OS change to the UserData path of...

   portal_server_root_user/config

2. Encrypt the new password...

   • Linux:

     ./WPSconfig.sh -DPassword=new_password wmm-encrypt

   • Windows:

     WPSconfig.bat -DPassword=new_password wmm-encrypt

   • i5/OS:

     From the UserData directory:

     WPSconfig.sh -profileName wp_profile -DPassword=new_password wmm-encrypt

   The script returns a value for the ASCII encrypted string.

3. Choose one of the following steps:

   • If you have a Base installation, open...

     portal_server_root/wmm/wmmWASAdmin.xml

   • If you have a Network Deployment, refer to Setting up a cluster.

4. Copy the value from the ASCII encrypted string and paste it in the logonPassword field of the wmmWASAdmin.xml file.

5. Adapt the admin logon and uniqueUserid fields to the distinguished name of the new user.

6. Restart WebSphere Portal Express.

If you use an external security manager such as Tivoli Access Manager, manually remove the old administrator user ID from the external security manager.

 

Change the LDAP administrator password within the Member Manager configuration

When you run the appropriate configuration tasks to enable security, WebSphere Portal encrypts your database and/or LDAP administrative passwords and stores them in portal_server_root/wmm/wmm.xml.

If you change the database password, update the datasource information using the WebSphere Portal Administrative Console.

Follow these steps to change the Member Manager repository administrator password:

If you change the LDAP administrator password, update the wmm.xml file with the new encrypted password.

1. Required if you configured WebSphere Portal in a clustered environment: The Member Manager files are stored on the deployment manager machine. Before you can change the file, extract the file from the deployment manager machine. Run the following command from the portal_server_root/config directory of the any node to extract the wmm.xml file:

   • Linux:

     ./WPSconfig.sh check-out-wmm-cfg-files-from-dmgr

   • Windows:

     WPSconfig.bat check-out-wmm-cfg-files-from-dmgr

   • i5/OS:

     From the UserData directory:

     WPSconfig.sh -profileName wp_profile check-out-wmm-cfg-files-from-dmgr

2. Change to...

   portal_server_root/config

   For i5/OS, change to...

   portal_server_root_user/config

3. Encrypt the new password by entering the appropriate command:

   • Linux:

     ./WPSconfig.sh -DPassword=new_password wmm-encrypt

   • Windows:

     WPSconfig.bat -DPassword=new_password wmm-encrypt

   • i5/OS:

     From the UserData directory:

     WPSconfig.sh -profileName wp_profile -DPassword=new_password wmm-encrypt

   The script returns a value for the ASCII encrypted string.

4. Open the portal_server_root/wmm/wmm.xml file with a text editor.

5. Copy the value from the ASCII encrypted string and paste it in the adminPassword field of the wmm.xml file.

6. Required if you configured WebSphere Portal in a clustered environment: Run the following command from the portal_server_root/config directory of the node to check the wmm.xml file back into the deployment manager machine:

   Use the same node that you used to check the file out.

   • Linux:

     ./WPSconfig.sh check-in-wmm-cfg-files-to-dmgr

   • Windows:

     WPSconfig.bat check-in-wmm-cfg-files-to-dmgr

   • i5/OS:

     From the UserData directory:

     WPSconfig.sh -profileName wp_profile check-in-wmm-cfg-files-to-dmgr

 

Change the LDAP bind password

If you are using LDAP as your user registry and did not configure Member Manager custom user registry, adapt the LDAP bind user ID using the WAS Administrative Console. For complete information about the WAS security, including changing passwords for administrative accounts, see the WAS documentation.

Follow these steps to change the LDAP bind password:

1. Confirm that the WAS Administrative Server and Administrative Console are running.

2. From the WAS Administrative Console, click...

   Security | Global Security | User registries | LDAP

3. Change the Bind Password to the new value and save the change.

4. Restart WAS.

 

Change the i5/OS password

Run the CL command..

wrkusrprf username

 

Related information

• Database user registry
• Access Control
• WebSphere Portal Express logs

 

Parent topic:

Keeping your environment secure

---