Change administrative passwords
Authentication information is configured in...
- "Security Server ID" for the WAS JVM
- access ID for authenticated access to databases and LDAP servers
- WAS and WebSphere Portal administrative IDs
Often this means that the account passwords are stored in the WAS and WebSphere Portal bootstrap configuration files, which allows the authentication process to work.
If the password for any ID is changed (either through WebSphere Portal or through any other means, including directly through the LDAP administration interfaces), then the password value stored in the appropriate configuration file must be changed at the same time. The following instructions describe how to make the appropriate changes based on which account passwords might have changed.
If you reuse the same account ID/password for multiple purposes, such as using wpsbind as both the administrative ID and the LDAP access ID, then you might have to do more than one of the following steps to accommodate the password change. Some changes, particularly changes made through the WAS Administrative Console, require that you already be logged in to the WAS Administrative Console with the current ID/password before you actually make the password change in the registry. Carefully plan which steps are required and in what order, so that you are not left unable to bring up server processes or log in.
Use the following topics to change passwords to better secure your environment.
- Change the WebSphere Portal administrator password
- Change the WAS administrator password
- Change the WAS administrator password using WebSphere Portal
- Change the WAS administrator password in the LDAP server using the LDAP administration interface
- Replace the WAS administrator user ID
- Replace the WebSphere Portal administrator user ID
- Change the LDAP bind password
Change the WebSphere Portal administrator password
WebSphere Portal treats wpsadmin (the administrator) as any other user, just with more permissions granted. With a normal configuration, it is possible to change the wpsadmin or equivalent password through the user interface, just like any other user can manage their own password through the user interface. However, if the wpsadmin account is also used for more than just the administrator, then additional changes, outlined in other steps in this section, must be made to accommodate the change.
Follow these steps to change the administrator password:
- Log in to WebSphere Portal as the administrator.
- Click Edit My Profile.
- Change your password in the appropriate box.
- Click Continue.
You can also change the Administrator password, like any other user password, using an LDAP editor. After successfully changing your password, you will need to make additional changes to the RunAsRole passwords; see "WebSphere Portal requires additional changes to the RunAsRole passwords for the EJBs to support password change for WPSAdmin and WASAdmin users" for information.
Change the WAS administrator password
You can change the password for the IBM WAS administrator user ID using the WAS Administrative Console. For complete information about WAS security, including changing passwords for administrative accounts, see Administrative user password settings.
To change the WAS administrator password, use one of the procedures described in the next two sections: change it using WebSphere Portal, or change it directly in LDAP.
After successfully changing your password, you will need to make additional changes to the RunAsRole passwords; see "WebSphere Portal requires additional changes to the RunAsRole passwords for the EJBs to support password change for WPSAdmin and WASAdmin users" for information.
Change the WAS administrator password using WebSphere Portal
To change the WAS administrator password using WebSphere Portal:
- Log in to WebSphere Portal as the WAS administrator and select Edit Profile.
- Type a new password and click OK.
Change the WAS administrator password in the LDAP server using the LDAP administration interface
These steps are valid for changing all passwords in LDAP. Follow these steps to change the WAS administrator password in LDAP if you are using IBM Tivoli Directory Server. If you are using a different LDAP server, refer to WebSphere Portal documentation for information about changing passwords.
The following directions assume an LDAP tree layout where the users are all in the cn=users,o=wps subtree in the directory server. You should adjust these directions based on your own LDAP server layout.
- Log in to the Tivoli Directory Server Web Administration Tool.
- Click Directory management > Manage entries.
- Select the o=wps RDN and click Expand.
- Select cn=users and click Expand.
- Select the WAS administrator user and click Edit Attributes.
- Click Other attributes.
- Enter the new password in the userPassword field.
- Click OK.
- Exit the Tivoli Directory Server Web Administration Tool.
Replace the WAS administrator user ID
Replace the WAS administrator user ID using the command line...
- Create a new user in the Manage Users and Groups portlet to replace the current WAS administrative user.
- Replace the old WAS administrative user with the new user...
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh wp-change-was-admin-user -DnewAdminId=newadminid -DnewAdminPw=newpassword
This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.
- Verify that the task completed successfully. In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a stand-alone environment, restart the server1 and WebSphere_Portal servers.
Replace the WAS administrator user ID using the WAS Administrative Console...
- Create a new user in the Manage Users and Groups portlet to replace the current WAS administrative user.
- Replace the Primary administrative user name with the information for the new user. For the ID, retain the fully qualified server ID.
- Restart the server1 server.
If you use an external security manager, such as Tivoli Access Manager, manually remove the old administrator user ID from the external security manager.
Replace the WebSphere Portal administrator user ID
To replace the WebSphere Portal administrative user ID:
- Create a new user in the Manage Users and Groups portlet to replace the current WebSphere Portal administrative user.
- Replace the old WebSphere Portal administrative user with the new user...
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh wp-change-portal-admin-user -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup
This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.
- Verify that the task completed successfully. In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a stand-alone environment, restart the server1 and WebSphere_Portal servers.
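Both ConfigEngine procedures above take the new password as a -D argument typed on the command line, where it can end up in shell history. The wrapper below is an added example, not part of the original documentation: it prompts for the password without echo and builds the same invocation. The function names, the SKIP_LDAP_VALIDATION variable, and the use of WP_PROFILE as an exported environment variable are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumes WP_PROFILE is exported and points at
# the portal profile directory; function names are hypothetical.

# Read one line from stdin; suppress echo when stdin is a terminal.
read_secret() {
    if [ -t 0 ]; then
        printf '%s' "$1" >&2
        trap 'stty echo' INT TERM
        stty -echo
        IFS= read -r _secret
        stty echo
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r _secret
    fi
    printf '%s' "$_secret"
    unset _secret
}

# change_admin_user TASK NEW_ID [NEW_GROUP_ID]   (password is read from stdin)
# SKIP_LDAP_VALIDATION=true adds the flag the page gives for a stopped server.
change_admin_user() {
    task=$1; new_id=$2; group_id=${3:-}
    case $task in
        wp-change-was-admin-user|wp-change-portal-admin-user) ;;
        *) echo "unknown task: $task" >&2; return 2 ;;
    esac
    if [ ! -x "${WP_PROFILE:-}/ConfigEngine/ConfigEngine.sh" ]; then
        echo "ConfigEngine.sh not found under WP_PROFILE" >&2; return 2
    fi
    new_pw=$(read_secret "New password for $new_id: ")
    if [ -z "$new_pw" ]; then
        echo "empty password refused" >&2; return 2
    fi
    set -- "$task" "-DnewAdminId=$new_id" "-DnewAdminPw=$new_pw"
    unset new_pw
    if [ -n "$group_id" ]; then
        set -- "$@" "-DnewAdminGroupId=$group_id"
    fi
    if [ "${SKIP_LDAP_VALIDATION:-false}" = true ]; then
        set -- "$@" -Dskip.ldap.validation=true
    fi
    # The password is still a process argument while the task runs.
    (cd "$WP_PROFILE/ConfigEngine" && ./ConfigEngine.sh "$@")
}
```

Run it as `change_admin_user wp-change-was-admin-user newadminid` and type the new password at the prompt.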
Change the LDAP bind password
If you are using an LDAP server as your user registry, adapt the LDAP bind user ID using the appropriate task to update the LDAP user registry. Choose the appropriate file to view for information on how to change the LDAP bind password: