How to change Bootstrap admin password

This procedure describes how to change the password for the Content Engine system user (also known as the bootstrap admininstrator, or ce_bootstrap_admin). The credentials for this account are entered during Content Engine configuration. Configuration Manager places this user name and its password into the Content Engine bootstrap file and subsequently into the GCD. Here are the locations that this procedure will describe:

• The Content Engine's bootstrap file. In this location ce_bootstrap_admin is called the Content Engine system user.
• On WebLogic and WebSphere, the Content Engine installation program grants this account the role of application server administrator, also called the application server's console administrator. (JBoss has no similar requirement.)
• The Content Engine installation process gives this account Full Control access to the GCD, which defines the FileNet P8 domain. It will appear in Enterprise Manager's domain root property sheet, on the Security tab. In this location this account is the GCD Administrator (gcd_admin).
• Many installations will also enter this account into the Configuration Manager as the directory service user account, the account that Content Engine uses to bind to the directory server (also called the LDAP). Configuration Manager places the account into the application server's authentication configuration location, where it is referred to as the directory service user (ce_service_user).

Changing ce_bootstrap_admin's password in the directory server means that you must at the same time change it in these several locations. If you do not, the bootstrap file will not be able to authenticate to the LDAP and Content Engine will not be able to start. You can also lock yourself out from Enterprise Manager. Follow this procedure carefully to avoid this scenario.

This procedure requires access to the Content Engine location, to the application server console, and to the directory server. Because of the relative complexity of this procedure, unless there is an overriding reason to change the password of this important account, you should consider exempting the Content Engine system user account from your password change policy.

Some steps below will be different for installations using JBoss, as JBoss does not have an administrative console or the need to log in as an administrator.

To change the Content Engine system user password

1. Backup the Engine-##.ear file, where ws denotes WebSphere, wl denote WebLogic, and jb denotes JBoss. You can then revert to last good known EAR file in case changing the password fails.
2. On the server containing Content Engine, start the IBM FileNet Configuration Manager. See Configuration Manager reference for information.
   1. Load the Configuration Manager profile that describes your installation.
   2. Click Configuration Bootstrap Properties. Do not change anything yet. The Bootstrap user password is the field you will change later in this procedure.
   Leave this window open while doing the following steps.
3. Log in to Enterprise Manager as GCD administrator.
   1. In Enterprise Manager, right-click the Root Folder, and then click Properties
   2. Click the Directory Configuration tab.
   3. Select the row that represents the configuration parameters pointing to the LDAP location that the Content Engine system user belongs to, and click Edit.
   4. When the Modify Directory Configuration dialog box opens, view the value for the Directory Service User.
      
      If this account is the same as the Content Engine system user identified in step 1, do all the steps that follow. If it is different, then use just this step by itself to change its password if and only if it is being changed on the LDAP.
   5. Do not change anything yet. Leave the dialog box open while doing the remaining steps.
4. (WebLogic and WebSphere) Log in to your application server console.
   1. Stop the application server.
   2. Navigate to the authentication provider panel containing the ID and password for the directory service user account.
      • WebLogic: this will be the value of the Principal field in the Authentication Provider for the WebLogic domain containing Content Engine.
      • WebSphere: this will be the bind user account in the Profile containing Content Engine.
      • JBoss: the directory service user account is contained in the login-config.xml file.
   3. Do not change anything yet. Leave the console open while doing the remaining steps.
5. Log in to your directory server.
   1. Navigate to the location containing the account for the Content Engine system user.
   2. Change its password.
   3. Save and apply.
6. Return to your application server console.
   1. Change the password of the directory service user account (also known as the bind account) to the new password .
   2. Save and apply.
   3. Do not restart the application server until instructed to do so below.
7. Return to Enterprise Manager dialog box.
   1. Change the directory service user's password to the new password.
   2. Click Apply and OK to close the dialog box.
8. Return to the window containing Configuration Manager. See Editing the configure bootstrap properties settings for reference.
   1. In the Configure Bootstrap Properties task, set the Bootstrap Operation property to Modify Existing.
   2. Confirm that the Bootstrapped EAR file property contains the path to the bootstrap file you need to edit.
   3. Change the Bootstrap user password. Use Configuration Manager's features to save and run the task.
   4. Run Configuration Manager's Deploy Application.
   5. Manually restart the application server.
9. Restart the application server.
10. Verify the change by logging on to Enterprise Manager as a GCD administrator (gcd_admin) and performing a user and group look up. See Modify an object's security for one way to do this.