CCM – Product error when changing filenetAdmin Password


Hi all,

Last week we had to deal with a very strange issue when migrating IBM Connections 4.5 to 5.

We followed the instructions for migrating the FileNet encryption keys.

After that, we were not able to use Libraries in the new Connections 5 environment. The following error showed up in the SystemOut.log:

[Image: CCM1]

The password for filenetAdmin (ICAdmin) did not match, although the J2C alias for filenetAdmin was correctly set to the new password. (We normally change the ICAdmin and filenetAdmin passwords when setting up a new environment or doing a side-by-side migration; this turns out not to be a good idea as far as FileNet is concerned.)

A little bit of history:

In IBM Connections 4.5 the filenetAdmin user and password for the ContentEngine application were stored directly in the application (FileNetEngine). In terms of administration this is really hell – if our developers did something like this I would beat them 😉

IBM changed this in IBM Connections 5 to simply use the J2C alias "filenetAdmin" from the IBM Connections cell. VERY GOOD!

So changing passwords in IBM Connections 5 does not require reconfiguring the bootstrap config and then redeploying the application.

But we found a product error that stays invisible as long as you do not change the filenetAdmin password!

This is what happens:

The authentication data that FileNet uses against IBM Connections is stored in a file called "props.jar". Inside this file there is a properties file, "CEMPBoot.properties".

In IBM Connections 5 the content looks like this (j2calias is used as gcd.Username):

[Image: CCM2]

And in IBM Connections 4.5 it looks like this (admin user + admin password is used):

[Image: CCM3]

The difference is in "com.filenet.gcd.Username": IC5 uses the J2C alias, while IC4.5 stores the user directly, together with the encrypted password.

When you now migrate the encryption keys (as described here) the following happens:

java -jar BootstrapConfig.jar -e temp1_device/Engine-ws.ear -j temp2_device/Engine-ws.ear

With -e you specify the "old" IC4.5 Engine-ws.ear.
With -j you specify the "new" IC5 Engine-ws.ear.
The above command migrates not only the encryption keys but also all other information from the CEMPBoot.properties file.

After you've deployed this file, CEMPBoot.properties looks like this in IBM Connections 5:

The good idea of using the J2C alias is simply overwritten! IBM Connections 5 now uses the old user and the old password.
This is not nice, and you will run into major trouble if the password was changed.

So IBM made an error when designing the encryption key migration task!

Anyway, we found a way to solve this:

1)   Stop the Cell

2)   Run the encryption key migration task:

java -jar BootstrapConfig.jar -e temp1_device/Engine-ws.ear -j temp2_device/Engine-ws.ear

3)  Unzip the IC5 file temp2_device/Engine-ws.ear and change to APP-INF/lib

4)   Then unzip the props.jar file

5)   Edit the file CEMPBoot.properties and replace the value of the property

com.filenet.gcd.Username

with the J2C alias:

The property

com.filenet.gcd.EncryptedPassword

is irrelevant when you specify the J2C alias.

6)   Zip the props.jar file again

8)   Zip the Engine-ws.ear again

9)   Continue with the regular migration tasks (e.g. copy the Engine-ws.ear and deploy it, clean the WAS temp directories) as described here (LINK)

Remark: Instead of steps 3 – 8 you can also use the following command, which simplifies the procedure (thanks to Martin Vogel in the comment section):

 java -jar c:\IBM\Connections\ContentEngine\lib\BootStrapConfig.jar -e Engine-ws.ear -username j2calias=filenetAdmin -password
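A way to check the repackaged Engine-ws.ear before deploying it, as an added example (not part of the original post and not IBM tooling): it reads CEMPBoot.properties from the props.jar nested in the EAR and reports when com.filenet.gcd.Username is not a J2C alias. The `j2calias=` value form is an assumption taken from the -username argument above, the function names are hypothetical, and the properties parsing is simplified.

```python
import io
import re
import zipfile

PROPS_JAR = "APP-INF/lib/props.jar"   # location inside the EAR, per the steps above
BOOT_FILE = "CEMPBoot.properties"
USER_KEY = "com.filenet.gcd.Username"
PW_KEY = "com.filenet.gcd.EncryptedPassword"
ALIAS_PREFIX = "j2calias="            # assumption: same form as the -username argument


def read_boot_properties(ear_bytes):
    """Parse CEMPBoot.properties out of props.jar nested in the EAR."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        jar_bytes = ear.read(PROPS_JAR)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        name = next(n for n in jar.namelist() if n.endswith(BOOT_FILE))
        text = jar.read(name).decode("iso-8859-1")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue                   # blank line or comment
        key, _, value = line.partition("=")
        # Java's Properties.store() backslash-escapes '=' and ':'; undo that.
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props


def audit_bootstrap_credentials(ear_bytes):
    """Return findings if the EAR pins a user/password instead of the alias."""
    props = read_boot_properties(ear_bytes)
    user = props.get(USER_KEY, "")
    if user.startswith(ALIAS_PREFIX):
        return []
    findings = [f"{USER_KEY}={user!r} is not a J2C alias"]
    if props.get(PW_KEY):
        findings.append(f"{PW_KEY} is set and will go stale on password change")
    return findings


def build_sample_ear(boot_text):
    """Constructed test input: an in-memory EAR holding only props.jar."""
    jar, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(BOOT_FILE, boot_text)
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr(PROPS_JAR, jar.getvalue())
    return ear.getvalue()
```

Pass the bytes of the real Engine-ws.ear to audit_bootstrap_credentials; an empty list means the alias survived the key migration.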

 

If you want to change the filenetAdmin password after you have migrated IBM Connections, you can proceed like this:

1)   Stop the Cell

2)   Change to the FileNet AppServer directory:

(CELLNAME)/installedApps/FileNetEngine/APP-INF/lib

3)   Extract the props.jar file

4)   Edit the file CEMPBoot.properties and replace the admin user with the J2C alias:

5)   Zip the props.jar again

6)   Clean the AppServer temp directories

7)   Start the Cell

There was a PMR open for this issue. Sadly IBM was not a great help and we had to work out the whole problem on our own – which is good, as we now know how the Content Engine app works in terms of users / passwords and encryption keys.

Update:

Michael Urspringer (www.urspringer.de) reminded me of another important, undocumented task after deploying / migrating the Engine-ws.ear… You need to manually reinstall the sonata / waltz jars in order to make the system work again!

7 thoughts on “CCM – Product error when changing filenetAdmin Password”

  1. Thank you, Julius, for sharing this!

    Actually, I had the situation today that the password was changed for connectionsAdmin / filenetAdmin. After that, CCM was no longer working, printing LDAP errors that authentication failed. It was migrated last year from IBM Connections 4.5 to IBM Connections 5.0. Your blog post was the answer to the missing place, where the password was still in use …

    1. Hi Maik,

      good to hear that this also solved your problems.

      Julius

  2. Thank you Julius for your blog post.
    In my situation username and password have changed.

    I found a KB article how you can replace username and password with one command.

    java -jar c:\IBM\Connections\ContentEngine\lib\BootStrapConfig.jar -e Engine-ws.ear -username j2calias=filenetAdmin -password

    http://www-01.ibm.com/support/docview.wss?uid=swg21442694

    1. Hi Martin,

      Thanks for your comment.
      That's good to know 😉 I will update this blog post with your simplified command.

      Julius

    1. Hi Amir,

      great that it helped you!!!
      And many thanks for your blog post. Actually I was just in this situation and changed all permissions manually (which is hell, as there is no permission inheritance). If you do not mind, I'd like to promote your post via my blog, as this is very important information for all CCM admins 😉