How to change IS Administrator password using CC (in command line)

Hi,

After installing new Integration Server and its Platform Manager, I would like to change the default password for Administrator account using Command Central in command line. How do I do that?

Thanks.

Hi Marco,

as IS and Platform Manager/Command Central are using different User Stores, you will have to change the passwords separately.

For Platform Manager/Command Central it is internaluserrepo.sh, for the IS you will have to go to IS Admin.

Additionally you should take a look in the Command Central and Platform Manager Command Reference.

Regards,
Holger

Hi Holger,

Thanks for the info, but what I need are the instructions to modify the password as stored in the IS. I know I can modify it using the IS Admin console but what I’m trying to do is have a script that will do that. I’ve previously created users using the CC command by uploading an XML file containing the parameters for creating the user. What I was wondering is if the process is similar when wanting to update the password.

Thanks.

Starting with webM 9.7, Command Central unified local user management for IS, MWS, UM and all common platform runtime based products which include CCE, SPM, CTP, InfraDC.
There is no need to use IS Admin or internaluserrepo.sh, everything can be done consistently using CC Web UI, CLI.

Moreover, it is recommended to do it via CC because CC will update its outbound credentials at the same time so that the connection is not affected (if connection still relies on BASIC auth).

This is from CC online help
Search for “Using Unix Shell Scripts to Change Connection Credentials for Managed Products”


NODE_ALIAS=local
USERNAME=Administrator
PASSWORD=manage456
RCID=integrationServer-default
# RCID=MwsProgramFiles-default
# RCID=Universal-Messaging-nirvana
# RCID=OSGI-CTP
# RCID=OSGI-InfraDC
 
cc get configuration data $NODE_ALIAS $RCID COMMON-LOCAL-USERS-Administrator -o administrator.xml
sed "s,/>,><Password>${PASSWORD}</Password></User>,g" administrator.xml > administrator_new.xml
cc update configuration data $NODE_ALIAS $RCID COMMON-LOCAL-USERS-Administrator -o administrator_new.xml
 
# verify connection
cc get monitoring runtimestatus $NODE_ALIAS $RCID -e ONLINE

From CC help “Using a Unix Shell Script to Change the Administrator Password for Platform Manager”


NODE_ALIAS=local                  
PASSWORD=secret                  
RCID=OSGI-SPM                  
                  
cc get configuration data $NODE_ALIAS $RCID COMMON-LOCAL-USERS-Administrator -o administrator.xml                  
sed "s,/>,><Password>${PASSWORD}</Password></User>,g" administrator.xml > administrator_new.xml                  
cc update configuration data $NODE_ALIAS $RCID COMMON-LOCAL-USERS-Administrator -o administrator_new.xml                  
# verify connection                  
cc list inventory components nodeAlias=$NODE_ALIAS -e $RCID -w 0 refresh=true

Thanks,
Sergei

Thanks Sergei. You even managed to answer a question I hadn’t asked yet… Its great that SPM updates its outbound credentials to connect to the IS when we modify Administrator password thru CC.

1- So if I understand correctly, the first example is to modify the password used by SPM to connect to the IS (or other managed products)?
2- …and the second example is to modify the password used by Command Central to connect to the SPM?
3- Is it possible to have SPM use a different account than Administrator to connect to the IS?
4- One comment : it would be nice to simplify the interface to Command Central by not requiring us to download/modify/upload configuration files when wanting to make some simple configuration changes. I started storing some xml files to be used as templates, so at least I don’t have to download them each time. Is there a specific reason for this design decision?

Thanks.

  1. This is an example to change password of the internal user used by a managed runtime instance of IS, MWS, CTP, etc AND update SPM outbound credentials for this component IF SPM uses BASIC authentication to connect to this component. Starting with 9.8 some products like IS and OSGi, and with 9.9 also MWS, support TRUSTED authentication that does NOT require basic username/password credentials and thus does not have to be updated when you change passwords for the users on the managed product. Other products like UM, TC, Broker either do not use authentication by default or it is not supported by SPM (TC and Broker).

  2. Yes, with the save as above note. It actually updates the Administrator password on the target SPM and updates outbound credentials in CCE to connect to this SPM.
    CCE to SPM connection still relies on BASIC auth and does not support TRUSTED or DELEGATED auth at the moment.

  3. Yes, it is possible to use any valid account with BASIC auth, but if this account is NOT an Administrative account then SPM will likely fail to perform most operations as they are admin level operations/services.
    If TRUSTED auth is used then it is always Administrator account, but you don’t have to worry about password changes as the authentication from SPM to IS is handled via SAML 2.0 signed assertions.

  4. download/modify/upload workflow simplification is on the road map and it may look like this


cc modify configuration data $NODE_ALIAS $RCID COMMON-LOCAL-USERS-Administrator Password=newPassword

where Password is a property derived from translation of the XML/JSON representation into a map like structure, similar what we do for Configuration Compare service/UI.

The main reason it’s not in, because we’ve been focusing on composite template based provisioning and less on the CLI enhancements.

Another feature on the road map is to allow configuration updates for more than one component, for example change Administrator password for all IS’s/MWS’s/SPM’s in the given environment using a single service all, e.g.


cc modify configuration data environmentAlias=prod1 configurationInstanceId=COMMON-LOCAL-USERS-Administrator Password=newPassword

Thanks
Sergei

Thanks for the detailed answer. Looking forward to the workflow simplification. It will also be useful to be able to affect multiple instances with one command.

Small problem… Using CC (REST interface), I modified the Administrator password for IS using parameters similar to the examples you mentioned above. It worked, I tested it in IS Console and in CC (user interface). But in the IS log at the begining of every hour we started receiving “Access denied” errors for user Administrator (coming from localhost). I went to the CC UI, I scrolled to the IS instance : IS_default, I clicked on component “Integration Server”. In the Overview tab, sections details, I modified “Authentication” field and put the new password for Administrator account. I waited an hour and we still got the error. Then I used the script “internaluserrepo.bat” to modify the Administrator password and now we don’t get the error anymore.

Any ideas? Is this normal behavior? If this is normal is there a way to solve this problem using CC (script)

Thanks.

Hi Marco,
most probably SPM monitoring tries to connect to IS JMX port and that’s where this exception comes from.
I see that you’ve changed credentials for “Integration Server” component using the UI but I think you need to change it for both the process and engine e.g. for ID_default
Using command line tool you can execute:
cc get security credentials nodeAlias=local runtimeCoponentId=OSGI-IS_default -f xml -o creds.xml
this command will retrieve the credentials for OSGI-IS_default and will save it as a file called creds.xm

then open the file and put the new password inside

after this execute:
cc add security credentials nodeAlias=local runtimeComponentId=OSGI-IS_default -i creds.xml -f xml
This will propagate the file with the new password to the node called local and will save these credentials inside SPM’s internal credential store

Then repeat these steps for runtimeComponentId=integrationServer-default

Best Regards,
Veselin

Hi Veselin,

I tried it but it didn’t work. At the same time, I don’t think it’s related to JMX. The error I’m seeing is in the server.log of the Integration Server, from a request to the primary port.

Thanks.

In this case it might be ISContext in IS SPM plugin that expires every hour and then gets first login attempt as a failure.

Do you get the same issue when you use TRUSTED auth for both OSGI-IS_ and integrationServer- components?

If yes, please file a support ticket for Integration Server product/plugin.

Thanks
Sergei

Hi Sergei,

I just want to clarify. As mentioned previously, if I execute the following line it solves the problem:

	>>Run internaluserrepo.bat on user.txt file located in <installDir>\profiles\SPM\configuration\security\

When I install an IS, after I change the Administrator password using CC, I could add a call to “internaluserrepo.bat” command. But you mentioned previously that when we modify the password using CC (which I do), CC should update its outbound credentials, and it seems to work for one type of call (which happens every 5 minutes), but not for calls happening every hour. My impression is that for calls initiated from SPM to the managed product (IS), outbound credentials are updated correctly, but not for calls initiated from CC to managed product.

Additional Info:

The interval at which the problem occurs (every hour by default) is controlled by this parameter “periodic.configuration” in this file on Command Central directory:

File : profiles/CCE/configuration/com.softwareag.platform.config.propsloader/com.softwareag.platform.management.client.core.periodic.ScheduledEventService.properties

Thanks.

Marco.

IS team will check.

There is a very similar looking issue that is tracked as PIE-38281 and to be included into the IS_9.9_SPM_Fix2

Thanks.