IBM Support

Methods for changing the ALBD password for albd_server.exe

Question & Answer


Question

How do you change the IBM Rational ClearCase Atria Location Broker Daemon (clearcase_albd) account on Microsoft Windows?

Cause

When the password for the server process account, clearcase_albd, has been changed on the Microsoft Windows Domain Controller, then the new password must be immediately propagated throughout the IBM Rational ClearCase environment on all hosts that are configured with VOB and view support, which have the Atria Location Broker Daemon (ALBD) running.

Answer

















Overview

Rational ClearCase utilizes a domain account to run the local service, Atria Location Broker Daemon (ALBD). By default, the account is clearcase_albd, but this can be changed when you are Configuring your installation:



Note: As seen above, the actual name of the service no longer includes Daemon, and this example is from a stand-alone configuration; hence, no domain qualifier in .\clearcase_albd, see technote 1149308 for more details.

The ALBD server process is denoted as albd_server.exe in the Windows Task Manager:

The ALBD service runs on every host that has been installed with View and VOB support. In ClearCase Doctor see the section, ClearCase Windows Configuration:


Note: View and VOB support can be installed on a ClearCase client or server.




Changing the clearcase_albd Password

The clearcase_albd account is a regular user account in the Windows environment, which generally means it must also adhere to the security policies in place for password requirements, such as changing it every 90 days.

For Rational ClearCase, this account is significant and serves a specialized function within the application. If your environment allots exemptions for such accounts, then it is best to never change the password or, at least, change it as infrequently as possible.

When the password must be changed, it is important to plan ahead to determine how this can be achieved with little or no fall-out. Given that this account is potentially in use on multiple servers and clients throughout the environment, you need to coordinate the changing of this account's password with refreshing it on all the machines that have albd_server.exe running.

Potential Problems

Changing the password of clearcase_albd without updating it on all the servers and clients accordingly can lead to issues such as locking the account, which can lead to downtime and lost production in the ClearCase development community.

Be advised that ClearCase functionality will not fail for any ClearCase host that has the ALBD service running while the password change occurs, but the issues will arise following a reboot of the host or when ClearCase is restarted on a host. These actions require the clearcase_albd account to attempt a login with the old password.

Note: For security purposes, it is advised that only ClearCase Administrators know the password for clearcase_albd, as this is a privileged account; see technote 1143292 for more information About ClearCase permissions on Windows.



Manually reset the ALBD service account's password

This method works best in small environments, where the time between changing the password for clearcase_albd and updating it on all the required machines is minimal.

After the password has been changed on the domain controller, then the password can be updated on each host that has the ALBD service running by using the below directions.

Windows 2000

  1. Click Start > Settings > Control Panel

  2. Double-click the Administrative Tools folder

  3. Double-click the Services icon

  4. Double-click Atria Location Broker service

  5. Select the Log On tab

  6. Change the Password and Confirm Password

  7. Click OK and then click X to close the Services window

  8. To test the change - restart the host and log on to confirm ClearCase is started

For more information specific to Windows 2000 refer to Microsoft KB article
259733.

Windows XP

  1. Click Start > Control Panel

  2. Double-click Administrative Tools folder

  3. Double-click the Services icon

  4. Double-click Atria Location Broker service

  5. Select the Log On tab

  6. Change the Password and Confirm Password

  7. Click OK and then click X to close the Services window

  8. To test the change - restart the host and log on to confirm ClearCase is started

For more information specific to Windows XP refer to Microsoft KB article
314357.

Windows Server 2003

  1. Click Start > Control Panel

  2. Double-click Administrative Tools folder

  3. Double-click the Services icon

  4. Double-click Atria Location Broker service

  5. Select the Log On tab

  6. Change the Password and Confirm Password

  7. Click OK and then click X to close the Services window

  8. To test the change - restart the host and log on to confirm ClearCase is started

For more information specific to Windows Server 2003 refer to Microsoft KB article 327545.





Update the ALBD service account's password in the release area (ClearCase 7.0.x and 2003.06)

Note: In ClearCase 7.1 or later the existing albd password can be changed when prompted during an upgrade using the IBM Installation Manager.



The sitedefs.dat file is created by the Site Preparation Tool that contains all of the Rational ClearCase settings you specified in the siteprep process. This is detailed more under
Creating a release area in IBM Rational ClearCase Installation and Upgrade Guide.

You cannot edit the sitedefs.dat file directly to change the ALBD password as it is encrypted. You must run siteprep.exe again in order to accomplish this task.

There are some things to keep in mind before attempting this task:

  • You must change the ALBD password on the Windows Domain Controller first before running the Site Preparation Wizard. Consult your System Administrator for assistance.

  • This change will effect every ClearCase server and client that has ALBD running with the old password. Only systems that have been installed with view (and VOB) support have the ALBD service running locally.

Once you are ready to make the change, perform the following steps:

1. Run siteprep.exe from your Rational ClearCase Release Area previously created.

2. Change the albd password in the siteprep wizard when prompted.

Screenshot from 2003.06.00 Siteprep:




This will update the sitedefs.dat file with the new password.

Note: If you did not delete the sitedefs.dat file, click Finish after making the password change. All other options previously selected will remain in the sitedefs.dat file.

3. Reinstall ClearCase on any servers and clients that have the albd service running from the updated release area to obtain the new password.

Note: The uninstall and install should be completed throughout the ClearCase environment after the password for the clearcase_albd account has been changed. On host can't re-install reinstall, then you can manually change the albd password, as detailed above in the previous section.



Remotely change the ALBD service account's credentials

The following directions advise you on how the ALBD service account's credentials can be changed remotely using the Windows sc tool.

This method is implementing a second clearcase_albd account in the ClearCase environment. They cannot have the same name, so clearcase_albd1 and clearcase_albd2, for example. Also, only one is in use in the environment at a time.

This method provides some redundancy, should the first account's password expire or if it were to become locked out, then the downtime can be minimized by switching to the second account, and propagating the change accordingly in the environment.

Note: Without introducing a second clearcase_albd account, you may be able to revise the below directions to only change the ALBD service account's password, such as detailed in Microsoft KB article 317142.

To implement this method you need the following:

  1. Domain Administration rights. The sc command requires that you have administrative rights on any Windows host you are attempting to stop and start services on.

  2. Two ClearCase clearcase_albd accounts: (With different names, such as 1 and 2)
  • The second must be a member of all the groups the first is, and
  • In an Interop environment, the second needs to be mapped exactly the same was as the first.
  • The second ALBD account in this case should be locked until needed.

    Note: The best way to prevent users with the wrong password from continually locking out the ALBD account is to switch ALBD accounts periodically.

  • 1. All Windows ClearCase hosts must at least be powered on, though ClearCase does not need to be running or started.

    2. Central Registry or License server for all Windows Client Hosts.


Windows sc tool

The primary tool for remotely changing service credentials is the standard Windows sc tool. The sc commands used here are:

  • sc [server] {servicename} config -- Changes the configuration of a service (persistent).
  • sc [server] {servicename} stop -- stops a service
  • sc [server] {servicename} start -- starts a service

ClearCase Client List

You need collect the client lists by running and parsing the output of the cleartool lsclient command, which requires the registry or license server in question to be running.

However, if the server is down at the start of this operation, then you can run the below sc commands against it individually to allow the process to continue. If this is done, then you need to modify the command run by the for commands from:

cleartool lsclient -host reg_lic_svr -type all | findstr Windows

to

cleartool lsclient -host reg_lic_svr -type all | findstr Windows | findstr /V reg_lic_svr

This will prevent the registry/license server from being restarted in steps 5 and 7 under the Switching ALBD accounts section below, and will allow you to skip step 6.

If the registry/license server is running an OS other than Microsoft Windows, you can skip step 6.

Switching ALBD Accounts

Disclaimer

All source code and/or binaries attached to this document are referred to here as "the Program". IBM is not providing program services of any kind for the Program. IBM is providing the Program on an "AS IS" basis without warranty of any kind. IBM WILL NOT BE LIABLE FOR ANY ACTUAL, DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF IBM, OR ITS RESELLER, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

When the ALBD account password expires or becomes locked, one useful process for recovering is:

  1. Unlock the "second" ALBD account.

  2. Lock the first ALBD account if it is not already locked.

  3. Set the password for the second ALBD account.

  4. Use the following for command to reset all the Windows host ALBD usernames and passwords:

    for /f "delims=:" %x in ('cleartool lsclient -host reg_lic_svr -type all ^| findstr Windows') do sc \\%x config albd password= newpassword obj= DOMAIN\clearcase_albd2

    Note:
    The spaces after "password=" and "obj=" are required.

  5. Stop the ALBD's by running the following command:

    for /f "delims=:" %x in ('cleartool lsclient -host reg_lic_svr -type all | findstr Windows') do sc \\%x stop albd

  6. Start the registry and license servers by running the following:

    sc \\reg_lic_svr start albd

  7. Start the ALBD's on all Windows hosts by running the following command:

    for /f "delims=:" %x in ('cleartool lsclient -host reg_lic_svr -type all | findstr Windows') do sc \\%x start albd


Documentation

For more information on the albd_server process and other server processes, see Rational ClearCase Server Processes under Rational ClearCase network planning and administration in IBM Rational ClearCase Administrator's Guide.

[{"Product":{"code":"SSSH27","label":"Rational ClearCase"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"ALBD","Platform":[{"code":"PF033","label":"Windows"}],"Version":"2003.06.00;7.0;7.0.1;7.1;7.1.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018

UID

swg21146207