IBM Support

Changing the default user passwords on IBM WebSphere Lombardi Edition

Troubleshooting


Problem

The standard installation and configuration guides have steps for changing the internal users' passwords in WebSphere Lombardi Edition 7.1 and 7.2. These steps work for most users, but additional steps are needed for tw_admin and tw_user or if you want to encrypt the passwords.

Symptom

You might see the following error:
com.ibm.websphere.wim.exception.PasswordCheckFailedException:
CWWIM4513E The password match failed

Resolving The Problem

Note: If you need to change the password for tw_author, see Instructions for changing the heartbeat user password on runtime server and process center after system has registered (Teamworks 7.0.1 and WebSphere Lombardi Edition 7.1).

Note: As you complete these steps, consider backing up the files, after they are altered, to a location outside of the installation directory. Some interim fixes and fix packs run a deployment script that might cause the changes from these steps to be lost.

Steps
To resolve this problem, complete the following steps:

  1. Change the passwords on the Process Admin Console.
    1. Navigate to the WebSphere Lombardi Edition Process Admin Console (http://host:port/ProcessAdmin).

    2. Go to User Management and select User Management.

    3. Search for "tw_" to bring up all internal users.

    4. Select a user, apply the new password, and password confirmation field, and update the user.

    5. Repeat the previous steps so that all user passwords are changed.

  2. Encrypt the new passwords.
    Navigate to the (WLE_HOME)\twinit\lib directory and run the following command:
    lib>..\..\AppServer\java\bin\java -cp utility.jar com.lombardisoftware.utility.EncryptPassword
    new_password



    If the previous command does not run on Microsoft Windows operating systems, then add the following entry to your PATH environment variable:
    (WLE_HOME)\was-iip-jdk\jre\bin

  3. Complete the following steps to update the WebSphere Lombardi Edition Configuration Files with encrypted passwords:
    1. Open the 100Custom.xml file from the (WLE_HOME)\process-center\config\ directory.

    2. Add the following code to the file to override the user settings with the encrypted passwords acquired in step 2 (you can leave out sections for any user whose password was not changed):
      <!-- Override 99Local.xml --> 
      <server merge="mergeChildren"> 
        <bpd-engine merge="mergeChildren"> 
         
      <system-lane-users merge="replace"> 
           
      <user login="tw_admin" password-encrypted="true" password="(encrypted tw_admin password)" /> 
         
      </system-lane-users> 
       
      </bpd-engine> 
       
      <webservices merge="mergeChildren"> 
          <guest-user merge="replace">tw_webservice</guest-user> 
         
      <guest-user-password merge="replace">(encrypted tw_webservice password)</guest-user-password> 
         
      <guest-password-encrypted merge="replace">true</guest-password-encrypted> 
       
      </webservices> 
        <repository-server-user merge="replace">tw_runtime_server</repository-server-user> 
       
      <repository-server-password merge="replace">(encrypted tw_runtime_server password)</repository-server-password> 
       
      <repository-server-designated-user merge="replace">tw_author
       </repository-server-designated-user>
       
        <repository-server-designated-password merge="replace"> (encrypted tw_author password)
       </repository-server-designated-password>
       
      </server> 
      <!-- Override 80EventManager.xml --> 
      <event-manager merge="mergeChildren"> 
       
      <login-name merge="replace">tw_admin</login-name> 
        <password merge="replace">(encrypted tw_admin password)
       </password>
       
       
      <password-encrypted merge="replace">true</password-encrypted> 
      </event-manager> 
      <!-- Override 50AppServer.xml --> 
      <common merge="mergeChildren"> 
        <security merge="mergeChildren"> 
          <runas-user merge="mergeChildren"> 
         
        <username merge="replace">tw_admin</username> 
         
        <password merge="replace">(encrypted tw_admin password)
           </password>
       
            <password-encrypted merge="replace">true</password-encrypted> 
          </runas-user> 
       
      </security> 
      </common>
    3. Restart all the WebSphere Lombardi Edition servers.

    4. Open the (WLE_HOME)\process-center\TeamWorksConfiguration.running.xml file and confirm that the previous changes in the 100Custom.xml file make it into the running configuration.


      Note: If you change the password for the tw_runtime_server user, you must ensure that the password for this user is identical between a Process Center and connected runtime servers. This password is taken from the configuration for the runtime server and sent along with its heartbeat to the Process Center. The Process Center checks the password against its own configuration, hence, they must match between these connected environments. See Instructions for changing the heartbeat user password for more details.

  4. Update the RunAs Users in the WebSphere Application Server Administrative Console
    • For tw_admin, change the password for the WebSphere runas users in the 'teamworks' web application by completing the following steps from the administrative console:
      1. Navigate to Applications > Application Types > WebSphere enterprise applications > teamworks.

      2. Under Detail Properties, select User RunAs roles.

      3. Enter tw_admin for the user name along with the new password, which you previously changed in the Process Admin Console.

      4. Verify the twem and twuser roles and click Apply.

      5. Click OK and Save directly to the master configuration at the top of the window to save the teamworks application changes.

    • For tw_user, change the password for the WebSphere runas users in the 'tracking' web application by completing the following steps in the administrative console:
      1. Navigate to Applications > Application Types > WebSphere enterprise applications > tracking.

      2. Under Detail Properties, select Security role to user/group mapping.

      3. Check the tw-loader role and click Map Users.

      4. Enter 'tw_user' in the search criteria and click Search.

      5. Select the tw_user user from the Available list and add the user to the Selected list on the right.

      6. Click OK.

      7. Click OK on the Security role to user/group mapping screen and click Save directly to the master configuration at the top of the window.

      8. Navigate to Applications > Application Types > WebSphere enterprise applications > tracking.

      9. Under Detail Properties, select User RunAs roles.

      10. Verify the tw-loader role and enter the tw_user username and the new password.

      11. Click OK.

      12. Click Save directly to the master configuration at the top of the window.

      13. Restart the WebSphere Lombardi Edition Process Center services and check the WebSphere Application Server SystemOut.log file to ensure that errors do not exist.

  5. Update the tw_admin password to be used for offline deployments. In the (WLE_HOME)/tools/process-installer/process-installer.properties file, change the following line to the new tw_admin encrypted password:
    pcs.encrypted=3Dwiqf0gXAEncccPiepuKg==:d8z7KU8hEhzilOxlVLqyuA==

  6. Change the value of the bootstrap.password property to the encrypted password in the twinit/tw-init.xml file.


    There are some cases where these steps do not affect the file system and manual file system changes are required. After you complete the previous steps, review the following files:
    • [INSTALL_DIR]\AppServer\profiles\Lombardi\installedApps\
      cell_name\tracking.ear\META-INF\ibm-application-bnd.xmi file 
    • [INSTALL_DIR]\AppServer\profiles\Lombardi\config\cells\
      cell_name\applications\tracking.ear\deployments\tracking
      \META-INF\ibm-application-bnd.xmi
    • [INSTALL_DIR]\AppServer\profiles\Lombardi\installedApps\
      cell_name\teamworks.ear\META-INF\ibm-application-bnd.xmi

  7. Review the following lines. The passwords in these code examples are the defaults. If they look like these examples, the changes did not take effect and you should start at Step 1 in the Additional Steps section. If they are different, proceed to step 11.


    For tw_user in the two tracking.ear files:
    <authData xmi:type="com.ibm.ejs.models.base.bindings.
    commonbnd:BasicAuthData" xmi:id="BasicAuthData_1295461950652"
    userId="tw_user" password="
    {xor}KygAKiw6LQ=="/>


    For tw_admin in two locations within the teamworks.ear file:
    <authData xmi:type="com.ibm.ejs.models.base.bindings.
    commonbnd:BasicAuthData" xmi:id="BasicAuthData_1295461821519" userId="tw_admin" password="
    {xor}KygAPjsyNjE="/>

    <authData xmi:type="com.ibm.ejs.models.base.bindings.
    commonbnd:BasicAuthData" xmi:id="BasicAuthData_1295461821520" userId="tw_admin" password="
    {xor}KygAPjsyNjE="/>

Additional Steps
  1. Find the soap.client.props file, which is located in the following directory:
    [INSTALL_DIR]\Lombardi7\AppServer\profiles\Lombardi\properties\

  2. Copy the file to another location. For example, you might copy it to the c:\ directory.

  3. Edit the copied soap.client.props file. Next to the com.ibm.SOAP.loginPassword= line, enter the clear text password for one of your users. If you need to make this change for multiple users, you will have to do it one at a time.

  4. Save the modified soap.client.props file.

  5. From the command line, go to the [INSTALL_DIR]\IBM\Lombardi7\AppServer\profiles\Lombardi\bin\ directory.

  6. Run the following command, which points to your file:


    PropFilePasswordEncoder.bat "C:\soap.client.props"
    com.ibm.SOAP.loginPassword

  7. Go to the soap.client.props file and search for com.ibm.SOAP.loginPassword= line.
    This value will be set to your encrypted password. If you need to change multiple users, return to step 3 and change it for the other users. Use this copied version of the file to get encrypted passwords; do not change the file in its original location.

  8. Copy the encrypted version of the password from your copied version of the soap.client.props file.

  9. Back up the following files to a directory outside of your installation directory.

    • For tw_user:
      • [INSTALL_DIR]\AppServer\profiles\Lombardi\installedApps\cell_name\tracking.ear\META-INF\ibm-application-bnd.xmi file

      • [INSTALL_DIR]\AppServer\profiles\Lombardi\config\cells\
        cell_name\applications\tracking.ear\deployments\tracking\
        META-INF\ibm-application-bnd.xmi

    • For tw_admin:
      • [INSTALL_DIR]\AppServer\profiles\Lombardi\installedApps\cell_name\teamworks.ear\META-INF\ibm-application-bnd.xmi

  10. Modify the following lines in the original versions of the files that you just backed up. Change the bold face value to your new encrypted password from the soap.client.props file:
    • For tw_user in the two tracking.ear files:
      • <authData xmi:type="com.ibm.ejs.models.base.bindings.
        commonbnd:BasicAuthData" xmi:id="BasicAuthData_1295461950652"
        userId="tw_user" password="
        {xor}KygAKiw6LQ=="/>

    • For tw_admin in two locations within in the teamworks.ear file:
      • <authData xmi:type="com.ibm.ejs.models.base.bindings.
        commonbnd:BasicAuthData" xmi:id="BasicAuthData_1295461821519" userId="tw_admin" password="
        {xor}KygAPjsyNjE="/>

      • <authData xmi:type="com.ibm.ejs.models.base.bindings.
        commonbnd:BasicAuthData" xmi:id="BasicAuthData_1295461821520" userId="tw_admin" password="
        {xor}KygAPjsyNjE="/>

  11. For tw_user, update the password in the following additional files:
    • [INSTALL_DIR]\AppServer\profiles\Lombardi\config\cells\
      cell_name\security.xml


    • [INSTALL_DIR]\bin\properties\soap.client.props

  12. Restart all WebSphere Application Server and WebSphere Lombardi Edition servers for the changes to take effect.
    • For stand-alone environment, start the WebSphere Application Server and WebSphere Lombardi Edition servers.

    • For clustered environment:
      • Start the Deployment Manager by running the startManager command. For more information about starting Deployment Manager, refer to startManager command.

      • After the Deployment Manager starts, synchronize each node, one at a time by using syncNode command.
        Note: If you have modified the default Deployment Manager SOAP port, you must specify it in the previous commands immediately after the host name for the primary node. For more information about synchronizing nodes, refer to syncNode command.

      • Start all the nodes, the Process Server and the Performance Data Warehouse for your entire cluster environment.

[{"Product":{"code":"SSFPRP","label":"WebSphere Lombardi Edition"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.2;7.1","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Product Synonym

WLE Lombardi

Document Information

Modified date:
15 June 2018

UID

swg21448216