Introduction
The user in the connectionsAdmin role is essential for a working IBM Connections infrastructure. Many IBM Connections components, and many add-ons, use this identity for internal communication between the components.
Unfortunately, the combination of user ID and password is stored in several places in the IBM Connections configuration. Typically, this password is never changed ...
But what if it has to be changed ...
Special characters in password
Before we look at where the password of the user in the connectionsAdmin role has to be changed, an important remark about the characters you must not use in the password:
Avoid including the following special characters when entering passwords for WebSphere Application Server users:
&, ^, <, >, ", ', ), (, |, !, $, #, %
This list of critical characters is inconsistent with the list in the WebSphere product documentation:
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/csec_chars.html?lang=en-us&cp=SSAW57_8.5.5
However, the trigger for writing this article was a "!" in the password of the administrative user, which caused configuration steps to fail while updates were being installed.
So, we had to change the password.
Environment
The steps below have been verified in an environment containing the following components:
- IBM Connections 5
- IBM Connections Content Manager 5
- IBM Docs 1.0.6
- IBM File Viewer 1.0.6
- IBM Cognos BI 10.1.1
All servers were running on Microsoft Windows. If the components in your environment run on another supported operating system, adapt the directories in each step accordingly.
The LDAP user repository was Microsoft Active Directory.
The environment was configured for Windows desktop single sign-on using SPNEGO/Kerberos.
Steps to change password of connectionsAdmin
Step 1: Stop IBM Connections and all node agents on all nodes. Keep only Deployment Manager running.
a) In WebSphere Integrated Solution Console, go to
Servers > Server Types > WebSphere application servers
b) Select all servers running IBM Connections components
c) Click "Stop"
d) Go to
System Administration > Nodes
e) Select all nodes where IBM Connections is running
f) Click "Stop"
Step 2: For Single Sign-On using SPNEGO/Kerberos: Create new keytab
As part of setting up single sign-on with the Windows desktop login, one step was to register the service principal name (SPN) on a Microsoft Active Directory account:
http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_install_kerb_create_service_account.dita
If the Active Directory account used for connectionsAdmin is also the account that carries the SPN for SPNEGO/Kerberos, you have to create a new keytab file after changing the password of that account: the keys stored in the keytab are derived from the account password, so the old keytab stops working the moment the password changes.
NOTE: It is not recommended to use the same AD account for the SPN and for the connectionsAdmin user. With a dedicated service account for the SPN, a connectionsAdmin password change does not touch Kerberos at all and this step can be skipped.
a) Remove the SPN from the account
b) Create a new keytab file using commands similar to the following, each on one line. Be aware that -pass sets the password of the mapped account, so specify the new connectionsAdmin password here; otherwise ktpass changes the account password once more. "-pass *" prompts for the password instead of leaving it in the command history.
ktpass -princ HTTP/was01.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -out c:\temp\icconkerb.keytab -mapUser EXAMPLE.COM\icadmin -mapOp set -pass password
ktpass -princ HTTP/was02.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -in c:\temp\icconkerb.keytab -out c:\temp\icconkerb.keytab -mapUser EXAMPLE.COM\icadmin -mapOp add -pass password
ktpass -princ HTTP/connect.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -in c:\temp\icconkerb.keytab -out c:\temp\icconkerb.keytab -mapUser EXAMPLE.COM\icadmin -mapOp add -pass password
c:\temp\icconkerb.keytab is the new keytab file.
c) On each WebSphere node (including the Deployment Manager), replace the current keytab file with the new one. The keytab is as sensitive as the account password itself: copy it over a protected channel, restrict read access to the account under which WebSphere runs, and delete the copy in c:\temp afterwards.
Step 3: Update J2C aliases
a) In WebSphere Integrated Solution Console, go to
Security > Global Security > Java Authentication and Authorization Service > J2C authentication data
b) Update the password of the following J2C aliases by clicking the user ID
- connectionsAdmin
- cognosAdmin ... if you have Cognos installed and used the same user ID as the Cognos administrator
- filenetAdmin ... if you have CCM installed and used the same user ID as the FileNet administrator
- viewerAdmin ... if you have IBM Connections Viewer installed and used the same user ID
- docsAdmin ... if you have IBM Docs installed and used the same user ID as the IBM Docs administrator
c) To make sure you have caught all J2C aliases with the same user ID, use the filter function and filter by "User ID"
d) Back in "JAAS - J2C authentication data" overview listing all aliases, click "Apply" button at the top of the page
e) Save changes
Step 4: Update "Run As" user in Search application
a) In WebSphere Integrated Solution Console, go to
Applications > Application Types > WebSphere enterprise applications
b) In the list of applications, click on "Search"
c) Click on "User RunAs roles"
d) Select the "admin" user and click "Remove"
e) Type in userid and password, select the "admin" role and click "Apply"
f) Click "OK" and save changes
Step 5: Update CEMPBoot.properties in APP-INF/lib/props.jar in the FileNetEngine app
This step is only necessary if you have upgraded IBM Connections Content Manager from Connections Content Manager 4.5.
It is also only required once. As soon as CEMPBoot.properties has been changed to use the filenetAdmin J2C alias, later password changes can be done in WebSphere alone (see step 3).
Kudos go to http://techblog.gis-ag.info/2015/04/14/ccm-product-error-when-changing-filenetadmin-password/
In IBM Connections Content Manager 4.5, the user ID/password combination of the FileNet administrator was stored in CEMPBoot.properties in APP-INF/lib/props.jar inside the FileNetEngine app.
In IBM Connections Content Manager 5.0, this was changed to use the J2C alias "filenetAdmin".
However, as part of the encryption key migration during the migration from CCM 4.5 to CCM 5.0, the old setup is reintroduced.
So, we have to update CEMPBoot.properties manually, using the following steps:
a) In WebSphere Integrated Solution Console, go to
Applications > Application Types > WebSphere enterprise applications
b) In the list of applications, select "FileNetEngine"
c) Click "Export file"
d) From the list of files, select
APP-INF/lib/props.jar/CEMPBoot.properties
e) Click "Export"
f) Save file on your local disk
g) Edit CEMPBoot.properties
h) Change the line
com.filenet.gcd.Username=icadmin
to
com.filenet.gcd.Username=j2calias\=filenetAdmin
i) In WebSphere Integrated Solution Console, in the list of applications, select "FileNetEngine"
j) Click "Update"
k) Select "Replace or add a single file"
l) Specify the relative path as "APP-INF/lib/props.jar/CEMPBoot.properties"
m) Specify the path to the file on local file system
n) Click OK to update the file inside the application
Step 6: Stop Deployment Manager
a) In WebSphere Integrated Solution Console, go to
System Administration > Deployment Manager
b) Click "Stop"
c) Click "OK" to confirm to stop the deployment manager
Step 7: Update Windows services for IBM Connections
Consider all servers where components of your IBM Connections infrastructure are installed, including
- Deployment Manager
- all nodes running IBM Connections
- IBM Connections Viewer components
- IBM Docs components
- IBM Cognos BI
To remove a service, use ...
D:\IBM\WebSphere\AppServer\bin\wasservice.exe -remove "<service-name>"
To re-add a service, use (all in one line) ...
D:\IBM\WebSphere\AppServer\bin\wasservice.exe -add "<service-name>" -servername "<service-name>" -profilePath "D:\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01" -logRoot "D:\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01\\logs\\<service-name>" -stopArgs "-username <userid> -password <password>" -encodeParams
Replace
... <service-name> by the name of the application server, e.g. ActivitiesCluster_server1
... <userid> by the user ID
... <password> by the new password
The services have to be recreated because the stop arguments, including the password, are stored in the service definition (encoded, because of -encodeParams). A service that still carries the old password can start the server but can no longer stop it, since stopServer fails to authenticate.
Step 8: Start Deployment Manager
a) On the server running the deployment manager, open a command prompt
b) Change directory to
D:\IBM\WebSphere\AppServer\profiles\DMgr01\bin\
c) Execute startManager.bat
Step 9: Synchronize nodes using syncNode.bat
a) On each server running IBM Connections, change directory to
D:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin\
b) Execute the following command, where <dmgr-host> is the host name of the deployment manager and 8879 is its default SOAP connector port
syncNode.bat <dmgr-host> 8879
c) Provide the administrative user ID and the new password when prompted
d) Repeat steps a-c on the servers running IBM Cognos BI, IBM Docs or IBM Connections Viewer components (viewer or conversion service).
syncNode.bat only works while the node agent is stopped, which is why the node agents were stopped in step 1 and are started again only in step 10.
Step 10: Start IBM Connections
a) On server running IBM Connections, change directory to
D:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin\
b) Execute startNode.bat
c) Start all application servers running IBM Connections
d) Start IBM Connections Viewer components
e) Start IBM Cognos BI
Step 11: Update FileNet configuration
This step is only required once. As soon as Config 1 and Config 2 have been cleared, FileNet uses the connectionsAdmin J2C alias, and later password changes can be done in WebSphere alone (see step 3).
a) Open the Administration Console for Content Platform Engine (ACCE) on the FileNet system in a web browser
https://connections.example.com/acce
b) Log in with the administrative user ID and password
c) Go to
ICDomain > Object Stores > ICObjectStore
d) Click "Search"
e) Click "New Object Store Search"
f) On the New Object Store Search > Simple View inner tab, select "Collaboration Configuration" from the Class drop-down, and then click Run.
g) Click the result link in the ID column to open it for viewing and editing
h) Click the Properties inner tab
i) In the list of properties, look for "Config 1"
j) Click the arrow and select "Display or edit value"
k) Clear the value and click OK
l) In the list of properties, look for "Config 2"
m) Click the arrow and select "Display or edit value"
n) Clear the value and click OK
o) Click Save
=> Config 1 holds the password of the Connections user whose login name is stored in the Config 2 property.
=> Config 2 holds the login name of a Connections user.
If Config 2 is left blank, the connectionsAdmin J2C alias is used when FileNet contacts the Connections Activity Stream.
Step 12: Update ConfigEngine
a) On the Deployment Manager, edit the following file
D:\IBM\Connections\ConfigEngine\properties\wkplc.properties
b) Update the line
WasPassword=
with the new password
c) On the Deployment Manager, edit the following file
D:\IBM\WebSphere\AppServer\profiles\Dmgr01\ConfigEngine\properties\wkplc.properties
d) Update the line
WasPassword=
with the new password
e) On the Deployment Manager, edit the following file
D:\IBM\WebSphere\AppServer\profiles\Dmgr01\ConfigEngine\properties\wkplc_comp.properties
f) Verify that each line containing "adminuser.password" reads "PASSWORD_REMOVED", like
communities.adminuser.password=PASSWORD_REMOVED
WasPassword is stored in plain text in both wkplc.properties files, so make sure that only administrators can read them.
Step 13: Update Cognos
This step is only required if you used the same user as the Cognos administrator.
a) Change to directory where IBM Cognos is installed (e.g. D:\IBM\Cognos)
b) Edit cognos-setup.properties and update the following properties:
- dm.adminuser.id
- dm.adminuser.password
- cognos.admin.username
- cognos.admin.password
c) Run cognos-configure-update.bat
Step 14: Verify the SystemOut.log files
If any application still uses the old user ID/password combination, you might see one of the following errors in the log files:
1. "javax.naming.AuthenticationException" with LDAP error code 49 and "data 52e"
SECJ0369E: Authentication failed when using LTPA.
The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException:
CWWIM4529E The password verification for the 'icadmin' principal name failed.
Root cause: 'javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ];
Resolved object: 'com.sun.jndi.ldap.LdapCtx@48a1ef56'
=> Password verification failed: the component that sent this request still uses the old password
2. "javax.naming.AuthenticationException" with LDAP error code 49 and "data 775"
SECJ0369E: Authentication failed when using LTPA.
The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException:
CWWIM4529E The password verification for the 'icadmin' principal name failed.
Root cause: 'javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 ];
Resolved object: 'com.sun.jndi.ldap.LdapCtx@154a1018'
=> Account is locked in LDAP
The two belong together: every component still using the old password fails with 52e, and once the failed binds exceed the Active Directory lockout threshold the account is locked, so every component, including those already updated, gets 775 until the lockout expires or an AD administrator unlocks the account. Find and fix the sources of the 52e errors first; unlocking the account alone only buys time until the next lockout.
A list of common error codes of Microsoft Active Directory is documented in this technote:
http://www-01.ibm.com/support/docview.wss?uid=swg21290631
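With a dozen servers it is easier to let a script go through every SystemOut.log than to read them by hand. The following Python script is an added example and not part of the original article: it groups the lines of a SystemOut.log into entries (an entry starts with the bracketed timestamp; the "Root cause" and "Resolved object" lines belong to the entry above them), extracts the principal from the CWWIM4529E message and the AcceptSecurityContext sub-code from the LDAP error, counts failures per principal and sub-code, and flags principals that have hit a 775 lockout. Its sub-code table goes beyond the two codes shown above and lists the other Active Directory sub-codes of the same family. The log excerpt at the bottom is constructed for the demonstration; the SRVE0242I line is there only to show that unrelated entries are ignored.

```python
import re
import sys
from collections import Counter

# Active Directory sub-codes returned with LDAP error 49 ("AcceptSecurityContext
# error, data <code>"). 52e and 775 are the two discussed in the article.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# A SystemOut.log entry starts with a bracketed timestamp such as
# "[7/1/15 10:15:02:123 CEST]"; lines without one continue the entry above.
ENTRY_START = re.compile(r"^\[\d{1,2}/\d{1,2}/\d{2,4} [^\]]*\]")
PRINCIPAL = re.compile(r"CWWIM4529E The password verification for the '([^']+)' principal name failed")
SUBCODE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def split_entries(log_text):
    """Group raw log lines into complete entries (message plus its continuation lines)."""
    entries, current = [], []
    for line in log_text.splitlines():
        if ENTRY_START.match(line) and current:
            entries.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        entries.append("\n".join(current))
    return entries


def parse_auth_failures(log_text):
    """Return (principal, subcode, meaning) for every SECJ0369E entry in the log."""
    failures = []
    for entry in split_entries(log_text):
        if "SECJ0369E" not in entry:
            continue  # unrelated entry
        user = PRINCIPAL.search(entry)
        code = SUBCODE.search(entry)
        principal = user.group(1) if user else "?"
        subcode = code.group(1).lower() if code else "?"
        failures.append((principal, subcode, AD_SUBCODES.get(subcode, "unknown sub-code")))
    return failures


def triage(log_text):
    """Count failures per (principal, subcode) and list principals that hit a 775 lockout."""
    counts = Counter((p, c) for p, c, _ in parse_auth_failures(log_text))
    locked = sorted({p for p, c in counts if c == "775"})
    return {"counts": dict(counts), "locked_principals": locked}


# Constructed excerpt for the demonstration (not a real log): two failed binds with
# the old password for icadmin, one unrelated servlet message, then the lockout.
SAMPLE_LOG = """\
[7/1/15 10:15:02:123 CEST] 0000004a LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'icadmin' principal name failed.
Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ];
Resolved object: 'com.sun.jndi.ldap.LdapCtx@48a1ef56'
[7/1/15 10:15:03:001 CEST] 00000012 webapp        I   SRVE0242I: [Activities] [/activities] [ActivitiesServlet]: Initialization successful.
[7/1/15 10:15:05:770 CEST] 0000004a LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'icadmin' principal name failed.
Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ];
[7/1/15 10:15:09:418 CEST] 0000004a LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'icadmin' principal name failed.
Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 ];
"""

if __name__ == "__main__":
    # usage: triage_systemout.py <path to SystemOut.log>; without an argument the sample is used
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for (principal, subcode), n in sorted(result["counts"].items()):
        print("%-10s data %-4s %3d x %s" % (principal, subcode, n, AD_SUBCODES.get(subcode, "?")))
    if result["locked_principals"]:
        print("LOCKED OUT (fix the 52e sources before unlocking):", ", ".join(result["locked_principals"]))
```

Run it against the SystemOut.log of each server; the servers whose logs show 52e for the administrative user are the ones where a component was missed in steps 3 to 13.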
Step 15: FileNet: Update bootstrapped Content Engine server EAR file
In step 5 we updated CEMPBoot.properties in APP-INF/lib/props.jar in the FileNetEngine app. That update was applied to the currently installed application only.
However, there is a copy of the bootstrapped FileNetEngine application which IBM FileNet Configuration Manager uses to apply updates.
This copy is located at
D:\IBM\Connections\addons\ccm\ContentEngine\tools\configure\profiles\CCM\ear\Engine-ws.ear
You need to update this copy as well; otherwise the next update reintroduces the wrong CEMPBoot.properties.
a) Copy D:\IBM\Connections\addons\ccm\ContentEngine\tools\configure\profiles\CCM\ear\Engine-ws.ear to a temporary directory, e.g. D:\temp\filenet
b) Rename Engine-ws.ear to Engine-ws.zip
c) Extract Engine-ws.zip to D:\temp\filenet\Engine-ws\
d) Change to D:\temp\filenet\Engine-ws\APP-INF\lib
e) Copy props.jar to D:\temp\filenet
f) Rename props.jar to props.zip
g) Open props.zip and edit CEMPBoot.properties
If editing the file directly inside the archive is not possible, extract it first, change it (see next step) and add it back to the archive.
h) Change the line
com.filenet.gcd.Username=icadmin
to
com.filenet.gcd.Username=j2calias\=filenetAdmin
(the same change as in step 5) and save CEMPBoot.properties
i) Rename props.zip back to props.jar and copy the updated props.jar to D:\temp\filenet\Engine-ws\APP-INF\lib
j) Re-create Engine-ws.zip by compressing all files under D:\temp\filenet\Engine-ws\
Do not include the directory "Engine-ws" itself!
k) Rename Engine-ws.zip to Engine-ws.ear
l) Back up D:\IBM\Connections\addons\ccm\ContentEngine\tools\configure\profiles\CCM\ear\Engine-ws.ear by renaming it
m) Copy D:\temp\filenet\Engine-ws.ear to D:\IBM\Connections\addons\ccm\ContentEngine\tools\configure\profiles\CCM\ear\
Step 16: Update Installation Manager
IBM Installation Manager stores information about installed components at
C:\ProgramData\IBM\Installation Manager\installed.xml
and
C:\ProgramData\IBM\Installation Manager\installRegistry.xml
Both files contain the user ID and the encoded password of the administrative account for WebSphere and for each IBM Connections application, like
[...]
<property name='user.was.adminuser.id' value='icadmin'/>
<property name='user.was.adminuser.password' value='fufgZbY47EfxLYarBAIxeQ=='/>
<property name='user.activities.adminuser.id' value='icadmin'/>
<property name='user.activities.adminuser.password' value='fufgZbY47EfxLYarBAIxeQ=='/>
[...]
To generate the encoded string for the new password, use the tool imcl.exe included in IBM Installation Manager:
D:\IBM\Installation Manager\eclipse\tools>imcl.exe encryptString newpassword
l5/HTlmz1qhjUaZSHCPnNA==
Update all "adminuser.password" properties in installed.xml and installRegistry.xml like
[...]
<property name='user.was.adminuser.id' value='icadmin'/>
<property name='user.was.adminuser.password' value='l5/HTlmz1qhjUaZSHCPnNA=='/>
<property name='user.activities.adminuser.id' value='icadmin'/>
<property name='user.activities.adminuser.password' value='l5/HTlmz1qhjUaZSHCPnNA=='/>
[...]
The encoded value is an obfuscation, not a hash: Installation Manager decodes it itself whenever it runs, so anyone who can read these files should be assumed to know the password. Keep the permissions on C:\ProgramData\IBM\Installation Manager restricted to administrators and treat any backup copies the same way. A stale value here makes the next update run by Installation Manager fail, because it would try to authenticate with the old password.
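Editing the two registry files by hand is error-prone, in particular because a password property must only be changed where the sibling adminuser.id property is the connectionsAdmin user (a separate Cognos or FileNet administrator keeps its own password). The following Python script is an added example, not code from the article or from IBM: it takes the encoded string produced by imcl encryptString, rewrites every *.adminuser.password whose *.adminuser.id equals the expected user, leaves the others alone, writes a .bak copy first, and reports what it changed. It edits the text with a regular expression instead of re-serialising the document through an XML library so that everything else stays byte for byte as Installation Manager wrote it; the regular expression assumes the single-quoted <property name='...' value='...'/> form shown above. The XML fragment at the bottom is constructed for the demonstration, and user.cognos.adminuser.* is an assumed property name standing in for any component with its own administrator.

```python
import re
import shutil
import sys
from pathlib import Path

# One Installation Manager property element, in the single-quoted form used by
# installed.xml and installRegistry.xml.
PROPERTY = re.compile(r"<property name='(?P<name>[^']+)' value='(?P<value>[^']*)'/>")


def rewrite_passwords(xml_text, expected_user, new_encoded):
    """Replace *.adminuser.password values whose *.adminuser.id is expected_user.

    Returns (new_text, replaced_names, skipped_names). Properties that belong to a
    different account are reported in skipped_names and left untouched.
    """
    ids = {m.group("name"): m.group("value")
           for m in PROPERTY.finditer(xml_text)
           if m.group("name").endswith(".adminuser.id")}
    replaced, skipped = [], []

    def substitute(m):
        name = m.group("name")
        if not name.endswith(".adminuser.password"):
            return m.group(0)                     # not a password property
        owner = ids.get(name[:-len(".password")] + ".id")
        if owner != expected_user:
            skipped.append(name)                  # another account's password
            return m.group(0)
        replaced.append(name)
        return "<property name='%s' value='%s'/>" % (name, new_encoded)

    return PROPERTY.sub(substitute, xml_text), replaced, skipped


def update_file(path, expected_user, new_encoded):
    """Back the file up as <file>.bak, rewrite it in place and return (replaced, skipped)."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)                    # the backup holds credentials too: same ACLs
    text = path.read_text(encoding="utf-8")
    new_text, replaced, skipped = rewrite_passwords(text, expected_user, new_encoded)
    path.write_text(new_text, encoding="utf-8")
    return replaced, skipped


NEW_ENCODED = "l5/HTlmz1qhjUaZSHCPnNA=="   # output of imcl encryptString for the new password

# Constructed fragment for the demonstration; user.cognos.adminuser.* is an assumed
# property name standing in for a component that has its own administrator.
SAMPLE_XML = """<installRegistry>
  <property name='user.was.adminuser.id' value='icadmin'/>
  <property name='user.was.adminuser.password' value='fufgZbY47EfxLYarBAIxeQ=='/>
  <property name='user.activities.adminuser.id' value='icadmin'/>
  <property name='user.activities.adminuser.password' value='fufgZbY47EfxLYarBAIxeQ=='/>
  <property name='user.cognos.adminuser.id' value='cognosadmin'/>
  <property name='user.cognos.adminuser.password' value='AAAAAAAAAAAAAAAAAAAAAA=='/>
</installRegistry>
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: update_im_passwords.py <xml-file> <user-id> <encoded-password>
        changed, left = update_file(sys.argv[1], sys.argv[2], sys.argv[3])
    else:                    # no arguments: dry run on the constructed sample
        _, changed, left = rewrite_passwords(SAMPLE_XML, "icadmin", NEW_ENCODED)
    print("replaced:", changed)
    print("skipped: ", left)
```

Run it once for installed.xml and once for installRegistry.xml with the same encoded string, then compare the reported lists with the J2C aliases you changed in step 3: every alias that shares the connectionsAdmin user ID should show up as replaced, and nothing else should.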