CLM: Best way to handle the password change for database user?


Frank Ning (50023111131) | asked Feb 17 '13, 10:11 a.m.

Hello,

These days, we need to make users' passwords expire every 90 days. This policy certainly affects the database access needed by CLM applications.

Great if you could share your best practice to deal with the password change of database user accounts in CLM configuration.

1) Do we have a best/quick way to update CLM configurations to use the new password quickly?

2) Any tool to generate encrypted password to use inside team.properties file?

3) Which properties file deals with the database password for the warehouse database? I can manually update team.properties to use the new password, but I am not aware of a tool to encrypt the password. I also don't know which properties file defines the password for the warehouse database. I tried to change the password in the ccm, qm and jts team.properties files. However, the password value for DW did not get changed in the CLM configuration: when I later ran jts/setup, the warehouse setup page said the password was invalid even though I had changed all three team.properties files. The CCM/QM/JTS setup pages were OK with the new password updated in the team.properties files.

4) Is running jts/setup again the only quick way to redefine and encrypt the password?

Thanks and regards

2 answers



Guido Schneider (3.3k137699) | answered Feb 17 '13, 1:55 p.m.

We are using two service accounts for this, so we can swap and are not in a hurry when the password is changed. Otherwise it can happen that you get locked out if you don't change all passwords correctly in a short time. (Depends on your lockout policy.)

In V.4.0.1 the ETL jobs can run with OAuth. With this you may not change the password every 90 days, because it should not depend on a user.

The most challenging part is the user/password you need for the LDAP connect (if you are using this). If you change the password, you are not able to log in to the WebSphere console to change the password there. So you have to either use two accounts or log in first to WAS, change the password, and then change it in the WAS config.

I never use the setup again. I also never edit the properties files for this. I always do it with the admin pages of the application or the advanced properties pages in the application.


Comments
Frank Ning commented Feb 17 '13, 8:40 p.m.

Hi Guido,

Thanks for the response.

1) What did you mean by "two service accounts for this"? Did you set those two accounts to expire at different dates so that one of them works while you reset/change the password? How did you set two accounts for database access in the JTS/CCM/QM/DW configuration?

2) Yes, I knew the alternative of setting up ETL with customer keys, which will avoid the password expiry issue.

3) I use LDAP. In WAS, I use a federated repository, and thus a password expired in LDAP does not affect my login to WAS with its local file repository account. With LDAP, you cannot change the password of LDAP users within WAS.

4) When database users' passwords have expired, the JTS, CCM and QM admin pages cannot be opened. This happened to me. Thus I had no choice but to use team.properties or jts/setup.

5) Do you know which utility can be used to encrypt the password so that I can use the encrypted password inside team.properties (manually)?

Regards


Arun K Sriramaiah commented Feb 24 '14, 8:59 a.m.

Hi Guido,

How do we achieve the above solution for an Oracle database? The database schema will be prefixed with the user ID.
Is there any impact on database transactions, ETL jobs and active services?

Regards,
Arun.


Krzysztof Kaźmierczyk (7.3k34391) | answered Feb 27 '14, 2:41 p.m.
There is also an interesting topic here:
https://jazz.net/forum/questions/143793/can-i-change-the-db-password-in-the-web-ui-for-jazz-applications-without-restarting-the-server
