Overview

Skill Level: Beginner

Intended for ICO administrators.

This recipe lists steps to ensure that the passwords in the deployment service environment match those of the users in your IBM Cloud Orchestrator environment. The ICO 2.4.0.4 upgrade process will fail if this condition is not met.

Ingredients

IBM Cloud Orchestrator v2.4.0.x

IBM Smartcloud Orchestrator v2.3.0.x

Step-by-step

  1. Password Rules

    Note: If any of the following rules are not met, make appropriate password changes to comply with these rules. This should be done before continuing with the upgrade process.

    1. Passwords can consist of the following characters: [a – z], [A – Z], [0 – 9] and _.
    2. Passwords of the following users and keystore must be the same:
      1. The IBM Cloud Orchestrator administrator (admin).
      2. The OpenStack service users.
      3. The Business Process Manager DB user (bpmuser).
      4. The Business Process Manager administrator (bpm_admin).
      5. IBM HTTP Server keystore (key.kdb).
        Note: This password is used for the OrchestratorPassword parameter during the upgrade process. Depending on the template you have used, this password is also used by some other parameters.
    3. Passwords of the following DB2 users must be the same:
      1. DB2 administrator (db2das1).
      2. DB2 instance user (db2inst1).
      3. DB2 fenced user (db2fenc1).
        Note: This password is used for the WorkloadDeployerDBPassword parameter during the upgrade process.
  2. Scripts

    1. The scripts are located at /opt/<ico_install_2404>/installer/tools on the deployment server.
    2. upgradePre-ReqCheck.sh – used to validate whether passwords in the deployment service environment match those of the users in your IBM Cloud Orchestrator environment prior to starting the upgrade. Additionally, this script validates whether the passwords comply with the password rules mentioned above. In case of a password mismatch, this script can also be used to update the passwords in the deployment service environment. Note that this script is not used to change passwords in the IBM Cloud Orchestrator environment.
    3. passwords.sh – used to change passwords in your IBM Cloud Orchestrator environment. This script can only be used in environments where existing passwords consist of [a – z], [A – Z], [0 – 9] and _.
  3. Prerequisites

    1. Ensure that the ds job-list command shows a list of the deployment jobs, including the job used in the Central Server installation. If any job in the list is in ERROR status, you must remove it.
    2. Ensure that the nologin feature is not enabled for users in the IBM® Cloud Orchestrator environment by following steps in the Security Hardening Guide.
    3. Ensure that users in the IBM® Cloud Orchestrator environment are unlocked and available for login.
    4. Log on to the deployment server and create a temporary directory such as ~/tools.
    5. Navigate to /opt/<ico_install_2404>/installer/tools directory and copy its contents to ~/tools.
    6. If running as a non-root user, ensure that this user has adequate permissions to execute upgradePre-ReqCheck.sh and passwords.sh.
  4. Steps

    1. On the deployment server, navigate to the ~/tools folder created in the ‘Prerequisites’ section above.
    2. Validate root user passwords by running the following command:

      ./upgradePre-ReqCheck.sh validate rootusers

      In case of a mismatch, you will be prompted for the current password. Enter the current password for the validation to continue.

      [Screenshot: valRootUser1]

      Once all root users are validated, you will see this message:

      [Screenshot: valRootUser2]

    3. Validate all user passwords by running the following command:

      ./upgradePre-ReqCheck.sh validate

      Users with mismatched passwords will be listed at the end of running this command.

      [Screenshot: valAllUser1]

      If all users pass validation, you will see this message:

      [Screenshot: valAllUser2]

    4. Update the mismatched passwords on the deployment server by running the following command:

      ./upgradePre-ReqCheck.sh update

      In case of a mismatch, you will be prompted for the current password, as shown below:

      [Screenshot: pwdMismatch]

    5. Upgrade the deployment service by following the ‘Upgrading the Deployment Service’ section on the ICO 2.4.0.4 knowledge center.
    6. If the root user password of any IBM Cloud Orchestrator node was changed after the original IBM Cloud Orchestrator installation, update the node registration in the Deployment Service database by following steps in the ‘Replacing passwords for the nodes stored in the Deployment Service database’ section on the ICO 2.4.0.4 knowledge center.
    7. To identify the password parameters used in environment mapping, as they were defined in the deployment job templates, and update them in the deployment service database, follow steps in the ‘Replacing passwords used in environment mapping in the Deployment Service database’ section on the ICO 2.4.0.4 knowledge center.
    8. Log on to the primary and secondary Central Server 2 (if ICO was migrated from v2.3 to v2.4, then log on to Central Server 4 instead of Central Server 2).

      1. On both servers, verify that you can access the keystore with the current IBM Cloud Orchestrator admin password by running the following command (on one line):

        /opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/HTTPServer/bin/key.kdb -pw <myICOadminPassword>

      2. If the keystore is not accessible with the latest password, change the keystore password by running the following command (on one line):

        /opt/IBM/HTTPServer/bin/gskcmd -keydb -changepw -db /opt/IBM/HTTPServer/bin/key.kdb -pw <old_password> -new_pw <myICOadminPassword>

        where <old_password> is passw0rd if it was not modified from the original installation, and <myICOadminPassword> is the current IBM Cloud Orchestrator password.

      3. Clean up the files in the /opt/ibm/BPM/ico/tmp directory.

    9. Run the following command to revalidate all users:

      ./upgradePre-ReqCheck.sh validate

    10. Remove the upgradePre-ReqCheck.sh-backup working directory and the upgradePre-ReqCheck.sh-log.log file from the ~/tools folder.
    11. Continue with the upgrade steps in the ‘Upgrading the deployed IBM Cloud Orchestrator environment’ section on the ICO 2.4.0.4 knowledge center. If upgrading from v2.3.0.x, continue with upgrade steps in the ‘About this task’ section on the ICO 2.4.0.4 knowledge center.
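
The password rules from the ‘Password Rules’ step can be checked locally before running the IBM scripts. The following is an added example, not part of the recipe and not IBM's upgradePre-ReqCheck.sh; the account:password input format, the function names and the sample values are assumptions, and the OpenStack service user names (not listed in the recipe) must be appended to ORCH_GROUP for a real environment.

```shell
#!/bin/sh
LC_ALL=C; export LC_ALL   # make a-z, A-Z, 0-9 mean ASCII ranges only

# Accounts that must share one password (rule 2) and the DB2 trio (rule 3).
# Assumption: OpenStack service user names are site-specific; append yours.
ORCH_GROUP="admin bpmuser bpm_admin key.kdb"
DB2_GROUP="db2das1 db2inst1 db2fenc1"

# Rule 1: non-empty, and only [a-z], [A-Z], [0-9] and _.
pw_charset_ok() {
    case $1 in ''|*[!a-zA-Z0-9_]*) return 1 ;; esac
}

# lookup NAME CREDS: print the password recorded for NAME ("name:password").
lookup() {
    printf '%s\n' "$2" |
        awk -F: -v n="$1" '$1 == n { print substr($0, length(n) + 2); exit }'
}

# check_rules CREDS: print one finding per line (account names only, never
# password values); return 0 only when every rule holds.
check_rules() {
    creds=$1; findings=""
    for group in "$ORCH_GROUP" "$DB2_GROUP"; do
        first=""; ref=""
        for name in $group; do
            pw=$(lookup "$name" "$creds")
            pw_charset_ok "$pw" || findings="$findings$name:bad-charset
"
            if [ -z "$first" ]; then first=$name; ref=$pw
            elif [ "$pw" != "$ref" ]; then findings="$findings$name:differs-from-$first
"
            fi
        done
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample values. In real use, read the list from a root-only file
# or a silent prompt rather than argv or shell history.
SAMPLE='admin:Orch_2404
bpmuser:Orch_2404
bpm_admin:Orch-2404
key.kdb:passw0rd
db2das1:Db2_pw1
db2inst1:Db2_pw1
db2fenc1:Db2_pw1'
check_rules "$SAMPLE" || echo "resolve the findings above before upgrading"
```

In the sample, bpm_admin fails the character rule because of the hyphen, and key.kdb is flagged because it still carries the installation default rather than the admin password.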

     
