Note: If any of the following rules are not met, make appropriate password changes to comply with these rules. This should be done before continuing with the upgrade process.
- Passwords can comprise of the following: [a â€“ z], [A â€“ Z], [0 â€“ 9] and _.
- Passwords of the following users and keystore must be the same:
- The IBM Cloud Orchestrator administrator (admin).
- The OpenStack service users.
- The Business Process Manager DB user (bpmuser).
- The Business Process Manager administrator (bpm_admin).
- IBM HTTP Server keystore (key.kdb).
Note: This password is used for the OrchestratorPassword parameter during the upgrade process. Depending on the template you have used, this password is also used by some other parameters.
- Passwords of the following DB2 users must be the same:
- DB2 administrator (db2das1).
- DB2 instance user (db2inst1).
- DB2 fenced user (db2fenc1).
Note: This password is used for the WorkloadDeployerDBPassword parameter during the upgrade process.
- Located at /opt/<ico_install_2404>/installer/tools on deployment server.
- upgradePre-ReqCheck.sh â€“ used to validate if passwords in the deployment service environment match that of the users in your IBM Cloud Orchestrator environment prior to starting the upgrade. Additionally, this script validates if the passwords comply with the passwords rules mentioned above. In case of a password mismatch, this script can also be used to update the passwords in the deployment service environment. Note that this script is not used to change passwords in the IBM Cloud Orchestrator environment.
- passwords.sh â€“ used to change passwords in your IBM Cloud Orchestrator environment. This script can only be used in environments where existing passwords comprise of [a â€“ z], [A â€“ Z], [0 â€“ 9] and _.
- Ensure that the ds job-list commands shows a list of the deployment jobs, including the job used in the Central Server installation. If any of the job in the list is in ERROR status, you must remove it.
- Ensure that the nologin feature is not enabled for users in the IBMÂ® Cloud Orchestrator environment by following steps in the Security Hardening Guide.
- Ensure that users in the IBMÂ® Cloud Orchestrator environment are unlocked and available for login.
- Log onto deployment server and create a temporary directory such as ~/tools.
- Navigate to /opt/<ico_install_2404>/installer/tools directory and copy its contents to ~/tools.
- If running as a non-root user, ensure that this user has adequate permissions to execute upgradePre-ReqCheck.sh and passwords.sh.
- On deployment server, navigate to the ~/tools folder created in the â€˜Prerequisitesâ€™ section above.
- Validate root user passwords by running the following command:
./upgradePre-ReqCheck.sh validate rootusers
In case of a mismatch, you will be prompted for the current password. Enter the current password for the validation to continue.
Once all root users are validated, you will see this message:
Validate all user passwords by running the following command:
Users with mismatched passwords will be listed at the end of running this command.
If all users pass validation, you will see this message:
Update mismatched passwords into the deployment server by running the following command:
In case of a mismatch, you will be prompted for current password as below:
- Upgrade the deployment service by following the â€˜Upgrading the Deployment Serviceâ€™ section on the ICO 18.104.22.168 knowledge center.
- If the root user password of any IBM Cloud Orchestrator node was changed after the original IBM Cloud Orchestrator installation, update the node registration in the Deployment Service database by following steps in the â€˜Replacing passwords for the nodes stored in the Deployment Service databaseâ€™ section on the ICO 22.214.171.124 knowledge center.
- To identify the password parameters used in environment mapping, as they were defined in the deployment job templates, and update them in the deployment service database, follow steps in the â€˜Replacing passwords used in environment mapping in the Deployment Service databaseâ€™ section on the ICO 126.96.36.199 knowledge center.
Log onto primary and secondary Central Server 2 (if ICO was migrated from v2.3 to v2.4, then log onto Central Server 4 instead of Central Server 2).
On both the servers, verify if you can access the keystore by using the current IBM Cloud Orchestrator admin password by running the following command (on one line):
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/HTTPServer/bin/key.kdb -pw <myICOadminPassword>
If the keystore is not accessible with the latest password, change the keystore password by running the following command (on one line):
/opt/IBM/HTTPServer/bin/gskcmd -keydb -changepw -db /opt/IBM/HTTPServer/bin/key.kdb -pw <old_password> -new_pw <myICOadminPassword>
where <old_password> is passw0rd if it was not modified from the original installation, and <myICOadminPassword> is the current IBM Cloud Orchestrator password.
Clean up the files in the /opt/ibm/BPM/ico/tmp directory.
Run the following command to revalidate all users:
- Remove the upgradePre-ReqCheck.sh-backup working directory and the upgradePre-ReqCheck.sh-log.log file from ~/tools folder.
- Continue with the upgrade steps in the â€˜Upgrading the deployed IBM Cloud Orchestrator environmentâ€™ section on the ICO 188.8.131.52 knowledge center. If upgrading from v2.3.0.x, continue with upgrade steps in the â€˜About this taskâ€™ section on the ICO 184.108.40.206 knowledge center.