
[21.0.3 or later release] Update CP4BA Workflow deployment after the password of LDAP bind or admin user is changed

By PING MEI posted 13 days ago

  

1. How to update CP4BA Workflow deployment if the LDAP bind password is changed
1) Log in to your LDAP server to update your LDAP bind password. The following is an example for IBM Security Directory Server.

2) Access the IAM console to update LDAP bind password for your existing settings
a. Use the following command to get the URL to access the IBM Cloud Platform Common Services console:
oc get route -n ibm-common-services cp-console -o jsonpath='{.spec.host}'

The following is a sample output: ‘cp-console.apps.test-q2.os.fyre.ibm.com’
Based on the example output, your console URL would be https://cp-console.apps.test-q2.os.fyre.ibm.com

b. Console username and password
The default username to access the console is admin. You can get the default username by running the following command:
oc -n ibm-common-services get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' | base64 -d && echo

You can get the password for the default username by running the following command:
oc -n ibm-common-services get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d

c. Log in to the IAM console, update the LDAP bind password, and click Save. The following picture is an example.

3) Update LDAP bind password in the secret "ibm-bind-secret" under your namespace

4) Wait for the operator to reconcile and recreate the CPE pod

5) You can see that the LDAP bind password is updated in the following XML file of the ConfigMap "icp4adeploy-cpe-config" under your namespace


2. How to update CP4BA Workflow deployment if the LDAP admin user password is changed
1) Log in to your LDAP server to update your LDAP admin user password. The following is an example for IBM Security Directory Server.


2) Log in to the Administration Console for Content Platform Engine as your LDAP admin user, with the password updated in the previous step. You can find the login URL in the ConfigMap "icp4adeploy-cp4ba-access-info" under your namespace, for example, https://cpd-test1.apps.mp55.cp.fyre.ibm.com/cpe/acce/

3) Open the domain properties page for the FileNet P8 domain

4) Update the password for the LDAP admin user to the one set in step 1. The following picture is an example.

5) Continue to update the password in Process Engine Component Manager in ACCE
Find your TOS object store -> expand Administrative -> expand Workflow System -> expand Isolated Regions -> expand the isolated region that you are using -> expand Component Queues -> select the queues, for example, ICM_RuleOperations, ICM_Operations -> in the right pane, select the Adapter tab, under JAAS credentials, update password -> save


6) Scale down the cp4ba operator deployment

7) Scale down the following deployments and wait for Kubernetes (OpenShift) to terminate the existing pods. The pod terminations might take several minutes. You can monitor the status of your pods by using the OpenShift or Kubernetes command "oc get pods -w".
 - CPE
 - Navigator
 - Workflow server 

8) Update appLoginPassword with the new password in the secrets "ibm-fncm-secret" and "ibm-ban-secret"

9) Scale up the cp4ba operator deployment and wait for Kubernetes (OpenShift) to create the new pods. The pod creations might take several minutes. You can monitor the status of your pods by using the OpenShift or Kubernetes command "oc get pods -w".

Note: once the pods of CPE, Navigator and Workflow server are ready, you can check that the following configuration is updated:
a. cpeAppLoginPasswordEncoded in the secret "icp4adeploy-workflow-authoring-baw-server-encrypt-secret" is updated
b. Use the command "oc exec -it icp4adeploy-workflow-authoring-baw-server-0 bash" to enter the workflow pod, then run the command "env|grep CPE_PASSWORD" to check that the env CPE_PASSWORD is updated with the new password. It should be the same as the value of cpeAppLoginPasswordEncoded in the secret "icp4adeploy-workflow-authoring-baw-server-encrypt-secret".

10) Enter the navigator pod by running the command "oc exec -it <navigator_pod> bash", for example, oc exec -it icp4adeploy-navigator-deploy-5669544494-n76ls bash, then delete the file "config.ok" under /opt/ibm/plugins/properties

11) Delete the job baw-case-init-job and wait for the operator to reconcile and recreate a new job to reconfigure. An example is below.
oc delete jobs icp4adeploy-workflow-authoring-baw-case-init-job
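
Step 8 of section 2 as a script, added here as an example and not part of the original post: it sets appLoginPassword in both secrets without placing the password on the command line or in shell history, and without the stray newline that `echo ... | base64` would store. The namespace argument, the --apply switch and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Usage (assumed): ./update-app-login.sh --apply <namespace>
set -eu

# Secrets and key named in step 8.
SECRETS="ibm-fncm-secret ibm-ban-secret"
KEY="appLoginPassword"

# Base64-encode exactly the bytes of $1. printf '%s' avoids the trailing
# newline that `echo` would add to the stored password; tr removes the
# line wrapping that base64 applies to long input.
encode() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# JSON merge patch for .data.<KEY>. Base64 text needs no JSON escaping.
build_patch() {
  printf '{"data":{"%s":"%s"}}\n' "$KEY" "$(encode "$1")"
}

apply_patch() {  # $1 = namespace (assumption: passed by the caller)
  ns=$1
  # Prompt without echo so the password stays out of history and argv.
  read -r -s -p "New LDAP admin password: " pw; echo
  tmp=$(mktemp)                      # created with mode 0600
  trap 'rm -f "$tmp"' EXIT
  build_patch "$pw" > "$tmp"
  for s in $SECRETS; do
    oc -n "$ns" patch secret "$s" --type merge --patch-file "$tmp"
    # Confirm the stored value without printing it.
    got=$(oc -n "$ns" get secret "$s" -o jsonpath="{.data.$KEY}")
    if [ "$got" = "$(encode "$pw")" ]; then
      echo "$s: $KEY updated"
    else
      echo "$s: $KEY mismatch" >&2; return 1
    fi
  done
}

if [ "${1:-}" = "--apply" ]; then
  apply_patch "${2:?namespace required}"
fi
```

Run it between steps 7 and 9, while the operator and the three deployments are scaled down.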

Now the CP4BA Workflow deployment is ready. Have fun.
