What to do if you use IBM DataStage but change the root password
It so happened that, thanks to the interesting architecture of the entire system as a whole (which is called Information Server), DataStage is very sensitive to such a trivial procedure as changing the user password, under which, for example, editing etl-procedures ( so-called jobs ) or other operations.
This confusion also arises because there are many different places in the product where you can log in, create users, assign roles and specify their passwords. These are at least WAS - WebShere application server, Information Server Web Console , and actually the Designer , Director, and Administrator clients. Authentication procedures on the application server can be different and are selected based on the security policy of the company on whose servers DataStage is deployed. Problems arise if authentication is performed using the local operating system (roughly speaking, the username and password in the OS coincide with the usernames when entering the administrative console).
So, in this short post I will try to talk about how to restore the system after the procedure for changing the password of the OS user.
We force WebSphere to change all the password hashes of its users that have changed.
To do this,
run the script in the directory
(if the DataStage server is spinning under Windows, then .sh, of course, turns into .bat) You
will have to wait a while after running this script, the script does not work out all of a sudden.
By the way, it will probably be interesting for you that any passwords stored in any configuration files can be turned into hashes using a utility
syntax is simple
, and the value of the specified property should contain an unhashed password.
For example, if you need to change the value of a field
We run another script, depending on how IS access is configured - once or twice:
and \ or
You need to go to WAS under Security-> Global Security-> Authentication and change the password for the type of authentication that is used in your case. (E.g. LTPA). Remember to save your changes to Master Configuration.
After these steps, you need to
If after these steps the Designer, Director or Administrator clients still cannot connect to the server, then you need to share the Information Server & DataStage user repository (also using the Web console and the Administration-> DataStage credentials tab).
This confusion also arises because there are many different places in the product where you can log in, create users, assign roles and specify their passwords. These are at least WAS - WebShere application server, Information Server Web Console , and actually the Designer , Director, and Administrator clients. Authentication procedures on the application server can be different and are selected based on the security policy of the company on whose servers DataStage is deployed. Problems arise if authentication is performed using the local operating system (roughly speaking, the username and password in the OS coincide with the usernames when entering the administrative console).
So, in this short post I will try to talk about how to restore the system after the procedure for changing the password of the OS user.
Step 1
We force WebSphere to change all the password hashes of its users that have changed.
To do this,
%ISHOME%/ASBServer/binrun the script in the directory
./AppServerAdmin.sh -was -user ИМЯ_ПОЛЬЗОВАТЕЛЯ -password НОВЫЙ_ПАРОЛЬ(if the DataStage server is spinning under Windows, then .sh, of course, turns into .bat) You
will have to wait a while after running this script, the script does not work out all of a sudden.
By the way, it will probably be interesting for you that any passwords stored in any configuration files can be turned into hashes using a utility
%WASHOME%/AppServer/bin/PropFilePasswordEncoder.shwhose syntax is simple
./PropFilePasswordEncoder.sh ИМЯ_ФАЙЛА ИМЯ_СВОЙСТВА, and the value of the specified property should contain an unhashed password.
For example, if you need to change the value of a field
com.ibm.SOAP.loginPasswordin a file soap.client.props, then you need to do the following:- Delete the hash of the previous password. The hashes in the WAS configuration files are stored as
{АЛОГРИТМ}ХЕШ. By default, XOR encryption is used, which the {xor} line will indicate before the hash. Instead of this line, you can safely write the required password in clear text; - Run the script, in this example, like this:
./PropFilePasswordEncoder.sh "/opt/IBM/WebSphere/AppServer/profiles/default/properties/soap.client.props" com.ibm.SOAP.loginPassword
We run another script, depending on how IS access is configured - once or twice:
./DirectoryAdmin -user -userid ПОЛЬЗОВАТЕЛЬ -password ПАРОЛЬand \ or
./DirectoryAdmin -user -admin ПОЛЬЗОВАТЕЛЬ -password ПАРОЛЬStep 2
You need to go to WAS under Security-> Global Security-> Authentication and change the password for the type of authentication that is used in your case. (E.g. LTPA). Remember to save your changes to Master Configuration.
Step 3
After these steps, you need to
servername:9080change the password for the desired user in the Administration-> Users & Groups-> Users tab of the Information Server Web console (usually available at the address ) and save the changes. If after these steps the Designer, Director or Administrator clients still cannot connect to the server, then you need to share the Information Server & DataStage user repository (also using the Web console and the Administration-> DataStage credentials tab).