Introduction
For security purposes we sometimes must update the password of our Control M architecture.
This task seems to be easy, but you must be careful to update the passwords wherever they are used.
Today we will check how to update the password of our Control M infrastructure including application user and database owner for each of our databases.
Prerequisites
Be sure to have the old password to proceed easier.( not mandatory but easier for us to perform the update)
Be careful of credentials stored in other applications file or called in argument in a script it would generate side effect.
Control M version compatibility
Every version of Control M*(be careful of file encryption location)
There is some steps to follow in order to update the passwords everywhere, it can be:
- used from the Control M GUI/CCM
- used from Controlm utility
- used from the dedicated database of each users ctmuser and emuser.
The following method will show you how to update the password on an oracle and a postgres dabatase.
You can ask some help form a database administrator if you get some issues during this update.
The control M version we will use today is 9.0.00:
Don’t hesitate connect to BMC site to check documentation and case concerning password update on Control M.
https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA014000000dotuCAA&type=FAQ
Update emuser password
1)From Control-M Configuration Manager (CCM) 9.0.00 and higher from CTM GUI, go to Security menu -> Authorizations and choose the user to change the password
Once done you can connect to a shell and do the EM DBO Update
2)Stop all EM processes except EM database processes. (via root_menu)
serveurctmv919% root_menu Enter a CONTROL-M/EM DBO Username : emuser Enter the Password :
enter the old password (the one that will be updated further)
CONTROLM/EM Root Menu ----------------------- Select one of the following options: 1 - Activation Menu 2 - Troubleshooting Menu 3 - New Window 4 - Clean Database Schema 5 - Database Maintenance Menu 6 - Users Administration Menu q - Quit Enter option number ---> Enter option number ---> 1 Activation Menu --------------- Select one of the following options: 1 - Check All 2 - Start All 3 - Start Database Server 4 - Start CORBA Naming Service 5 - Start CONTROL-M/EM Configuration Agent 6 - Start CONTROL-M Configuration Server 7 - Stop All 8 - Stop Database Server 9 - Stop CORBA Naming Service 10 - Stop CONTROL-M/EM Configuration Agent 11 - Stop CONTROL-M Configuration Server p - Previous Menu q - Quit Enter option number
—> select the 3 choices 9/10/11 to stop these services
Indeed, the database must be up to make the emuser password update.
Stopping the CONTROL-M Configuration Server will prevent you from centrally managing CONTROL-M components! Are you sure you want to stop the CONTROL-M Configuration Server ? [y/n] : Shutting down the CONTROL-M/EM Configuration Agent will cause shutdown of all local CONTROLM/EM server components! Are you sure you want to continue ?? [y/n] : y ***********
Shutdown command has been issued to Config_Agent on serveurctmv919 *************************************** Naming service status: Stopped, serveurctmv919:13075 Shutting down the server ... PostgreSQL server stopped Press Enter to continue
Once the emserver is stopped we can connect to the database and update the password
(for this example my used database is a postgres version 9.2.8 one)
3)Actions regarding your database for:
–Oracle:
use the sqlplus command and log in as the SYSTEM account
–PostgreSQL:
Connect to posgres with the admin/postgres user:
Example for UNIX ==> em psql -U postgres -P <password>
4) Executes following SQL statements to change the EM DBO password for:
– Oracle:
SQL> alter user <EM_DBO> identified by <new_pass>;
example ====>
alter user emuser identified by NabilDBI12345 ;
Note:If you don’t have acces to dba admin account to update the password you can use the interactive sql command in root_menu option
You can use this command
alter user emuser identified by <NewPWD> replace <OldPWD>;
where NewPWD is the new password you want to give to emuser.
(Many thanks to my colleague Nabil LAABID for sharing this ,because dba admin access can be restricted depending your access level in your work environment )
In any case if you are stuck you can contact your dba Administrator to make the update.
–PostgreSQL:
1>alter user <EM_DBO> with password ‘<new_pass>’;
example ====>
em900=#alter user emuser with password 'NabilDBI12345' ;
Example for my configuration :
serveurctmv919% uname -a Linux serveurctmv919 4.18.0-147.3.1.el8_1.x86_64 #1 SMP Fri Jan 3 23:55:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux serveurctmv919% psql --version psql (PostgreSQL) 9.2.8
serveurctmv919%
serveurctmv919% em psql -U postgres Password for user postgres: psql (9.2.8) Type "help" for help. em900=# em900=# alter user emuser with password 'NabilDBI12345' ; ALTER ROLE em900=#
Note: No need to commit the action.
5) Login with EM DBO to sql prompt with the new EM DBO password to verify the change has been made.
[root@serveurctmv919 ~]# su - emuser serveurctmv919% em psql -U emuser Password for user emuser: ==>(with the old password) psql: FATAL: password authentication failed for user "emuser" serveurctmv919% em psql -U emuser Password for user emuser: ==>(with updated password) psql (9.2.8) Type "help" for help. em900=>
Now EM DBO password is upated in the database.
If you get any issue with the db password update please check it with your database administrator, you can also let him do the db password update and get the password from him after that.
6)After having updated the EM DBO password you have to encrypt it in a file used by emserver to check and run the services:
It is the mcs.ini file.
Update new EM DBO password into ‘mcs.ini‘ on all EM installations that have a database client. This file existed on EM server(s) and EM client installation with Reporting Facility.
*make a backup of mcs.ini file you can also make a “diff” between the old and the updated mcs.ini file encrypted to see if the change was effective.
% ecs cryptocli <username> <newpassword> $HOME/ini/mcs.ini
Example:
ecs cryptocli emuser NabilDBI12345 /home/emuser/ctm_em/ini/mcs.ini
7) Restart the Control-M/Enterprise Manager components –
you can start it from root_menu utility or start_all from emuser home directory
Restart CCM GUI to use the new password.
Update ctmuser password
If you know the current password for the Control-M/Server DBO user, then you can use the ‘ctmpasswd‘ utility to update the password in the database and the encrypted password that is saved.
Example:
serveurctmv919% ctmpasswd
Please enter the old password for ctmuser account:
Please enter the new password for ctmuser account:
Enter again to verify:
Password was successfully changed.
serveurctmv919% psql -U ctmuser
Password for user ctmuser:
psql (9.2.8)
Type “help” for help.
If you do NOT know the current password, then you can use the following steps:
1) stop the Control-M/Server configuration agent and the Control-M/Server.
You can use the ctm_menu utility or shut the configuration agent and ctm from the commands shut_ctm and shut_ca ( used by ctm_menu by the way)
serveurctmv919% shut_ctm ------------------------ Shutting down CONTROL-M. ------------------------ Waiting ... serveurctmv919% shut_ca --------------------------------------------------- Shutting down CONTROL-M/Server Configuration Agent --------------------------------------------------- Waiting ... CONTROL-M/Server Configuration Agent is down
2) log into the database as the database Administrator (DBA) account:
-Oracle:
Use the sqlplus / as sysdba command and log in as the SYSTEM account
-PostgreSQL:
Use the command: psql
Example :
serveurctmv919% psql -U postgres
3) Next, run the following SQL commands:
-Oracle:
SQL> alter user {USERNAME.EN_US} identified by {new_pass};
where:
{USERNAME.EN_US} is the userid of the DBO account that you want to change its password (default: ctmuser)
{new_pass} is the new password value.
For example:
SQL> alter user ctmuser identified by newpassword;
-PostgresSQL:
1>ALTER USER {CTMUSER.EN_US} WITH PASSWORD ‘{new_pass}’;
ALTER USER controlm WITH PASSWORD ‘NabilDBI12345’;
– Oracle:
===> sqlplus /as sysdba
SQL> alter user ctmuser identified by <new_pass>;
–PostgreSQL:
1>alter user ctmuser with password ‘<new_pass>’;
alter user ctmuser with password 'NabilDBI12345';
Example:
ctrlm900=# alter user ctmuser with password 'NabilDBI12345'; ALTER ROLE ctrlm900-# \q serveurctmv919% psql -U ctmuser Password for user ctmuser: psql (9.2.8) Type "help" for help. ctrlm900=> \q serveurctmv919%
Note no commit needed
4) Exit the sql prompt (type “exit”), and try to log back into SQL with the DBO account and its new password, to check if the change has worked.
serveurctmv919% psql -U ctmuser Password for user ctmuser: psql (9.2.8) Type "help" for help. ctrlm900=>
Seems that the password update worked!
5) For Control M DBO there is also an encryption of the password that is stored in different files regarding the Control M version we have:
Change the saved encrypted password that the Control-M processes use to connect to the database:
- For 9.0.18 and lower : This is saved in the file .controlm located here :/home/controlm/.controlm
- For 9.0.19 and higher : It is saved .ctmpdo/.ctmpda located here : /home/controlm/ctm_server/data/keys/
The ‘ctminterface’ command saves the encrypted password to the above files file for the Control-M Server utilities to use.
Executing ctminterface does NOT change the password in the database. It only updates the encrypted password in the .controlm or .ctmpdo/.ctmpda files.
Run teh command below:
ctminterface -SET_PASSWORD PRIMARY <DBO_Password>
example :
ctminterface -SET_PASSWORD PRIMARY NabilDBI12345
we can check if the encryption was effective by consulting the file before our command.
As I am on control v9.0.00 the file concerned is the hidden file named.controlm:
[root@serveurctmv919 ~]# su - controlm serveurctmv919% cat /home/controlm/.controlm serveurctmv919% 50-85-1050-350-14-1110-280-890-8900960-500118008501170-8300-3
Then we can do the command:
serveurctmv919% ctminterface -SET_PASSWORD PRIMARY NabilDBI12345
As result we can see that the encryption chain was updated:
serveurctmv919% cat /home/controlm/.controlm serveurctmv919% 700220-250127-123-1020-9500-700-200270-59007000640115-1210078
Note: There will not be any confirmation that what you typed was correct or incorrect or that it was accepted.
Try to start the CONTROL-M/Server and if it doesn’t start, the password entered was likely incorrect.
6) Restart the Control-M/Server
serveurctmv919% start_ctm Starting CONTROL-M/Server at mar. fvr. 11 09:30:28 CET 2020 CONTROL-M/Server Pause mode is N serveurctmv919% start_ca Starting CONTROL-M/Server Configuration Agent at mar. fvr. 11 09:30:36 CET 2020 serveurctmv919%
Conclusion
You have now updated your Control M credentials concerning the applicative users and the Control M /EM database owner.
Remember that you must be careful about updating theses passwords if used by other scripts or called in a variable file that you must update also!
Troubleshooting
During this update and sometime in other cases you may have some weird message concerning mcs.ini file when restarting Control M/EM services:
Sometimes you can have this message when you perform the “root_menu” utility:
The message displays:
“wrong number of parms in mcs.ini 1”
To get rid of this issue you must edit the mcs.ini file:
Indeed, there is one or more hidden line that is generating a wrong message when perform the EM services check or launch.
You have to delete the empty line at the bottom of the file located following this path:
/home/emuser/ctm_em/ini/mcs.ini
Then, when you do the “check_all” utility again,you will see that the issue isn’t here anymore.
![Thumbnail [60x60]](https://www.dbi-services.com/blog/wp-content/uploads/2022/05/Middleware-TO_Final-wpcf_173x250.png)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/DWE_web-min-scaled.jpg)