In this series, I have now covered the passwords I wanted to talk about on the Content Server. In this blog, I will therefore talk about the only Database Account that is relevant for Documentum: the Database Schema Owner. Since there are a few steps to be done on the Content Server, I’m just doing everything from there. I will assume there is one Global Registry (GR_DOCBASE) and one normal Repository (DocBase1). Each docbase has a different Database Schema Owner, of course, but both schemas are on the same database and therefore the same SID will be used.
In High Availability setups, you will have to execute the steps below for all Content Servers. Of course, when it comes to changing the password inside the DB, this needs to be done only once since the Database Schema Owner is shared between the different Content Servers of the HA setup.
In this blog, I’m using a CS 7.2. Please note that in CS 7.2, there is a property inside the dfc.properties of the Content Server ($DOCUMENTUM_SHARED/config/dfc.properties) that defines the crypto repository (dfc.crypto.repository). The repository that is used for this property is the one that Documentum will use for encryption/decryption of passwords and therefore I will use this one below to encrypt the password. By default, the Repository used for this property is the last one created… I tend to use the Global Registry instead, but it’s really up to you.
As said before, I’m considering two different repositories and therefore two different accounts and two different passwords. So, let’s start with encrypting these two passwords:
[dmadmin@content_server_01 ~]$ read -s -p "Please enter the NEW GR_DOCBASE Schema Owner's password: " new_gr_pw; echo
Please enter the NEW GR_DOCBASE Schema Owner's password:
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ read -s -p "Please enter the NEW DocBase1 Schema Owner's password: " new_doc1_pw; echo
Please enter the NEW DocBase1 Schema Owner's password:
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ iapi `cat $DOCUMENTUM_SHARED/config/dfc.properties | grep crypto | tail -1 | sed 's/.*=//'` -Udmadmin -Pxxx << EOF
> encrypttext,c,${new_gr_pw}
> encrypttext,c,${new_doc1_pw}
> EOF
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2015
All rights reserved.
Client Library Release 7.2.0150.0154
Connecting to Server using docbase GR_DOCBASE
[DM_SESSION_I_SESSION_START]info: "Session 010f12345605ae7b started for user dmadmin."
Connected to Documentum Server running Release 7.2.0160.0297 Linux64.Oracle
Session id is s0
API> ...
DM_ENCR_TEXT_V2=AAAAEH7UNwFub2ubf92h+21/rc8HEc3rd1C82hc52c8bz2cFl1cQ721zex2nxWDEegwqgdotwncZVVqgZlDLmfflWK6+f8AGf0dSRzi5rr3h3::GR_DOCBASE
API> ...
DM_ENCR_TEXT_V2=AAAAEGBQ6Zy7FxQ10idQdFj+Gn20nFlif02ieMx+AGBHLz+vQfmGu2GAiv8KeIN2PhPOf1oiF9u2fP98zEFhhuBAmxY+d5AoBCGNf61ZRavpa::GR_DOCBASE
API> Bye
[dmadmin@content_server_01 ~]$
If you have more repositories, you will have to encrypt their passwords too, if you want to change them of course. Once the new password has been encrypted, we can change it on the Database. To avoid any issues and error messages, let’s first stop Documentum (the docbases at the very least) and then print the Database Connection information:
[dmadmin@content_server_01 ~]$ service documentum stop
  ** JMS stopped
  ** DocBase1 stopped
  ** GR_DOCBASE stopped
  ** Docbroker stopped
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ cat $ORACLE_HOME/network/admin/tnsnames.ora
<sid> =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <database_hostname>)(PORT = <database_port>))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = <service_name>)
    )
  )
[dmadmin@content_server_01 ~]$
Once you know what the SID is, you can log in to the database to change the password, so I will do that for both repositories. This could also be scripted to retrieve the list of docbases, create new passwords for them, encrypt them all automatically and then connect to each database using different SQL scripts to change the passwords; however, I will use manual steps here:
[dmadmin@content_server_01 ~]$ sqlplus GR_DOCBASE@<sid>
SQL*Plus: Release 12.1.0.2.0 Production on Sat Jul 22 15:05:08 2017
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Enter password:    -->> Enter here the OLD GR_DOCBASE Schema Owner's password
Last Successful login time: Sat Jul 22 2017 15:04:18 +00:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing and Unified Auditing options
SQL> PASSWORD
Changing password for GR_DOCBASE
Old password:    -->> Enter here the OLD GR_DOCBASE Schema Owner's password
New password:    -->> Enter here the NEW GR_DOCBASE Schema Owner's password
Retype new password:    -->> Re-enter here the NEW GR_DOCBASE Schema Owner's password
Password changed
SQL> quit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing and Unified Auditing options
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ sqlplus DocBase1@<sid>
SQL*Plus: Release 12.1.0.2.0 Production on Sat Jul 22 15:08:20 2017
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Enter password:    -->> Enter here the OLD DocBase1 Schema Owner's password
Last Successful login time: Sat Jul 22 2017 15:07:10 +00:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing and Unified Auditing options
SQL> PASSWORD
Changing password for DocBase1
Old password:    -->> Enter here the OLD DocBase1 Schema Owner's password
New password:    -->> Enter here the NEW DocBase1 Schema Owner's password
Retype new password:    -->> Re-enter here the NEW DocBase1 Schema Owner's password
Password changed
SQL> quit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing and Unified Auditing options
[dmadmin@content_server_01 ~]$
At this point, the passwords have been changed in the database and we encrypted them properly. The next step is therefore to update the password files for each repository with the encrypted password so that the repositories can start again:
[dmadmin@content_server_01 ~]$ cd $DOCUMENTUM/dba/config
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ for i in `ls -d *`; do echo " ** dbpasswd.txt for ${i} **"; cat ./${i}/dbpasswd.txt; echo; done
 ** dbpasswd.txt for GR_DOCBASE **
DM_ENCR_TEXT_V2=AAAAEH7UNwFgncubfd1C82hc5l1cwqgdotwQ7212c8bz2cFZVVqgZub2zex8bz2cFWK92h+21EelDLmffl2/rc82c8bz2cFf0dSRazi5rr3h3::GR_DOCBASE
 ** dbpasswd.txt for DocBase1 **
DM_ENCR_TEXT_V2=AAAAQ10idQdFj+Gn2EGBPZy7e0niF9uQfAGBHLz+vv8KQ62fP98zE+02iFhhuBAmxY+FFxeMxIN2Phl1od5AoBCGNf61ZRifmGu2GAiOfavpa::GR_DOCBASE
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ for i in `ls -d *`; do cp ./${i}/dbpasswd.txt ./${i}/dbpasswd.txt_bck_$(date +"%Y%m%d-%H%M%S"); done
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ echo "DM_ENCR_TEXT_V2=AAAAEH7UNwFub2ubf92h+21/rc8HEc3rd1C82hc52c8bz2cFl1cQ721zex2nxWDEegwqgdotwncZVVqgZlDLmfflWK6+f8AGf0dSRzi5rr3h3::GR_DOCBASE" > ./GR_DOCBASE/dbpasswd.txt
[dmadmin@content_server_01 ~]$ echo "DM_ENCR_TEXT_V2=AAAAEGBQ6Zy7FxQ10idQdFj+Gn20nFlif02ieMx+AGBHLz+vQfmGu2GAiv8KeIN2PhPOf1oiF9u2fP98zEFhhuBAmxY+d5AoBCGNf61ZRavpa::GR_DOCBASE" > ./DocBase1/dbpasswd.txt
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ for i in `ls -d *`; do echo " ** dbpasswd.txt for ${i} **"; cat ./${i}/dbpasswd.txt; echo; done
 ** dbpasswd.txt for GR_DOCBASE **
DM_ENCR_TEXT_V2=AAAAEH7UNwFub2ubf92h+21/rc8HEc3rd1C82hc52c8bz2cFl1cQ721zex2nxWDEegwqgdotwncZVVqgZlDLmfflWK6+f8AGf0dSRzi5rr3h3::GR_DOCBASE
 ** dbpasswd.txt for DocBase1 **
DM_ENCR_TEXT_V2=AAAAEGBQ6Zy7FxQ10idQdFj+Gn20nFlif02ieMx+AGBHLz+vQfmGu2GAiv8KeIN2PhPOf1oiF9u2fP98zEFhhuBAmxY+d5AoBCGNf61ZRavpa::GR_DOCBASE
[dmadmin@content_server_01 ~]$
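The dbpasswd.txt update can also be wrapped in a guard that refuses plaintext or a value encrypted with the wrong crypto repository before it touches the file. This is an added example, not code from the original blog; the function names are hypothetical, and it assumes the `::<name>` suffix of the encrypted value names the crypto repository, as the encrypttext output suggests.

```shell
#!/bin/sh
# Added example (not the blog's code): guarded update of a dbpasswd.txt.
# Function names are hypothetical; the layout matches $DOCUMENTUM/dba/config.

# Read dfc.crypto.repository, taking the last definition as the blog does.
crypto_repo() {  # $1 = path to dfc.properties
  grep '^dfc\.crypto\.repository' "$1" | tail -1 | sed 's/.*=[[:space:]]*//'
}

# Accept only a single line DM_ENCR_TEXT_V2=<base64>::<repo> whose suffix is
# the expected repository (assumption: the suffix names the crypto repository).
valid_encrypted() {  # $1 = value, $2 = expected crypto repository
  case $1 in *'
'*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^DM_ENCR_TEXT_V2=[A-Za-z0-9+/=]+::[A-Za-z0-9_]+$' || return 1
  [ "${1##*::}" = "$2" ]
}

# Back up the current file, then swap in the new value atomically.
update_dbpasswd() {  # $1 = config dir, $2 = docbase, $3 = value, $4 = repo
  file="$1/$2/dbpasswd.txt"
  [ -f "$file" ] || { echo "no dbpasswd.txt for $2" >&2; return 2; }
  valid_encrypted "$3" "$4" || { echo "rejected value for $2" >&2; return 3; }
  cp -p "$file" "${file}_bck_$(date +%Y%m%d-%H%M%S)" || return 4
  tmp=$(mktemp "$1/$2/.dbpasswd.XXXXXX") || return 4
  # Owner-only mode: assumes the repository runs as the file's owner (dmadmin).
  chmod 600 "$tmp" && printf '%s\n' "$3" > "$tmp" && mv -f "$tmp" "$file"
}

# Usage on the Content Server, with $enc_doc1 holding the encrypttext output:
#   repo=$(crypto_repo "$DOCUMENTUM_SHARED/config/dfc.properties")
#   update_dbpasswd "$DOCUMENTUM/dba/config" DocBase1 "$enc_doc1" "$repo"
```

A non-zero return leaves the existing dbpasswd.txt untouched, so a rejected value cannot prevent the repository from starting with its current password.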
Once the dbpasswd.txt files have been updated with the new encrypted passwords that were generated at the beginning of this blog, we can restart Documentum and verify that the docbases are up and running. If they are, then the password has been changed properly!
[dmadmin@content_server_01 ~]$ service documentum start
  ** Docbroker started
  ** GR_DOCBASE started
  ** DocBase1 started
  ** JMS started
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ ps -ef | grep "documentum.*docbase_name"
...
[dmadmin@content_server_01 ~]$
[dmadmin@content_server_01 ~]$ grep -C3 "DM_DOCBROKER_I_PROJECTING" $DOCUMENTUM/dba/log/GR_DOCBASE.log
2017-07-22T15:28:40.657360 9690[9690] 0000000000000000 [DM_SERVER_I_START]info: "Sending Initial Docbroker check-point "
2017-07-22T15:28:40.671878 9690[9690] 0000000000000000 [DM_MQ_I_DAEMON_START]info: "Message queue daemon (pid : 9870, session 010f123456000456) is started sucessfully."
2017-07-22T15:28:40.913699 9869[9869] 010f123456000003 [DM_DOCBROKER_I_PROJECTING]info: "Sending information to Docbroker located on host (content_server_01) with port (1490). Information: (Config(GR_DOCBASE), Proximity(1), Status(Open), Dormancy Status(Active))."
Tue Jul 22 15:29:38 2017 [INFORMATION] [AGENTEXEC 10309] Detected during program initialization: Version: 7.2.0160.0297 Linux64
Tue Jul 22 15:29:44 2017 [INFORMATION] [AGENTEXEC 10309] Detected during program initialization: Agent Exec connected to server GR_DOCBASE: [DM_SESSION_I_SESSION_START]info: "Session 010f123456056d00 started for user dmadmin."
[dmadmin@content_server_01 ~]$
When the docbase has been registered to the Docbroker, you are sure that it was able to contact and log in to the database so that the new password is now used properly. To be sure that everything in Documentum is working properly however, I would still check the complete log file…
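The log check described above can be turned into a repeatable test that only considers entries written since the restart. This is an added example, not part of the original blog; the function name is hypothetical, and it assumes error and fatal messages carry `_E_` or `_F_` in their message code in the same way the informational ones shown above carry `_I_`.

```shell
#!/bin/sh
# Added example (not the blog's code): post-restart check of a repository log.
# check_docbase_log is a hypothetical helper name.
#   $1 = repository log, e.g. $DOCUMENTUM/dba/log/GR_DOCBASE.log
#   $2 = restart time as YYYY-MM-DDTHH:MM:SS (same format as the log prefix)
# Returns 0 when the docbase projected to the Docbroker with Status(Open) and
# no error was logged since $2, 1 when errors were logged, 2 when no
# projection was found.
check_docbase_log() {
  awk -v since="$2" '
    # Server lines start with an ISO timestamp, so a string compare orders
    # them; AGENTEXEC lines ("Tue Jul 22 ...") are skipped by this filter.
    $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ && $1 >= since {
      if ($0 ~ /\[DM_DOCBROKER_I_PROJECTING\]/ && $0 ~ /Status\(Open\)/)
        projected = 1
      # Assumption: severity letter E (error) or F (fatal) in the code.
      if ($0 ~ /\[DM_[A-Z0-9_]+_[EF]_[A-Z0-9_]+\]/) {
        errors++
        print "ERR " $0
      }
    }
    END {
      if (!projected) { print "no Open projection since " since; exit 2 }
      if (errors) exit 1
      print "projected, no errors"
    }' "$1"
}

# Usage after "service documentum start", once per repository:
#   check_docbase_log "$DOCUMENTUM/dba/log/GR_DOCBASE.log" 2017-07-22T15:28:00
```

Passing the restart time keeps errors from earlier runs, such as failed logins during the password change window, out of the result.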