How to change the IPESERVICE and IPEADMIN user accounts for TIBCO iProcess Engine (iPE) on Windows .
Article ID: KB0094122
Updated On:
| Products | Versions |
|---|---|
| TIBCO iProcess Engine (SQL) | - |
| Not Applicable | - |
Description
Description:
How to manually change the IPESERVICE and IPEADMIN user accounts for the iProcess engine on Windows.
Resolution
The following changes detail how to manually change the users and domain:
1). Stop iProcess Engine (iPE) processes, including the process sentinels. %SWDIR%/bin/swstop –p. Ensure that the processes are not running from the Task Manager.
2). Add the server to the new domain.
3). Modify the %SWDIR%\swdefs file on line 2 (IPESERVICE) and line 3 (IPEADMIN) to have the new names.
4). Ensure the IPESERVICE, IPEADMIN and all other required users are created on the domain in which iPE is now installed.
5). Update the iPE Administrators Group and iPE Users Group on the local machine to contain the new IPESERVICE, IPEADMIN and any other new/modified users, removing the old ones.
6). Add the new IPESERVICE user to the Local Administrators Group on the machine ( removing the old one ).
7). Give full permission to the new IPESERVICE user and "Everyone" in the %SWDIR% directory and its subdirectories.
a). Right click on the %SWDIR% directory - Security Tab -- Advanced -- Permissions tab. Check both checkboxes to allow inheritable permissions to child objects and to replace permissions on child objects.
b). Right click on the %SWDIR% directory - Security Tab -- Advanced –- Owners tab. Choose the new user as owner and select the checkbox to replace owner on sub-containers.
8). Ensure that the "Local Security Policy" settings documented in the iPE Installation Guide to reference the newly created users and groups.
9). In Windows Services (Start -- Run – services.msc), set the iProcess Sentinels service entry for the node to run as the new domain IPESERVICE user.
10). Update COM+ / DCOM access to the new domain IPESERVICE user.
a). Enable COM+ network access. See Chapter 4, Carrying out Post Installation Tasks - Enable COM+ Network Access of the iProcess Engine (SQL Server) for Windows Installation Guide.
b). Enable DCOM network access. See Chapter 2. Configuring the TIBCO iProcess Objects Server - To Check if DCOM is Enabled of the iProcess Objects Server Administrator's Guide.
c). Update the COM+ owner to the new domain IPESERVICE user (Start - Run - dcomcnfg -> Console Root - Component Services - Computers - My Computer - COM+ Applications - Staffware Events - (right click) Properties - Identity).
11). Give permissions on the file system to the %SWDIR% directory.
- Log in as the new user and run the fixperms command – ‘%SWDIR%/bin/fixperms –r –R –y %SWDIR%’
12_. Change the OS_USER_LOCATION attribute to point to the new domain -
0 ALL 0 OS_USER_LOCATIONS S MACHINENAME,D:<Domain Name>
Refer to the TIBCO iProcess Engine - Administrator's Guide for full instructions.
13). In the %SWDIR%/etc/staffpms file on Line #6, modify the old IPEADMIN account to be the new one and modify the old domain to be the new one.
14). Existing users may have their SW_DOMAIN value currently set to the old domain. You can check how many users may need to be updated with the following query:
select distinct n.user_name, v.attribute_value
from <schema>.user_names n, <schema>.user_attrib a, <schema>.user_values v
where n.user_id = v.user_id AND v.attribute_id = (select attribute_id from <schema>.user_attrib where attribute_name = 'SW_DOMAIN') AND n.user_type = 'U'
Use swutil USERINFO / USERINFO EXPORT to export the existing values and import the new ones (also issuing a MOVESYSINFO). You should leave the "R" at the top of the file when you import it so the new IPEADMIN user is created on import from the staffpms file changes in step #13.
15). If there are existing workitems in the UNDELIVERED queue, they will not be visible to the new IPEADMIN user. You can update any UNDELIVERED workitems so they are visible to the new IPEADMIN user with the following update statement:
update <schema>.staffo SET o_queuename = '<NEW IPEADMIN USER>' where o_queuename = '<OLD IPEADMIN USER>' and o_username IS NULL;
16). After the MOVESYSINFO has been completed, restart iPE and test that you can login with the new IPEADMIN user.
17). If there were existing workitems in the old IPEADMIN user queue, redirect the old IPEADMIN queue to the new IPEADMIN queue.
1). Stop iProcess Engine (iPE) processes, including the process sentinels. %SWDIR%/bin/swstop –p. Ensure that the processes are not running from the Task Manager.
2). Add the server to the new domain.
3). Modify the %SWDIR%\swdefs file on line 2 (IPESERVICE) and line 3 (IPEADMIN) to have the new names.
4). Ensure the IPESERVICE, IPEADMIN and all other required users are created on the domain in which iPE is now installed.
5). Update the iPE Administrators Group and iPE Users Group on the local machine to contain the new IPESERVICE, IPEADMIN and any other new/modified users, removing the old ones.
6). Add the new IPESERVICE user to the Local Administrators Group on the machine ( removing the old one ).
7). Give full permission to the new IPESERVICE user and "Everyone" in the %SWDIR% directory and its subdirectories.
a). Right click on the %SWDIR% directory - Security Tab -- Advanced -- Permissions tab. Check both checkboxes to allow inheritable permissions to child objects and to replace permissions on child objects.
b). Right click on the %SWDIR% directory - Security Tab -- Advanced –- Owners tab. Choose the new user as owner and select the checkbox to replace owner on sub-containers.
8). Ensure that the "Local Security Policy" settings documented in the iPE Installation Guide to reference the newly created users and groups.
9). In Windows Services (Start -- Run – services.msc), set the iProcess Sentinels service entry for the node to run as the new domain IPESERVICE user.
10). Update COM+ / DCOM access to the new domain IPESERVICE user.
a). Enable COM+ network access. See Chapter 4, Carrying out Post Installation Tasks - Enable COM+ Network Access of the iProcess Engine (SQL Server) for Windows Installation Guide.
b). Enable DCOM network access. See Chapter 2. Configuring the TIBCO iProcess Objects Server - To Check if DCOM is Enabled of the iProcess Objects Server Administrator's Guide.
c). Update the COM+ owner to the new domain IPESERVICE user (Start - Run - dcomcnfg -> Console Root - Component Services - Computers - My Computer - COM+ Applications - Staffware Events - (right click) Properties - Identity).
11). Give permissions on the file system to the %SWDIR% directory.
- Log in as the new user and run the fixperms command – ‘%SWDIR%/bin/fixperms –r –R –y %SWDIR%’
12_. Change the OS_USER_LOCATION attribute to point to the new domain -
0 ALL 0 OS_USER_LOCATIONS S MACHINENAME,D:<Domain Name>
Refer to the TIBCO iProcess Engine - Administrator's Guide for full instructions.
13). In the %SWDIR%/etc/staffpms file on Line #6, modify the old IPEADMIN account to be the new one and modify the old domain to be the new one.
14). Existing users may have their SW_DOMAIN value currently set to the old domain. You can check how many users may need to be updated with the following query:
select distinct n.user_name, v.attribute_value
from <schema>.user_names n, <schema>.user_attrib a, <schema>.user_values v
where n.user_id = v.user_id AND v.attribute_id = (select attribute_id from <schema>.user_attrib where attribute_name = 'SW_DOMAIN') AND n.user_type = 'U'
Use swutil USERINFO / USERINFO EXPORT to export the existing values and import the new ones (also issuing a MOVESYSINFO). You should leave the "R" at the top of the file when you import it so the new IPEADMIN user is created on import from the staffpms file changes in step #13.
15). If there are existing workitems in the UNDELIVERED queue, they will not be visible to the new IPEADMIN user. You can update any UNDELIVERED workitems so they are visible to the new IPEADMIN user with the following update statement:
update <schema>.staffo SET o_queuename = '<NEW IPEADMIN USER>' where o_queuename = '<OLD IPEADMIN USER>' and o_username IS NULL;
16). After the MOVESYSINFO has been completed, restart iPE and test that you can login with the new IPEADMIN user.
17). If there were existing workitems in the old IPEADMIN user queue, redirect the old IPEADMIN queue to the new IPEADMIN queue.
Issue/Introduction
How to change the IPESERVICE and IPEADMIN user accounts for TIBCO iProcess Engine (iPE) on Windows .
Feedback
Yes
No
Powered by
