Changing Siebel Administrator Account Password on Windows
To increase the security of your Siebel implementation, it is recommended that you change the Siebel administrator account (SADMIN) password at regular intervals. You might also have to change the password for the Siebel service owner account, which is the Windows user who starts the Siebel Server system service - see Changing the Password for the Siebel Service Owner Account. For more information about setting up these accounts for initial use, see Siebel Installation Guide.
Use the following procedure to modify the password for the Siebel administrator database account on Microsoft Windows. You must change the corresponding password parameter for Siebel Enterprise, then delete the Siebel Server system service and re-create it using the new password. This procedure applies to Siebel CRM 18.11 Update and later releases – and where stated from Siebel CRM 17.x Update and later.
To change the Siebel administrator account (SADMIN) password on Windows
1. End all client sessions and shut down Siebel Servers, for example, as follows:
   a. Go to Control Panel and double-click Computer Management.
   b. Expand Services and Applications in the Computer Management panel that appears, and then click Services.
   c. Right-click the Siebel Server system service that you want in the details panel, and then click Stop.
      Windows stops the Siebel Server system service. This operation might take a few seconds. Repeat these steps as required to stop all servers in the Siebel Enterprise.
2. Use Server Manager to change the SADMIN password as follows:
   a. Log in at the Enterprise level:
      srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -u UserName -p Password
   b. At the Server Manager prompt, enter the following command:
      change enterprise param Password=NewPassword
      If using this SADMIN user and password on another profile, such as the Application Interface or Migration profiles, then it will be revised for those profiles as well.
3. Change the password for SADMIN in the database. For more information, refer to your RDBMS documentation on changing passwords.
4. On each Siebel Server in your Siebel Enterprise, delete the existing Siebel Server system service (svc file) and then re-create the Siebel service with the new administrator database account password (SADMIN) as follows:
   a. To delete the existing Siebel service file, go to $ses\siebsrvr\bin at the command prompt and enter the following command:
      siebctl -d -S siebsrvr -i "<SiebelServiceFileName>"
      For example:
      siebctl -d -S siebsrvr -i "ses_app01"
   b. To recreate the Siebel service file with the new SADMIN password, go to siebsrvr\bin and enter the following command:
      siebctl -h SIEBSRVR_ROOT -S siebsrvr -i "EnterpriseName_SiebelServerName" -a -g "-g GatewayServerHostname:TLS_Port# -e EnterpriseName -s SiebelServerName -u sadmin" -e NewPassword -u NTAccount -p NTPassword
      where:
      - SIEBSRVR_ROOT is the full path to the Siebel Server installation directory
      - EnterpriseName is the name of your Siebel Enterprise
      - SiebelServerName is the name of the Siebel Server
      - GatewayServerHostname is the name of the Siebel Gateway host
      - TLS_Port# is the port number of the Siebel Gateway
      - sadmin is the administrator user ID
      - NewPassword is the new Siebel administrator password in plaintext. The siebctl utility encrypts the password.
      - NTAccount is the Siebel service owner account name. For example: companydomain\SADMIN. It is recommended that the Siebel service owner account be part of a Windows domain (and not a local domain) so that services are operated under the same account on all the Windows servers. For more information on creating the Siebel service owner account, see Siebel Installation Guide.
      - NTPassword is the Siebel service owner account password
      For example:
      D:\ses\siebsrvr\BIN> siebctl -h "d:\siebel\ses\siebsrvr" -S siebsrvr -i "ENTP_TRN:SIEBSRV2" -a -g "-g GTWNOVA04:2020 -e ENTP_TRN -s SIEBSRV -u sadmin" -e sadmin1 -u companydomain\SADMIN -p xxxxxxxx
      The siebctl utility re-creates the Siebel service file (svc file) with the new encrypted password value. Make sure the Siebel service file is created without any errors.
5. Restart Siebel Gateway registry by starting the Siebel Gateway system service as follows (the application container for the Cloud Gateway should be running as well):
   a. Go to Control Panel and double-click Computer Management.
   b. Expand Services and Applications in the Computer Management panel that appears, and then click Services.
   c. Right-click the Siebel Gateway Name Server that you want in the details panel, and then click Start.
      Windows starts the Siebel Gateway Name Server system service. This operation might take a few seconds.
6. Connect to the Server Manager (srvrmgr) with the new password to verify the password change:
   srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -s SiebelServerName -u SADMIN -p NewPassword
7. If Step 6 is successful, start the Siebel Server system service:
   a. Go to Control Panel and double-click Computer Management.
   b. Expand Services and Applications in the Computer Management panel that appears, and then click Services.
   c. Right-click the Siebel Server system service that you want in the details panel (the enterprise name and Siebel Server name are indicated within brackets), and then click Start.
      Windows starts the Siebel Server system service. This operation might take a few seconds.
   For further information on administering the Siebel Server system service on Windows, see Siebel System Administration Guide.
   Note: The remaining steps in this procedure apply to Siebel CRM 17.x Update and later releases.
8. Update the AuthToken value in the applicationinterface.properties file as follows:
   a. Run the following command (certutil is required):
      certutil -encode pw.txt encoded.txt
   b. Copy the output string. For example:
      $AI/jre/bin/java -jar /siebel/sai/applicationcontainer/webapps/siebel/WEB-INF/lib/EncryptString.jar $token
   Note: Even though you will still be able to access the application and srvrmgr if you do not update the AuthToken value, the SADMIN account will be locked out if the SADMIN profile at the database level is set with an invalid password login attempt limit.
9. Copy the output string from step 8 and update the encrypted string output in $SAI/applicationcontainer/webapps/applicationinterface.properties. Copy the value to all Application Interface nodes, for AuthToken Value, and restart all nodes.
10. Update the migration profile in Siebel Management Console if you are using SADMIN credentials in the migration profile:
    a. Undeploy the Application Interface and migration profile in Siebel Management Console.
    b. Stop the Application Interface container (tomcat).
    c. Remove the value set to the AuthToken parameter in the migration.properties file.
    d. Remove the value set to the MigrationProfile parameter in the migration.properties file.
    e. Start the Application Interface container and verify that the SADMIN password is not locked.
    f. Log in to Siebel Management Console and redeploy the Application Interface Profile.
    g. Restart the Application Interface container and check that the SADMIN password is not locked.
    h. Log in to Siebel Management Console and redeploy the migration profile.
    i. Restart the Application Interface container and check that the SADMIN password is not locked.
11. Recreate the Application Interface profile.
    Note the following:
    - Since the ZK node /Config/Profiles/SWSM/<name> will have the previous password hard coded as a base64 string, this will cause an invalid login and lead to the SADMIN account being locked.
    - To prevent this from happening, replace authtoken in applicationinterface.properties and update the value of GatewayIdentity:Authtoken in zookeeper with the modified password.
    - Either generate a new value (echo 'SADMIN:<SADMINPASSWORD>' | base64) and use zkui to manually update the /Config/Profiles/SWSM/<name> node, OR delete and recreate the swsm/AI profile using Siebel Management Console.
12. To validate application access, log in to Siebel as SADMIN (with the new Siebel administrator account password) and verify the password change.
    Note: Depending on how your Siebel administrator account (SADMIN) is configured, you may be locked out of your SADMIN account if you exceed a specified number of failed login attempts.
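
The following PowerShell is an added example, not part of the Oracle documentation, for the AuthToken update and the ZK node note above: it builds the Base64 value in memory instead of leaving the password in a file such as pw.txt, and it inspects an existing token to show whether a trailing newline was encoded with it, which is what echo does when it appends one. The function names, the sample password and the UTF-8 "USER:PASSWORD" layout (taken from the echo command on this page) are assumptions.

```powershell
# Added example; function names are hypothetical, not part of Siebel.
# Assumption: the token is Base64 of "USER:PASSWORD", as in the echo command above.

function ConvertTo-AuthToken {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Decrypt the SecureString only in memory; nothing is written to disk.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("${User}:$plain")
    try     { [Convert]::ToBase64String($bytes) }
    finally { [Array]::Clear($bytes, 0, $bytes.Length) }
}

function Test-AuthToken {
    # Decode a stored token and describe it without printing the password.
    param([Parameter(Mandatory)] [string] $Token)
    $raw  = [Convert]::FromBase64String($Token.Trim())
    $text = [System.Text.Encoding]::UTF8.GetString($raw)
    $user, $secret = $text -split ':', 2
    [pscustomobject]@{
        User               = $user
        PasswordLength     = ("$secret" -replace '\s+$', '').Length
        TrailingWhitespace = "$secret" -match '\s$'
    }
}

# Constructed sample: the bytes a POSIX `echo 'SADMIN:Example#1' | base64`
# encodes, including the newline that echo appends.
$fromEcho = [Convert]::ToBase64String(
    [System.Text.Encoding]::UTF8.GetBytes("SADMIN:Example#1`n"))
Test-AuthToken -Token $fromEcho

# Build the replacement token from a prompted password and check its shape.
$newPassword = Read-Host -Prompt 'New SADMIN password' -AsSecureString
$newToken    = ConvertTo-AuthToken -User 'SADMIN' -Password $newPassword
Test-AuthToken -Token $newToken
```

Base64 is an encoding, not encryption, so a token stored in applicationinterface.properties or in the ZK node discloses the password to anyone who can read it; restrict access to both accordingly.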