1. Security Guide
  2. Changing Siebel Administrator Account Password on UNIX

Changing Siebel Administrator Account Password on UNIX

To increase the security of your Siebel implementation, it is recommended that you change the Siebel administrator account (SADMIN) password at regular intervals. For more information about setting up this account for initial use, see Siebel Installation Guide.

Use the following procedure to modify the password for the Siebel administrator database account on UNIX. You must change the corresponding password parameter for Siebel Enterprise, then rename the Siebel Server system service and re-create it using the new password. This procedure applies to Siebel CRM 18.11 Update and later releases – and where stated from Siebel CRM 17.x Update and later.

To change the Siebel administrator account (SADMIN) password on UNIX

  1. End all client sessions and shut down Siebel Servers using the following command: 

    SIEBSRVR_ROOT/bin/stop_server all

    You must run this command on all Siebel Server computers to stop all servers in the Siebel Enterprise.

  2. Use Server Manager to change the SADMIN password as follows:

    1. Log in at the Enterprise level: 

      srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -u UserName -p Password

    2. At the Server Manager prompt, enter the following command: 

      change enterprise param Password=NewPassword

    If using this SADMIN user and password on another profile, such as the Application Interface or Migration profiles, then it will be revised for those profiles as well.

  3. Change the password for SADMIN in the database. For more information, refer to your RDBMS documentation on changing passwords.

  4. On each Siebel Server in your Siebel Enterprise, rename the existing Siebel Server system service (svc file) and then recreate the Siebel service with the new administrator database account password (SADMIN) as follows:

    Caution: Do not edit the svc file manually as doing so can corrupt the file. Instead, make a backup copy of the existing svc file, then re-create the svc file with the new password using the siebctl utility. Do not store the backup copy of the svc file in the same directory as the original file as this may interfere with normal server startup.

    1. To rename the existing Siebel service file, navigate to the $siebsrvr/sys directory and rename the file. To avoid issues when starting up the environment, store the renamed svc file in a different location to $siebsrvr/sys. The Siebel service file name is in a format similar to the following, where siebsrvrname is the name of the Siebel Server: 

      svc.siebsrvr.siebel:siebsrvrname

    2. To recreate the Siebel service file with the new SADMIN password, run the following command in the $siebsrvr/bin directory: 

      siebctl -r "SIEBSRVR_ROOT" -S siebsrvr -i EnterpriseName:SiebelServerName -a -g "-g GatewayServerHostName:TLS_Port# -e EnterpriseName -s SiebelServerName -u sadmin" -e NewPassword -L ENU

      where:

      • "SIEBSRVR_ROOT" is the installation directory of the Siebel Server

      • EnterpriseName is the name of your Siebel Enterprise

      • SiebelServerName is the name of the Siebel Server

      • GatewayServerHostname is the name of the Siebel Gateway host

      • TLS_Port# is the port number of the Siebel Gateway

      • sadmin is the administrator user ID

      • NewPassword is the new Siebel administrator password (in plaintext). The siebctl utility encrypts the password.

      For example: 

      siebctl -r "/data/siebel/ses/siebsrvr" -S siebsrvr -i ENTP_TRN:SIEBSRV2 -a -g "-g GTWNOVA04:2020 -e ENTP_TRN -s SIEBSRV2 -u sadmin" -e sadmin1 -L ENU

      The siebctl utility re-creates the Siebel service file (svc file) with the new encrypted password value. Make sure the Siebel service file is created without any errors.

  5. Restart Siebel Gateway and Siebel Server system service (the application container for the Cloud Gateway should be running as well).

    • To stop and restart Siebel Gateway:

      $SIEBEL_ROOT/SiebelGatewayName/bin/stop_ns 
$SIEBEL_ROOT/SiebelGatewayName/bin/start_ns
    • To start the Siebel Server system service:

      1. On the Siebel Server, log in as the Siebel Service owner user.

      2. Run the siebenv.sh or siebenv.csh script to set Siebel environment variables.

      3. Run the ps command and check whether the application container for the Siebel Server is running. Start it if necessary.

      4. Enter the following command, where siebel_server_name is the name of the Siebel Server: 

         start_server siebel_server_name

      For further information on administering the Siebel Server system service on UNIX, see Siebel System Administration Guide.

  6. Connect to the Server Manager (srvmgr) with the new password to verify the password change: 

    srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -s SiebelServerName -u SADMIN -p NewPassword

  7. If Step 6 is successful, start Siebel Server. To restart all Siebel Servers:

    $SIEBEL_ROOT/ServerName/bin/start_server all
    Note: The remaining steps in this procedure apply to Siebel CRM 17.x Update and later releases.

  8. Update the AuthToken value in the applicationinterface.properties file as follows:

    1. Run the following command in any linux box: 

      echo -n 'sadmin:<newsadminpassword>' | base64

      Alternatively, use the online base64 encoding tool (https://www.base64encode.org/) to encode 'sadmin:<newsadminpassword>'.

    2. Copy the output string. For example: 

      $AI/jre/bin/java -jar/siebel/sai/applicationcontainer/webapps/siebel/WEB-INF/lib/EncryptString.jar$token
    Note: Even though you will still be able to access the application and srvrmgr if you do not update the AuthToken value, the SADMIN account will be locked out if the SADMIN profile at the database level is set with an invalid password login attempt limit.

  9. Copy the output string from step 8 and update the encrypted string output in $SAI/applicationcontainer/webapps/applicationinterface.properties.

    Copy the value to all Application Interface nodes, for AuthToken Value, and restart all nodes.

  10. Update the migration profile in Siebel Management Console if you are using SADMIN credentials in the migration profile:

    1. Undeploy the Application Interface and migration profile in Siebel Management Console.

    2. Stop the Application Interface container (tomcat).

    3. Remove the value set to the AuthToken parameter in the migration.properties file.

    4. Remove the value set to the MigrationProfile parameter in the migration.properties file.

    5. Start the Application Interface container and verify that the SADMIN password is not locked

    6. Log in to Siebel Management Console and redeploy the Application Interface Profile.

    7. Restart the Application Interface container and check that the SADMIN password is not locked.

    8. Log in to Siebel Management Console and redeploy the migration profile.

    9. Restart the Application Interface container and check that the SADMIN password is not locked.

  11. Recreate the Application Interface profile.

    Note the following:

    • Since the ZK node /Config/Profiles/SWSM/<name> will have the previous password hard coded as a base64 string, this will cause an invalid login and lead to the SADMIN account being locked.

    • To prevent this from happening, replace authtoken in applicationinterface.properties and update the value of GatewayIdentity:Authtoken in zookeeper with the modified password.

    • Either generate a new value (echo 'SADMIN:<SADMINPASSWORD>' | base64) and use zkui to manually update the /Config/Profiles/SWSM/<name> OR delete and recreate the swsm/AI profile using Siebel Management Console.

  12. To validate application access, log in to Siebel as SADMIN (with the new Siebel administrator account password) and verify the password change.

    Note: Depending on how your Siebel administrator account (SADMIN) is configured, you may be locked out of your SADMIN account if you exceed a specified number of failed login attempts.