How to change Data Protection system passwords

Document ID : KB000015804
Last Modified Date : 24/08/2018
Introduction:
CA Data Protection uses different system user accounts. 

(a) Windows service accounts (used for running Windows Services) 
(b) the Data Protection database user accounts (used to connect with the Database). 
(c) Data Protection Administrator account. 

The potential impact of arbitrary security changes is huge, so it is recommended that changes are only made where there is a clear and defined security risk.
Question:

How do you change the system passwords for CA Data Protection?

Answer:
1. Changing Windows service accounts (used for running Windows Services) 

If the services are executed locally (i.e. if an Importer Service and Policy Engine service both reside on a single machine), the "LocalSystem" account will suffice; otherwise a Windows Service Account is used to access resources across the network. 

The Windows service user account is used to start all the CA Data Protection Services (i.e. CA Data Protection Infrastructure, CA Data Protection Policy Engine Service etc.). 

You may also see the Policy Engine Hub (WgnPhub.exe) running under a local system account. This is acceptable if the policy engine domain user credentials are cached using the "wgnphub -SetCredentials" command (see the link below for more information). 

https://docops.ca.com/ca-data-protection/15-2/en/integrating/archives/import-policy/hub-mode 

2. Changing the Database User Accounts.

To change the password of the primary user (by default named "WgnUSer") on the Database, follow the steps below: 

Option A. For CMS Only.

If the password has been changed on the database server (for example, for security reasons), you must supply CA Data Protection with the new password. You can do this directly from the Administration console.

Follow these steps:

1. Log on to the Administration console using an account that has the 'Admin: Manage security models' privilege.
2. While the CA Data Protection system is running and you are logged into the Admin console (as per step 1), update/change the password in the Database.
3. To reflect the new password in the Data Protection Admin console, click Tools, Set Database Primary User Password, then enter the new password in the Set Database Primary User Password dialog.

Once complete, restart the CA Data Protection Infrastructure and check the activity logs to ensure that the CMS has started without any errors.

Option B - CMS and Gateways Command Line update.

1. First change the password for your database primary user on the Database. It must be changed here before making the changes to your Gateways or CMS.

For example: update the Wgn_User password under the global SQL -> Security -> Logins folder. Depending on whether you upgraded to a newer version, you may also need to update the individual Gateway DB users as well. Those users will look like WgnUser_<Machine_Name> (if the server is ABC-123, then the account is WgnUser_ABC-123) and will be seen under that server's database in the Logins folder. 

2. Update the Gateways with the new user's password. Use the command below from the %wgnInstallDir%\system folder on each individual gateway to update the DB password. 

wgninfra -exec wigan/schema/Schema UpdateDBPassword "<DBpassword>" 

"<DBpassword>" is where you put your new password, so if your new password is Safe, the command is: wgninfra -exec wigan/schema/Schema UpdateDBPassword "Safe". Once you have updated the password, restart the Infrastructure service in Services. The system caches the password, so the change does not take effect until the service has been restarted. Once the service is restarted, check the activity logs for any DB connection errors. The logs folder is found in the data directory (%wgndatadir%\logs). 
 
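Step 2 scripted in PowerShell, as an added example that is not part of the original article or of CA's tooling. It prompts for the password without echoing it, so it is not typed into the command history, then restarts the service and lists database-related log lines written since the restart. Assumptions: wgnInstallDir and wgndatadir are set as environment variables, a non-zero exit code from wgninfra means failure, and the log search pattern is a generic guess rather than a documented message.

```powershell
# Added example, not CA's own script. Run in an elevated PowerShell session on each
# gateway or CMS AFTER the password has been changed on the database server (step 1).
# Assumptions: wgnInstallDir / wgndatadir exist as environment variables, and the
# service display name is "CA Data Protection Infrastructure" as written in this article.

$systemDir = Join-Path $env:wgnInstallDir 'system'
$logDir    = Join-Path $env:wgndatadir 'logs'

# Prompt without echo so the password never appears in the typed command line.
$secure = Read-Host -Prompt 'New database primary user password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Push-Location $systemDir
    try {
        # Command from the article. The password is still passed as a process
        # argument, so it is visible to process command-line auditing while it runs.
        & .\wgninfra -exec wigan/schema/Schema UpdateDBPassword $plain
        # Assumption: wgninfra signals failure with a non-zero exit code.
        if ($LASTEXITCODE -ne 0) { throw "wgninfra exited with code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
} finally {
    # Wipe the unmanaged copy and drop the plaintext variable.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# The old password stays cached until the Infrastructure service restarts.
$restartedAt = Get-Date
Get-Service -DisplayName 'CA Data Protection Infrastructure' | Restart-Service

# Give the service time to reconnect, then show log lines written since the
# restart that mention the database. The pattern is an assumed, generic filter.
Start-Sleep -Seconds 60
Get-ChildItem -Path $logDir -File |
    Where-Object { $_.LastWriteTime -ge $restartedAt } |
    Select-String -Pattern 'database|DB connection|login failed' |
    Select-Object Path, LineNumber, Line
```

An empty result from the last pipeline only means no line matched the assumed pattern; the activity logs should still be read as the article describes.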

How to change other db user credentials.

The WGNSEARCH database account is automatically associated with the default database security model, Management Group (Standard). If you enable additional security models on your CMS, each will require its own, unique Search User. 

1) To change the wgnsearch user, first change the password in the Database. This user is found in the database under Security -> Logins. 
2) Once the password has been changed in the Database, the security model user accounts need to be updated on the CMS in the Admin Console -> Tools -> Manage Security Models. The default security model is Management Group (Standard). Select the security model you wish to update and select Modify -> Set Credentials. 

How to change the Reports User

External reporting applications (such as BusinessObjects Enterprise) use this database account to connect to the Data Warehouse and CMS database. You specify the Reporting User if you enable data warehousing when installing a CMS. 

To change the WGNREPORTS password you must:

1) First change the user in the Database. For example, in SQL this user is found in the database under Security -> Logins. 

2) Update the DB password in the CMS. Log into the Admin Console, then use the Tools -> Set Reporting Users Credentials option.

3. Changing the CA Data Protection Administrator account. 

This is an internal admin account used for administering the Data Protection deployment (by default named Administrator). It is also known as the first admin user, which is called by the installer during the installation and upgrade process. You cannot change the password for this account. You can, however, create an alternative Administrator account, delete the original account, and then update the underlying Wigan system with the new user details for the installer. Use the following syntax, executed from a command prompt in the %wgninstalldir%\system folder (syntax is case sensitive):

wgninfra -exec wigan/schema/Schema StoreAdminUser <user> <password>
 

Additional Information:
***************
WARNINGS
***************
1. We strongly suggest that you take full backups before making any changes. You should also test all processes in a UAT or test environment before attempting these steps in a production environment. 
2. In a busy Enterprise environment we recommend that you only update the Service Account login details outside of normal working hours to minimize disruption.
3. Changing the CMS Primary user account details is dangerous and if the process above is not followed the system may become inoperable.
4. We do not recommend changing the Primary DB user on a Gateway machine as these servers are transient in nature.  Specifically data is purged as soon as it is replicated upstream.
5. Deleting/changing the Data Protection 'Administrator' user account details is dangerous and if the process above is not followed the system may become inoperable.