APM database passwords, specified in tess-db-cfg.xml, should encrypt upon EM restart if the property "plainTextPasswords" is set to "true". Should this not occur, this may due to introscope.enterprisemanager.tess.enabled=false is specified in the IntroscopeEnterpriseManager.properties file. This property disables certain CEM related process, including the encrypting of the APM database password in tess-db-config.xml. This property is true by default and should only be set to false for troubleshooting purposes when working with CA Support. It is extremely highly recommended not to have this property set to false in a production environment.