Removing References to a User Account
Prior to deleting a user account you need to update all of the locations in Integration Server that reference the user account, including execution users, certificate mappings, and outbound connection configurations. If you delete the user account before updating functionality that depends on the user account to execute successfully, Integration Server may experience failures.
Software AG recommends that you complete user-related updates in this order:
1. Change client certificate mappings. An imported client certificate or CA (Certificate Authority) signing certificate is mapped to a user account. Before you delete a user account that is mapped to a client certificate, do one of the following:
Remove the certificate mappings stored in the database table IS_CERTIFICATE_MAP of ISInternal JDBC Pool. Because a user can be mapped to more than one certificate, you might need to delete multiple mappings. You can use the following database DELETE statement to quickly remove any user certificate mappings:
DELETE FROM IS_CERTIFICATE_MAP WHRE CERT_USER = “username”
Where username is the user account that you intend to delete.
2. Change the user account assigned to execute tasks, services, and triggers. You might need to update one or more of the following:
Update this asset | Specifically | Using |
Scheduled tasks | Run As User value on the Server > Scheduling > User Tasks > Modify Tasks page | Integration Server Administrator. |
JMS triggers | Execution user property for the trigger | Designer |
webMethods messaging triggers that receive messages from Universal Messaging | Execution user property for the trigger | Designer |
webMethods messaging triggers that receive messages from Broker or messages published locally | Run Trigger Service As User field available on the Settings > Resources > Store Settings page | Integration Server Administrator |
Enterprise Gateway rule that uses a service as a custom filter. | Run As User field for the custom filter on the Security > Enterprise Gateway rules > Rules > rulename > Edit page | Integration Server Administrator on the Integration Server acting as the Enterprise Gateway Server |
Enterprise Gateway alerts that invoke a flow service to alert you of a rules violation. | Run As User field for the default alert options on the Security > Enterprise Gateway rules > Edit Default Alert Options page | Integration Server Administrator on the Integration Server acting as the Enterprise Gateway Server |
Email ports | Run services as user field on the Server > Ports > Edit Email Client Configuration page | Integration Server Administrator |
File polling ports | Run services as user field on the Server > Ports > Edit File Polling Configuration page | Integration Server Administrator |
Package subscriptions on the current server | Remote User Name field on the Packages > Publishing > Edit Subscriber page | Integration Server Administrator |
Package subscriptions on a remote server | Local User Name field on the Packages > Subscribing > Edit Subscription page | Integration Server Administrator |
WmCloud account settings | Run As User field on the webMethods Cloud > Accounts > Edit Account page | Integration Server Administrator |
Note:
The above list does not include execution users assigned for adapters.
3. Change server configuration parameters that specify a user as the value, including:
watt.server.cache.prefetchUser
watt.server.event.routing.runAsUser
watt.server.eventHandlerUser
Use the Extended Settings page in Integration Server Administrator to edit the server configuration parameters
Note:
The above list of server configuration parameters is not exhaustive and may not include parameters added via fixes or by a layered product such as an adapter.
4. Change outbound connection configurations. Any location in Integration Server, including any services, in which a user name is specified to establish an outbound connection. This may include the following:
Remote server alias, which is editable via
Integration Server Administrator.
Web service endpoint alias, which is editable via the
Settings > Web services > endpointAliasName > Edit page in
Integration Server Administrator.
Messaging connection aliases, including:
JMS connection alias, which is editable via the
Messaging > JMS settings > JMS Connection Alias > Edit JMS Connection Alias page of
Integration Server Administrator.
webMethods messaging connection alias, which is editable via the
Messaging > webMethods settings > Universal Messaging Connection Alias > Edit Universal Messaging Connection Alias page of
Integration Server Administrator Outbound HTTP calls such as those using
pub.client:http,
pub.client:soapClient, or web service connectors
5. Change configuration variables templates. A configuration variables template used with a Microservices Runtime image running in a Docker container or an on-premises Microservices Runtime might specify a user name for one of the key-value pairs. Using a text editor, edit the template to change the value of property key that specifies the user name you want to remove from Microservices Runtime. Property keys for a user name typically include the word “user” or “principal”.
Note:
If a Docker image for an Microservices Runtime includes application.properties template, then each Docker container created from the image contains the template too. The template is removed when the Docker container gets destroyed. If the containers do not get recycled periodically, you can attach to the container file system and scrub the user names from the application.properties template.
Note:
The configuration variables template feature is included in Microservices Runtime by default. An Integration Server equipped with an Microservices Runtime license can use the configuration variables feature as well.
6. Delete the user from Integration Server.
7. Repeat steps 2–7 for each Integration Server on which the user name exists. For example, if you use a cluster of Integration Servers, you need to repeat the steps for all servers in the cluster.
Note:
Client certificate mappings are stored in a database which is shared by a cluster. You do not need to repeat step 1 for every Integration Server in the cluster.
8. Recreate any Docker images for the affected Integration Server instances.