Tuesday Dec 15, 2009

If You Have To Change The amadmin Password Out of the Box

Since the amadmin password is stored encoded and hashed, it is hard to change once OpenSSO is installed, because we don't offer an option or utility to encode and hash a new password. Unofficially, there is a way to change a lost or forgotten amadmin password. It is not supported, and this is the only thing written on it, so be sure not to lose or forget your password. But just in case...

BEFORE YOU BEGIN: The password for amadmin and Directory Manager of the configuration data store is the same by default. So before you can make any changes to the configuration data store, you will need to reset the password for the OpenDS Directory Manager. Use the ldappasswordmodify command as illustrated:

$ ldappasswordmodify -h localhost -p 1389 --authzID "dn:cn=Directory Manager" --currentPassword mypassword --newPassword mynewpassword

It should return:

The LDAP password modify operation was successful

Now follow these instructions to reconfigure the configuration data store using the new Directory Manager password when it is requested.

  1. Connect to the Configuration Data Store using an LDAPBROWSER client.
  2. Navigate to --> ou=Services --> ou=iPlanetAMPlatformService --> ou=1.0 --> ou=GlobalConfig --> ou=Default --> ou=com-sun-identity-servers --> ou=http://:/opensso.
  3. Select ou=http://:/opensso. Its attributes and their values are displayed on the right. Note that the value of the sunKeyValue attribute is displayed as serverconfig=am.encryption.pwd=password1234. If another OpenSSO instance has the same am.encryption.pwd value as this one, the two instances share the same encryption key and their encrypted passwords are interchangeable; continue with step 5 to change the password. Otherwise, continue with step 4.
  4. Install an instance of OpenSSO in a test environment using the same value of am.encryption.pwd as the one above.
  5. Connect to the Configuration Data Store on the temporary instance using an LDAPBROWSER client.
  6. Navigate to --> ou=Services --> ou=sunIdentityRepositoryService --> ou=1.0 --> ou=GlobalConfig --> ou=Default --> ou=users --> ou=amAdmin.
  7. Select ou=amAdmin. Its different attributes and associated values are displayed on the right. The value of sunKeyValue is displayed as userPassword=AQICGCVs587Ld67ZkiWlqauzaXQAqvx8g6YECMW/jzK62WNdhnBceHNEwg==.
  8. Navigate to the Configuration Data Store on which you want to change the password and replace the old value with this new one.
  9. Restart the web container.
  10. Log in using the password of the temporary environment whose value was copied.
And now enjoy Wanda Jackson performing The Box That It Came In. She's pretty angry but it has nothing to do with the out-of-the-box password.

Wednesday Apr 01, 2009

OpenSSO Special Users Are No Killing Joke

Yesterday, I installed the ssoadm command line interface and exported the configuration data from the OpenSSO embedded configuration data store. I wanted to do this so I could go through the data and find the OpenSSO special users that were created during a fresh installation of the product. Here are the users I found and some information about each.
  • The OpenSSO administrative user (as we all know) is amadmin (uid=amAdmin,ou=People,dc=opensso,dc=java,dc=net). This top-level administrator has unlimited access to all entries managed by OpenSSO. During installation, you must provide a password for amadmin. To change the password after installation, use the OpenSSO console. The amadmin profile is a Subject under the top-level realm. You cannot change the default amadmin identifier.
  • amldapuser (cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) has read and search access to all embedded data store entries; it is used when the OpenSSO schema extends the embedded data store schema. amldapuser binds to the directory to retrieve data for the LDAP and Membership authentication modules and the Policy Configuration Service. The default password for amldapuser is changeit. You can change the password by modifying the value of the AMLDAPUSERPASSWD property in the OpenSSO-Deploy-base/opensso/WEB-INF/classes/serviceDefaultValues.properties file BEFORE running the OpenSSO configurator. To change the amldapuser password after configuration, use ldapmodify (which is NOT supported). In the latter case, also modify the LDAP Authentication Service and Policy Configuration Service because amldapuser is the default user for these services. Make the changes in each realm in which these services are registered.
  • Proxy user (cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net) is a proxy user that works behind the scenes for the legacy AMSDK. This user is created during installation and cannot be modified or found in the OpenSSO console.
  • UrlAccessAgent (as we all know) is the user that a web agent uses to log in to OpenSSO, but who is amService-UrlAccessAgent (cn=amService-UrlAccessAgent,ou=DSAME Users,dc=opensso,dc=java,dc=net)? Well, both are the same user. When UrlAccessAgent is entered on the server side, the Authentication Service prepends the string amService- to it and then authenticates it as a special user with an entry in the data store. The password for UrlAccessAgent is defined during the OpenSSO configuration.
  • CN=Directory Manager,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for Sun Directory Server with read and write access to all entries in the embedded configuration data store. This user would be used to bind to the embedded configuration data store if the OpenSSO schema is not installed.
  • CN=Administrator,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for Microsoft Active Directory. This is similar to cn=Directory Manager for Sun Directory Server.
  • demo is the user used to demonstrate the federation-related features of OpenSSO. By default, its password is changeit. This user is displayed as a subject of the top-level realm in the OpenSSO console and its default password can be changed.
  • The test user is used to run some of the OpenSSO samples. The samples create the test user, and after you run them, test is displayed as a subject of the top-level realm in the OpenSSO console. The default password for test is test.
  • dsameuser (cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) binds to the embedded configuration data store when the OpenSSO SDK performs operations on it that are not linked to a particular user (for example, retrieving service configuration information).
  • anonymous is the default anonymous user. If the Anonymous authentication module is enabled, an anonymous user can log into OpenSSO without providing a password. You can define a list of anonymous users by adding user identifiers to the anonymous profile using the OpenSSO console.
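Added example (not from this post or from OpenSSO itself): a stdlib-only Python parser for an LDIF export like the one ssoadm produces, which pulls each server entry's am.encryption.pwd (the step-3 comparison in the December post) and lists every entry whose sunKeyValue carries a userPassword= pair, so you can inventory where special-user credentials live before touching them. The LDIF sample, the hostname and the userPassword value are constructed placeholders.

```python
import base64

# Constructed sample resembling an ssoadm configuration export (not real data).
B64_PW = base64.b64encode(b"userPassword=PLACEHOLDER").decode()
SAMPLE_LDIF = f"""\
dn: ou=http://host1.example.com:8080/opensso,ou=com-sun-identity-servers,ou=Default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=Services,dc=opensso,dc=java,dc=net
sunKeyValue: serverconfig=am.encryption.pwd=password1234
sunKeyValue: serverconfig=com.iplanet.am.naming.url=http://host1.example.com:8080/open
 sso/namingservice

dn: ou=amAdmin,ou=users,ou=Default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=Services,dc=opensso,dc=java,dc=net
sunKeyValue:: {B64_PW}
"""


def parse_ldif(text):
    """Parse LDIF into (dn, {attr: [values]}) tuples, unfolding continuation
    lines (leading space) and decoding base64 values ("attr:: b64")."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def audit(entries):
    """Map each server entry to its am.encryption.pwd and list every DN whose
    sunKeyValue carries a userPassword= pair (the value copied in step 8)."""
    enc_pwd, pw_entries = {}, []
    for dn, attrs in entries:
        for kv in attrs.get("sunKeyValue", []):
            if kv.startswith("serverconfig=am.encryption.pwd="):
                enc_pwd[dn] = kv.split("=", 2)[2]
            elif kv.startswith("userPassword="):
                pw_entries.append(dn)
    return enc_pwd, pw_entries
```

Run audit() over exports from two instances and compare the am.encryption.pwd values to decide whether the step-4 test installation is needed.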
Now, here's something for April Fools Day: Killing Joke and their song Change. Change was not on the original 1980 UK release of their debut album (eponymously titled Killing Joke) but it was on the original 1980 US release. I remember specifically buying the US release of this LP at a time when all I was buying were imports. Good times.