Change Amadmin Password
By gc on Jul 23, 2009
Someone might want to change the password of the super user amadmin on Access Manager (AM) 7.0 or 7.1 for various reasons. Be careful. It is tricky. If you try to change it directly on Directory Server (DS) by modifying the userpassword attribute, you would find that you can not login as amadmin any more.
Amadmin is not an ordinary user, but one of the predefined AM special users. Unlike AM 6.x, 7.x stores special users' password in two places, one is the under the user entry (uid=amadmin,ou=people,dc=com, suppose dc=com is the root_suffix) as userpassword attribute, another copy is under ou=amadmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com as sunkeyvalue, like userPassword=_encrypted_and_hashed_password_
Currently there is no option of cli tool ampassword to generate this encrypted and hashed password. I added an option --hashencrypt or -c as the fix of bug 6850818 (will be part of 7.1patch4). Then you can directly change this sunkeyvalue in DS by using ldapmodify or other DS tools.
Though there is a solution if you run into this trouble, I would recommend to change password by only using AM console. It is simple and hassle free. I normally create a new user and grant the power amadmin has to it. In case any unexpected happens, I have a backup.