Reset Amadmin Password

Changing the amadmin password on an Access Manager 7.1 setup is not straightforward. If you simply change it on the subject tab of the AM console, you will fail to log in once you log out.

This is because amadmin's password is also saved in a separate entry of Directory Server. You need to save the new password into this entry after changing it on the console. The password is not saved as is; it needs to be both encrypted and hashed. Unfortunately, the current CLI tool ampassword does not help.

The team has already noticed this issue, and the fix, a new ampassword option that does both the encryption and the hashing, will be available in the next patch, 7.1p4. You don't have to wait for the official release, though. Here is the alternative:

1) Save the following Java code in a file, say PasswordHashEncryption.java.

    import com.iplanet.services.util.Crypt;
    import com.iplanet.services.util.Hash;

    class PasswordHashEncryption {
        public static void main(String[] args) {
            // Expect exactly one argument: the new amadmin password in clear text.
            if (args.length != 1) {
                System.out.println("Usage: PasswordHashEncryption <password>");
                System.exit(1);
            }
            // Hash the password first, then encrypt the hash.
            String st = Hash.hash(args[0]);
            st = Crypt.encode(st);
            // Print the value to store as userPassword in sunkeyvalue.
            System.out.println(st);
        }
    }

2) Compile this Java file with am_sdk.jar in the classpath.

3) Run this class with the new password as its only argument to generate the encrypted/hashed new password ('<new-password>' is a placeholder):

    $JAVA_HOME/bin/java -cp .:/etc/opt/sun/identity/config:/opt/sun/identity/lib/am_sdk.jar:/opt/sun/private/share/lib/jss4.jar PasswordHashEncryption '<new-password>'

Note that you need to set LD_LIBRARY_PATH=/opt/sun/private/lib so that libjss4.so is in the library path. The paths to jss4.jar and libjss4.so vary by platform, as do the paths to am_sdk.jar and the AMConfig.properties file.

Now it is time to delete the old password from the entry ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com (assuming the DS root suffix is dc=com) and add the new one. You can run the ldapmodify tool. The delete has to name the value that is currently stored in the entry:

ldapmodify -D "cn=directory manager" -w "$pass" -h "$host" -p "$port" << EOF
dn: ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com
changetype: modify
delete: sunkeyvalue
sunkeyvalue: userPassword=AQICNeg4ahYuOLkq55f219SBUvgydjJXnlyb7+BMP1L1cC/sLnAZjZLaEw==
EOF

Then add the new one, using the string printed in step 3 as the userPassword value:

ldapmodify -D "cn=directory manager" -w "$pass" -h "$host" -p "$port" << EOF
dn: ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com
changetype: modify
add: sunkeyvalue
sunkeyvalue: userPassword=AQICNeg4ahYuOLnYDk3c09QDPsBJZzbdXUxPINUAUAtYNNuHKh59AIjTSw==
EOF

The last step is to restart the AM server. You should then be able to log in to AM with the new amadmin password.
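The delete and the add above can also be sent as one modify operation, which the directory applies as a unit, so the entry is never left without a userPassword value between the two runs. The script below is an added example, not part of the original post or of the Access Manager tools; the names build_amadmin_ldif and is_encoded_value are assumptions, and the old value must be the one currently stored in the entry.

```shell
#!/bin/sh
# Added example: build a single LDIF "modify" that swaps the amadmin
# sunkeyvalue. Function and variable names are assumptions.

# DN of the amadmin entry from the post, without the root suffix.
AMADMIN_RDN='ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services'

# True if $1 is a non-empty, single-line base64 string, which is the
# shape of the value printed by PasswordHashEncryption in step 3.
is_encoded_value() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# build_amadmin_ldif SUFFIX OLD_VALUE NEW_VALUE
# Prints the LDIF on stdout. On bad input it prints nothing on stdout
# and returns 2, so a pipeline into ldapmodify receives no changes.
build_amadmin_ldif() {
    suffix=$1 old=$2 new=$3
    [ -n "$suffix" ] || { echo "missing root suffix" >&2; return 2; }
    is_encoded_value "$old" || { echo "old value is not base64" >&2; return 2; }
    is_encoded_value "$new" || { echo "new value is not base64" >&2; return 2; }
    [ "$old" != "$new" ] || { echo "old and new values are identical" >&2; return 2; }
    # A lone "-" ends each change; both changes belong to the same
    # modify operation and are applied together or not at all.
    cat <<EOF
dn: $AMADMIN_RDN,$suffix
changetype: modify
delete: sunkeyvalue
sunkeyvalue: userPassword=$old
-
add: sunkeyvalue
sunkeyvalue: userPassword=$new
-
EOF
}

# Usage, with the connection options from the post:
#   build_amadmin_ldif dc=com "$OLD" "$NEW" |
#       ldapmodify -D "cn=directory manager" -w "$pass" -h "$host" -p "$port"
```

If the delete names a value that is not in the entry, the whole operation fails and the existing password value stays in place.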

Comments:

Thanks. I tried this on Windows and it worked. I don't even have any of the JSS4 stuff installed.

Posted by Katsumi INOUE on September 12, 2009 at 04:39 AM PDT #

hahahahaha im so yabang haha

Posted by 2333wwwwwwww on November 17, 2010 at 01:10 PM PST #
