• Sun
    September 11, 2009

Reset Amadmin Password

Guest Author
Changing the amadmin password on an Access Manager 7.1 setup is not straightforward. If you simply change it on the Subject tab of the AM console, you will fail to log in once you log out.
This is because amadmin's password is saved in a separate entry of Directory Server. You need to save the new password into this entry after changing it on the console. The password is not saved as is, however: it must be both encrypted and hashed. Unfortunately, the current CLI tool ampassword does not help.
The team has already noticed this issue, and the fix (a new ampassword option that both encrypts and hashes) will be available in the next patch, 7.1p4. You don't have to wait for the official release, though. Here is the alternative:
1) Save the following Java code in a file, say PasswordHashEncryption.java.
import com.iplanet.services.util.Crypt;
import com.iplanet.services.util.Hash;

class PasswordHashEncryption {
    public static void main(String[] args) {
        if (args.length != 1) {
            System.out.println("Usage: PasswordHashEncryption <password>");
            System.exit(1);
        }
        // Hash the clear-text password first, then encrypt the hash.
        String st = Hash.hash(args[0]);
        st = Crypt.encode(st);
        // Print the value to store in the directory entry.
        System.out.println(st);
    }
}
2) Compile this Java file with am_sdk.jar in the classpath.
3) Run this class to generate the encrypted/hashed new password:
$JAVA_HOME/bin/java -cp .:/etc/opt/sun/identity/config:/opt/sun/identity/lib/am_sdk.jar:/opt/sun/private/share/lib/jss4.jar PasswordHashEncryption <new-password>
Note that you need to set LD_LIBRARY_PATH=/opt/sun/private/lib to have libjss4.so in the library path. The paths of jss4.jar and libjss4.so vary across platforms, as do the paths to am_sdk.jar and the AMConfig.properties file.
Now it is time to delete the old password and add the new one in the entry ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com (assuming the DS root suffix is dc=com). You can run the ldapmodify tool to delete the old value:
ldapmodify -D "cn=directory manager" -w $pass -h $host -p $port << EOF
dn: ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com
changetype: modify
delete: sunkeyvalue
sunkeyvalue: userPassword=AQICNeg4ahYuOLkq55f219SBUvgydjJXnlyb7+BMP1L1cC/sLnAZjZLaEw==
EOF
and then add the new one:
ldapmodify -D "cn=directory manager" -w $pass -h $host -p $port << EOF
dn: ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com
changetype: modify
add: sunkeyvalue
sunkeyvalue: userPassword=AQICNeg4ahYuOLnYDk3c09QDPsBJZzbdXUxPINUAUAtYNNuHKh59AIjTSw==
EOF
The last step is to restart the AM server. You should then be able to log in to AM with the new amadmin password.
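
The delete and add steps above can also be sent as one LDIF modify record, which the directory applies as a single operation, so the entry is never left without a password value. The script below is an added example, not part of the original post; the function names and the base64 sanity check are assumptions, and the sample values are constructed.

```sh
#!/bin/sh
# Added example: build one LDIF "modify" record that swaps the amadmin
# sunkeyvalue (delete old value, add new value) in a single operation.

# Print the DN of the amAdmin entry for a given DS root suffix.
amadmin_dn() {
    printf 'ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,%s' "$1"
}

# Succeed only if $1 is non-empty and uses base64 characters only.
# Assumption: the stored values are base64 text, as in the post's samples.
is_base64() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# build_ldif SUFFIX OLD_VALUE NEW_VALUE
# Writes the LDIF record to stdout; refuses malformed or identical values
# so a pasting mistake cannot remove the only usable password value.
build_ldif() {
    suffix=$1 old=$2 new=$3
    is_base64 "$old" || { echo "old value is not base64" >&2; return 1; }
    is_base64 "$new" || { echo "new value is not base64" >&2; return 1; }
    [ "$old" != "$new" ] || { echo "old and new values are identical" >&2; return 1; }
    printf 'dn: %s\n' "$(amadmin_dn "$suffix")"
    printf 'changetype: modify\n'
    printf 'delete: sunkeyvalue\n'
    printf 'sunkeyvalue: userPassword=%s\n' "$old"
    printf '%s\n' '-'    # a lone "-" separates changes within one record
    printf 'add: sunkeyvalue\n'
    printf 'sunkeyvalue: userPassword=%s\n' "$new"
}

# Constructed sample values, not real password hashes.
build_ldif dc=com QUJDREVG R0hJSktM
```

Pipe the output into the same ldapmodify command used above in place of the here-document.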

Comments ( 2 )
  • Katsumi INOUE Saturday, September 12, 2009

    Thanks. I tried this on Windows and it worked. I don't even have any of the JSS4 stuff installed.

  • 2333wwwwwwww Wednesday, November 17, 2010

    hahahahaha im so yabang haha
