Some customers would like to make the 2 passwords distinct. And some even want the passwords to be changed every 90 days based on their corporate security policies.
Assumption
1. OpenAM Configuration Directory : /home/openam10/var/openam
2. Perform Step 1 to 3 while OpenAM server is shutdown
How to change the password of cn=Directory Manager?
Step 1: Create a class to generate the encoded password for bootstrap file
[openam10@am10 crypt]$ java -cp .:../ssoadmin/lib/opensso-sharedlib.jar:../ssoadmin/lib/amserver.jar AZCrypt password
AQIC5wM2LY4SfczLlj6134qMTx0nkE5XiFMg (old password)
[openam10@am10 crypt]$ java -cp .:../ssoadmin/lib/opensso-sharedlib.jar:../ssoadmin/lib/amserver.jar AZCrypt P@ssw0rd
AQIC5wM2LY4SfcyUmw%2B6K%2FG%2FBYPuMDaX2Tj3 (new password)
[openam10@am10 ~]$ cd /home/openam10/var/openam
[openam10@am10 openam]$ cp bootstrap bootstrap.BAK.20121109
[openam10@am10 openam]$ vi bootstrap
Replace the existing password (AQIC5wM2LY4SfczLlj6134qMTx0nkE5XiFMg) with the new one (AQIC5wM2LY4SfcyUmw%2B6K%2FG%2FBYPuMDaX2Tj3).
Step 2: Change encoded password for OpenDJ Configuration file
[openam10@am10 ~]$ cd /home/openam10/var/openam/opends/bin
[openam10@am10 bin]$ ./encode-password -s SSHA512 -c P@ssw0rd
Encoded Password: "{SSHA512}rPyik4bSqX68JnmpWolSIn/IL6SpKyuThh1yho3fPSFDR6qYS+RcKKgfqZ5zVdVXt4S34nE7syBQSXQQxrO9+DgdeaUV2Uf5"
[openam10@am10 ~]$ cd /home/openam10/var/openam/opends/config
[openam10@am10 config]$ cp config.ldif config.ldif.BAK.20121108
[openam10@am10 config]$ vi config.ldif
Replace userPassword with the one generated by encode-password as shown above.
Step 3: Change encoded password for Directory Server Configuration in OpenAM
[openam10@am10 ~]$ cd /home/openam10/var/openam/opends/bin
[openam10@am10 bin]$ ./start-ds
Navigate to the following dn with a LDAP tool like Apache Studio:
dn: ou=http://am10.sg.azlabs:9080/openam,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=opensso,dc=java,dc=net
Replace DirPassword with the one generated by encode-password as shown above in Step 2.
At this moment, let's do a check-point...
If the above steps are not executed correctly, you'll see the famous OpenAM Configuration Options Page when the OpenAM server is next started.
Otherwise, everything should be good and you'll see the OpenAM Login Page as expected.
Step 4: Change password for Policy Configuration in OpenAM
This last step can be configured when the OpenAM server is up and running with the new password for cn=Directory Manager. Of course, it's definitely possible to change the password via a LDAP tool like Step 3. (But I'm just lazy to do it after hacking for so long. Ha!)
.
.
Did you know that using the Servers and sites -> server -> Directory Configuration page, when you update the password, it will update the bootstrap file as well? The only caveat is that you need to perform this change for every single server in yuor environment.
ReplyDeleteWith OpenAM 10.0.0 OPENAM-1371 (or its root cause really) can break this feature, so watch out.
So, I think the sequence is important here...
Delete* Ignore Step 1
* Ignore Step 3
* Perform Step 4 first (since OpenAM can still talk to OpenDJ, this step will save the new password successfully)
* Update password via Sites > Server > Directory Configuration (at this moment, connection from OpenAM to OpenDJ will still be valid using the old password)
* Shutdown OpenAM. (this will stop OpenDJ as well)
* Perform Step 2
* Startup OpenAM (new password will be used now)