Let's say you ignore the porting of the embedded OpenDJ to an external one. Let's assume you only want to change the Bind DN and password of the default "cn=Directory Manager" for security reasons.
Ludo has a good article on how to create Multiple Directory Administrators. Of course, you can create a more restrictive proxy administrator for OpenAM.
Now, if you are on OpenAM 10.0.1, then no problem. You simply change the default "cn=Directory Manager" and its corresponding password to one which you have newly created.
A restart of OpenAM will modify the bootstrap file to reflect the new Bind DN. (Of course, I still do not know when OpenAM will auto-magically modify the bootstrap file as and when changes are made via the OpenAM console, and when it will require a restart in order for the bootstrap file to be modified.)
However, if you are on OpenAM 10.0.0, then no luck. Sorry. No matter how you change the Bind DN/Password via the OpenAM console, a restart of OpenAM will flush away the entries and replace them with the original ones. The bootstrap file is also not updated with the new Bind DN/Password pair.
Why? I spent some time trying to figure it out. In the end, I found out that the problem was with the LDAP update when entries are modified on the OpenAM console.
I opened the OpenDJ control panel and observed ou=com-sun-identity-servers, ou=default, ou=GlobalConfig, ou=1.0, ou=iPlanetAMPlatformService, ou=Services, ....
When I was modifying the entries in OpenAM 10.0.1, I did manage to see that the DirDN was changed from "cn=Directory Manager" to "cn=Admin2, dc=cdemo, dc=sg" when I clicked SAVE on the OpenAM console.
The same was not happening when I did the experiment on OpenAM 10.0.0. Do you have a clue? I dun.