How do I change the amadmin and dsameuser passwords at the same time in AM/OpenAM (All versions)?

Last updated Jan 18, 2019

The purpose of this article is to provide assistance with changing the amadmin and dsameuser passwords at the same time in AM/OpenAM. This article also covers changing these passwords on multiple servers in a site configuration.

Overview

The amadmin user and dsameuser are special internal users and need to have their passwords changed in the correct order to avoid issues with logging in and using ssoadm. The individual articles for changing these passwords have more background information (How do I change the amadmin password in AM/OpenAM (All versions)? and How do I change the dsameuser password in AM/OpenAM (All versions)?) but the salient information about these users is: 

  • The amadmin user is stored in the configuration data store in AM/OpenAM rather than the user data store. This means you cannot apply a password policy (such as locking out the user after 3 failed attempts) to the amadmin user. 
  • If you use the embedded DS/OpenDJ configuration store, you must also update the LDAP bind password in AM/OpenAM, the cn=Directory Manager password in the embedded DS/OpenDJ and the global (replication) administrator password in the embedded DS/OpenDJ to match the new amadmin password. This ensures AM/OpenAM continues to function correctly, for example, you can access the configuration data store, log into the console as amadmin and add new servers to the existing deployment.
  • If you use the embedded DS/OpenDJ user store, you must also update the bind passwords to match the new amadmin password. This is necessary because AM/OpenAM by default binds to the embedded DS/OpenDJ using the credentials of the top level administrator (cn=Directory Manager) held in the AM/OpenAM configuration store. You should update the LDAP bind passwords in the Identity Store, the Policy Configuration service and the LDAP authentication module.
  • The dsameuser is present in a global location (the SpecialRepo userstore with the amadmin and anonymous users) and in a local location (the service configuration for each server).
  • The dsameuser password in both these locations must match; otherwise you will encounter a known issue with ssoadm, where subsequent authentications fail: OPENAM-4292 (dsameuser authentication on /authservice differs at startup).
Note

By default, the dsameuser has the same password as amadmin and the Directory Manager if you are using an embedded configuration store. It is your choice whether the dsameuser password matches the amadmin password; they do by default, but do not need to. This article uses the same password to make the process simpler but highlights what you need to do if you want different passwords.

The process you use to change these passwords differs according to your setup:

Caution

Once you have changed the amadmin password, you must also update any ssoadm scripts, password files or third-party applications that rely on the current amadmin password, else these scripts or applications will fail.

Single AM/OpenAM server with external DS/OpenDJ

You can change the amadmin and dsameuser passwords as follows:

  1. Take a backup of your configuration data as described in How do I make a backup of configuration data in AM/OpenAM (All versions)?
  2. Export the server configuration using the get-svrcfg-xml command, for example:
    $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o serverconfig.xml
    
  3. Encode the new password using encode.jsp or ampassword, for example:
    1. Create a file with the password in clear text:
      $ cat > newpassword.txt
      newPassword
      
    2. Encode the password:
      $ ./ampassword -e newpassword.txt
      
      AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
      
  4. Update the server configuration you exported in step 2 with the new encoded password. You need to change the DirPassword string for User 2 (cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org):
            <User name="User2" type="admin">
                <DirDN>
                    cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org
                </DirDN>
                <DirPassword>
                    AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
                </DirPassword>
            </User>
    
  5. Create a batch file with the following commands, where the first two commands update the amadmin and dsameuser passwords (you must specify these passwords in clear text), and the third command imports the updated server configuration (it is essential you keep these commands in this order, else you will encounter an error). For example:
    $ cat > update.batch
    set-identity-attrs -t User -e / -i amadmin -a userpassword=newPassword
    set-identity-attrs -t User -e / -i dsameuser -a userpassword=newPassword
    set-svrcfg-xml -s http://host1.example.com:8080/openam -X serverconfig.xml
  6. Run the do-batch command to apply the changes in your batch file, for example:
    $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z update.batch
    
Note

This ssoadm command is performed against all data stores, meaning AM/OpenAM will send a password change request for the amadmin user to all data stores and therefore may report a failure if the user does not exist in a particular data store.

  7. Restart the web application container in which AM/OpenAM runs to apply these changes.
  8. Update the password file used by ssoadm, and any ssoadm scripts or third-party applications that rely on the current amadmin password.

Different passwords 

If you want to have different passwords for amadmin and dsameuser, you must follow the above steps with the following differences:

  • Encode the dsameuser password in step 3.
  • Specify different passwords in step 5 ensuring the dsameuser password matches the clear text password you encoded in step 3.

Multiple AM/OpenAM servers in a site with external DS/OpenDJ

You can change the amadmin and dsameuser passwords as follows:

  1. Take a backup of your configuration data as described in How do I make a backup of configuration data in AM/OpenAM (All versions)?
  2. Export the server configuration files for each server using the get-svrcfg-xml command, for example:
    $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o server1config.xml
    $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host2.example.com:8080/openam -o server2config.xml
    
  3. Encode the new password using encode.jsp or ampassword, for example:
    1. Create a file with the password in clear text:
      $ cat > newpassword.txt
      newPassword
      
    2. Encode the password:
      $ ./ampassword -e newpassword.txt
      
      AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
      
  4. Update each of the server configurations you exported in step 2 with the new encoded password. You need to change the DirPassword string for User 2 (cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org):
            <User name="User2" type="admin">
                <DirDN>
                    cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org
                </DirDN>
                <DirPassword>
                    AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
                </DirPassword>
            </User>
    
  5. Create a batch file with the following commands, where the first two commands update the amadmin and dsameuser passwords (you must specify these passwords in clear text), and the last two import the updated server configurations (it is essential you keep these commands in this order, else you will encounter an error). For example:
    $ cat > update.batch
    set-identity-attrs -t User -e / -i amadmin -a userpassword=newPassword
    set-identity-attrs -t User -e / -i dsameuser -a userpassword=newPassword
    set-svrcfg-xml -s http://host1.example.com:8080/openam -X server1config.xml
    set-svrcfg-xml -s http://host2.example.com:8080/openam -X server2config.xml
    
  6. Run the do-batch command to apply the changes in your batch file, for example:
    $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z update.batch
    
Note

This ssoadm command is performed against all data stores, meaning AM/OpenAM will send a password change request for the amadmin user to all data stores and therefore may report a failure if the user does not exist in a particular data store.

  7. Restart the web application container in which AM/OpenAM runs to apply these changes.
  8. Update the password file used by ssoadm, and any ssoadm scripts or third-party applications that rely on the current amadmin password.

Different passwords 

If you want to have different passwords for amadmin and dsameuser, you must follow the above steps with the following differences:

  • Encode the dsameuser password in step 3.
  • Specify different passwords in step 5 ensuring the dsameuser password matches the clear text password you encoded in step 3.

Single AM/OpenAM server with an embedded DS/OpenDJ

The following process can be used to change the amadmin and dsameuser passwords if you have an embedded configuration store and optionally an embedded user store:

  1. Take a backup of your configuration data as described in How do I make a backup of configuration data in AM/OpenAM (All versions)?
  2. Export the server configuration using the get-svrcfg-xml command, for example:
    $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o serverconfig.xml
    
  3. Encode the new password using ampassword, for example:
    1. Create a file with the password in clear text:
      $ cat > newpassword.txt
      newPassword
      
    2. Encode the password:
      $ ./ampassword -e newpassword.txt
      
      AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
      
  4. Update the server configuration you exported in step 2 with the new encoded password. You need to change the DirPassword string for both User2 entries (cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org and cn=Directory Manager):
            <User name="User2" type="admin">
                <DirDN>
                    cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org
                </DirDN>
                <DirPassword>
                    AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
                </DirPassword>
            </User>
    ...
           <User name="User2" type="admin">
                <DirDN>
                    cn=Directory Manager
                </DirDN>
                <DirPassword>
                    AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
                </DirPassword>
            </User>
    
  5. Create a batch file with the following commands, where the first two commands update the amadmin and dsameuser passwords (you must specify these passwords in clear text), and the third one imports the updated server configuration (it is essential you keep these commands in this order, else you will encounter an error). For example:
    $ cat > update.batch
    set-identity-attrs -t User -e / -i amadmin -a userpassword=newPassword
    set-identity-attrs -t User -e / -i dsameuser -a userpassword=newPassword
    set-svrcfg-xml -s http://host1.example.com:8080/openam -X serverconfig.xml
    
    The amadmin password must not contain a single, unpaired " (double quote mark), as this causes the command to fail without updating the password. Either do not use quote marks at all or enclose the whole password in quotes, for example, "Passw0rd1".
  6. Run the do-batch command to apply the changes in your batch file, for example:
    $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z update.batch
    
Note

This ssoadm command is performed against all data stores, meaning AM/OpenAM will send a password change request for the amadmin user to all data stores and therefore may report a failure if the user does not exist in a particular data store.

  7. Encode the new amadmin password using the DS/OpenDJ encode tool, for example:
    $ cd $HOME/[am_instance]/opends/bin
    $ ./encode-password --storageScheme SSHA512 --clearPassword newPassword
    
    {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
    
  8. Stop the web application container in which AM/OpenAM runs.
  9. Update the rootUser.ldif file (located in the $HOME/[am_instance]/opends/db/rootUser directory) in AM 6 and later or the config.ldif file (located in the $HOME/[am_instance]/opends/config directory) in pre-AM 6 with this new encoded password (the server must not be running when you edit these files). You need to change the password for dn: cn=Directory Manager (this is shown as dn: cn=Directory Manager,cn=Root DNs,cn=config in pre-AM 6), for example:
    dn: cn=Directory Manager
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Directory
    sn: Manager
    ...
    cn: Directory Manager
    userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
    
  10. Restart the web application container in which AM/OpenAM runs to apply these changes.
  11. Update the global admin password to match the new amadmin password using ldappasswordmodify (this is needed to ensure you can add new AM/OpenAM nodes in the future without password conflicts). For example:
    $ ./ldappasswordmodify --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --useStartTLS --authzID "cn=admin,cn=Administrators,cn=admin data" --newPassword newPassword
  12. Update the password file used by ssoadm, and any ssoadm scripts or third-party applications that rely on the current amadmin password.
  13. Only applicable if you have an embedded user store as well:
    1. Create a batch file with the following commands to update all the required user store bind passwords. You must update each of these passwords in every realm that uses the embedded user store. For example:
      $ cat > userstore.batch
      update-datastore -e / -m embedded -a sun-idrepo-ldapv3-config-authpw=newPassword
      set-realm-attrs -e / -s iPlanetAMPolicyConfigService -a iplanet-am-policy-config-ldap-bind-password=newPassword
      update-auth-instance -e / -m LDAP -a iplanet-am-auth-ldap-bind-passwd=newPassword
      
    2. Run the do-batch command to apply the changes in your batch file, for example:
      $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z userstore.batch

Different passwords 

If you want to have different passwords for amadmin and dsameuser, you must follow the above steps with the following differences:

  • Repeat step 3 for both the amadmin and dsameuser passwords.
  • Use the encoded amadmin password for cn=Directory Manager in step 4 and the encoded dsameuser password for cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org in step 4.
  • Specify different passwords in step 5 ensuring your passwords match the clear text passwords you encoded in step 3.
  • Encode the amadmin password in step 7.

Multiple AM/OpenAM servers in a site with embedded DS/OpenDJ

The following process can be used to change the amadmin and dsameuser passwords if you have an embedded configuration store and optionally an embedded user store:

  1. Take a backup of your configuration data as described in How do I make a backup of configuration data in AM/OpenAM (All versions)?
  2. Export the server configuration files for each server using the get-svrcfg-xml command, for example:
    $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o server1config.xml
    $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host2.example.com:8080/openam -o server2config.xml
    
  3. Encode the new password using ampassword, for example:
    1. Create a file with the password in clear text:
      $ cat > newpassword.txt
      newPassword
      
    2. Encode the password:
      $ ./ampassword -e newpassword.txt
      
      AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
      
  4. Update each of the server configurations you exported in step 2 with the new encoded password. You need to change the DirPassword string for both User2 entries (cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org and cn=Directory Manager):
            <User name="User2" type="admin">
                <DirDN>
                    cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org
                </DirDN>
                <DirPassword>
                    AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
                </DirPassword>
            </User>
    ...
           <User name="User2" type="admin">
                <DirDN>
                    cn=Directory Manager
                </DirDN>
                <DirPassword>
                    AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
                </DirPassword>
            </User>
    
  5. Create a batch file with the following commands, where the first two commands update the amadmin and dsameuser passwords (you must specify these passwords in clear text), and the last two import the updated server configurations (it is essential you keep these commands in this order, else you will encounter an error). For example:
    $ cat > update.batch
    set-identity-attrs -t User -e / -i amadmin -a userpassword=newPassword
    set-identity-attrs -t User -e / -i dsameuser -a userpassword=newPassword
    set-svrcfg-xml -s http://host1.example.com:8080/openam -X server1config.xml
    set-svrcfg-xml -s http://host2.example.com:8080/openam -X server2config.xml
    
    The amadmin password must not contain a single, unpaired " (double quote mark), as this causes the command to fail without updating the password. Either do not use quote marks at all or enclose the whole password in quotes, for example, "Passw0rd1".
  6. Run the do-batch command to apply the changes in your batch file, for example:
    $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z update.batch
    
Note

This ssoadm command is performed against all data stores, meaning AM/OpenAM will send a password change request for the amadmin user to all data stores and therefore may report a failure if the user does not exist in a particular data store.

  7. Encode the new amadmin password using the DS/OpenDJ encode tool. Ensure that the first server on which you change the Directory Manager password is the same server on which you ran the ssoadm do-batch command in step 6, for example:
    $ cd $HOME/[am_instance]/opends/bin
    $ ./encode-password --storageScheme SSHA512 --clearPassword newPassword
    
    {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
    
  8. Wait! You must allow enough time at this point for replication to complete.
  9. Stop the web application container in which AM/OpenAM runs.
  10. Update the rootUser.ldif file (located in the $HOME/[am_instance]/opends/db/rootUser directory) in AM 6 and later or the config.ldif file (located in the $HOME/[am_instance]/opends/config directory) in pre-AM 6 with this new encoded password (the server must not be running when you edit these files). You need to change the password for dn: cn=Directory Manager (this is shown as dn: cn=Directory Manager,cn=Root DNs,cn=config in pre-AM 6), for example:
    dn: cn=Directory Manager
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Directory
    sn: Manager
    ...
    cn: Directory Manager
    userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
    
  11. Restart the web application container in which AM/OpenAM runs to apply these changes.
  12. At this point, the bootstrap file will have been changed, and you should be able to log in to server 1.
  13. Repeat steps 7 to 11 on all the remaining servers. Ensure you stop each server before performing these steps.
  14. You should now see that the bootstrap files for the remaining servers have also been updated and you can log in with your new password.
  15. Update the global admin password to match the new amadmin password using ldappasswordmodify (this is needed to ensure you can add new AM/OpenAM nodes in the future without password conflicts). You only need to do this on one server as replication will copy the password change to the other replicas. For example:
    $ ./ldappasswordmodify --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --useStartTLS --authzID "cn=admin,cn=Administrators,cn=admin data" --newPassword newPassword
  16. Update the password file used by ssoadm, and any ssoadm scripts or third-party applications that rely on the current amadmin password.
  17. Only applicable if you have an embedded user store as well:
    1. Create a batch file with the following commands to update all the required user store bind passwords. You must update each of these passwords in every realm that uses the embedded user store. For example:
      $ cat > userstore.batch
      update-datastore -e / -m embedded -a sun-idrepo-ldapv3-config-authpw=newPassword
      set-realm-attrs -e / -s iPlanetAMPolicyConfigService -a iplanet-am-policy-config-ldap-bind-password=newPassword
      update-auth-instance -e / -m LDAP -a iplanet-am-auth-ldap-bind-passwd=newPassword
      
    2. Run the do-batch command to apply the changes in your batch file, for example:
      $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z userstore.batch
      
    3. Repeat steps 17.a and 17.b on all remaining servers that use the embedded user store.

Different passwords 

If you want to have different passwords for amadmin and dsameuser, you must follow the above steps with the following differences:

  • Repeat step 3 for both the amadmin and dsameuser passwords.
  • Use the encoded amadmin password for cn=Directory Manager in step 4 and the encoded dsameuser password for cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org in step 4.
  • Specify different passwords in step 5 ensuring your passwords match the clear text passwords you encoded in step 3.
  • Encode the amadmin password in step 7.
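The hand-edit of the exported server configuration (step 4) and the batch file whose command order matters (step 5) are the same in all four procedures above. The POSIX shell helpers below are an added example, not code from this article or from ForgeRock: set_dir_password rewrites the DirPassword of the User2 entry whose DirDN you name (call it once for cn=dsameuser with an external store, and once more for cn=Directory Manager with an embedded store, with the same or a different encoded value), write_batch emits the batch file with both set-identity-attrs commands ahead of every set-svrcfg-xml command, and check_batch_order refuses a batch file that has them the other way round. The helpers assume the multi-line export layout shown in step 4 (one value per line between the tags); every DN, URL, file name, root element and encoded value in the sample is a constructed placeholder, and the encoded values must come from ampassword, exactly as in step 3.

```shell
#!/bin/sh
# Added example (not from the ForgeRock article or the AM/OpenAM product).
# Assumes the multi-line serverconfig.xml layout shown in step 4 of the article;
# every DN, URL, file name and encoded value here is a constructed placeholder.

# set_dir_password XML_FILE DIRDN NEW_ENCODED_PASSWORD
# Prints XML_FILE with the <DirPassword> of every <User name="User2"> whose
# <DirDN> equals DIRDN replaced by NEW_ENCODED_PASSWORD. Exits 1 when nothing
# was replaced, so a mistyped DN cannot silently leave the old password behind.
set_dir_password() {
  awk -v want="$2" -v newpw="$3" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /<User name="User2"/ { user2 = 1 }                 # only the User2 entry of each group
    /<\/User>/           { user2 = 0; matched = 0 }
    /<DirDN>/            { in_dn = 1; matched = 0 }
    in_dn { s = $0; gsub(/<\/?DirDN>/, "", s); if (user2 && trim(s) == want) matched = 1 }
    /<\/DirDN>/          { in_dn = 0 }
    /<DirPassword>/      { in_pw = 1 }
    /<\/DirPassword>/    { in_pw = 0; matched = 0 }
    in_pw && matched && $0 !~ /<DirPassword>/ {
      match($0, /^[ \t]*/)                            # keep the original indentation
      print substr($0, 1, RLENGTH) newpw; replaced++; next
    }
    { print }
    END { if (!replaced) { print "no <DirPassword> replaced for " want > "/dev/stderr"; exit 1 } }
  ' "$1"
}

# write_batch OUT_FILE AMADMIN_PW DSAMEUSER_PW SERVER_URL=XML_FILE...
# Writes the ssoadm batch file in the order the article requires: both
# set-identity-attrs commands first, then one set-svrcfg-xml per server.
write_batch() {
  out=$1; admin_pw=$2; dsame_pw=$3; shift 3
  {
    printf 'set-identity-attrs -t User -e / -i amadmin -a userpassword=%s\n' "$admin_pw"
    printf 'set-identity-attrs -t User -e / -i dsameuser -a userpassword=%s\n' "$dsame_pw"
    for pair in "$@"; do
      printf 'set-svrcfg-xml -s %s -X %s\n' "${pair%%=*}" "${pair#*=}"
    done
  } > "$out"
}

# check_batch_order BATCH_FILE
# Returns 0 only if no set-identity-attrs line follows a set-svrcfg-xml line.
check_batch_order() {
  awk '
    /^set-svrcfg-xml/ { seen_cfg = 1 }
    /^set-identity-attrs/ && seen_cfg { bad = 1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Constructed sample in the layout of a get-svrcfg-xml export: just the two
# User2 entries the article points at, inside a placeholder root element.
sample_config() {
  cat <<'EOF'
<Config>
    <!-- constructed sample, not a real export -->
            <User name="User2" type="admin">
                <DirDN>
                    cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org
                </DirDN>
                <DirPassword>
                    OLD-ENCODED-VALUE
                </DirPassword>
            </User>
            <User name="User2" type="admin">
                <DirDN>
                    cn=Directory Manager
                </DirDN>
                <DirPassword>
                    OLD-ENCODED-VALUE
                </DirPassword>
            </User>
</Config>
EOF
}

# Demo on the sample: the embedded-store case with different passwords for
# dsameuser and amadmin (pass the same encoded value twice for the default).
work=$(mktemp -d)
sample_config > "$work/serverconfig.xml"
set_dir_password "$work/serverconfig.xml" \
  "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" "ENC-DSAMEUSER-PLACEHOLDER" > "$work/step1.xml"
set_dir_password "$work/step1.xml" "cn=Directory Manager" "ENC-AMADMIN-PLACEHOLDER" > "$work/serverconfig.new.xml"
write_batch "$work/update.batch" newAdminPassword newDsamePassword \
  "http://host1.example.com:8080/openam=$work/serverconfig.new.xml"
check_batch_order "$work/update.batch" && cat "$work/serverconfig.new.xml" "$work/update.batch"
```

Run it after step 3 with the real ampassword output in place of the placeholder values and the real export in place of the sample; the resulting update.batch is what step 6 passes to ssoadm do-batch -Z. Selecting the entry by DirDN rather than by position is deliberate: an embedded-store export carries two User2 entries, and the ordering check guards the article's requirement that the identity updates run before the configuration import.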

See Also

How do I change the amadmin password in AM/OpenAM (All versions)?

How do I change the dsameuser password in AM/OpenAM (All versions)?

How do I change the password for the configuration store in AM/OpenAM (All versions)?

How do I create an admin user in AM/OpenAM (All versions) with amadmin privileges?

Administrator and user accounts in AM/OpenAM

Administration Guide › Resetting Administrator Passwords 

Reference › ampassword

Related Training

N/A

Related Issue Tracker IDs

OPENAM-10175 (Remove dsameuser password from bootstrap file / keystore)

OPENAM-6956 (ssoadm import-svc-cfg fails after changing amadmin password)

OPENAM-4292 (dsameuser authentication on /authservice differs at startup)

OPENAM-4280 (ampassword -a (admin) doesn't work)

OPENAM-3187 (Updating a special user's password fails if there is an AD data store configured in the root realm)

OPENAM-1228 (Inability to rename/ replace the 'amAdmin' account)

Copyright © 2019 ForgeRock, all rights reserved.