
How do I change the amadmin password in AM 5.x?

Last updated Apr 12, 2021

The purpose of this article is to provide assistance with changing the amadmin password in AM. The amadmin user is stored in the configuration data store in AM. This article also covers changing the amadmin password on multiple servers in a site configuration.


Archived

This article has been archived and is no longer maintained by ForgeRock.

AM 7 and later

Since the embedded directory store is no longer supported in production environments, changing the amadmin password is much simpler and can also be done via secret stores. Refer to the documentation for the required processes:

AM 6.x

For AM 6.x, you should follow the documentation to change the amadmin password:

Overview

The amadmin account is stored in the configuration data store in AM, which is separate from the user data store. You can change the password for the amadmin account, but it cannot be disabled, deleted or renamed because it is hard-coded in several source files; it also has separate requirements for password changes if AM is configured to use an embedded DS.

Embedded DS configuration store

If you use the embedded DS configuration store, you must also update the following passwords to match the new amadmin password:

  • The LDAP bind password in AM.
  • The cn=Directory Manager user password in the embedded DS.
  • The global (replication) administrator user password in the embedded DS. By default the global admin is created in the directory server by AM after a second AM server is added to the deployment.

These passwords must all match amadmin to ensure AM continues to function correctly, for example, you can access the configuration data store, log into the console as amadmin and add new servers to the existing deployment.

Embedded DS user store

If you use the embedded DS user store, you must also update the bind passwords to match the new amadmin password. This is necessary because, by default, AM binds to the embedded DS using the credentials of the top level administrator (cn=Directory Manager) contained in the AM configuration store:

  • LDAP bind passwords for the user store in AM. These must be updated in the following locations:
    • Identity Store
    • Services Policy configuration
    • LDAP authentication module

These passwords must all match the amadmin password to ensure continued access to the embedded user store.

Note

By default, the dsameuser has the same password as amadmin and the Directory Manager if you are using an embedded configuration store. It is your choice whether the dsameuser password matches the amadmin password; they do by default, but do not need to. If you want to change the dsameuser password at the same time, refer to How do I change the amadmin and dsameuser passwords at the same time in AM 5.x or OpenAM 13.x? instead.

The process you use to change the amadmin password differs according to your setup:

Caution

Once you have changed the amadmin password, you must also update any ssoadm scripts, password files or third-party applications that rely on the current amadmin password, else these scripts or applications will fail.

One or more AM servers with external DS

The following process applies regardless of whether you have a single server or multiple servers in a site; if you have multiple servers, replication will update the password on the other servers in the site once it is updated on one server.

Note

Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not the load balancer URL).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains valid resource versions.

See How do I avoid common issues with REST calls in AM (All versions)? for further information.

You can change the amadmin password as follows:

  1. Take a backup of your configuration data as described in How do I make a backup of configuration data in AM 5.x or 6.x?
  2. Update the amadmin password using either the console, REST or ssoadm:
    • Console: navigate to: Realms > Top Level Realm / > Subjects > User > amadmin > Password and click Edit. Enter your old password if necessary, your new password twice and then click OK to update your password.
    • REST:
      1. Authenticate as an admin user. Note that the query string contains an ampersand, so the URL must be quoted for the shell. For example:
         $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice"
         Example response:
         { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" }
      2. Change the password for amadmin using the following curl command, replacing newpassword with your actual new password:
         $ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: protocol=1.0,resource=1.2" -H "olduserpassword: cangetinam" -d '{"userpassword":"newpassword"}' http://host1.example.com:8080/openam/json/users/amadmin
    • ssoadm: enter the following command, replacing [adminID], [passwordfile] and [newpassword] with appropriate values:
      $ ./ssoadm set-identity-attrs -t User -e / -i amadmin -u [adminID] -f [passwordfile] -a userpassword=[newpassword]

Note

This ssoadm command is performed against all data stores, meaning AM will send a password change request for the amadmin user to all data stores and therefore may report a failure if the user does not exist in a particular data store.

  3. Restart the web application container in which AM runs.
  4. Update the password file used by ssoadm, and any ssoadm scripts or third-party applications that rely on the current amadmin password.

Single AM server with an embedded DS

The following process can be used to change the amadmin password if you have an embedded configuration store and optionally an embedded user store:

  1. Take a backup of your configuration data as described in How do I make a backup of configuration data in AM 5.x or 6.x?
  2. Export the server configuration using the get-svrcfg-xml command, for example:
     $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o serverconfig.xml
  3. Encode the new amadmin password using encode.jsp or ampassword, for example:
    1. Create a file with the password in clear text:
       $ cat > newpassword.txt
       newPassword
    2. Encode the password:
       $ ./ampassword -e newpassword.txt
       AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
  4. Update the server configuration you exported in step 2 with the new encoded password. You need to change the DirPassword string for User2 (cn=Directory Manager):
     <User name="User2" type="admin">
         <DirDN>
             cn=Directory Manager
         </DirDN>
         <DirPassword>
             AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
         </DirPassword>
     </User>
  5. Create a batch file with the following commands, where the first command updates the amadmin password (you must specify this password in clear text) and the second command imports the updated server configuration (it is essential you keep these commands in this order, else you will encounter an error). For example:
     $ cat > update.batch
     set-identity-attrs -t User -e / -i amadmin -a userpassword=newPassword
     set-svrcfg-xml -s http://host1.example.com:8080/openam -X serverconfig.xml
  6. Run the do-batch command to apply the changes in your batch file, for example:
     $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z update.batch

Note

This ssoadm command is performed against all data stores, meaning AM will send a password change request for the amadmin user to all data stores and therefore may report a failure if the user does not exist in a particular data store.

  7. Encode the new amadmin password using the DS encode tool, for example:
     $ cd /path/to/openam/opends/bin
     $ ./encode-password --storageScheme SSHA512 --clearPassword newPassword
     {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
  8. Stop the web application container in which AM runs.
  9. Update the config.ldif file (located in the /path/to/openam/opends/config directory) with this new encoded password (the server must not be running when you edit this file). You need to change the password for dn: cn=Directory Manager,cn=Root DNs,cn=config, for example:
     dn: cn=Directory Manager,cn=Root DNs,cn=config
     objectClass: top
     objectClass: person
     objectClass: organizationalPerson
     objectClass: inetOrgPerson
     givenName: Directory
     sn: Manager
     ...
     cn: Directory Manager
     userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
  10. Restart the web application container in which AM runs to apply these changes.
  11. Update the global admin password to match the new amadmin password using ldappasswordmodify (this is needed to ensure you can add new AM nodes in the future without password conflicts). For example:
     $ ./ldappasswordmodify --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --useStartTLS --authzID "cn=admin,cn=Administrators,cn=admin data" --newPassword newPassword
  12. Update the password file used by ssoadm, and any ssoadm scripts or third-party applications that rely on the current amadmin password.
  13. Only applicable if you have an embedded user store as well:
    1. Create a batch file with the following commands to update all the required user store bind passwords. You must update each of these passwords in every realm that uses the embedded user store. For example:
       $ cat > userstore.batch
       update-datastore -e / -m embedded -a sun-idrepo-ldapv3-config-authpw=newPassword
       set-realm-attrs -e / -s iPlanetAMPolicyConfigService -a iplanet-am-policy-config-ldap-bind-password=newPassword
       update-auth-instance -e / -m LDAP -a iplanet-am-auth-ldap-bind-passwd=newPassword
    2. Run the do-batch command to apply the changes in your batch file, for example:
       $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z userstore.batch

Multiple AM servers in a site with embedded DS

The following process can be used to change the amadmin password if you have an embedded configuration store and optionally an embedded user store.

  1. Take a backup of your configuration data as described in How do I make a backup of configuration data in AM 5.x or 6.x?
  2. Export the server configuration files for each server using the get-svrcfg-xml command, for example:
     $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o server1config.xml
     $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host2.example.com:8080/openam -o server2config.xml
  3. Encode the new amadmin password using encode.jsp or ampassword, for example:
    1. Create a file with the password in clear text:
       $ cat > newpassword.txt
       newPassword
    2. Encode the password:
       $ ./ampassword -e newpassword.txt
       AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
  4. Update each of the server configurations you exported in step 2 with the new encoded password. You need to change the DirPassword string for User2 (cn=Directory Manager):
     <User name="User2" type="admin">
         <DirDN>
             cn=Directory Manager
         </DirDN>
         <DirPassword>
             AQICproF2sZsPQJlwBaVBFMj/423Ucpa5e8P
         </DirPassword>
     </User>
  5. Create a batch file with the following commands, where the first command updates the amadmin password (you must specify this password in clear text) and the following two commands import the updated server configurations (it is essential you keep these commands in this order, else you will encounter an error). For example:
     $ cat > update.batch
     set-identity-attrs -t User -e / -i amadmin -a userpassword=newPassword
     set-svrcfg-xml -s http://host1.example.com:8080/openam -X server1config.xml
     set-svrcfg-xml -s http://host2.example.com:8080/openam -X server2config.xml
  6. Run the do-batch command to apply the changes in your batch file, for example:
     $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z update.batch

Note

This ssoadm command is performed against all data stores, meaning AM will send a password change request for the amadmin user to all data stores and therefore may report a failure if the user does not exist in a particular data store.

  7. Encode the new amadmin password using the DS encode tool. Ensure that the first server on which you change the Directory Manager password is the same server on which you ran the ssoadm do-batch command in step 6. For example:
     $ cd /path/to/openam/opends/bin
     $ ./encode-password --storageScheme SSHA512 --clearPassword newPassword
     {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
  8. Wait! You must allow enough time at this point for replication to complete.
  9. Stop the web application container in which AM runs.
  10. Update the config.ldif file (located in the /path/to/openam/opends/config directory) with this new encoded password (the server must not be running when you edit this file). You need to change the password for dn: cn=Directory Manager,cn=Root DNs,cn=config, for example:
     dn: cn=Directory Manager,cn=Root DNs,cn=config
     objectClass: top
     objectClass: person
     objectClass: organizationalPerson
     objectClass: inetOrgPerson
     givenName: Directory
     sn: Manager
     ...
     cn: Directory Manager
     userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
  11. Restart the web application container in which AM runs to apply these changes.
  12. At this point, the bootstrap file will have been changed, and you should be able to log in to server 1.
  13. Repeat steps 7 to 11 on all the remaining servers. Ensure you stop each server before performing the steps.
  14. You should now see that the bootstrap files for the remaining servers have also been updated and you can log in with your new password.
  15. Update the global admin password to match the new amadmin password using ldappasswordmodify (this is needed to ensure you can add new AM nodes in the future without password conflicts). You only need to do this on one server, as replication will copy the password change to the other replicas. For example:
     $ ./ldappasswordmodify --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --useStartTLS --authzID "cn=admin,cn=Administrators,cn=admin data" --newPassword newPassword
  16. Update the password file used by ssoadm, and any ssoadm scripts or third-party applications that rely on the current amadmin password.
  17. Only applicable if you have an embedded user store as well:
    1. Create a batch file with the following commands to update all the required user store bind passwords. You must update each of these passwords in every realm that uses the embedded user store. For example:
       $ cat > userstore.batch
       update-datastore -e / -m embedded -a sun-idrepo-ldapv3-config-authpw=newPassword
       set-realm-attrs -e / -s iPlanetAMPolicyConfigService -a iplanet-am-policy-config-ldap-bind-password=newPassword
       update-auth-instance -e / -m LDAP -a iplanet-am-auth-ldap-bind-passwd=newPassword
    2. Run the do-batch command to apply the changes in your batch file, for example:
       $ ./ssoadm do-batch -u amadmin -f pwd.txt -Z userstore.batch
    3. Repeat steps 17.1 and 17.2 on all remaining servers that use the embedded user store.
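
The config.ldif edit in the embedded DS procedures above (both the single-server and the multi-server variant) is a hand edit of a file containing several root DN entries, so it is easy to change the wrong userPassword line or none at all. The following added example, which is not ForgeRock tooling, scopes the replacement to the cn=Directory Manager,cn=Root DNs,cn=config entry, keeps a backup and fails unless exactly one line was replaced; the hash values and file paths in it are constructed placeholders, and it assumes AM and the embedded DS are stopped when it runs.

```shell
#!/bin/sh
# set_dirmgr_password <config.ldif> <{SSHA512}hash>
# Replaces the userPassword of the cn=Directory Manager,cn=Root DNs,cn=config
# entry only (a blank line ends an LDIF entry, so other root DNs are untouched).
# Keeps a .bak copy and fails, restoring the original, unless exactly one
# userPassword line was replaced. Run it only while AM and the embedded DS
# are stopped, as the article requires.
set_dirmgr_password() {
    ldif=$1; newhash=$2
    cp "$ldif" "$ldif.bak" || return 1
    awk -v newhash="$newhash" '
        /^$/ { inentry = 0 }
        /^dn: cn=Directory Manager,cn=Root DNs,cn=config$/ { inentry = 1 }
        inentry && /^userPassword: / { print "userPassword: " newhash; n++; next }
        { print }
        END { exit (n == 1 ? 0 : 1) }
    ' "$ldif.bak" > "$ldif" || { cp "$ldif.bak" "$ldif"; return 1; }
}

# dirmgr_hash <config.ldif>: print the hash currently stored for Directory Manager
dirmgr_hash() {
    awk '/^$/ { inentry = 0 }
         /^dn: cn=Directory Manager,cn=Root DNs,cn=config$/ { inentry = 1 }
         inentry && /^userPassword: / { sub(/^userPassword: /, ""); print }' "$1"
}

# make_sample_ldif <path>: write a constructed config.ldif fragment with two
# root DN entries; the hashes are placeholders, not real encode-password output.
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: top
objectClass: person
cn: Directory Manager
userPassword: {SSHA512}OLDHASHPLACEHOLDER

dn: cn=Another Admin,cn=Root DNs,cn=config
objectClass: top
objectClass: person
cn: Another Admin
userPassword: {SSHA512}OTHERHASHPLACEHOLDER
EOF
}

# Usage: take the hash printed by ./encode-password --storageScheme SSHA512 ...
# make_sample_ldif /tmp/config.ldif && set_dirmgr_password /tmp/config.ldif "{SSHA512}NEW"
```

Run it against a copy of config.ldif first and diff the result against the .bak file before applying it to the real file.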

See Also

How do I change the amadmin and dsameuser passwords at the same time in AM 5.x or OpenAM 13.x?

How do I change the dsameuser password in AM 5.x or 6.x?

How do I change the password for the configuration store in AM (All versions)?

How do I add privileges to identity groups in AM (All versions)?

Administrator and user accounts in AM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14183 (Cannot change amadmin's password through XUI)

OPENAM-6956 (ssoadm import-svc-cfg fails after changing amadmin password)

OPENAM-1228 (Inability to rename/ replace the 'amadmin' account)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.