How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I change the password for the configuration store in AM (All versions)?

Last updated May 10, 2022

The purpose of this article is to provide information on changing the password for the configuration store in AM. This article also covers changing the configuration store password in a high availability (HA) environment where you have multiple servers in a site.


Overview

The password for the configuration store is held in the configstorepwd alias in the keystore. Each time you update the configuration store password, AM also modifies the content of the configstorepwd alias in the keystore.jceks keystore file. See Configuring Secrets, Certificates, and Keys for further information. 

If you use embedded DS, your configuration store password and amAdmin password should match. See To Change the amadmin User's Password: Embedded Configuration Store for further information.

Warning

You must ensure the directory bind password specified in AM exactly matches the directory superuser password specified on the directory servers. If the passwords do not match, AM will not be able to restart. It is recommended that you check your connection to the configuration store before restarting AM as follows:

$ ./ssoadm get-svrcfg-xml -u [adminID] -f [passwordfile] -s [serverName] -o [XMLfile]

If this command fails, check you have entered your passwords correctly and try again.

Changing the configuration store password

You can change the configuration store password using either the console or ssoadm:

Console

  1. Take a backup of your configuration data as described in Backing Up Configurations (AM 7 and later) or How do I make a backup of configuration data in AM 5.x or 6.x?
  2. Update the password for the directory superuser (uid=admin or cn=Directory Manager) on all directory servers. This configuration is server-specific and must be changed on all directory servers. If you use DS, refer to Forgotten Superuser Password for further information. If you use the embedded DS, you must restart the web application container in which AM runs to restart the DS server.
  3. Update the configuration store (directory bind) password on all AM servers to match your new password by navigating to: Deployment > Servers > [Server Name] > Directory Configuration > Bind Password and entering your new password. This configuration is server-specific and must be changed on all servers in your site.
  4. Check you can still connect to the configuration store as indicated in the warning above. There is not a console-based way of checking.
  5. Restart the web application container in which AM runs.

ssoadm

  1. Take a backup of your configuration data as described in Backing Up Configurations (AM 7 and later) or How do I make a backup of configuration data in AM 5.x or 6.x?
  2. Export the current server configuration details to an XML file using the following command:

     $ ./ssoadm get-svrcfg-xml -u [adminID] -f [passwordfile] -s [serverName] -o [XMLfile]

     replacing [adminID], [passwordfile], [serverName] and [XMLfile] with appropriate values.
  3. Encrypt your new configuration store password using ampassword:

     $ ./ampassword -e [passwordfile]

     replacing [passwordfile] with an appropriate value.
  4. Edit the XML file you exported in step 2 to replace the <DirPassword> value in the sms section with the encrypted password you generated in step 3:

     <ServerGroup name="sms" minConnPool="1" maxConnPool="10">
         <Server name="Server1" host="host1.example.com" port="8080" type="SIMPLE" />
         <User name="User2" type="admin">
             <DirDN>uid=admin</DirDN>
             <DirPassword>AQICUsKIqPqiF0SPBdLZ99beokClGjSB0vuR</DirPassword>
         </User>
         <BaseDN>dc=example,dc=com</BaseDN>
     </ServerGroup>
  5. Import the updated server configuration XML file to AM using the following command:

     $ ./ssoadm set-svrcfg-xml -u [adminID] -f [passwordfile] -s [serverName] -X [XMLfile]

     replacing [adminID], [passwordfile], [serverName] and [XMLfile] with appropriate values.
  6. Repeat steps 2 to 5 on all AM servers if you have multiple servers in a site; this configuration is server-specific and must be changed on all servers in your site.
  7. Update the password for the directory superuser (uid=admin or cn=Directory Manager) on all directory servers to match your new password. This configuration is server-specific and must be changed on all directory servers. If you use DS, refer to Forgotten Superuser Password for further information. If you use the embedded DS, you must restart the web application container in which AM runs to restart the DS server.
  8. Check you can still connect to the configuration store as indicated in the warning above.
  9. Restart the web application container in which AM runs to update the configuration.

Example using ssoadm

The following example changes the configuration store password from cangetinam to newPassw0rd on a single server using ssoadm:

  1. Export the current server configuration details to an XML file:
    • AM 7 and later: $ ./ssoadm get-svrcfg-xml -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -s http://host1.example.com:8080/openam -o serverConfig.xml
    • Pre-AM 7: $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o serverConfig.xml
  2. Create a text file containing your new password: $ echo newPassw0rd > password.txt
  3. Encrypt your new configuration store password using ampassword:

     $ ./ampassword -e password.txt

     Output:

     AQIC61K+PS/+xIv3c4Y4Wxwb66cCcCYeKa/9
  4. Edit the serverConfig.xml file you exported in step 1 to replace the <DirPassword> value in the sms section with the encrypted password you generated in step 3:

     <ServerGroup name="sms" minConnPool="1" maxConnPool="10">
         <Server name="Server1" host="host1.example.com" port="8080" type="SIMPLE" />
         <User name="User2" type="admin">
             <DirDN>uid=admin</DirDN>
             <DirPassword>AQIC61K+PS/+xIv3c4Y4Wxwb66cCcCYeKa/9</DirPassword>
         </User>
         <BaseDN>dc=example,dc=com</BaseDN>
     </ServerGroup>
  5. Import the updated serverConfig.xml file to AM:
    • AM 7 and later: $ ./ssoadm set-svrcfg-xml -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -s http://host1.example.com:8080/openam -X serverConfig.xml
    • Pre-AM 7: $ ./ssoadm set-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -X serverConfig.xml
  6. Update the password for the directory superuser (uid=admin or cn=Directory Manager) on all directory servers to newPassw0rd.
  7. Check you can still connect to the configuration store as indicated in the warning above:
    • AM 7 and later: $ ./ssoadm get-svrcfg-xml -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -s http://host1.example.com:8080/openam -o newServerConfig.xml
    • Pre-AM 7: $ ./ssoadm get-svrcfg-xml -u amadmin -f pwd.txt -s http://host1.example.com:8080/openam -o newServerConfig.xml
  8. Restart the web application container in which AM runs.
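The edit step above (step 4 of the ssoadm procedure and step 4 of the example) is the one most easily done wrong by hand on a multi-server site: the exported XML contains several ServerGroup elements, each with its own DirPassword, and only the one inside the group named "sms" should receive the new encrypted value. The following script is an added example, not ForgeRock's own tooling, and it assumes the exported file has the layout shown in the article (a <ServerGroup name="sms"> element containing a single <DirPassword> element). The sample XML embedded in it is constructed for illustration; the encrypted value it writes is the one shown in the example above. It replaces only the sms group's DirPassword, leaves every other group untouched, and refuses to write the file if it does not find exactly one DirPassword in the sms group, so a layout it does not understand fails loudly instead of silently producing a config that will not let AM restart.

```shell
#!/bin/sh
# Added example (not ForgeRock code): swap the <DirPassword> of the "sms"
# ServerGroup in an exported ssoadm server-config XML file. Assumes the
# layout shown in the article. Encrypted values from ampassword are
# base64-like (A-Z, a-z, 0-9, +, /, =) and contain no '&' or '\', so they
# are safe to pass into awk's sub() replacement string below.

# Constructed sample of the relevant part of an exported serverConfig.xml:
# a second group ("default") with its own DirPassword that must NOT change.
SAMPLE_CONFIG='<ServerConfig>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <User name="User1" type="proxy">
      <DirDN>cn=proxyuser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword>AQICCONSTRUCTEDPROXYVALUE</DirPassword>
    </User>
  </ServerGroup>
  <ServerGroup name="sms" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="host1.example.com" port="8080" type="SIMPLE" />
    <User name="User2" type="admin">
      <DirDN>uid=admin</DirDN>
      <DirPassword>AQICUsKIqPqiF0SPBdLZ99beokClGjSB0vuR</DirPassword>
    </User>
    <BaseDN>dc=example,dc=com</BaseDN>
  </ServerGroup>
</ServerConfig>'

# get_sms_dirpassword FILE
# Prints the DirPassword currently set inside the sms ServerGroup.
get_sms_dirpassword() {
  awk '
    /<ServerGroup name="sms"/ { insms = 1 }
    insms && /<DirPassword>/ {
      sub(/.*<DirPassword>/, ""); sub(/<\/DirPassword>.*/, ""); print
    }
    /<\/ServerGroup>/ { insms = 0 }
  ' "$1"
}

# set_sms_dirpassword FILE ENCRYPTED
# Rewrites the DirPassword inside the sms ServerGroup only. Returns 1 and
# leaves FILE untouched unless exactly one such element was found.
set_sms_dirpassword() {
  file=$1
  new=$2
  if awk -v pw="$new" '
      /<ServerGroup name="sms"/ { insms = 1 }
      insms && /<DirPassword>/ {
        sub(/<DirPassword>[^<]*<\/DirPassword>/, "<DirPassword>" pw "</DirPassword>")
        changed++
      }
      /<\/ServerGroup>/ { insms = 0 }
      { print }
      END { if (changed != 1) exit 2 }
    ' "$file" > "$file.tmp"; then
    mv "$file.tmp" "$file"
  else
    rm -f "$file.tmp"
    echo "expected exactly one <DirPassword> in the sms ServerGroup of $file" >&2
    return 1
  fi
}

# Stand-alone demo: write the constructed sample to a temp file and
# replace the sms password with the encrypted value from the article.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_file"
echo "before: $(get_sms_dirpassword "$demo_file")"
set_sms_dirpassword "$demo_file" "AQIC61K+PS/+xIv3c4Y4Wxwb66cCcCYeKa/9"
echo "after:  $(get_sms_dirpassword "$demo_file")"
rm -f "$demo_file"
```

Usage against a real export would be set_sms_dirpassword serverConfig.xml "$(./ampassword -e password.txt)" followed by the set-svrcfg-xml import shown in step 5; the get_sms_dirpassword function is there so you can confirm what was written before importing it.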

See Also

How does AM (All versions) establish the LDAP connection to the configuration store on startup?

How do I add a second configuration store or edit an existing configuration store in AM (All versions)?

Preparing Configuration Stores

Directory Configuration Properties

Managing Key Aliases and Passwords

Related Training

N/A

Related Issue Tracker IDs

OPENAM-18510 (AM should validate the directory bind password entered to prevent mismatches)

OPENAM-14385 (Add Test Connection button to LDAP configuration pages)


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.