How To

How do I hash the password for openidm-admin before the first startup of IDM/OpenIDM (All versions)?

Last updated Jul 9, 2018

The purpose of this article is to provide information on securing the openidm-admin password before starting IDM/OpenIDM for the first time by hashing the password value. Normally IDM/OpenIDM hashes the password on first startup of the instance; this information is only required if you want the password hashed prior to this. This article assumes the configuration and are in place even though IDM/OpenIDM is not yet running.

1 reader recommends this article

Hashing the password for openidm-admin

You can set the openidm-admin's password to a secure value before the first startup as follows:

  1. Execute the ./ secureHash command within the root of the IDM/OpenIDM installation:
    $ cd /path/to/idm
    $ ./ secureHash newPassword
  2. Copy the return JSON object that is between the ----- BEGIN HASHED VALUE ---- and ----- END HASHED VALUE ------ lines, for example:
    -----BEGIN HASHED VALUE-----
      "$crypto" : {
        "value" : {
          "algorithm" : "SHA-256",
          "data" : "xMJwQJCIUdhLCPIoQny9vp04coqadSBsC/iin4FsY+KfZJ10OO1C7gmN91tz2aFL"
        "type" : "salted-hash"
    ------END HASHED VALUE------
  3. Run a database query against the openidm-admin object to update the internaluser password, where the JSON object returned above is all on one line with all the spaces removed. For example, your query would look like this if you have a MySQL repository:
    update internaluser set pwd='{"$crypto":{"value":{"algorithm":"SHA-256","data":"xMJwQJCIUdhLCPIoQny9vp04coqadSBsC/iin4FsY+KfZJ10OO1C7gmN91tz2aFL"},"type":"salted-hash"}}'where objectid='openidm-admin';
  4. Start the IDM/OpenIDM instance. You should be able to log in with your new password.

You will not be able to log in with your new password if the JSON object included in the update has any spaces or spans multiple lines. Additionally, you will see a warning when you perform this update with a MySQL repository (but not with a PostgreSQL repository); this warning can be ignored.

See Also

FAQ: Installing and configuring IDM/OpenIDM

Integrator's Guide › Securing & Hardening Servers › Replace Default Security Settings

Integrator's Guide › Command-Line Interface › Using the secureHash Subcommand

Related Training


Related Issue Tracker IDs


Copyright and TrademarksCopyright © 2018 ForgeRock, all rights reserved.