Change the Password of Identity Suite Components

You can change the password of Identity Suite components by following the step-by-step procedures that are mentioned in this document.
Change “config” User Password
To change the config user password, perform the given steps on each Virtual Appliance server:
Note: On AWS, password-based login is disabled for ec2-user. Users must use SSH keys to log in to the system.
  1. SSH to the Virtual Appliance using the config (OVA/Azure) user credentials.
  2. Run the setVappUserPassword command.
  3. Enter a new password for the config user in the window that appears on the screen.
  4. Next, confirm the password and click OK.
  5. Log out and log in to the Virtual Appliance with the new config user password.
Change Database Connection Configurations
From Virtual Appliance 14.3 CP2, you can change the database connection configurations from the web UI without redeploying the solution.
Pre-Virtual Appliance 14.3 CP2 customers have to redeploy the entire solution after changing the database connection configurations.
  • Virtual Appliance allows you to change the database connection configurations but not switch to a different database type.
  • Post database configuration change, it is not mandatory to redeploy the services.
To change the database configurations, follow these steps:
  1. In the Virtual Appliance web UI, click the hamburger (three horizontal lines) menu on the top left corner and click Setup.
  2. Scroll down and click Edit in the External Database section.
  3. Change the database configuration for the deployed services and click Test All Connections.
  4. Once the database connection test succeeds, click Apply.
  5. A message pops up on the screen to notify that the services would restart after the database configuration changes are applied. Click OK to proceed.
  6. After the database configurations are applied successfully, either click Dismiss to stay on the Setup page or click Go to Dashboard to navigate to the Dashboard.
  7. If Identity Portal fails to start in a cluster setup, restart Identity Portal.
  8. Post database connection configuration changes:
    1. Reconfigure JasperReports Server datasource configurations.
      1. In the JasperReports Server UI, navigate to View and click Repository.
      2. In the left-pane, navigate to root, organizations, IAM/IG, IM/IG, datasources.
      3. In the middle-pane, select IMReportDS / IGReportDS and click the edit menu under Repository.
      4. In the Set Data Source Type and Properties screen, ensure that the datasource details are in sync with the newly changed database configurations. Also, ensure that the test connection succeeds.
      5. Save the datasource details.
      6. Now, try running reports from Identity Manager and Identity Governance user interfaces.
    2. In case of Identity Manager, ensure that you reestablish the snapshot database connection. For more information, see Configure a Connection to JasperReports Server.
Change Provisioning Components’ Password
To change the password of the Provisioning components, perform the given steps on each provisioning node:
  1. Log in to the Virtual Appliance with config/ec2-user user credentials.
  2. Switch user config/ec2-user to imps using the following command:
    su - imps
  3. Run echo $ETPKIHOME to validate the location of the Provisioning Server.
  4. If FIPS mode is enabled, navigate to /opt/CA/SharedComponents/EnterpriseCommonServices/registry/hkey_local_machine/software/computerassociates/identity_manager/provisioning_server/ and run cat etrust_tls_enable_fips_mode. You must see the output yes on the screen.
  5. Navigate to /opt/CA/IdentityManager/ProvisioningServer/bin.
  6. Run ./pwdmgr to update the Provisioning Directory password for the im domain. Follow the prompts on the screen and enter values as appropriate.
  7. Run ./pwdmgr to update the Provisioning Server password for the im domain. Follow the prompts on the screen and enter values as appropriate.
  8. Run ./pwdmgr to update the Provisioning Directory password for the eta domain. Follow the prompts on the screen and enter values as appropriate.
  9. Run ./pwdmgr to update the Provisioning Server password for the eta domain. Follow the prompts on the screen and enter values as appropriate.
  10. Type exit to exit the Provisioning Server user.
  11. Stop and start Provisioning Server and Provisioning Directory services.
Change Connector Server (JCS/CCS) Password
To change the password of the Connector Server (Java Connector Server (JCS)/C++ Connector Server (CCS)), perform the given steps on each connector node:
  1. Log in to the Connector Server Management Console with Username=admin and Password=<Old Master Password>.
  2. In the IAM Connector Server home page, click admin on the top right and then click Change Password.
  3. In the Change Password window, enter the new password for the Connector Server and click OK.
  4. Click Yes to confirm the password change.
  5. Click OK.
  6. To verify if the Connector Server password has changed successfully, perform these steps:
    1. Open Connector Xpress.
    2. Right-click Provisioning Servers and click Add Server.
    3. In the Provisioning Server Details window, enter the following details to connect to the Provisioning Server:
      1. Host Name: Enter the name or IP address of the Provisioning Server.
      2. User Domain: im
      3. User Name: etaadmin
    4. In the Provisioning Server Password Required window, enter the password to access the Provisioning Server and click OK.
    5. In the Connector Xpress home page, navigate to Provisioning Servers, im, CS Configs. Right-click the Connector Server and click Edit CS Config.
    6. In the Edit Connector Server Configuration window, enter the new password of the Connector Server and click OK.
  7. To reset the Keystore password on the Connector Server, perform the given steps:
    1. Open a Command Prompt with admin privileges on the Connector Server.
    2. Navigate to <Connector_Server_Installed_Location>\jcs\conf and run the following command:
      ..\..\jvm\bin\keytool -storepasswd -new <new password> -keystore ssl.keystore -storetype JKS
      When prompted, enter the old master password.
    3. Run the following command:
      ..\..\jvm\bin\keytool -keypasswd -alias eta2_server -keystore ssl.keystore
      After you press Enter, the system prompts for the new password.
  8. Update the Connector Server password in the XML files.
    1. Navigate to <Connector_Server_Installed_Location>\jcs\tools\ldaps_password and run the following command:
      ldaps_password.bat <newpassword>
      From the output, copy the encrypted password displayed after {AES}.
    2. Navigate to <Connector_Server_Installed_Location>\jcs\conf\ and open server_osgi_shared.xml for editing. Paste the encrypted password in the following property.
      <property name="keystorePassword">{AES} <Copied encrypted password><value>
    3. Navigate to <Connector_Server_Installed_Location>\etc and open the system.properties file for editing. Paste the encrypted password in the following properties.
      com.ca.jcs.transport.sslcontext.trustStoreEncodedPassword=<Encrypted Password>
      com.ca.jcs.transport.sslcontext.keyStoreEncodedPassword=<Encrypted Password>
  9. Restart the CA Identity Manager - Connector Server (Java) service on the Connector Server.
  10. Copy the following files from the primary Connector Server to remaining nodes in the cluster.
    Note: If the files exist on the other nodes, rename them to .old prior to copying the files.
    • <Connector_Server_Installed_Location>\jcs\conf\ssl.keystore
    • <Connector_Server_Installed_Location>\jcs\conf\override\server_jcs.properties
    • <Connector_Server_Installed_Location>\jcs\conf\override\server_shared.properties
    • <Connector_Server_Installed_Location>\etc\system.properties
    • <Connector_Server_Installed_Location>\jcs\conf\server_osgi_shared.xml
  11. Restart the CA Identity Manager - Connector Server (Java) service on each server.
Change Provisioning Server Administrator Password
To change the Provisioning Server administrator password (etaadmin), perform the given steps on the Provisioning Manager:
  1. Log in to the Provisioning Manager with User name=etaadmin and Password=<Old Master Password>.
  2. In the Provisioning Manager window, navigate to the Users tab.
  3. Enter etaadmin in the Value field and click Search. The etaadmin user is searched for and displayed in the left-pane.
  4. Double-click etaadmin in the left-pane.
  5. In the right-pane, click the Password tab, enter the new administrator password, and click Apply.
  6. Log out and log in to the Provisioning Manager with the new etaadmin password.
Change User Store Passwords
To change the User Store password for the dsaadmin and imadmin users, perform the given steps:
  1. Launch JXplorer.
  2. In the Open LDAP/DSML Connection window, enter the following User Store login details and click OK.
    1. Host: Enter the host name of the Identity Manager where the User Store resides.
    2. Port: Enter port as 19289.
    3. Level: Select SSL + User + Password.
    4. User DN: Enter cn=dsaadmin,ou=im,ou=ca,o=com.
    5. Password: Enter the old master password of the User Store.
  3. In the Server CA Certificate Missing window, select This Session Only.
  4. In the left-pane of the JXplorer home page, expand im and select dsaadmin.
  5. In the right-pane, click the Table Editor tab.
  6. Double-click the (non string data) value of the UserPassword attribute type.
  7. In the User Password Data window that appears, change the password of the dsaadmin user, select the encryption type as SHA and click OK.
  8. Click Submit.
  9. In the left-pane of the JXplorer home page, expand im, people and select imadmin. Next, follow steps 5 to 7 to change the password of the imadmin user. If a single click on Submit does not work, try clicking multiple times.
Change Provisioning Store and User Store Passwords in Directory XML
To change the Provisioning Store and User Store passwords in the Directory XML of the Identity Manager Management Console, perform these steps:
  1. Log in to the Identity Manager Management Console.
    Note: If using cluster, stop Identity Manager on the secondary nodes.
  2. Click Directories.
  3. Click on the Provisioning Store.
  4. Scroll to the bottom of the page and click Export to export the <Provisioning Store>.xml file.
  5. Take a backup of the <Provisioning Store>.xml file.
  6. Open the <Provisioning Store>.xml file and search for the following section.
    FIPS Mode: [screenshot]
    Non-FIPS Mode: [screenshot]
  7. In the Credentials tag line, replace the encrypted credentials with the new encrypted master password. You can use the Password Tool to generate an encrypted password.
  8. Save the file.
  9. In the Management Console, click Directories.
  10. Click on the User Store.
  11. Scroll to the bottom of the page and click Export to export the <User Store>.xml file.
  12. Take a backup of the <User Store>.xml file.
  13. Open the <User Store>.xml file and search for the following section.
    FIPS Mode: [screenshot]
    Non-FIPS Mode: [screenshot]
  14. In the Credentials tag line, replace the encrypted credentials with the new encrypted master password. You can use the Password Tool to generate an encrypted password.
  15. Save the file.
  16. In the Management Console, update the Provisioning Store and User Store by importing the <Provisioning Store>.xml and <User Store>.xml files. While updating, ignore the warnings and click Finish.
  17. When the text box stops scrolling, ensure it says 0 errors, then click Continue.
  18. Click Restart Environments.
    Note: If using cluster, after the Identity Manager startup sequence is complete, start the Identity Manager server on the remaining nodes.
  19. Log in to the Identity Manager User Console and validate the new imadmin password.
Change Identity Manager Connector Password in Identity Portal
To change the Identity Manager environment system password in Identity Portal, perform the following steps:
  1. Log in to the Identity Portal Management Console with User Name=portaladmin and Password=<Old Master Password>.
  2. Click Admin UI.
  3. In the Setup menu, click the CAIM connector.
  4. In the Edit Connector window, click Next until you reach the Webservices tab. In the IM Environment System Manager Password field, enter the new master password.
  5. Click Next until you see the Save button.
  6. Click Save for the changes to take effect.
    1. Restart the CAIM connector and ensure it is up and running.
Change Identity Portal Management Console Admin Credentials
You can reset the portaladmin system user password when you encounter the following cases:
  • The system user forgot its password and is unable to log in to the Admin UI.
  • Identity Manager connector is not accessible and hence the delegated users with the portaladmin profile are unable to log in to the Admin UI.
Follow the given steps to reset the portaladmin system user password on Virtual Appliance deployments:
  1. Log in to the system where you have installed Symantec IGA using the Virtual Appliance solution.
  2. Navigate to /opt/CA/VirtualAppliance/custom/IdentityPortal/jvm-args.conf.
  3. In the jvm-args.conf file, perform the following steps:
    1. Uncomment the following JVM arguments:
      JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom
    2. Add -Dresetportaladmin to the end of the JVM arguments:
      JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dresetportaladmin
    3. Save the file.
  4. Restart Identity Portal.
    restart_ip
  5. The system resets the password to portaladmin. After the system restarts, the system user must log in to the Admin UI with username=portaladmin and password=portaladmin and change the default password.
  6. Next, comment out the JVM arguments in jvm-args.conf; otherwise, the system user password gets reset on every restart of the system.
    #JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dresetportaladmin
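Added example (not part of the vendor procedure or product code): a shell check for step 6 that reports whether -Dresetportaladmin is still on an uncommented line of jvm-args.conf, in which case the portaladmin password returns to its default on every restart. The function names and the shortened JAVA_OPTS values in the constructed sample files are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Classifies -Dresetportaladmin in a
# jvm-args.conf so a leftover reset flag is caught before the next restart.

# reset_flag_state FILE -> prints active | commented | absent | missing
#   active    : an uncommented line carries the flag (password resets on restart)
#   commented : the flag appears only on lines starting with '#'
#   absent    : the flag does not appear in the file
#   missing   : FILE cannot be read
reset_flag_state() {
    local file="$1" line trimmed state="absent"
    if [ ! -r "$file" ]; then
        echo "missing"
        return 0
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip leading whitespace so an indented '#' still counts as a comment.
        trimmed="${line#"${line%%[![:space:]]*}"}"
        case "$trimmed" in
            *-Dresetportaladmin*) ;;   # line mentions the flag, classify it below
            *) continue ;;
        esac
        case "$trimmed" in
            \#*) if [ "$state" = "absent" ]; then state="commented"; fi ;;
            *)   state="active" ;;
        esac
    done < "$file"
    echo "$state"
}

# reset_flag_is_safe FILE -> exit status 0 unless the flag is active.
reset_flag_is_safe() {
    [ "$(reset_flag_state "$1")" != "active" ]
}

# Constructed sample files (shortened JAVA_OPTS) for the three stages
# of the procedure: before step 3, during the reset, and after step 6.
demo_dir="$(mktemp -d)"
opts='-Xms512m -Xmx1512m -Djava.awt.headless=true'
printf '#JAVA_OPTS=%s\n' "$opts" > "$demo_dir/before.conf"
printf 'JAVA_OPTS=%s -Dresetportaladmin\n' "$opts" > "$demo_dir/during.conf"
printf '#JAVA_OPTS=%s -Dresetportaladmin\n' "$opts" > "$demo_dir/after.conf"
for stage in before during after; do
    printf '%-7s %s\n' "$stage" "$(reset_flag_state "$demo_dir/$stage.conf")"
done
```

On the appliance, call reset_flag_is_safe with /opt/CA/VirtualAppliance/custom/IdentityPortal/jvm-args.conf after step 6; a non-zero exit status means the flag is still active.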
Change Identity Manager Management Console Admin Credentials
To change the Identity Manager Management Console Admin credentials, perform the following steps on each Identity Manager server:
  1. Log in to the Identity Manager Management Console.
  2. Click Directories.
  3. Click the User Store.
  4. Scroll to the bottom of the page and click Export to export the <User Store>.xml file.
  5. Open the <User Store>.xml file and search for the following section.
    FIPS Mode: [screenshot]
    Non-FIPS Mode: [screenshot]
  6. Copy the encrypted password including {AES}/{PBES}.
  7. Open database Management Studio and log in to the database server. Navigate to CAIM_Object and expand Tables.
  8. Right-click the IM_AUTH_USER table and execute the following query with the SET [PASSWORD] set to the copied encrypted password including {AES}/{PBES}.
    FIPS Mode:
    USE [CAIM_Object]
    GO
    UPDATE [dbo].[IM_AUTH_USER] SET [PASSWORD] = '{AES}:toquITB67Sz+ebFJKhEYxV1Wd2vRgzTnkPnQWPZOmN8=' WHERE USER_NAME = 'admin'
    GO
    Non-FIPS Mode:
    USE [CAIM_Object]
    GO
    UPDATE [dbo].[IM_AUTH_USER] SET [PASSWORD] = '{PBES}:toquITB67Sz+ebFJKhEYxV1Wd2vRgzTnkPnQWPZOmN8=' WHERE USER_NAME = 'admin'
    GO
Change Bulk Load Client Password
To change the Bulk Load Client password, perform the following steps:
  1. In a Command Prompt, navigate to <BulkLoadClient_Installed_Location>\bin.
    Note: If the file info.txt exists in the bin folder, rename it and create a new empty one with the same name.
  2. Run the following command:
    imbulkloadclient.bat -S -u imadmin -p <new master password> -s https://<Hostname of Identity Manager>/iam/im/TEWS6/<Environment Name> -c info.txt
    Note: The URL represents the environment for which you are updating the password.
  3. Open the info.txt file and copy the password.
  4. Navigate to <BulkLoadClient_Installed_Location>\ and create a backup of the conf folder.
  5. Open the conf folder.
  6. Search for “password=” in each *.properties file. If found, replace the password with the password copied from info.txt.
Change Database Password for Report Server
To change the password of the database used by the Report Server, perform the given steps:
  1. Stop the Tomcat Service.
  2. In the Report Server installer software, navigate to the buildomatic\sample_conf\ folder.
  3. Copy <database>_master.properties to the buildomatic folder.
  4. Rename <database>_master.properties to default_master.properties.
  5. Open default_master.properties and enter a value for the appServerDir and dbPassword attributes.
  6. At the end of the file, add "encrypt=true".
  7. [Non-administrators only]
    1. Copy the .jrsksp, .jrsks files from the user home directory (Example: C:\User\<LoggedIn-User>) to the <Tomcat_Home>/conf folder.
    2. In the Command Prompt, navigate to the buildomatic folder and run the following commands:
      [Windows]
      • set ks=<Tomcat_Home>/conf
      • set ksp=<Tomcat_Home>/conf
      [Linux]
      • export ks=<Tomcat_Home>/conf
      • export ksp=<Tomcat_Home>/conf
  8. In the Command Prompt, navigate to the buildomatic folder and run the js-ant command. This command should run and exit successfully.
    Note: Non-administrators must ensure that they run the js-ant command from the same Command Prompt window that they had opened in step 7.
  9. Open the default_master.properties file and verify the encrypted dbPassword.
  10. Copy the encrypted string.
  11. Navigate to <Tomcat_Home>\webapps\jasperserver-pro\META-INF\ and open context.xml. Replace the plain text password with the encrypted password from the above screen.
  12. Start the Tomcat service with the following run-time argument:
    -Duser.home=<Tomcat_Home>/conf
    Note: If Tomcat is running as a Windows service, add this run-time argument to the registry. If Tomcat runs using a batch file, include this run-time argument in the batch file.