Password Change Procedures

The following procedures explain the different ways in which you can change Privileged Identity Manager passwords.
Use selang to Change a Password
You can use selang to change the password for the following service accounts:
  • +policyfetcher
  • +devcalc
  • ac_entm_pers
You may need to regularly change the password for these accounts to comply with your organization's security and password policies.
When you use selang to change a password, note the following:
  • You must enclose the password in double quotes.
  • You cannot use advanced policy management to propagate password change commands.
You may need to use more than one method to change the password on all components that the service account interacts with.
To use selang to change a password, run the following command:
cu user password("password") grace- nonative
  • user
    Specifies the name of the user whose password you change.
  • password
    Specifies the new password.
If you cut and paste the password into the command, verify that the password does not contain carriage returns or line feeds.
Example: Change the +policyfetcher Password
This command changes the password for the +policyfetcher user. The password is "secret", and must be in clear text and enclosed in double quotes:
AC> cu +policyfetcher password("secret") grace- nonative
(localhost)
Successfully updated USER +policyfetcher
Use sechkey to Change a Message Queue Password
You can use sechkey to change the password for the following service accounts:
  • reportserver
  • +reportagent
You may need to regularly change the password for these accounts to comply with your organization's security and password policies. When you use sechkey to change a password, you must enclose the password in double quotes.
You may need to use more than one method to change the password on all components that the service account interacts with.
To use sechkey to change a Message Queue password, run the following command on the Distribution Server:
{sechkey | acuxchkey} -t [-server] -pwd "password"
  • sechkey
    Specifies to change the password on a Privileged Identity Manager endpoint.
  • acuxchkey
    Specifies to change the password on a UNAB endpoint.
  • -server
    Specifies to change the password on the DMS.
    This parameter is only valid with the sechkey parameter.
  • password
    Specifies the new password.
If you cut and paste the password into the command, verify that the password does not contain carriage returns or line feeds.
Example: Change the Message Queue Password on a UNAB Endpoint
This command propagates the Message Queue password to all UNAB endpoints that communicate with the Distribution Server. The password is "secret", and must be in clear text and enclosed in double quotes:
acuxchkey -t -pwd "secret"
Example: Change the Message Queue Password on the DMS
This command changes the Message Queue password on the DMS. The password is "secret", and must be in clear text and enclosed in double quotes:
sechkey -t -server -pwd "secret"
Set a Message Queue Password
You set the Message Queue password to change the password for the following service accounts:
  • reportserver
  • +reportagent
You may need to regularly change the password for these accounts to comply with your organization's security and password policies. When you set a Message Queue password, you must enclose the password in double quotes.
You may need to use more than one method to change the password on all components that the service account interacts with.
Follow these steps:
  1. Navigate to the following directory, where DistServer is the directory in which you installed the Distribution Server:
    DistServer/MessageQueue/tibco/ems/5.1/bin
  2. (UNIX) Enter the following command:
    tibemsadmin
    The Tibco EMS Administration Tool starts.
  3. (Windows) Enter the following command:
    tibemsadmin.exe
    The Tibco EMS Administration Tool starts.
  4. Connect to the current environment, using one of the following commands:
    • If the Distribution Server listens for the Report Agent on port 7222 (the default port), use the following command:
      connect
    • If the Distribution Server listens for the Report Agent in SSL mode on port 7243, use the following command:
      connect SSL://7243
  5. Enter your username and password.
    The default username is admin and the password is the communication password that you specify when you installed the Enterprise Management Server.
    You are connected to the Message Queue.
  6. Run the following command:
    set password user "password"
    • user
      Specifies the name of the user whose password you change.
    • "password"
      Specifies the new password.
    The password for the user is changed on the Message Queue.
If you cut and paste the password into the command, verify that the password does not contain carriage returns or line feeds.
Example: Set the Message Queue Password for the reportserver User
This Tibco EMS Administration Tool command sets the Message Queue password for the reportserver user. The password is "secret", and must be in clear text and enclosed in double quotes:
> connect SSL://7243
Login name (admin): admin
Password:
Connected to: ssl://localhost:7243
ssl://localhost:7243> set password reportserver "secret"
Password of user 'reportserver' has been modified
ssl://localhost:7243>
Encrypt a Clear Text Password
You encrypt clear text passwords for the following service accounts:
  • RDBMS_service_user
  • reportserver
You encrypt the passwords because they are stored in clear text XML files in the JBoss directory. You use the pwdtools utility to encrypt clear text passwords.
When you use pwdtools to encrypt a clear text password, you must enclose the password in double quotes.
Follow these steps:
  1. Open a command prompt window.
  2. Navigate to the following directory, where ACServerInstallDir is the directory in which you installed the Enterprise Management Server:
    ACServerInstallDir/IAM Suite/Access Control/tools/PasswordTool
  3. Run the following command:
    pwdtools -FIPS -p "password" -k [FIPS Key File Path]
    • password
      Specifies the clear text password.
    • FIPS Key File Path
      Specifies the full path (including name) of the FIPSkey.dat file.
    pwdtools encrypts the password.
Example: Encrypt a Clear Text Password
This command prints the encrypted password to the screen. The clear text password is "secret" and must be enclosed in double quotes:
C:\Program Files\CA\AccessControlServer\IAM Suite\Access Control\tools\PasswordTool>
pwdtools.bat -FIPS -p "secret" -key "C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FIPSkey.dat"
Change the Password in the properties-service.xml File
You change the password in the properties-service.xml file to change the password for the reportserver account. You may need to regularly change the password for this account to comply with your organization's security and password policies.
You may need to use more than one method to change the password on all components that the service account interacts with.
Follow these steps:
  1. Stop JBoss Application Server.
  2. Navigate to the following directory, where JBoss_home is the directory in which you installed JBoss:
    JBoss_home/server/default/deploy
  3. Open the properties-service.xml file in a text-based editor.
  4. Change the password in the SamMDB.mdb-passwd parameter.
  5. Save and close the file.
Example: Change the Password in the properties-service.xml File
This snippet of the properties-service.xml file shows you the changed reportserver password. The password has been encrypted and is }>8:Jt^+%INK&i^v:
    <attribute name="Properties">
      SamMDB.mdb-user=reportserver
      <!-- encoded tibco password -->
      SamMDB.mdb-passwd={AES}:}>8:Jt^+%INK&i^v==
    </attribute>
Change the Password in the login-config.xml File
You change the password in the login-config.xml file when you change the password for the following service accounts:
  • RDBMS_service_user
  • reportserver
You may need to regularly change the password for these accounts to comply with your organization's security and password policies.
You may need to use more than one method to change the password on all components that the service account interacts with. If the password is a clear text password, use the pwdtools utility to encrypt it before you change the password in the login-config.xml file.
Follow these steps:
  1. Stop the JBoss Application Server.
  2. Navigate to the following directory, where JBoss_home is the directory in which you installed JBoss:
    JBoss_home/server/default/conf
  3. Open the login-config.xml file in a text-based editor.
  4. Change the RDBMS_service_user password:
    1. Locate each instance of the name of the RDBMS_service_user account in the file.
      There are six instances in the file. You name this account when you create a user to prepare the database for the Enterprise Management Server.
    2. Change the password in the parameter that is immediately after each instance of the name.
      The parameter is enclosed by the <module-option name="password"> and </module-option> tags.
    The RDBMS_service_user password is changed.
  5. Change the reportserver password:
    1. Locate the following parameter in the file:
      <module-option name="userName">reportserver</module-option>
    2. Change the password in the parameter that is immediately after this parameter.
      The parameter is enclosed by the <module-option name="password"> and </module-option> tags.
    The reportserver password is changed.
  6. Save and close the file.
Example: Change the RDBMS_service_user Password in the login-config.xml File
This snippet of the login-config.xml file shows you one instance of the changed RDBMS_service_user password. The user is named caidb01. The password has been encrypted and is }>8:Jt^+%INK&i^v:
<application-policy name="imobjectstoredb">
    <authentication>
        <login-module code="com.netegrity.jboss.datasource.PasswordEncryptedLogin" flag="required">
            <module-option name="userName">caidb01</module-option>
            <module-option name="password">{AES}:}>8:Jt^+%INK&i^v==</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/objectstore,service=NoTxCM</module-option>
        </login-module>
    </authentication>
</application-policy>
Example: Change the reportserver Password in the login-config.xml File
This snippet of the login-config.xml file shows you the changed reportserver password. The password has been encrypted and is }>8:Jt^+%INK&i^v:
<application-policy name="JmsXATibcoRealm">
    <authentication>
        <login-module code="com.netegrity.jboss.datasource.PasswordEncryptedLogin" flag="required">
            <module-option name="userName">reportserver</module-option>
            <module-option name="password">{AES}:}>8:Jt^+%INK&i^v==</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=TibcoJmsXA</module-option>
        </login-module>
    </authentication>
</application-policy>
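Because the RDBMS_service_user password appears in several login-module blocks and the reportserver password must also match properties-service.xml, a post-edit check catches a missed instance or a value left in clear text. The following script is an added example, not part of the product or this page: the XML it parses is constructed, the `<policy>` root element, the policy name sampledb2 and the `policy()` builder helper are assumptions, and the only layout it relies on is the module-option and SamMDB.mdb-* structure shown in the snippets above.

```python
"""Audit that a service-account password change is consistent and encrypted
across login-config.xml and properties-service.xml (constructed samples)."""
import re
import xml.etree.ElementTree as ET


def policy(name, user, pwd):
    """Build one constructed application-policy block in the page's layout."""
    return (f'<application-policy name="{name}"><authentication><login-module '
            'code="com.netegrity.jboss.datasource.PasswordEncryptedLogin" flag="required">'
            f'<module-option name="userName">{user}</module-option>'
            f'<module-option name="password">{pwd}</module-option>'
            '</login-module></authentication></application-policy>')


# Constructed login-config.xml: the second caidb01 block still holds the old value.
LOGIN_CONFIG = ("<policy>" + policy("imobjectstoredb", "caidb01", "{AES}:NEWVALUE==")
                + policy("sampledb2", "caidb01", "{AES}:OLDVALUE==")
                + policy("JmsXATibcoRealm", "reportserver", "{AES}:NEWVALUE==") + "</policy>")

# Constructed properties-service.xml fragment (only the Properties attribute matters).
PROPERTIES_SERVICE = """<attribute name="Properties">
  SamMDB.mdb-user=reportserver
  <!-- encoded tibco password -->
  SamMDB.mdb-passwd={AES}:NEWVALUE==
</attribute>"""


def login_config_passwords(xml_text, user):
    """Map application-policy name -> password for every login-module whose userName is `user`."""
    found = {}
    for pol in ET.fromstring(xml_text).iter("application-policy"):
        for lm in pol.iter("login-module"):
            opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
            if opts.get("userName") == user:
                found[pol.get("name")] = opts.get("password", "")
    return found


def mq_password(properties_xml, user):
    """Return SamMDB.mdb-passwd when SamMDB.mdb-user is `user`, else None."""
    props = dict(re.findall(r"^\s*(SamMDB\.mdb-\w+)=(\S+)", properties_xml, re.M))
    return props.get("SamMDB.mdb-passwd") if props.get("SamMDB.mdb-user") == user else None


def audit(login_xml, properties_xml, rdbms_user):
    """Return findings; an empty list means every instance is encrypted and agrees."""
    findings = []
    for user in (rdbms_user, "reportserver"):
        values = login_config_passwords(login_xml, user)
        clear = [p for p, pwd in values.items() if not pwd.startswith("{AES}:")]
        if clear:
            findings.append(f"{user}: clear text password in {clear}; run pwdtools first")
        if len(set(values.values())) != 1:
            findings.append(f"{user}: expected one password across {sorted(values)}")
    if mq_password(properties_xml, "reportserver") not in login_config_passwords(login_xml, "reportserver").values():
        findings.append("reportserver: properties-service.xml and login-config.xml disagree")
    return findings
```

Run `audit()` against the real files after step 6 and before restarting JBoss; with the constructed sample it reports the stale caidb01 instance in sampledb2.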
Change the User Directory Password in the CA IdentityMinder Management Console
You change the user directory password in the CA IdentityMinder Management Console when you change the ADS_LDAP_bind_user password. You may need to regularly change the password for this account to comply with your organization's security and password policies.
You may need to use more than one method to change the password on all components that the service account interacts with.
Follow these steps:
  1. Open the CA IdentityMinder Management Console.
  2. Click Directories.
    The Directories page appears.
  3. Click ac-dir.
    The Directory Properties page appears.
  4. Click Export.
    The ac-dir.xml file is exported.
  5. Open the exported file in a text-based editor.
  6. Find the following parameter:
    <Credentials user=
  7. Enter the encrypted password in the following field, which is after the <credentials> parameter:
    {PBES}=
  8. Save and close the file.
  9. In the CA IdentityMinder Management Console, from the Directory Properties page, click Update.
    The Update Directory window appears.
  10. Type the path and file name of the XML file that you edited, or browse for the file, then click Finish.
    Status information is displayed in the Directory Configuration Output field.
  11. Click Continue, and restart the environment.
    You have changed the user directory password in the CA IdentityMinder Management Console.
Example: Change the User Directory Password
This snippet of the exported ac-dir.xml file shows you the changed user directory password. The user is named Administrator. The password has been encrypted and is }>8:Jt^+%INK&i^v:
<Credentials user="CN=Administrator,cn=Users,DC=unixauthdemo,DC=co,DC=il">
{PBES}:}>8:Jt^+%INK&i^v==</Credentials>