Symantec Access Management


Update Identity Manager JBOSS/Wildfly Database Ids/Passwords via Jboss-cli.sh

  • 1.  Update Identity Manager JBOSS/Wildfly Database Ids/Passwords via Jboss-cli.sh

    Posted Jun 15, 2018 03:24 PM

    Team,

     

    Using the jboss-cli.sh with the --gui switch allows for easy creation of the CLI processes, if you already have a pre-existing file with values you wish to update.

     

     

    There are six (6) databases for CA Identity Manager, and the security context has been moved from the data-source section to a "security" section.

    - To update these values, it is possible to vi this file, but if we wish to leverage dev-ops processes, any method that allows an API or CLI process is preferred.

     -  Why is this method preferred over manual entry?

         - Avoid fat finger mistakes

         - Ensure a repeatable process that can be tied to dev-ops scripts/tools.

         - Inherent validation of entry and approved values for attributes.

         - Able to rapidly share knowledge and test over web-ex sessions with larger team members.

     

     

     

     

    Example of using the jboss-cli.sh with --gui to "discover" and have this tool build the CLI script.

     

     

    Step 1:   Start this GUI tool

    Step 2:   Use the bottom search box to "find" a keyword for the item you wish to update.

    Step 3:   Select the object, and right click to WRITE to this object.

    Step 4:   View the top part of the GUI tool, and you will see the CLI line created with the EXISTING values 

    Step 5:   Copy this CLI line from the GUI tool, to notepad++ or a new file on Linux host.

    Step 6:   Test your new CLI script.

    Step 7:   Make a duplicate of your CLI script, and change the keyword "write" to "read" and remove any extra "value" from this line.     You now have a proper query of the current state.     If the state of the object says "reload-required", then submit a "reload" command or restart the J2EE services.

    Step 8:  Submit reload   

     

     

     

    Scripts created by the jboss-cli.sh GUI tool:

     

     

    /subsystem=security/security-domain=iam_im-imobjectstoredb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/objectstore,service=NoTxCM"})


    /subsystem=security/security-domain=iam_im-imtaskpersistencedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/archive,service=NoTxCM"})


    /subsystem=security/security-domain=iam_im-imworkflowdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=jdbc/WPDS,service=LocalTxCM"})


    /subsystem=security/security-domain=iam_im-imarchivedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/archive,service=NoTxCM"})

     

    /subsystem=security/security-domain=iam_im-imauditdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/auditDbDataSource,service=LocalTxCM"})

     

    /subsystem=security/security-domain=iam_im-imreportsnapshotdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/reportsnapshot,service=NoTxCM"})

     

     

    To read current values, replace "write" with "read" in these scripts:

     


    /subsystem=security/security-domain=iam_im-imarchivedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)

     

    /subsystem=security/security-domain=iam_im-imauditdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)

     

    /subsystem=security/security-domain=iam_im-imreportsnapshotdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)

     

    /subsystem=security/security-domain=iam_im-imobjectstoredb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)

     

    /subsystem=security/security-domain=iam_im-imtaskpersistencedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)

     

    /subsystem=security/security-domain=iam_im-imworkflowdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)

     

     

     

     

    To update the password, use the IM PasswordTool, under IAM_SUITE/tools sub-folder

       - Ensure you change folders to this folder, to ensure encryption libraries are located. 

                 - /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool

                 - Avoid this error:  "Error: Could not find or load main class com.netegrity.rtl.jce.JSafeTools"

       -  Execute with the -JSAFE option to get the PBES (password-based-encryption-standard) format.

     

     

    Copy this NEW encrypted format with the leading {PBES} and the trailing double equal signs ==

        -  After updating, execute a "reload" command if the attribute has a "process-state"  => "reload-required"

        -  Wait 1-2 minutes, for the reload to complete, then execute the query string to see if the value is loaded fine.

     

     

    Monitor the server.log for any other info/warn/error/debug messages.

     

     

    Cheers,

     

    A.
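
The following is an added example, not part of the original post or of the product's tooling: it takes a GUI-generated write script on stdin, swaps in a new PasswordTool value while leaving userName and managedConnectionFactoryName untouched, and derives the read-back script described in Step 7. The function names and the sample password values are constructed placeholders; the `{PBES}:` format check is an assumption based on the sample lines above.

```shell
#!/bin/sh
# Added example: edit a GUI-generated jboss-cli script without retyping it.
# Both filters read the script on stdin and write the result to stdout.
set -eu

# Constructed sample: two write lines in the post's format. The password
# values are placeholders, not real PasswordTool output.
sample_write_script() {
cat <<'EOF'
/subsystem=security/security-domain=iam_im-imauditdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:T0xEX1BMQUNFSE9MREVSIQ==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/auditDbDataSource,service=LocalTxCM"})
/subsystem=security/security-domain=iam_im-imworkflowdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:T0xEX1BMQUNFSE9MREVSIQ==","managedConnectionFactoryName" => "jboss.jca:name=jdbc/WPDS,service=LocalTxCM"})
EOF
}

# Accept only "{PBES}:" followed by base64 text, so a plaintext password or a
# truncated copy/paste is rejected before it reaches the server configuration.
is_pbes() {
  printf '%s\n' "$1" | grep -Eq '^\{PBES\}:[A-Za-z0-9+/]+={0,2}$'
}

# rotate_password NEW_PBES: replace only the "password" entry on each line.
# The validated value cannot contain \, & or |, so it is safe inside sed.
rotate_password() {
  is_pbes "$1" || { echo "refusing: value is not in {PBES}: format" >&2; return 1; }
  sed -E "s|(\"password\" => \")[^\"]*(\")|\\1${1}\\2|"
}

# to_read_script: Step 7, turn each write-attribute into the matching
# read-attribute and drop the value=... part.
to_read_script() {
  sed -E 's|:write-attribute\(name=([^,)]+),value=.*\)[[:space:]]*$|:read-attribute(name=\1)|'
}

# Demo on the constructed sample (placeholder value, not a real credential).
NEW_PBES='{PBES}:TkVXX1BMQUNFSE9MREVSIQ=='
sample_write_script | rotate_password "$NEW_PBES"
sample_write_script | to_read_script
```

Redirect the output to a file created under `umask 077`, since it carries the encrypted credential, and run it with `jboss-cli.sh --connect --file=<path>`.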



  • 2.  Re: Update Identity Manager JBOSS/Wildfly Database Ids/Passwords via Jboss-cli.sh

    Posted Jul 20, 2018 05:20 PM

    Review these additional performance notes with regards to data source max connection pool and JMS

     

    Wildfly and JMS (NIO to AIO) Performance