Team,
Using the jboss-cli.sh with the --gui switch allows for easy creation of the CLI processes, if you already have a pre-existing file with values you wish to update.
There are six (6) databases for CA Identity Manager, and the security context has been moved from the data-source section to a "security" section.
- To update these values, it is possible to vi this file, but if we wish to leverage dev-ops processes, any method that allows an API or CLI process is preferred.
- Why is this method preferred over manual entry?
- Avoid fat finger mistakes
- Ensure a repeatable process that can be tied to dev-ops scripts/tools.
- Inherent validation of entry and approved values for attributes.
- Able to rapidly share knowledge and test over web-ex sessions with larger team members.
Example of using the jboss-cli.sh with --gui to "discover" and have this tool build the CLI script.
Step 1: Start this GUI tool
Step 2: Use the bottom search box to "find" a keyword for the item you wish to update.
Step 3: Select the object, and right click to WRITE to this object.
Step 4: View the top part of the GUI tool, and you will see the CLI line created with the EXISTING values.
Step 5: Copy this CLI line from the GUI tool to notepad++ or a new file on the Linux host.
Step 6: Test your new CLI script.
Step 7: Make a duplicate of your CLI script, change the keyword "write" to "read", and remove the extra "value" from this line. You now have a proper query of the current state. If the state of the object says "reload-required", then submit a "reload" command or restart the J2EE services.
Step 8: Submit reload
Scripts created by the jboss-cli.sh GUI tool:
/subsystem=security/security-domain=iam_im-imobjectstoredb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/objectstore,service=NoTxCM"})
/subsystem=security/security-domain=iam_im-imtaskpersistencedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/archive,service=NoTxCM"})
/subsystem=security/security-domain=iam_im-imworkflowdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=jdbc/WPDS,service=LocalTxCM"})
/subsystem=security/security-domain=iam_im-imarchivedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/archive,service=NoTxCM"})
/subsystem=security/security-domain=iam_im-imauditdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/auditDbDataSource,service=LocalTxCM"})
/subsystem=security/security-domain=iam_im-imreportsnapshotdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:B8+4u/F3aiZ9sXus6HyDNA==","managedConnectionFactoryName" => "jboss.jca:name=iam/im/jdbc/jdbc/reportsnapshot,service=NoTxCM"})
To read current values, replace "write" with "read" in these scripts and drop the "value" argument:
/subsystem=security/security-domain=iam_im-imarchivedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)
/subsystem=security/security-domain=iam_im-imauditdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)
/subsystem=security/security-domain=iam_im-imreportsnapshotdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)
/subsystem=security/security-domain=iam_im-imobjectstoredb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)
/subsystem=security/security-domain=iam_im-imtaskpersistencedb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)
/subsystem=security/security-domain=iam_im-imworkflowdb/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:read-attribute(name=module-options)
To update the password, use the IM PasswordTool, under IAM_SUITE/tools sub-folder
- Change into this folder before running the tool, so that the encryption libraries are located.
- /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool
- Avoid this error: "Error: Could not find or load main class com.netegrity.rtl.jce.JSafeTools"
- Execute with the -JSAFE option to get the PBES (password-based-encryption-standard) format.
Copy this NEW encrypted format with the leading {PBES} and the trailing double equal signs ==
- After updating, execute a "reload" command if the attribute has a "process-state" => "reload-required"
- Wait 1-2 minutes for the reload to complete, then execute the query string to confirm the value loaded correctly.
Monitor the server.log for any other info/warn/error/debug messages.
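As an added example (not part of the original post or of the CA tooling), the shell functions below automate Step 7 by deriving the read-attribute queries from the write-attribute lines, and check that every "password" option carries the {PBES}:...== form before a script is submitted. The function names and the two sample lines (domains example-db1 and example-db2 and their values) are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive read-attribute queries from write-attribute lines
# and check password values before a script is handed to jboss-cli.sh.
# Function names and sample data are assumptions, not from the original post.

# Step 7: turn ":write-attribute(name=N,value=...)" into
# ":read-attribute(name=N)". Lines without write-attribute pass through.
write_to_read() {
    sed -E 's/:write-attribute\(name=([^,)]+),value=.*\)[[:space:]]*$/:read-attribute(name=\1)/'
}

# Print the security-domain of every write line whose "password" option is
# not in the {PBES}:...== form produced by PasswordTool with -JSAFE.
# Exit status is 1 if any such line is found, 0 otherwise.
non_pbes_domains() {
    awk '
        /:write-attribute\(/ && /"password"/ {
            dom = $0
            sub(/.*security-domain=/, "", dom); sub(/\/.*/, "", dom)
            pw = $0
            sub(/.*"password" => "/, "", pw); sub(/".*/, "", pw)
            if (pw !~ "^[{]PBES[}]:[A-Za-z0-9+/]+==$") { print dom; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input: one encrypted value, one cleartext value.
sample_lines() {
    cat <<'EOF'
/subsystem=security/security-domain=example-db1/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "{PBES}:AAAAAAAAAAAAAAAAAAAAAA==","managedConnectionFactoryName" => "jboss.jca:name=example/ds1,service=NoTxCM"})
/subsystem=security/security-domain=example-db2/authentication=classic/login-module=com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin/:write-attribute(name=module-options,value={"userName" => "IDM","password" => "ChangeMe123","managedConnectionFactoryName" => "jboss.jca:name=example/ds2,service=NoTxCM"})
EOF
}

sample_lines | write_to_read
sample_lines | non_pbes_domains || echo "password not in {PBES} form; re-encrypt before submitting"
```

The write scripts and the read-attribute output both contain the {PBES} value, so keep these files readable only by the account that runs the CLI.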
Cheers,
A.