When you install the product it prompts you for a shared secret. This then
becomes the password for the initial global user that is created in the
Provisioning Server. You may or may not have used this global user when you
defined your IM Prov Dir XML in the IM Management Console. Even if you did
you may decide not to change the global user's password for the user listed
in the IM Prov Dir XML. The same applies to the IM Corp Dir XML. If you do
want to update the credentials in these Directory XML files you would need
to use the pwdtools.bat utility along with your FIPS key to generate new
1) Export the IM Corp Dir XML and IM Prov Dir XMLvia Management Console
2) Update the user's password in the IM Corp Store and Provisioning Server
3) Update the Directory XML files with the new encrypted password
4) Import the updated Directory XML files via Management Console
5) Restart the IM Environment via Management Console
The \CA\Identity Manager\IAM Suite\Identity Manager\tools\PasswordTool
folder has the pwdtools.bat utility which has the following usage:
pwdtools.bat -FIPS -p <plain text> -k <FIPS key file path>
The shared secret gets used for the authentication between the Provisioning
Server and the Provisioning Repository as well as between the Provisioning
Server and the C++ and Java Connector Servers. In order to change the
password for these connections you will need to do the following:
Go to the Provisioning Server\bin folder and run the pwdmgr.exe utility and
enter the user/password of a DomainAdmin global user and then reset the
password for the IM Provisioning Server, Connector Server, and Provisioning
Directory components and do it for all domains listed (i.e. eta and im).
So you will be performing 6 changes to set the new password.
You will also need to use an ldap browser to bind to the JCS itself which
is listening on port 20410 to update the password. The bind credentials
is uid=admin,ou=system with the original shared secret password. Once you
are connected you will go an update uid=admin,ou=system object with the
new password you will be using.
Now you need to update the CSCONFIG objects stored in the Provisioning
Repository which contain the passwords to bind to the Connector Servers
that the Provisioning Server references.
Get the name of all the Connector Server objects (i.e. CCS_HOST_TLS_20403
and JCS_HOST_TLS_20410) by running the following command. You will be
prompted for the global user's password. Replace globalusername and domain
with the values valid for your deployment.
PSHOME\bin\csfconfig.exe list auth=globalusername@domain
Take note of each object name listed and for each one run the following
command (you will first be prompted for the global user's password and then
you will be prompted for the new shared secret you will be using). Again
replace globalusername and domain with the values valid for your install.
csfconfig.exe modify auth=globalusername@domain name=CS_OBJECT_NAME pass
Restart the Provisioning Server, C++ Connector Server, and Java Connector
The shared secret password set during the installation is also the default
keystore password for the JCS keystore. I am not sure if you intend to
update this as well or not. It is mentioned in Chapter 4 of the CA Identity
Manager Java Connector Server Implementation Guide. In there it mentions
using the ldaps_password utility to update a properties file used by the
JCS with a new encrypted password. If you choose to follow those steps then
also make sure that you update the keystore file itself to use a new
password. That second part is not clearly stated and can be done using a
java keytool command such as:
keytool -storepasswd -new new_storepass -keystore ssl.keystore
I recommend you take system backups and try this out in a test environment
first so that you become familiar with all the steps before trying to do
this in your production environment.