Symantec IGA


CA Identity Manager - Reset ETAADMIN password via provisioning router access. 

Feb 04, 2016 11:33 AM

Summary:

This tech doc describes how to reset the password of the Provisioning Manager administrator account (etaadmin) when you can no longer log in with it.

Instructions:

Connect to the provisioning directory through the Provisioning Router (port 20391) with an LDAP client.

 

Example Settings:

 

Hostname = PROVISIONING_SERVER_ROUTER_HOST

Port = 20391

Level = User + Password

User DN = eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

Password = Provisioning Repository Password (configured during installation)

 

Change the eTPassword attribute on your Administrator Account:

 

Example (DN of the administrator account):

eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta

 

Set eTPassword = password01

 

Note: You will be able to log in with the value written this way; however, do not leave the password stored in clear text, as that is a security risk. Re-set it through Provisioning Manager as described next.
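The LDAP step above as a script, added here as an example and not part of the original article: it builds the LDIF modify record for the administrator DN and applies it through the router with OpenLDAP's ldapmodify. Host, port and both DNs are the article's example values; the ldapmodify client and the ROUTER_HOST/ROUTER_PORT environment overrides are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: reset eTPassword on the
# etaadmin global user through the provisioning router with OpenLDAP's
# ldapmodify. Host, port and DNs are the article's example values; the
# ROUTER_HOST/ROUTER_PORT overrides are an assumption of this script.

ROUTER_HOST="${ROUTER_HOST:-PROVISIONING_SERVER_ROUTER_HOST}"
ROUTER_PORT="${ROUTER_PORT:-20391}"
BIND_DN='eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb'
ADMIN_DN='eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'

# Emit one LDIF "modify" record that replaces eTPassword on DN.
# The value is base64-encoded ("::") so any password characters are safe in LDIF.
reset_ldif() {
  dn="$1"; newpw="$2"
  b64=$(printf '%s' "$newpw" | base64 | tr -d '\n')
  printf 'dn: %s\nchangetype: modify\nreplace: eTPassword\neTPassword:: %s\n-\n' "$dn" "$b64"
}

# Simple bind to the router as the DSA account (ldapmodify prompts for the
# repository password) and apply the record. Plain ldap:// carries both the bind
# password and the new eTPassword unencrypted on the wire, so run this on the
# provisioning host or over an SSL-enabled router port if your deployment has one.
reset_etaadmin_password() {
  newpw="$1"
  reset_ldif "$ADMIN_DN" "$newpw" |
    ldapmodify -x -H "ldap://$ROUTER_HOST:$ROUTER_PORT" -D "$BIND_DN" -W
}

# Usage: sh reset-etaadmin.sh 'password01'
if [ "$#" -eq 1 ]; then
  reset_etaadmin_password "$1"
fi
```

The password written this way is stored exactly as the article warns, in clear text, so the Provisioning Manager change-password step that follows is still required.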

 

Use Provisioning Manager to encrypt your password:

 

Log into Provisioning Manager using the new password (e.g. password01).

Click User, search for the etaadmin user, choose Change Password (you can re-enter the same password you set in clear text), then click Apply.

This sets the password again, but this time it is stored as an encrypted value instead of in clear text.

 

 

If you used etaadmin for the connection between Identity Manager and the Provisioning Server (i.e. in the IM Provisioning Directory XML), continue reading:

 

Go to:

http://IM_HOST:Port/iam/immanage

 

Click "Directories" and confirm connectivity to the provisioning directory.

 

Note: If you receive a connection error for your provisioning directory, you may not be able to export the environment; in that case, follow the alternative steps given further below.

 

If you are able to export your environment please follow these steps:

 

Export your IM Provisioning Directory XML.

 

In the exported directory XML, find the Credentials element, for example:

<Credentials user="eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta">{PBES}:WQf3wza4JfYe3zPI8zcveQ==</Credentials>

 

Configure pwdtools.bat

Go to: ..\CA\im\iam suite\im\tools\passwordtool

Right-click the .bat file to edit it and set the JAVA_EXE variable, for example:

Example: SET JAVA_EXE=C:\Java\jdk1.6.0_45\jre\bin\java.exe

 

Next, run pwdtools.bat: open a command prompt and cd to the directory containing pwdtools.bat. Usage:

Create a FIPS key file: pwdtools -FIPSKEY -k <FIPS key file location> [-f <param_file>]

Add a FIPS key: pwdtools -FIPSKEY -add [-f <param_file>]

Encrypt a plain-text value with the non-FIPS PBES algorithm: pwdTools -JSAFE -p <plain text> [-f <param_file>]

Encrypt a shared secret with the PBES algorithm and save it: pwdTools -JSAFEKEY -p <shared_secret> [-f <param_file>]

Encrypt a plain-text value with a FIPS key file: pwdTools -FIPS -p <plain text> -k <FIPS key file path> [-f <param_file>]

Encrypt a plain-text value with the non-FIPS RC2 algorithm: pwdTools -RC2 -p <plain text> [-f <param_file>]

 

In this example, encrypt the password with the PBES algorithm and compare the result with the value currently stored in the XML. Use the password you actually set on the etaadmin account; the example uses password1.

Execute the following command:

pwdTools -JSAFE -p password1

 

Results:

     Plain Text: password1

     Encrypted value: {PBES}:WQf3wza4JfYe3zPI8zcveQ==

 

 

Replace the existing {PBES} value in the XML with the newly generated one, upload (import) the XML file, and restart the IM application server.
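The XML edit described above, as an added example that is not part of the original article: the function refuses to touch the file unless exactly one Credentials element is present and the new value carries the {PBES}: prefix that pwdTools -JSAFE produces, so a value pasted from the wrong tool (for instance an {RC2} value) or an unexpected export layout is caught before anything is overwritten. Only the element name and the prefix come from the article; the sample document is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: swap the encrypted value inside
# the <Credentials user="..."> element of an exported IM provisioning directory
# XML. Only the element name and the {PBES}: prefix come from the article; the
# sample document below is constructed for the demo and a real export will have
# other elements around the Credentials line.

# Replace the text of the single <Credentials user="..."> element in FILE with NEWVAL.
# Refuses to touch the file unless exactly one such element is present (on one
# line) and NEWVAL carries the {PBES}: prefix that "pwdTools -JSAFE" produces.
# Keeps the original as FILE.bak.
replace_provdir_credential() {
  file="$1"; newval="$2"
  case "$newval" in
    '{PBES}:'*) ;;
    *) echo "refusing: value must start with {PBES}: (got: $newval)" >&2; return 1 ;;
  esac
  n=$(grep -c '<Credentials user="[^"]*">' "$file")
  if [ "$n" -ne 1 ]; then
    echo "refusing: expected exactly one Credentials element in $file, found $n" >&2
    return 1
  fi
  # base64 may contain + / =; escape the characters sed's replacement treats specially
  esc=$(printf '%s' "$newval" | sed 's/[&|\\]/\\&/g')
  sed -i.bak "s|\(<Credentials user=\"[^\"]*\">\)[^<]*\(</Credentials>\)|\1$esc\2|" "$file"
}

# Constructed sample standing in for an exported directory XML; prints its path.
make_sample_xml() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed sample: a real export has more elements around Credentials -->
<ImsDirectory name="ProvisioningRepository">
  <Credentials user="eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta">{PBES}:WQf3wza4JfYe3zPI8zcveQ==</Credentials>
</ImsDirectory>
EOF
  echo "$f"
}

# Usage: sh replace-credential.sh exported-dir.xml '{PBES}:<value from pwdTools -JSAFE>'
if [ "$#" -eq 2 ]; then
  replace_provdir_credential "$1" "$2"
fi
```

After the replacement, diff the file against the .bak copy to confirm that only the Credentials value changed before importing it.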

 

 

 

If you are not able to export your environment please follow these steps:

 

Configure pwdtools.bat

Go to: CA\Identity Manager\IAM Suite\Identity Manager\tools\PasswordTool

Right-click the .bat file to edit it and set the JAVA_EXE variable, for example:

Example: SET JAVA_EXE=C:\Java\jdk1.6.0_45\jre\bin\java.exe

 

Next, run pwdtools.bat: open a command prompt and cd to the directory containing pwdtools.bat. Usage:

Create a FIPS key file: pwdtools -FIPSKEY -k <FIPS key file location> [-f <param_file>]

Add a FIPS key: pwdtools -FIPSKEY -add [-f <param_file>]

Encrypt a plain-text value with the non-FIPS PBES algorithm: pwdTools -JSAFE -p <plain text> [-f <param_file>]

Encrypt a shared secret with the PBES algorithm and save it: pwdTools -JSAFEKEY -p <shared_secret> [-f <param_file>]

Encrypt a plain-text value with a FIPS key file: pwdTools -FIPS -p <plain text> -k <FIPS key file path> [-f <param_file>]

Encrypt a plain-text value with the non-FIPS RC2 algorithm: pwdTools -RC2 -p <plain text> [-f <param_file>]

 

In this example, encrypt the password with the RC2 algorithm (the form stored in the object store) and compare the result with the value currently in the database. Use the password you actually set on the etaadmin account; the example uses password1.

Execute the following command:

pwdTools -RC2 -p password1

 

Results:

     Plain Text: password1

     Encrypted value: {RC2}:vDZXlsPiVi9PxkFqAXYzSw==

  

  

In the Identity Manager object store database:

 

Navigate to the following table [imdb].[dbo].[IM_DIR_CONNECTION]

 

Run: SELECT * FROM [imdb].[dbo].[IM_DIR_CONNECTION]

 

In the Connection_Name column, find the row for your provisioning repository.

 

Go to the Password column of that row.

 

Replace the previous encrypted {RC2} value with the new one, in this example {RC2}:vDZXlsPiVi9PxkFqAXYzSw==

 

Restart the IM Application Server
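The object store update above as a scripted, scoped change rather than a hand edit of the cell, added here as an example that is not part of the original article. The batch shows the row before and after, updates only the row whose Connection_Name matches, and rolls back unless exactly one row was touched. The table and the Connection_Name/Password columns are the ones the article names; the sqlcmd invocation, the SQL_SERVER variable and the {RC2}: prefix check (the form the article shows for this store) are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original article: update the stored provisioning
# repository password in the IM object store with a scoped, transactional
# UPDATE. Table and column names are those the article gives; sqlcmd,
# SQL_SERVER and the {RC2}: prefix check are assumptions of this script.

# Build a T-SQL batch that updates exactly one row, or rolls back.
build_update_sql() {
  conn_name="$1"; newval="$2"
  case "$newval" in
    '{RC2}:'*) ;;
    *) echo "refusing: value must start with {RC2}: (got: $newval)" >&2; return 1 ;;
  esac
  # the values are spliced into string literals, so reject quotes outright
  case "$conn_name$newval" in
    *"'"*) echo "refusing: single quote in input" >&2; return 1 ;;
  esac
  cat <<EOF
SET XACT_ABORT ON;
BEGIN TRANSACTION;
-- the row as it is before the change
SELECT [CONNECTION_NAME], [PASSWORD] FROM [imdb].[dbo].[IM_DIR_CONNECTION] WHERE [CONNECTION_NAME] = '$conn_name';
UPDATE [imdb].[dbo].[IM_DIR_CONNECTION] SET [PASSWORD] = '$newval' WHERE [CONNECTION_NAME] = '$conn_name';
IF @@ROWCOUNT <> 1
BEGIN
  ROLLBACK TRANSACTION;
  RAISERROR('expected exactly one row named %s', 16, 1, '$conn_name');
  RETURN;
END
COMMIT TRANSACTION;
-- the row after the change
SELECT [CONNECTION_NAME], [PASSWORD] FROM [imdb].[dbo].[IM_DIR_CONNECTION] WHERE [CONNECTION_NAME] = '$conn_name';
EOF
}

# Run the batch with sqlcmd; -b makes sqlcmd exit non-zero on a SQL error.
update_objectstore_password() {
  build_update_sql "$1" "$2" | sqlcmd -S "${SQL_SERVER:-localhost}" -d imdb -b
}

# Usage: sh update-provdir-password.sh 'ProvisioningRepository' '{RC2}:vDZXlsPiVi9PxkFqAXYzSw=='
if [ "$#" -eq 2 ]; then
  update_objectstore_password "$1" "$2"
fi
```

Run the SELECT from the article first to copy the exact Connection_Name of the provisioning repository; the batch does nothing if the name does not match exactly one row.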
