How to change the password of the AD user for the ENTM System Manager or how to sync the AD user's password change in ENTM

Article ID: 17478

Products

CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

If you have to change the password of the Active Directory user account mapped to the ENTM System Manager, please follow these steps.

Environment

Release: R12.8 / R12.9 ENTM

Resolution

Ensure that the AccessFilter in <WildFly_Home>\standalone\deployments\IdentityMinder.ear\management_console.war\WEB-INF\Web.XML is configured as follows (Enable set to True):

  <filter>
    <filter-name>AccessFilter</filter-name>
    <filter-class>com.netegrity.ims.manage.filter.AccessFilter</filter-class>
    <init-param>
      <param-name>Enable</param-name>
      <param-value>True</param-value>
    </init-param>
  </filter>


  • In the CA Identity Minder Management Console, click the "Directories" link
  • Click the "ac-dir" link
  • Scroll down the page and click the "Export..." button
  • Save the exported "ac-dir.xml" file and open it in an editor, e.g. notepad / vi
  • On the ENTM server open a cmd / sh and set JAVA_HOME

    Windows: set JAVA_HOME=C:\jdk1.7.0

    Linux: export JAVA_HOME=/usr/java/jdk1.7.0_21

  • Encrypt the new clear-text password with pwdtools, e.g.

    # ./pwdtools.sh -FIPS -p "newPassword" -key /opt/jboss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys/FIPSkey.dat

  • In the "ac-dir.xml" file put the encrypted password (and, if it changed, the new user) into the Credentials element:
    ...
    <Credentials user="CN= ... ">{AES}: ... ==</Credentials>
    ...

  • Amend the Container line in the "ac-dir.xml" file so that it is exactly like this:
    ...
    <Container objectclass="top,organizationalUnit" attribute="ou" value=""/>
    ...

  • Save the modified "ac-dir.xml" file and return to your CA Identity Minder Management Console at

    Home : Directories : ac-dir

  • Scroll down the page and click the "Update..." button
  • Select and load the modified "ac-dir.xml" file

You should now be able to log on to ENTM with the new user / password.

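The two ac-dir.xml edits above (Credentials and Container) are easy to get wrong by hand, and a clear-text password pasted into the file by mistake would be exported again later. The helper below is an added example, not code from the article or from the product: it takes the exported file text, the bind user DN and the pwdtools output, rewrites exactly those two elements, and refuses anything that does not carry the {AES}: prefix. The enclosing ImsDirectory/Provider elements and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for an exported ac-dir.xml. Only the Credentials and
# Container elements are taken from the article; the enclosing ImsDirectory
# and Provider elements and all sample values are assumptions.
SAMPLE_AC_DIR = """<ImsDirectory name="ac-dir">
  <Provider type="LDAP">
    <Credentials user="CN=entmsvc,OU=Service,DC=example,DC=com">{AES}:OLDVALUE==</Credentials>
    <Container objectclass="top,organizationalUnit" attribute="ou" value="Users"/>
  </Provider>
</ImsDirectory>
"""

# The exact Container attributes the article requires.
REQUIRED_CONTAINER = {"objectclass": "top,organizationalUnit", "attribute": "ou", "value": ""}


def update_ac_dir(xml_text: str, bind_user_dn: str, encrypted_password: str) -> str:
    """Return xml_text with the bind user and its encrypted password replaced
    and the Container element rewritten to the required form. The password
    must be pwdtools output ({AES}: prefix) so clear text never enters the file."""
    if not encrypted_password.startswith("{AES}:"):
        raise ValueError("password must be the pwdtools output ({AES}:...), not clear text")
    root = ET.fromstring(xml_text)  # raises ParseError if the edit broke the XML
    creds = root.findall(".//Credentials")
    if len(creds) != 1:
        raise ValueError(f"expected exactly one Credentials element, found {len(creds)}")
    creds[0].set("user", bind_user_dn)
    creds[0].text = encrypted_password
    containers = root.findall(".//Container")
    if len(containers) != 1:
        raise ValueError(f"expected exactly one Container element, found {len(containers)}")
    # Drop whatever the export contained and write the article's exact attributes.
    containers[0].attrib.clear()
    containers[0].attrib.update(REQUIRED_CONTAINER)
    return ET.tostring(root, encoding="unicode")


def bind_credentials(xml_text: str) -> tuple:
    """(bind user DN, stored password value) from ac-dir.xml text, for checking."""
    creds = ET.fromstring(xml_text).find(".//Credentials")
    return creds.get("user"), creds.text


def container_attributes(xml_text: str) -> dict:
    """Attributes of the Container element, for checking the result."""
    return dict(ET.fromstring(xml_text).find(".//Container").attrib)
```

Run it against the real export and upload the returned text with the "Update..." button; the functions only touch the two elements, so the rest of the directory definition is preserved.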

No, the workaround is to use a second interim account.

So first, in AC-DIR modify both the account and the password to a different user with a valid password (no equal sign) using the same methods. PAM SC should continue to work as normal with the new bind account.
Then change the AD password on the original account.
After this, in AC-DIR modify both the account and the password back to the original account with the new password.


Using an interim Bind account allows us to maintain the connection to the AD and validate the updated password.

Please confirm this makes sense. We are working on this, but if you need to change this now, this is the only way we can do it.