Failed to start IM environment after resetting imadmin user password

Article ID: 204722


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

I have installed IM with the OOTB (out-of-the-box) IM Environment.

I recently changed the default password of the imadmin user using the IM User Console. Now the IM Environment won't start. After restarting IM, the application server log shows:

11:20:57,983 INFO  [ims.Main] (ServerService Thread Pool -- 95) * Starting environment: identityEnv
11:20:58,062 ERROR [ims.llsdk.directory.jndi] (ServerService Thread Pool -- 95) [LDAP: error code 49 - Invalid Credentials]
11:20:58,079 WARN  [ims.tmt.EnvironmentService] (ServerService Thread Pool -- 95) * Failed to start environment: identityEnv

Environment

Release : 14.x non vApp environment with OOTB IM Environment

Component : IdentityMinder(Identity Manager)

Cause

IM uses the imadmin user's credentials to access the User Store. Because the imadmin user's password was changed in the User Store but not in the User Store definition (UserStore.xml), IM cannot connect to the User Store and cannot start the IM Environment.
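
One way to confirm this cause from the application server log, as an added example that is not part of the original article or of the product's tooling: it pairs each "Failed to start environment" warning with the first LDAP error logged on the same thread since the matching "Starting environment" line. The function and field names are assumptions, and the last two sample log lines are constructed.

```python
import re

# Line layout as shown in the article's log excerpt: time, level, [category], (thread), message.
LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>[A-Z]+)\s+"
                  r"\[(?P<cat>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+(?P<msg>.*)$")
START = re.compile(r"\* Starting environment: (\S+)")
FAIL = re.compile(r"\* Failed to start environment: (\S+)")
LDAP_ERR = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")
INVALID_CREDENTIALS = 49  # LDAP result code invalidCredentials (RFC 4511)

# First three lines are the article's excerpt; the last two are constructed.
SAMPLE_LOG = """\
11:20:57,983 INFO  [ims.Main] (ServerService Thread Pool -- 95) * Starting environment: identityEnv
11:20:58,062 ERROR [ims.llsdk.directory.jndi] (ServerService Thread Pool -- 95) [LDAP: error code 49 - Invalid Credentials]
11:20:58,079 WARN  [ims.tmt.EnvironmentService] (ServerService Thread Pool -- 95) * Failed to start environment: identityEnv
11:21:03,120 INFO  [ims.Main] (ServerService Thread Pool -- 96) * Starting environment: constructedEnv
11:21:03,500 WARN  [ims.tmt.EnvironmentService] (ServerService Thread Pool -- 96) * Failed to start environment: constructedEnv
"""

def diagnose(log_text):
    """Return one record per environment that failed to start, with the first
    LDAP error logged on the same thread between its start and its failure."""
    pending, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines, stack traces, other formats
        thread, msg = m["thread"], m["msg"]
        if s := START.search(msg):
            pending[thread] = {"env": s[1], "ldap_code": None, "ldap_text": None}
        elif (e := LDAP_ERR.search(msg)) and thread in pending:
            if pending[thread]["ldap_code"] is None:
                pending[thread].update(ldap_code=int(e[1]), ldap_text=e[2])
        elif f := FAIL.search(msg):
            rec = pending.pop(thread, None)
            if rec is None or rec["env"] != f[1]:
                rec = {"env": f[1], "ldap_code": None, "ldap_text": None}
            # Code 49 means the directory rejected the bind: stored credentials are stale.
            rec["bind_rejected"] = rec["ldap_code"] == INVALID_CREDENTIALS
            rec["failed_at"] = m["time"]
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        hint = "check Credentials in UserStore.xml" if r["bind_rejected"] else "cause not an LDAP bind failure"
        print(f'{r["failed_at"]} {r["env"]}: LDAP {r["ldap_code"]} {r["ldap_text"]} -> {hint}')
```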

Resolution

1. First, install Java and JXplorer (http://jxplorer.org/downloads/users.html). JXplorer will be used to access the CA Directory User Store directly to change the user password.

2. Launch JXplorer and connect to the User Store. In my lab, the connection information is as follows:
      a. Host: <hostname where User Store is running>
      b. Port: 10101
      c. Protocol: LDAP3
      d. Security Level: User + Password
         User DN: cn=dsaadmin,ou=im,ou=ca,o=com
         Password: test
      Note: 'test' (without quotation marks) is the default password for the imadmin and dsaadmin users in the OOTB IME.

     

3. Click [OK] and find the imadmin user entry under the people container. Select the Table Editor tab on the right and double-click the (non string data) field to the right of userPassword. Restore the imadmin user's password to the default password, i.e. 'test' (without quotation marks).

 

In the User Password Data dialog, set the password back to 'test' (without quotation marks). Click [OK]

 

Click [Submit]

 

4. Now restart IM and you should be back to the original condition. You should be able to log in to the IM User Console using imadmin and 'test' (without quotation marks) as the password.

5. Access the IM Management Console and select Directories > UserStore, then click the [Export...] button at the bottom. UserStore.xml will be downloaded.

6. Use the Password Tool to encrypt your new password. For example, on a Windows IM machine, launch a DOS prompt, go to the C:\Program Files (x86)\CA\Identity Manager\IAM Suite\Identity Manager\tools\PasswordTool directory and run the following command.

pwdtools.bat -JSAFE -p <your new password>

7. Edit the downloaded UserStore.xml to set the new encrypted password that the imadmin user uses to access the User Store. In my environment I have edited line 125, i.e.

From

<Credentials user="uid=imadmin,ou=people,ou=im,ou=ca,o=com">{PBES}:HUkQTOZbkIs=</Credentials>

To

<Credentials user="uid=imadmin,ou=people,ou=im,ou=ca,o=com">{PBES}:FR8fyicr45YmhbO5Tkcm9A==</Credentials>

Save the UserStore.xml

8. Go back to JXplorer and update the imadmin user with the new password (make sure the pulldown is set to SHA), and don't forget to click [Submit]

 

9. Go back to the IM Management Console, go to Directories > UserStore and click the [Update...] button at the bottom. Click [Browse...] to select the updated UserStore.xml and click [Next>>]. You should see a Warning message like the one below; click [Finish]

 

Click [Continue]

 

Click [Restart Environment]

Now you should be able to log in as imadmin using the new password.