How To Reset Forgotten Provisioning Manager Administrator Account Password

Article ID: 37695

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

IMPORTANT: This article contains information about modifying DN values within your directory. Before you modify the directory, make sure you understand the functionality involved. If you have any concerns, please open a case with support and reference this tech doc.

This article is offered "as is".

Summary:

This tech doc explains how to reset the Provisioning Manager administrator account password (i.e. ETAADMIN).

Instructions:

Connect to Provisioning Directories via Provisioning Router (port 20391)

Example Settings:

Hostname = PROVISIONING_SERVER_ROUTER_HOST

Port = 20391

Level = User + Password

User DN = eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

Password = Provisioning Repository Password (Configured During Installation)

Change the eTPassword attribute on your Administrator Account:

Example

eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta

Set eTPassword = password01

Note: You will be able to connect with the clear-text password; however, do not leave your password in clear text, as it is a security risk.

Use Provisioning Manager to encrypt your password:

Log into Provisioning Manager using your new password (i.e. password01)

Click on User, then Search for your user, then Change Password (Note: you can use the same password that you set in clear text), then click Apply

This will set the user's password again, but this time it will be stored as an encrypted value

If you have used etaadmin to establish your connection between IDM and Provisioning Server (i.e. IM ProvDir XML) then continue reading:

Go to:

http://IM_HOST:Port/iam/immanage

Click on "Directories" and confirm connectivity

Note:

If you receive a connection error to your provisioning directory database, you may not be able to export your environment and will need to follow the different steps further below.

If you are able to export your environment please follow these steps:

Export your IM Provisioning Directory XML.

Find: <Credentials user="eTGlobalUserName=etadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta">{PBES}:WQf3wza4JfYe3zPI8zcveQ==</Credentials> within your directory XML.

Configure pwdtools.bat

Go to: ..\CA\im\iam suite\im\tools\passwordtool

Right-click the bat file, edit it, and set the JAVA_EXE variable.

Example: SET JAVA_EXE=C:\Java\jdk1.6.0_45\jre\bin\java.exe

Next we need to run pwdtools.bat. Open CMD and cd to the location of pwdtools.bat

To create a FIPS key file: pwdtools -FIPSKEY -k <FIPS key file location> [-f <param_file>]

To add a FIPS key: pwdtools -FIPSKEY -add [-f <param_file>]

To encrypt a plain text value using non FIPS (PBES) algorithm: pwdTools -JSAFE -p <plain text> [-f <param_file>]

To encrypt a shared secret using PBES algorithm and save it: pwdTools -JSAFEKEY -p <shared_secret> [-f <param_file>]

To encrypt a plain text using FIPS key file: pwdTools -FIPS -p <plain text> -k <FIPS key file path> [-f <param_file>]

To encrypt a plain text value using non FIPS (RC2) algorithm: pwdTools -RC2 -p <plain text> [-f <param_file>]

In this example we are going to compare our current password values.

Execute the following command:

pwdTools -JSAFE -p password1

Results:

     Plain Text: password1

     Encrypted value: {PBES}:WQf3wza4JfYe3zPI8zcveQ==

Replace the {PBES} value within the XML with the new {PBES} value, upload the XML file, and restart the IM Application Server
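The find-and-replace step above can be scripted so the export is checked before it is uploaded. This is an added example, not code from the article or the vendor: the `<Credentials>` element form is taken from the article, while the wrapper elements, the second connection and the function names are constructed for illustration. It goes slightly beyond the article by also flagging any stored value that is not `{PBES}:` or `{RC2}:` output.

```python
import base64
import re

# Element form shown in the article: <Credentials user="DN">{PBES}:base64</Credentials>
CRED_RE = re.compile(r'<Credentials\s+user="([^"]*)"\s*>([^<]*)</Credentials>')
# Only the two prefixes that appear in the article are recognised.
VALUE_RE = re.compile(r'\{(PBES|RC2)\}:([A-Za-z0-9+/]+={0,2})')

# Constructed sample: the wrapper elements and the second connection are hypothetical.
SAMPLE = """<Directory>
  <Connection name="prov">
    <Credentials user="eTGlobalUserName=etadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta">{PBES}:WQf3wza4JfYe3zPI8zcveQ==</Credentials>
  </Connection>
  <Connection name="other">
    <Credentials user="cn=svc,dc=example">password01</Credentials>
  </Connection>
</Directory>
"""

def scheme_of(value):
    """Return 'PBES' or 'RC2' for a well-formed encrypted value, else None."""
    m = VALUE_RE.fullmatch(value.strip())
    if not m:
        return None
    try:
        base64.b64decode(m.group(2), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return m.group(1)

def audit(xml_text):
    """(user DN, scheme) per Credentials element; scheme None means not encrypted."""
    return [(m.group(1), scheme_of(m.group(2))) for m in CRED_RE.finditer(xml_text)]

def replace_credential(xml_text, user_dn, new_value):
    """Swap the value stored for user_dn; every other byte of the export is kept."""
    if scheme_of(new_value) is None:
        raise ValueError("refusing to store a value that is not {PBES}:/{RC2}: output")
    hits = [m for m in CRED_RE.finditer(xml_text)
            if m.group(1).casefold() == user_dn.casefold()]
    if len(hits) != 1:
        raise LookupError(f"expected one Credentials element, found {len(hits)}")
    m = hits[0]
    return xml_text[:m.start(2)] + new_value + xml_text[m.end(2):]

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE):
        print(scheme or "CLEAR TEXT", dn)
```

Run `audit` on the edited file again before uploading it; any entry reported without a scheme is a password stored in clear text.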

 

 

 

If you are not able to export your environment please follow these steps:

 

Configure pwdtools.bat

Go to: CA\Identity Manager\IAM Suite\Identity Manager\tools\PasswordTool

Right-click the bat file, edit it, and set the JAVA_EXE variable.

Example: SET JAVA_EXE=C:\Java\jdk1.6.0_45\jre\bin\java.exe

Next we need to run pwdtools.bat. Open CMD and cd to the location of pwdtools.bat

To create a FIPS key file: pwdtools -FIPSKEY -k <FIPS key file location> [-f <param_file>]

To add a FIPS key: pwdtools -FIPSKEY -add [-f <param_file>]

To encrypt a plain text value using non FIPS (PBES) algorithm: pwdTools -JSAFE -p <plain text> [-f <param_file>]

To encrypt a shared secret using PBES algorithm and save it: pwdTools -JSAFEKEY -p <shared_secret> [-f <param_file>]

To encrypt a plain text using FIPS key file: pwdTools -FIPS -p <plain text> -k <FIPS key file path> [-f <param_file>]

To encrypt a plain text value using non FIPS (RC2) algorithm: pwdTools -RC2 -p <plain text> [-f <param_file>]

In this example we are going to compare our current password values.

Execute the following command:

pwdTools -RC2 -p password1

Results:

     Plain Text: password1

     Encrypted value: {RC2}:vDZXlsPiVi9PxkFqAXYzSw==

Please go into your Object Store:

Navigate to the following table: [imdb].[dbo].[IM_DIR_CONNECTION]

Execute: SELECT * FROM [imdb].[dbo].[IM_DIR_CONNECTION]

Under the Connection_Name column, find your provisioning repository

Navigate to the Password column

Replace the previous encrypted {RC2} value with the new value {RC2}:vDZXlsPiVi9PxkFqAXYzSw==

Restart the IM Application Server

Environment

Release: CAIDMB99000-12.6.7-Identity Manager-B to B