Symantec Identity Manager - How To Reset Forgotten Provisioning Manager Administrator Account Password

Article ID: 37695

Products

CA Identity Manager, CA Identity Suite

Issue/Introduction

This tech doc explains how to reset the password of the Provisioning Manager administrator account (i.e. ETAADMIN).

IMPORTANT: This article contains information about modifying DN values within your directory. Before you modify the directory, make sure you have the appropriate knowledge of any or all functionality. If you have any concerns, please open a case with support and reference this tech doc.
This article is offered "as is".

Environment

Release : 14.X

Component : IdentitySuite(Identity Suite)

Component : IdentityManager(Identity Manager)

Resolution

Step 1: Connect to Provisioning Directories via Provisioning Router (port 20391)

Example Settings:

Hostname = PROVISIONING_SERVER_ROUTER_HOST
Port = 20391
Level = User + Password
User DN = eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb
Password = Provisioning Repository Password (Configured During Installation)

Change the eTPassword attribute on your Administrator Account:

Example:

eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta
Set eTPassword = password01

Note: You will be able to connect with the clear-text password; however, do not leave your password in clear text, as it is a security risk.

Step 2: Use Provisioning Manager to encrypt your password:

Log into Provisioning Manager using your new password (i.e. password01)

Click on User, then Search for your user, then Change Password (Note: you can use the same password that you set in clear text), then click Apply.

This sets the user's password again, but this time it is stored as an encrypted value.

If you have used etaadmin to establish your connection between IDM and Provisioning Server (i.e. IM ProvDir XML) then continue reading:

Navigate to:
https://IPAddress:Port/iam/immanage
Home › Directories and confirm successful connectivity

Note:

If you receive a connection error to your provisioning directory database, you may not be able to export your environment and will need to follow the different steps described further below.

If you can export your environment, please follow these steps:

Export your IM Provisioning Directory XML.

Find the following element within your directory XML:
<Credentials user="eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta">{PBES}:WQf3wza4JfYe3zPI8zcveQ==</Credentials>

Step 3: Configure pwdtools.bat

Go to: CA\Identity Manager\IAM Suite\Identity Manager\tools\PasswordTool
Right-click the bat file and edit it to set the JAVA_EXE variable.
Example: SET JAVA_EXE=C:\Java\jdk1.8.0_245\jre\bin\java.exe

Next, open CMD, cd to the location of pwdtools.bat, and run pwdtools.bat.

Screen output:
To create a FIPS key file  pwdtools -FIPSKEY -k <FIPS key file location>  [-f <param_file>]
To add a FIPS key  pwdtools -FIPSKEY -add  [-f <param_file>]
To encrypt a plain text value using non FIPS (PBES) algorithm  pwdTools -JSAFE -p <plain text>  [-f <param_file>]
To encrypt a shared secret using PBES algorithm and save it  pwdTools -JSAFEKEY -p <shared_secret>  [-f <param_file>]
To encrypt a plain text using FIPS key file  pwdTools -FIPS -p <plain text> -k <FIPS key file path> [-f <param_file>]
To encrypt a plain text value using non FIPS (RC2) algorithm pwdTools -RC2 -p <plain text> [-f <param_file>]

In this example, we are going to compare our current password values.

Execute the below command:
pwdTools -RC2 -p password1

Results:
     Plain Text: password1
     Encrypted value: {RC2}:vDZXXXXXXXXAXYzSw==

 

In this example, we are going to compare our current password values, this time using the PBES algorithm.

Execute the following command:
pwdTools -JSAFE -p password1

Results:

     Plain Text: password1
     Encrypted value: {PBES}:WQf3wza4JfYe3zPI8zcveQ==

Step 4:

Replace the {PBES} value within the XML with the new {PBES} value and upload the XML file.

Step 5:

Restart the IM Application Server
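
Added example (not part of the original article or of the product's tooling): one way to make the Step 4 edit without hand-editing the export, refusing any value that is not in the {PBES}: form printed by pwdTools -JSAFE. The wrapper elements in the sample XML, the function name, and the assumption that the part after {PBES}: is base64 are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the first <Credentials> element comes from the
# article; the wrapper elements and the second account are made up.
SAMPLE_XML = """<Directory name="ProvDir">
  <Provider>
    <Credentials user="eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta">{PBES}:WQf3wza4JfYe3zPI8zcveQ==</Credentials>
  </Provider>
  <Provider>
    <Credentials user="cn=other,dc=example">{PBES}:AAAAAAAAAAAAAAAAAAAAAA==</Credentials>
  </Provider>
</Directory>"""

ADMIN_DN = ("eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,"
            "eTNamespaceName=CommonObjects,dc=im,dc=eta")
# Format of the pwdTools -JSAFE result shown in the article: {PBES}:<value>.
# Treating <value> as base64 is an assumption of this example.
PBES_VALUE = re.compile(r"\{PBES\}:[A-Za-z0-9+/]+={0,2}")


def replace_credentials(xml_text, user_dn, new_value):
    """Return the XML with the <Credentials> value for user_dn replaced."""
    if not PBES_VALUE.fullmatch(new_value):
        # Rejects a clear-text password and an {RC2} value alike.
        raise ValueError("new value is not a {PBES}:<base64> string")
    root = ET.fromstring(xml_text)
    matches = [el for el in root.iter()
               if el.tag.rsplit("}", 1)[-1] == "Credentials"  # ignore namespaces
               and el.get("user", "").lower() == user_dn.lower()]
    if len(matches) != 1:
        # Zero or several hits means the DN is wrong or the file is unexpected.
        raise LookupError(f"expected 1 Credentials element, found {len(matches)}")
    matches[0].text = new_value
    # ElementTree drops comments and the XML declaration: diff before upload.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed value standing in for real pwdTools -JSAFE output.
    print(replace_credentials(SAMPLE_XML, ADMIN_DN,
                              "{PBES}:Q29uc3RydWN0ZWRWYWx1ZQ=="))
```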

 

If you are not able to export your environment, please follow these steps:

Step 1: Stop The Identity Manager Application Server

Step 2: Update the Administrator user password on the source

Navigate to the directory where the Administrator account is stored and update its password to the new password value.

Step 3: Configure pwdtools.bat

Go to: CA\Identity Manager\IAM Suite\Identity Manager\tools\PasswordTool
Right-click the bat file and edit it to set the JAVA_EXE variable.
Example: SET JAVA_EXE=C:\Java\jdk1.8.0_245\jre\bin\java.exe

Next, open CMD, cd to the location of pwdtools.bat, and run pwdtools.bat.

Screen output:
To create a FIPS key file  pwdtools -FIPSKEY -k <FIPS key file location>  [-f <param_file>]
To add a FIPS key  pwdtools -FIPSKEY -add  [-f <param_file>]
To encrypt a plain text value using non FIPS (PBES) algorithm  pwdTools -JSAFE -p <plain text>  [-f <param_file>]
To encrypt a shared secret using PBES algorithm and save it  pwdTools -JSAFEKEY -p <shared_secret>  [-f <param_file>]
To encrypt a plain text using FIPS key file  pwdTools -FIPS -p <plain text> -k <FIPS key file path> [-f <param_file>]
To encrypt a plain text value using non FIPS (RC2) algorithm pwdTools -RC2 -p <plain text> [-f <param_file>]

In this example, we are going to compare our current password values.

Execute the below command:
pwdTools -RC2 -p password1

Results:
     Plain Text: password1
     Encrypted value: {RC2}:vDZXXXXXXXXAXYzSw==

 

Step 4: Update The Object Store:

Navigate to the following table: [imdb].[dbo].[IM_DIR_CONNECTION]

Execute: SELECT * FROM [imdb].[dbo].[IM_DIR_CONNECTION]

Under the Connection_Name column, find your provisioning repository.

Navigate to the Password column.

Replace the previous encrypted {RC2} value with the new value, e.g. {RC2}:vDZXXXXXXXXAXYzSw==

Step 5: Start The Identity Manager Application Server