How do I reset the Identity Manager Provisioning Repository Credential on Linux

book

Article ID: 11377

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

This tech doc should be implemented only when there is a mismatch between the password in IMPD and the one in registry and which means IMPS not being able to start without authorizing anonymous access for IMPS/IMPD communication.

In such case, the Identity Manager Provisioning Server service can no longer start up


We saw LDAP_INVALID_CREDENTIALS error in the etatrans log

Verifying that directory DSA 'impd-main' is available.

ldaps://impd-machine-name:20391. Connecting (busy=0, waiters=0, connecting=1)

ldaps://impd-machine-name:20391. Failed to connect: RC=LDAP_INVALID_CREDENTIALS (0x31) Retry=0

***** STARTUP ERROR [EtaServer] *****: Required directory DSA 'impd-main' is not available.  Shutting down IM Provisioning Server.

***** SHUTDOWN of Identity Manager Provisioning Server initiated *****


How do we reset the Provisioning Repository password for IM Provisioning Server running on Linux?

Environment

CA Identity Manager 12.x / 14.x running over RedHat 6.x or 7.x

Resolution

The following is the summary of the procedure for resetting the Provisioning Repository password for IM Provisioning Server running on Linux:

•Enable anonymous access to the Provisioning Repository

•Change the userPassword on eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb entry

•Adjust registry setting and allow IM Provisioning Server to access the Provisioning Repository anonymously

•Start Provisioning Server service

•Use pwdmgr utility to re-establish repository password

•Disable anonymous access to the Provisioning Repository

•Restart Provisioning Server to verify the change.

 

The following are the steps:

Enable anonymous access to the Provisioning Repository, please perform the steps on ALL Provisioning Repository machines

1.logon as the user dsa, or open the shell of user dsa

sudo su - dsa

2.dxserver stop all

3.edit $DXHOME/config/settings/impd.dxc, change the min-auth setting from:

       set min-auth = clear-password;

to:

       set min-auth = none;

4.edit all the Provisioning Repository DSA's knowledge files in $DXHOME/config/knowledge folder:

        *-impd-co.dxc

        *-impd-inc.dxc    

        *-impd-main.dxc   

        *-impd-notify.dxc 

        *-imps-router.dxc

change the auth-levels setting of each DSA from

        auth-levels   = clear-password

to:

        auth-levels   = anonymous, clear-password

5.start IM Provisioning Repository DSAs

dxserver start all

 

Change the userPassword on eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb entry

1.use Jxplorer or your preferred ldap browser, connect to the IM Provisioning Repository machine on port 20391 anonymously, and change userPassword value to a new password on  the following 2 entries:

        eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

        eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb

2.ensure the Jxplorer can connect to the IM Provisioning Repository port 20391 with the new password

 

Adjust registry setting and allow IM Provisioning Server to access the Provisioning Repository anonymously, please perform the steps on ALL the machines hosting the Provisioning Server

1.logon as user imps, or open the shell of user imps

sudo su - imps

2.delete the following 2 files 

        /opt/CA/SharedComponents/EnterpriseCommonServices/registry/hkey_local_machine/software/computerassociates/identity_manager/provisioning_server/domains/eta/etpassworddb

        /opt/CA/SharedComponents/EnterpriseCommonServices/registry/hkey_local_machine/software/computerassociates/identity_manager/provisioning_server/domains/im/etpassworddb

 

Start Provisioning Server service

1.start the Provisioning Server service

2.review the etatrans log, confirm the following lines presenting

ALERT: Repository password cannot be decrypted; ANONYMOUS access used for repository communication. Use Password Manager to re-establish repository password and check TLS/SSL settings.

...

Verifying that directory DSA 'impd-main' is available.

...

Verifying that directory DSA 'impd-co' is available.

...

Verifying that directory DSA 'impd-inc' is available.

...

Verifying that directory DSA 'impd-notify' is available.

3.confirm the administrative user can logon Provisioning Manager and search the Global Users

 

Use pwdmgr utiilty to re-establish repository password, please perform the steps on ALL the machines hosting the Provisioning Server

1.logon as user imps, or open the shell of user imps

sudo su - imps

2.cd ~/bin

3.pwdmgr re-establish repository password for accessing eta and im domains, for example

-bash-4.1$ pwdmgr

Administrator ID: etaadmin

Password for administrator:

Component: Administrative (D)irectory, (P)rovisioning Server, (C)++ Connector Server: D

Domain (enter "eta" for the top-level domain): eta

New Password: new-password

Confirm Password: new-password

Password locked down to the following host configuration

Password host: impd-machine-name

Password port: 20391

Password tls port: 20391

Successfully set password

WARNING: You must re-start your Provisioning Server for it to continue to work correctly

 

-bash-4.1$ pwdmgr

Administrator ID: etaadmin

Password for administrator:

Component: Administrative (D)irectory, (P)rovisioning Server, (C)++ Connector Server: D

Domain (enter "eta" for the top-level domain): im

New Password: new-password

Confirm Password: new-password

Password locked down to the following host configuration

Password host: impd-machine-name

Password port: 20391

Password tls port: 20391

Successfully set password

WARNING: You must re-start your Provisioning Server for it to continue to work correctly

  

NOTE: please replace the parameters in Italics with the actual values from your environment.

 

Disable anonymous access to the Provisioning Repository, please perform the steps on ALL Provisioning Repository machines

1.logon as the user dsa, or open the shell of user dsa

sudo su - dsa

2.edit $DXHOME/config/settings/impd.dxc, change the min-auth setting from:

       set min-auth = none;

to:

       set min-auth = clear-password;

3.edit all the Provisioning Repository DSA's knowledge files in $DXHOME/config/knowledge folder:

        *-impd-co.dxc

        *-impd-inc.dxc    

        *-impd-main.dxc   

        *-impd-notify.dxc 

        *-imps-router.dxc

change the auth-levels setting of each DSA from

        auth-levels   = anonymous, clear-password

to:

        auth-levels   = clear-password

4.re-load the configurations

 

dxserver init all

 

Restart IM Provisioning Server to verify the change.

1.stop the IM Provisioning Server

2.start the IM Provisioning Server

3.review the etatrans log and confirm there is no LDAP_INVALID_CREDENTIALS errors any more

 

4.confirm the administrative user can logon Provisioning Manager and search the Global Users

 

Additional Information

1.For routine DB/IMPD password reset, pwdmgr should be utilized.

This document needs to be followed only when there is a mismatch between the password in IMPD and the one in registry

 

2. When utilizing pwdmgr for routine password reset, for “Password host”,  we need to ensure to use the one corresponding to DbHost in im_ps.conf. In vApp it is using alias rather than the IP address, or even the output of hostname e.g.

 

[email protected] VAPP-14.2.0 (10.97.110.159):~ > hostname

myvapp142fips

[email protected] VAPP-14.2.0 (10.97.110.159):~ > grep DbHost data/im_ps.conf

DbHost           ca-prov-srv

 

If the same hostname is not being used, then IMPS won’t start and will report “Failed to connect: RC=LDAP_INAPPROPRIATE_AUTH (0x30)”

 

Also please refer to the associated Knowledge Article - How to reset the Provisioning Repository password for IMPS on Windows?

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=141211