Managing the default Policy Manager administrator account


Article ID: 42844


Products

CA API Gateway

Issue/Introduction

The local Policy Manager administrator account is used to ensure administrative access to the Gateway via the Policy Manager is available even if an external identity provider that provides user authentication and authorization is disabled or unavailable. It may be necessary to reset this password if the credentials are lost. This article will describe this process.

Environment

API Gateway: 9.X, 10.X

Resolution

The administrative credentials for a user authorized to access the CA API Gateway Policy Manager can be changed by any other user assigned to the Administrator role within the API Gateway. If another administrative user is not available then the credentials can be reset from the privileged shell of the API Gateway appliance as the root user. To reset the credentials in this manner, do the following:

  1. Connect to the API Gateway via a serial cable, direct console access, or SSH

  2. Log in as the ssgconfig user

  3. Select Option #3: Use a privileged shell (root)

  4. Execute the following command: /opt/SecureSpan/Appliance/bin/resetAdmin.sh <dbUser> <dbPassword>

NOTE: The values <dbUser> and <dbPassword> should be replaced with the username and password of the privileged MySQL user. The privileged Linux user account is not used for this purpose.

  5. Provide the API Gateway database name

  6. Provide the username of the administrative account to be unlocked

The password for the account named in step #6 will be changed to "password". It is recommended that this password be changed immediately upon logging in, and that the replacement password conform to the Gateway password policy.

If the account is locked out due to too many failed logon attempts, changing the password is not enough: the user will still receive the error "'admin' exceeded max failed logon attempts" when trying to log in. To fix this, remove the corresponding record for admin from the logon_info table:

# mysql -e "DELETE FROM ssg.logon_info WHERE login='admin';"
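
The command above hardcodes admin, while step #6 accepts any administrative username. The following is an added example, not part of the original article or the vendor's tooling: it builds the same DELETE for a named account, refuses names that could break out of the quoted SQL literal, and shows the row before removing it. The function names and the allowed character set are assumptions; the table and column names are the ones given above.

```shell
#!/bin/bash
# Added example: clear the Policy Manager lockout record for a named account.
# Assumption: login names use only letters, digits, '.', '_', '@' and '-'.
# Widen the pattern only if your account names require it.

# Reject empty names and anything outside the allowed character set,
# so a quote or semicolon can never reach the SQL statement.
valid_login() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the article's DELETE statement for the given login name.
# ssg.logon_info and the login column come from the article.
build_unlock_sql() {
    valid_login "$1" || return 1
    printf "DELETE FROM ssg.logon_info WHERE login='%s';" "$1"
}

# Show the lockout row, then delete it. Run from the privileged (root) shell,
# where mysql is invoked the same way as in the article.
unlock_account() {
    sql=$(build_unlock_sql "$1") || {
        echo "refusing login name: $1" >&2
        return 2
    }
    mysql -e "SELECT * FROM ssg.logon_info WHERE login='$1';" || return 3
    mysql -e "$sql"
}

# Act only when exactly one login name is passed on the command line.
if [ "$#" -eq 1 ]; then
    unlock_account "$1"
fi
```
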

Additional Information