Web Hosting Journal

It is not straight forward to change amadmin password on an Access Manager 7.1 setup. If you simply change it on subject tab of AM console, you would fail to login once you logout.

This is due to the factor that amadmin's password is saved in a separate entry of Directory Server. You need to save the new password into this entry after changing it on the console. But the password is not saved as is but needs both encrypted and hashed. Unfortunately, the current cli tool ampassword does not help.

Actually this issue had been noticed by the team and the fix - new option to do both encrypt and hash of ampassword - will be available in the next patch 7.1p4. You don't have to wait for the official release though. Here is the alternative:

1) Save the following java code in a file say PasswordHashEncryption.java.

import com.iplanet.services.util.Crypt;
import com.iplanet.services.util.Hash;

class PasswordHashEncryption {
public static void main(String[] args) {
if (args.length != 1) {
System.out.println("Usage: PasswordHashEncryption ");
System.exit(1);
}
String st = Hash.hash(args[0]);
st = Crypt.encode(st);
System.out.println(st);
}
}

2) Compile this java file with am_sdk.jar in the classpath.

3) Run this class to generate encrypted/hashed new password
$JAVA_HOME/bin/java -cp .:/etc/opt/sun/identity/config:/opt/sun/identity/lib/am_sdk.jar:/opt/sun/private/share/lib/jss4.jar PasswordHashEncryption

Note you need to set LD_LIBRARY_PATH=/opt/sun/private/lib to have libjss4.so in the library path. Path of jss4.jar and libjss4.so vary on different platform, so does the path to am_sdk.jar and AMConfig.properties file.

Now it is time to delete old password and add the new one from entry ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com (suppose the DS root suffix is dc=com). You can run ldapmodify tool

ldapmodfy -D "cn=directory manager" -w $pass -h $host -p $port