How do I reset the Identity Manager Provisioning Repository Credential on Linux

Document ID:  TEC3304993
Last Modified Date:  07/10/2017

Products

  • CA Identity Manager

Releases

  • CA Identity Manager:Release:12.6 SP1
  • CA Identity Manager:Release:12.6.0
  • CA Identity Manager:Release:12.6.01
  • CA Identity Manager:Release:12.6.1
  • CA Identity Manager:Release:12.6.2
  • CA Identity Manager:Release:12.6.3
  • CA Identity Manager:Release:12.6.4
  • CA Identity Manager:Release:12.6.5
  • CA Identity Manager:Release:12.6.6
  • CA Identity Manager:Release:12.6.7

Components

  • IdentityMinder(Identity Manager):IDMGR

Introduction:

We restored the IM Provisioning Repository from an LDIF dump file and do not know the userPassword on the eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb entry, so the Identity Manager Provisioning Server service can no longer start.

We saw an LDAP_INVALID_CREDENTIALS error in the etatrans log:

Verifying that directory DSA 'impd-main' is available.

ldaps://impd-machine-name:20391. Connecting (busy=0, waiters=0, connecting=1)

ldaps://impd-machine-name:20391. Failed to connect: RC=LDAP_INVALID_CREDENTIALS (0x31) Retry=0

***** STARTUP ERROR [EtaServer] *****: Required directory DSA 'impd-main' is not available.  Shutting down IM Provisioning Server.

***** SHUTDOWN of Identity Manager Provisioning Server initiated *****

 

Question:

How do we reset the Provisioning Repository password for IM Provisioning Server running on Linux?

Environment:

CA Identity Manager 12.x / 14.x running on Red Hat 6.x or 7.x

Answer:

The following is a summary of the procedure for resetting the Provisioning Repository password for an IM Provisioning Server running on Linux:

• Enable anonymous access to the Provisioning Repository

• Change the userPassword on the eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb entry

• Adjust the registry setting so that the IM Provisioning Server accesses the Provisioning Repository anonymously

• Start the Provisioning Server service

• Use the pwdmgr utility to re-establish the repository password

• Disable anonymous access to the Provisioning Repository

• Restart the Provisioning Server to verify the change

 

The detailed steps are as follows:

Enable anonymous access to the Provisioning Repository. Perform these steps on ALL Provisioning Repository machines.

1. Log on as the user dsa, or open a shell as user dsa:

sudo su - dsa

2. Stop all DSAs:

dxserver stop all

3. Edit $DXHOME/config/settings/impd.dxc and change the min-auth setting from:

       set min-auth = clear-password;

to:

       set min-auth = none;

4. Edit the knowledge files of all Provisioning Repository DSAs in the $DXHOME/config/knowledge folder:

        *-impd-co.dxc

        *-impd-inc.dxc    

        *-impd-main.dxc   

        *-impd-notify.dxc 

        *-imps-router.dxc

and change the auth-levels setting of each DSA from:

        auth-levels   = clear-password

to:

        auth-levels   = anonymous, clear-password

5. Start the IM Provisioning Repository DSAs:

dxserver start all

 

Change the userPassword on the eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb entry.

1. Use JXplorer or your preferred LDAP browser to connect anonymously to the IM Provisioning Repository machine on port 20391, and change the userPassword value to a new password on the following two entries:

        eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

        eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb

2. Ensure that JXplorer can connect to the IM Provisioning Repository on port 20391 with the new password.

 

Adjust the registry setting so that the IM Provisioning Server accesses the Provisioning Repository anonymously. Perform these steps on ALL machines hosting the Provisioning Server.

1. Log on as user imps, or open a shell as user imps:

sudo su - imps

2. Delete the following two files (with them gone, the server falls back to anonymous repository access, as the ALERT in the next section shows):

        /opt/CA/SharedComponents/EnterpriseCommonServices/registry/hkey_local_machine/software/computerassociates/identity_manager/provisioning_server/domains/eta/etpassworddb

        /opt/CA/SharedComponents/EnterpriseCommonServices/registry/hkey_local_machine/software/computerassociates/identity_manager/provisioning_server/domains/im/etpassworddb

 

Start the Provisioning Server service.

1. Start the Provisioning Server service.

2. Review the etatrans log and confirm that the following lines are present:

ALERT: Repository password cannot be decrypted; ANONYMOUS access used for repository communication. Use Password Manager to re-establish repository password and check TLS/SSL settings.

...

Verifying that directory DSA 'impd-main' is available.

...

Verifying that directory DSA 'impd-co' is available.

...

Verifying that directory DSA 'impd-inc' is available.

...

Verifying that directory DSA 'impd-notify' is available.

3. Confirm that the administrative user can log on to Provisioning Manager and search the Global Users.

 

Use the pwdmgr utility to re-establish the repository password. Perform these steps on ALL machines hosting the Provisioning Server.

1. Log on as user imps, or open a shell as user imps:

sudo su - imps

2. Change to the bin directory:

cd ~/bin

3. Run pwdmgr to re-establish the repository password for the eta and im domains, for example:

-bash-4.1$ pwdmgr

Administrator ID: etaadmin

Password for administrator:

Component: Administrative (D)irectory, (P)rovisioning Server, (C)++ Connector Server: P

Domain (enter "eta" for the top-level domain): eta

New Password: new-password

Confirm Password: new-password

Password locked down to the following host configuration

Password host: impd-machine-name

Password port: 20389

Password tls port: 20389

Successfully set password

WARNING: You must re-start your Provisioning Server for it to continue to work correctly

 

-bash-4.1$ pwdmgr

Administrator ID: etaadmin

Password for administrator:

Component: Administrative (D)irectory, (P)rovisioning Server, (C)++ Connector Server: P

Domain (enter "eta" for the top-level domain): im

New Password: new-password

Confirm Password: new-password

Password locked down to the following host configuration

Password host: impd-machine-name

Password port: 20389

Password tls port: 20389

Successfully set password

WARNING: You must re-start your Provisioning Server for it to continue to work correctly

 

 

NOTE: Replace the placeholder values shown above (for example impd-machine-name and new-password) with the actual values from your environment.

 

Disable anonymous access to the Provisioning Repository. Perform these steps on ALL Provisioning Repository machines.

1. Log on as the user dsa, or open a shell as user dsa:

sudo su - dsa

2. Edit $DXHOME/config/settings/impd.dxc and change the min-auth setting from:

       set min-auth = none;

to:

       set min-auth = clear-password;

3. Edit the knowledge files of all Provisioning Repository DSAs in the $DXHOME/config/knowledge folder:

        *-impd-co.dxc

        *-impd-inc.dxc    

        *-impd-main.dxc   

        *-impd-notify.dxc 

        *-imps-router.dxc

and change the auth-levels setting of each DSA from:

        auth-levels   = anonymous, clear-password

to:

        auth-levels   = clear-password

4. Reload the configuration:

dxserver init all
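The enable steps earlier in this procedure and the disable steps just above are the same two edits applied in opposite directions. The script below is an added example, not part of this CA document and not a CA-supplied tool: it applies either direction with sed and then reports every file under the given DXHOME that still permits anonymous access, which is the check worth running before the final restart, because a knowledge file left at "anonymous, clear-password" keeps that DSA reachable without a password. It assumes the file names and settings exactly as listed in this procedure, and the directory layout it demonstrates on is a constructed temporary copy rather than a live installation. To use it on a real repository, call the functions as the dsa user with $DXHOME as the second argument and follow with dxserver init all.

```shell
#!/bin/sh
# Added example, not CA's code: switch the Provisioning Repository DSA
# configuration between anonymous and clear-password authentication and
# report any file that still allows anonymous access.
# Assumption: the DXHOME argument holds the settings and knowledge files
# named as in the procedure (impd.dxc, *-impd-*.dxc, *-imps-router.dxc).
set -e

# set_min_auth MODE DXHOME   MODE is "none" (enable) or "clear-password" (disable)
set_min_auth() {
    mode="$1"; home="$2"
    sed -i.bak -E "s/^([[:space:]]*set[[:space:]]+min-auth[[:space:]]*=[[:space:]]*)[^;]+;/\1${mode};/" \
        "$home/config/settings/impd.dxc"
}

# set_auth_levels MODE DXHOME   MODE is "anonymous" (enable) or "clear" (disable)
set_auth_levels() {
    mode="$1"; home="$2"
    case "$mode" in
        anonymous) value="anonymous, clear-password" ;;
        clear)     value="clear-password" ;;
        *)         echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    for name in impd-co impd-inc impd-main impd-notify imps-router; do
        for f in "$home"/config/knowledge/*-"$name".dxc; do
            [ -f "$f" ] || continue        # glob did not match: nothing to edit
            sed -i.bak -E "s/^([[:space:]]*auth-levels[[:space:]]*=[[:space:]]*).*/\1${value}/" "$f"
        done
    done
}

# anonymous_access_remaining DXHOME   lists every file still permitting anonymous
# access; returns 0 when none does (the expected state once the reset is finished)
anonymous_access_remaining() {
    home="$1"; found=0
    if grep -Eq '^[[:space:]]*set[[:space:]]+min-auth[[:space:]]*=[[:space:]]*none' \
            "$home/config/settings/impd.dxc"; then
        echo "$home/config/settings/impd.dxc: min-auth = none"; found=1
    fi
    for f in "$home"/config/knowledge/*.dxc; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*auth-levels[[:space:]]*=.*anonymous' "$f"; then
            echo "$f: auth-levels include anonymous"; found=1
        fi
    done
    return $found
}

# make_fixture   builds a constructed DXHOME layout in a temporary directory
# (sample content for the demonstration, not a real CA Directory installation)
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/config/settings" "$d/config/knowledge"
    printf 'set min-auth = clear-password;\n' > "$d/config/settings/impd.dxc"
    for n in impd-co impd-inc impd-main impd-notify imps-router; do
        printf 'set dsa "%s" = {\n    auth-levels   = clear-password\n};\n' "$n" \
            > "$d/config/knowledge/host-$n.dxc"
    done
    echo "$d"
}

# Demonstration: enable for the reset, check, disable afterwards, check again.
demo_home=$(make_fixture)
set_min_auth none "$demo_home"; set_auth_levels anonymous "$demo_home"
anonymous_access_remaining "$demo_home" || echo "-> anonymous access enabled (acceptable only during the reset)"
set_min_auth clear-password "$demo_home"; set_auth_levels clear "$demo_home"
anonymous_access_remaining "$demo_home" && echo "-> anonymous access disabled; now run: dxserver init all"
rm -rf "$demo_home"
```

The sed edits keep a .bak copy of each file so the previous state can be compared; the reporting function ignores those copies because they no longer end in .dxc.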

 

Restart the IM Provisioning Server to verify the change.

1. Stop the IM Provisioning Server.

2. Start the IM Provisioning Server.

3. Review the etatrans log and confirm that there are no more LDAP_INVALID_CREDENTIALS errors.

4. Confirm that the administrative user can log on to Provisioning Manager and search the Global Users.
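The two log reviews in this procedure (the ALERT plus the four "Verifying" lines after the anonymous start, and the absence of LDAP_INVALID_CREDENTIALS after the final restart) can be scripted. The following is an added example, not from the CA document: a shell function that classifies an etatrans log into the states the procedure describes, demonstrated on constructed excerpts that reproduce the quoted messages. It assumes the message texts appear in the log exactly as quoted above; the return codes are this example's own convention. The ANONYMOUS-access ALERT is expected only between deleting the etpassworddb files and running pwdmgr, so if it is still present after the final restart the repository password was not re-established.

```shell
#!/bin/sh
# Added example, not CA's code: classify an etatrans log by the messages this
# procedure tells you to look for. Assumes the messages appear exactly as
# quoted in the document; the sample logs below are constructed, not captures.
set -e

REQUIRED_DSAS="impd-main impd-co impd-inc impd-notify"

# etatrans_status LOGFILE   prints a verdict and returns:
#   0  all required DSAs verified and no anonymous-access alert (finished state)
#   1  LDAP_INVALID_CREDENTIALS / startup error: repository password rejected
#   2  server up, but ANONYMOUS repository access in use (pwdmgr not run yet)
#   3  no error seen, but not every required DSA was verified in this log
etatrans_status() {
    log="$1"
    if grep -Eq 'LDAP_INVALID_CREDENTIALS|STARTUP ERROR|Failed to connect' "$log"; then
        echo "FAIL: repository credential rejected; the server shuts down"
        return 1
    fi
    if grep -q 'ANONYMOUS access used for repository communication' "$log"; then
        echo "WARN: anonymous repository access in use; run pwdmgr, then disable anonymous auth on the DSAs"
        return 2
    fi
    for dsa in $REQUIRED_DSAS; do
        if ! grep -q "Verifying that directory DSA '$dsa' is available" "$log"; then
            echo "INCOMPLETE: DSA '$dsa' not verified in this log"
            return 3
        fi
    done
    echo "OK: all repository DSAs verified, no anonymous-access alert"
    return 0
}

# write_samples   writes three constructed logs mirroring the document's excerpts
# into a temporary directory and prints the directory name
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/bad-credential.log" <<'EOF'
Verifying that directory DSA 'impd-main' is available.
ldaps://impd-machine-name:20391. Connecting (busy=0, waiters=0, connecting=1)
ldaps://impd-machine-name:20391. Failed to connect: RC=LDAP_INVALID_CREDENTIALS (0x31) Retry=0
***** STARTUP ERROR [EtaServer] *****: Required directory DSA 'impd-main' is not available.  Shutting down IM Provisioning Server.
EOF
    cat > "$dir/anonymous.log" <<'EOF'
ALERT: Repository password cannot be decrypted; ANONYMOUS access used for repository communication. Use Password Manager to re-establish repository password and check TLS/SSL settings.
Verifying that directory DSA 'impd-main' is available.
Verifying that directory DSA 'impd-co' is available.
Verifying that directory DSA 'impd-inc' is available.
Verifying that directory DSA 'impd-notify' is available.
EOF
    cat > "$dir/healthy.log" <<'EOF'
Verifying that directory DSA 'impd-main' is available.
Verifying that directory DSA 'impd-co' is available.
Verifying that directory DSA 'impd-inc' is available.
Verifying that directory DSA 'impd-notify' is available.
EOF
    echo "$dir"
}

# Demonstration over the three constructed logs.
sample_dir=$(write_samples)
for sample in bad-credential anonymous healthy; do
    printf '%s: ' "$sample"
    etatrans_status "$sample_dir/$sample.log" || true
done
rm -rf "$sample_dir"
```

On a real system point etatrans_status at the current etatrans log after each restart in the procedure: expect 2 after the anonymous start and 0 after the final restart; a 1 at any point means the credential change did not take on that DSA.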

 
