The dsameuser password does not appear to be required during the bootstrap process. In AM < 14 it is encoded in the bootstrap file; in AM 14 it is stored in the keystore.
After various experiments with OpenAM and ssoadm, we note the following:
- A dsameuser password is needed for initial boot, before the configuration store is opened. However, it does not appear to matter what the password is, and it does not need to match the password value for dsameuser in the configuration store.
- After the initial boot phase, dsameuser is re-initialized with the password from the configuration store.
The conclusion: There is no need to sync the password from the config store to the bootstrap / keystore. For initial boot, the value can be set to any random string.
The presence of the password in the bootstrap / keystore confuses users and introduces additional documentation requirements. It should be removed.