  1. OpenAM
  2. OPENAM-10175

Remove dsameuser password from bootstrap file / keystore

    Details

    • Type: Improvement
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: install
    • Labels:

      Description

      The dsameuser password does not appear to be required during the bootstrap process. In AM < 14 it is encoded in the bootstrap file; in AM 14 it is stored in the keystore.

      After various experiments with OpenAM and ssoadm, we note the following:

      • A dsameuser password is needed for initial boot, before the configuration store is opened. However, it does not appear to matter what the password is, and it does not need to match the password value for dsameuser in the configuration store.
      • After the initial boot phase, dsameuser is re-initialized with the password from the configuration store.

      The conclusion: There is no need to sync the password from the config store to the bootstrap / keystore. For initial boot, the value can be set to any random string.

      The presence of the password in the bootstrap / keystore confuses users and introduces additional documentation requirements. It should be removed.

              People

              • Assignee: Warren Strange (warren.strange@forgerock.com)
              • Reporter: Warren Strange (warren.strange@forgerock.com)
              • Votes: 0
              • Watchers: 10
