- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 7.0.0, 7.0.1
- Component/s: documentation, Module - Authentication
- Labels:
Config-based authentication for Internal users did not make it into the Security Guide where it explains how to replace the admin user: https://backstage.forgerock.com/docs/idm/7/security-guide/managing-openidm-admin.html#managing-openidm-admin
Some of these steps may already mix with the current documentation. These are the steps I found to work for me. Notice there are different ways to approach it, but I wasn't sure which fit best with the current documentation. I included additional steps to avoid an IDM restart, since a restart was not previously a requirement to configure a new admin user.
- Create a new "admin" user (note: no "authzRoles" on the user itself any more; the admin roles come from "defaultUserRoles" in the STATIC_USER module)
    curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --header "Content-Type: application/json" \
      --cacert ca-cert.pem \
      --request PUT \
      --data '{ "password": "Passw0rd" }' \
      "https://localhost:8443/openidm/internal/user/admin"
- Enable the new admin and disable the openidm-admin user
  - Without an IDM restart (by setting the authentication password directly; the password is then stored in clear text in authentication.json instead of being referenced from boot.properties)
    - Replace the STATIC_USER authModule in pathToIdm/conf/authentication.json that has "username" : "openidm-admin" with:
        {
          "name" : "STATIC_USER",
          "properties" : {
            "queryOnResource" : "internal/user",
            "username" : "admin",
            "password" : "Passw0rd",
            "defaultUserRoles" : [
              "internal/role/openidm-authorized",
              "internal/role/openidm-admin"
            ]
          },
          "enabled" : true
        }
  - With an IDM restart
    - Change the STATIC_USER authModule in pathToIdm/conf/authentication.json from "username" : "openidm-admin" to "username" : "admin"
    - Change the value of the "openidm.admin.password" property in pathToIdm/resolver/boot.properties from "openidm-admin" to "Passw0rd"
    - Restart IDM
  - If removing the openidm-admin Internal user
    - Authenticating as your new admin user (which also confirms the new credentials work before the old account is gone), delete the openidm-admin user:
        curl \
          --header "X-OpenIDM-Username: admin" \
          --header "X-OpenIDM-Password: Passw0rd" \
          --header "Accept-API-Version: resource=1.0" \
          --cacert ca-cert.pem \
          --request DELETE \
          "https://localhost:8443/openidm/internal/user/openidm-admin"
- Enable the new admin without disabling or removing the openidm-admin user
  - Without an IDM restart (by setting the authentication password directly)
    - Add an additional STATIC_USER module in pathToIdm/conf/authentication.json:
        {
          "name" : "STATIC_USER",
          "properties" : {
            "queryOnResource" : "internal/user",
            "username" : "admin",
            "password" : "Passw0rd",
            "defaultUserRoles" : [
              "internal/role/openidm-authorized",
              "internal/role/openidm-admin"
            ]
          },
          "enabled" : true
        }
  - With an IDM restart
    - Shut down IDM
    - Add a boot property in pathToIdm/resolver/boot.properties for your new admin password: openidm.newadmin.password=Passw0rd
    - Add an additional STATIC_USER module in pathToIdm/conf/authentication.json:
        {
          "name" : "STATIC_USER",
          "properties" : {
            "queryOnResource" : "internal/user",
            "username" : "admin",
            "password" : "&{openidm.newadmin.password}",
            "defaultUserRoles" : [
              "internal/role/openidm-authorized",
              "internal/role/openidm-admin"
            ]
          },
          "enabled" : true
        }
    - Start up IDM
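The two variants above (repoint the existing STATIC_USER module, or add a second one) and the boot.properties change are small JSON and properties edits, but done by hand it is easy to end up with no enabled admin module, the old openidm-admin module still enabled, or a literal password left in authentication.json by accident. The following Python script is an added example written for this ticket, not ForgeRock code: it applies either variant to a copy of the parsed config, updates boot.properties text, and checks the result before anything is written back. The sample authentication.json and boot.properties fragments are constructed for the example (the real file carries more modules), and all function names are the example's own.

```python
import copy
import json

# Constructed sample: the STATIC_USER module and one neighbour from a default
# IDM 7 conf/authentication.json (the real file carries more modules).
SAMPLE_AUTH_JSON = """{"serverAuthContext": {"authModules": [
  {"name": "STATIC_USER", "enabled": true,
   "properties": {"queryOnResource": "internal/user",
                  "username": "openidm-admin",
                  "password": "&{openidm.admin.password}",
                  "defaultUserRoles": ["internal/role/openidm-authorized",
                                       "internal/role/openidm-admin"]}},
  {"name": "MANAGED_USER", "enabled": true,
   "properties": {"queryOnResource": "managed/user"}}
]}}"""

# Constructed sample: two lines as found in resolver/boot.properties.
SAMPLE_BOOT_PROPERTIES = ("openidm.port.https=8443\n"
                          "openidm.admin.password=openidm-admin\n")

ADMIN_ROLES = ["internal/role/openidm-authorized", "internal/role/openidm-admin"]


def sample_config():
    """Parse the constructed authentication.json fragment."""
    return json.loads(SAMPLE_AUTH_JSON)


def static_user_modules(config):
    """All STATIC_USER entries under serverAuthContext.authModules."""
    return [m for m in config["serverAuthContext"]["authModules"]
            if m.get("name") == "STATIC_USER"]


def find_static_user(config, username):
    """The STATIC_USER module whose username matches, or None."""
    return next((m for m in static_user_modules(config)
                 if m["properties"].get("username") == username), None)


def replace_static_admin(config, old_username, new_username, password_ref):
    """Variant 1: repoint the existing STATIC_USER module at the new account.
    password_ref is a literal password (no-restart variant) or a boot
    property reference such as "&{openidm.admin.password}" (restart variant)."""
    cfg = copy.deepcopy(config)
    mod = find_static_user(cfg, old_username)
    if mod is None:
        raise ValueError(f"no STATIC_USER module for {old_username!r}")
    mod["properties"]["username"] = new_username
    mod["properties"]["password"] = password_ref
    return cfg


def add_static_admin(config, new_username, password_ref):
    """Variant 2: add a second STATIC_USER module and keep openidm-admin."""
    cfg = copy.deepcopy(config)
    if find_static_user(cfg, new_username) is not None:
        raise ValueError(f"STATIC_USER module for {new_username!r} already exists")
    modules = cfg["serverAuthContext"]["authModules"]
    # Insert right after the last STATIC_USER so the static modules stay together.
    last = max((i for i, m in enumerate(modules) if m.get("name") == "STATIC_USER"),
               default=-1)
    modules.insert(last + 1, {
        "name": "STATIC_USER",
        "properties": {"queryOnResource": "internal/user",
                       "username": new_username,
                       "password": password_ref,
                       "defaultUserRoles": list(ADMIN_ROLES)},
        "enabled": True,
    })
    return cfg


def set_boot_property(text, key, value):
    """Set key=value in boot.properties text: replace an existing line or append."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = f"{key}={value}"
            break
    else:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def check_admin_config(config, new_username, old_username="openidm-admin",
                       keep_old=False):
    """Return the problems found; an empty list means the config matches intent.
    A literal password is reported so that it is a conscious choice, not an accident."""
    problems = []
    new_mod = find_static_user(config, new_username)
    if new_mod is None or not new_mod.get("enabled", False):
        problems.append(f"no enabled STATIC_USER module for {new_username!r}")
    elif not set(ADMIN_ROLES) <= set(new_mod["properties"].get("defaultUserRoles", [])):
        problems.append(f"{new_username!r} lacks the openidm-admin/openidm-authorized roles")
    old_mod = find_static_user(config, old_username)
    if old_mod is not None and old_mod.get("enabled", False) and not keep_old:
        problems.append(f"{old_username!r} is still an enabled STATIC_USER")
    for m in static_user_modules(config):
        pw = m["properties"].get("password", "")
        if not (pw.startswith("&{") and pw.endswith("}")):
            problems.append("plaintext password in STATIC_USER module for "
                            f"{m['properties'].get('username')!r}")
    return problems
```

Run `check_admin_config(cfg, "admin")` after variant 1 and `check_admin_config(cfg, "admin", keep_old=True)` after variant 2; an empty list means the new admin module is enabled with both roles and every STATIC_USER password is a `&{...}` boot property reference. The no-restart variants deliberately use a literal password, so the "plaintext password" finding is expected there and is the reminder to move it into boot.properties once a restart window is available.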