Manage the System Passwords and Secrets
The changePasswords.sh script allows you to update various obfuscated passwords in the ActivID AS application configuration files (for example, after changing a database password or HSM PIN).
This script should be executed as ftadmin.
Update the Security Domain Passwords
As the database administrator, renew the database users' passwords before the expiration at the database level.
- As the web server administrator, update the JDBC connectors with the new passwords and to check that the database connectivity succeeds.
-
Stop the ActivID AS instances.
-
As ftadmin, run the changePasswords.sh script and update and obfuscate the security domain password using the Security domains password menu.
-
Restart the ActivID AS instances.
This will update the various obfuscated passwords in the ActivID AS configuration files and allow internal scripts to work silently.
The new password will be validated before updating the ActivID AS installation.
- As the application server administrator, update the data source configuration with the new runtime user passwords and check that the database connection succeeds.
- Stop the ActivID AS instances.
- As ftadmin, run the changePasswords.sh script and update and obfuscate the credentials using the Database Credentials menu.
- Restart the ActivID AS instances.
This will update the various obfuscated passwords in the ActivID AS configuration files and allow internal scripts to work silently.
Update the ActivID AS JMX Credentials
ActivID AS needs to access the application server Mbean server to publish and invoke JMX beans. If this Mbean server is secured, this menu allows you to update the obfuscated JMX credentials in the ActivID AS installation.
-
As ftadmin, run the changePasswords.sh script and update the obfuscated username/password using the ActivID Server JMX credentials menu.
-
Restart the ActivID AS server.
Update the ActivID AS Applications Keystore Password
The ActivID AS applications software keystore is split in two files in the <ACTIVID_HOME>/ActivID_AS/config directory:
-
ActivID.keystore − (only if ActivID AS is installed locally) contains the:
- ActivID AS secret keys (if not using an HSM)
- SAML IDP key pairs
-
SYSUSERS.keystore − only contains the security domain system users key pairs.
To change the password of these two keystore files, apply the following:
-
As ftadmin, run the changePasswords.sh script and update the password using the ActivID AS Key Store password menu.
-
Restart the ActivID AS server.
Update the ActivID AS Applications Truststore Password
The ActivID AS applications truststore is used by ActivID AS for SAML certificate validation and by the utility scripts for SSL communications.
To change the truststore password:
-
As ftadmin, run the changePasswords.sh script and update the obfuscated password using the SSL Server Trust Store password menu.
-
Restart the ActivID AS server.
Update the HSM User PIN
To change the HSM PIN:
-
Stop the ActivID AS instances.
-
Change the HSM PIN.
-
As ftadmin, run the changePasswords.sh script and select the HSM Public Slot User PIN menu to update the obfuscated HSM PIN.
-
Restart the ActivID AS instances.
The new PIN will be validated before updating the ActivID AS installation.
Update the RADIUS Front End Credentials
The RADIUS Front-End has one ActivID AS direct user per security domain. The users’ credentials are obfuscated in the /etc/raddb/activid/activid.conf file.
To update the RFE username and password:
-
Stop the RADIUS Front-end.
-
Update the RFE direct user password using the ActivID Management Console.
-
As ftadmin, update the obfuscated password using the following command:
Copy<ACTIVID_HOME>/ActivID_AS/bin/manageRFE.sh –m <domain name>
-
Restart the RADIUS Front-end.
For further information, refer to the ActivID Authentication Server RADIUS Front End Solution Guide available from the ActivID Customer Portal.