IY83559: AFTER CHANGING ISCADMIN PASSWOR, A RESTART OF ISC PORTAL FAILS

Tivoli Federated Identify Manager 6.0 Fixpack 7 6.0.0-TIV-TFIM-LA0007

APAR status

• Closed as documentation error.

Error description

• Customer had to change the password to the iscadmin user for ISC
  console. However, after the change was done in console, customer
  could not stop the server. Here is the output observed during
  stop:
  ------------------------------
  
  [root@s0280cdc bin]# ./stop_ISC_AppServer.sh
  ADMU0116I: Tool information is being logged in file
             /opt/IBM/ISC/AppServer/logs/server1/stopServer.log
  ADMU3100I: Reading configuration for server: server1
  ADMU0111E: Program exiting with error:
  javax.management.JMRuntimeException:
  ADMN0022E: Access denied for the stop operation on Server MBean
  due
             to insufficient or empty credentials.
  ADMU4113E: Verify that user and password information is on the
  command
  line
  (-user and -password) or in the <conntype>.client.props file.
  ADMU0211I: Error details may be seen in the file:
             /opt/IBM/ISC/AppServer/logs/server1/stopServer.log
  ADMU1211I: To obtain a full trace of the failure, use the -trace
  option.
  ---------------------------------
  
  Therefore customer could not restart the server. Console is
  still up and running. However customer cannot log into console
  using old or new password.
  
  I was able to recreate customer issue in my lab setup.
  Therefore, this problem is recreatable.
  
  No workaround seems available. Killing the ISC process and a
  start of ISC portal did not work
  

Local fix

• During change of password, the security.xml file in ./opt/IBM/IS
  C/AppServer/config/cells/DefaultNode/security.xml is not updated
  with new 'iscadmin' password. Simply change the following line
  that contains the iscadmin password:
  
   serverId="iscadmin" serverPassword="{xor}Lz4sLChvLTs="
  
  You can fill in new password in clear text by first removing all
  characters between double quotes.
  
  If you need password in xor mode, use the following steps to
  encode password:
  ----------------------------
  For the password in clear text, you can use the WAS tool called
  'PropFilePasswordEncoder.sh'. Here is a link which describes the
  tool:
  
  http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp
  ?topic=/com.ibm.websphere.exp.doc/info/exp/ae/tsec_protplaintxt.
  html
  
  Simply create a new dummy file, any name you prefer. Edit the
  file and add a line with variable set to the your password (ex
  pass=fortknox). Do not put quotes around the password text. Then
  execute the 'PropFilePasswordEncoder.sh < file name> <password
  variable name>' script. The password will now be xor'd within
  the file you created. Here is an example:
  
  contents of dummy file called 'dummy.prop':
  pass=fortknox
  
  execute 'PropFilePasswordEncoder.sh dummy.prop pass'
  
  new contents of dummy file:
  
  #Tue Apr 04 12:55:56 CDT 2006
  pass={xor}OTAtKzQxMCc\=
  
  remove the '\' character (ie '{xor}OTAtKzQxMCc=') and place the
  encrypted text into security.xml for iscadmin password.
  
  Stop and restart ISC_Portal to make sure password is still
  correct.
  ------------------------------------
  

Problem summary

• After installing the TFIM Administration Consol
  e, changing the password for iscadmin in the ISC no longer allow
  s restarting the ISC with either the old or the new password and
   if you stop the ISC or reboot it will not be usable.
  

Problem conclusion

• The fix for this APAR is expected to be cont
  ained in the following maintenance delivery vehicle:
  | LA interim fix | 6.0.0-TIV-TFIM-LA0008
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels