Access Manager Administrative Accounts

During the installation of Access Manager, the following administrative accounts are created:

• Administrator user ID (amadmin) is the Access Manager top-level administrator that has unlimited access to all entries managed by Access Manager. You cannot change the default name, amadmin.

  During installation, you must provide a password for amadmin. To change the amadmin password after installation, use the Access Manager Administration Console.

• Bind DN user for LDAP, Membership, and Policy services (amldapuser) is the administrative user that has read and search access to all Directory Server entries. You cannot change the default name, amldapuser.

  During installation, you must provide a password for amldapuser. Do not use the same password that you used for amadmin. To change the amldapuser password after installation, use the Directory Server Console or the ldapmodify utility.

  If you change the amldapuser password, you must also modify the LDAP authentication service and policy configuration services to reflect the change (amldapuser is the default user used in these services). You must make changes in each organization where these services are registered.

• Proxy user (puser) can take on any user's privileges (for example, an organization administrator or end user).

• Admin user (dsameuser) is used for binding purposes when the Access Manager SDK performs operations on Directory Server that are not linked to a particular user (for example, retrieving service configuration information).

Both puser and dsameuser have an associated password that is stored in encrypted format in the serverconfig.xml file, in the following directories:

• Solaris systems: /etc/opt/SUNWam/config

• Linux and HP-UX systems: /etc/opt/sun/identity/config

• Windows systems: javaes-install-dir\identity\config

  The javaes-install-dir variable represents the Java ES 5 installation directory. The default value is C:\Program Files\Sun\JavaES5.

After installation, it is recommended that you change the password for puser and dsameuser, but do not use the same password that you used for amadmin or amldapuser. To change the puser or dsameuser password, use the ampassword utility:

• The ampassword --admin (or -a) option changes the password for dsameuser. (This option does not change the amadmin password.)

• The ampassword --proxy (or -p) option changes the password for puser.

Changing the puser or dsameuser password depends on your deployment.

If Access Manager is deployed on a single host server:

1. Use the ampassword utility to change the respective password in Directory Server and in the local serverconfig.xml file.

2. Restart the Access Manager web container.

If Access Manager is deployed on multiple host servers:

1. On the first server, use the ampassword utility to change the respective password in Directory Server and in the local serverconfig.xml file.

2. Encrypt the new password using the ampassword --encrypt (or -e) option.

3. On each additional server where Access Manager is deployed, change the password manually in the serverconfig.xml file, using the new encrypted password from Step 2.

4. On each server where you changed the password, including the first server, restart the Access Manager web container.

For information about the ampassword utility, see the Sun Java System Access Manager 7.1 Administration Reference.