Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide

Installation Considerations

When you install the first Access Manager instance, the Java Enterprise System installer generates a default password encryption key string. You can either accept this default value or specify another value produced by a J2EE random number generator. The installer stores the password encryption key value in the am.encryption.pwd attribute in the AMConfig.properties file.

If you specify a value for the password encryption key, the string must be at least 12 characters long.

To deploy multiple instances of Access Manager, save the password encryption key value from the am.encryption.pwd attribute after you install the first instance. Then, use this key value to set the value when you deploy additional instances:

The following scenarios explain why you might need to retrieve and change the password encryption key. In these scenarios, the Access Manager instances use the same Directory Server.

What else needs to be changed if you change the password encryption key?

Passwords and the password encryption key must be consistent throughout a deployment. If you change a password in one place or instance, you must also update the password in all other places and instances.
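The following consistency check is an added example, not part of the original guide or of Access Manager. It compares the am.encryption.pwd value across the AMConfig.properties text of several instances and applies the 12-character minimum, reporting a short fingerprint rather than the key itself. The instance labels, sample key values, and function names are assumptions made for the example.

```python
import hashlib
import hmac

KEY_ATTR = "am.encryption.pwd"
MIN_KEY_LEN = 12  # minimum length the guide gives for a key you specify

def read_encryption_key(properties_text):
    """Return the am.encryption.pwd value from AMConfig.properties text, or None."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        # Skip blanks, '#'/'!' comments and other attributes.
        if not line or line[0] in "#!" or not line.startswith(KEY_ATTR):
            continue
        rest = line[len(KEY_ATTR):].lstrip()
        if rest[:1] in ("=", ":"):  # handles only plain key=value / key:value lines
            return rest[1:].strip()
    return None

def fingerprint(key):
    """Short SHA-256 tag, so a report can identify a key without printing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]

def check_instances(configs):
    """Map of instance label -> AMConfig.properties text; returns (label, problem) list."""
    problems, reference = [], None
    for name, text in configs.items():
        key = read_encryption_key(text)
        if key is None:
            problems.append((name, "am.encryption.pwd not set"))
            continue
        if len(key) < MIN_KEY_LEN:
            problems.append((name, "key shorter than 12 characters"))
        if reference is None:
            reference = (name, key)  # first instance with a key is the baseline
        elif not hmac.compare_digest(key.encode("utf-8"), reference[1].encode("utf-8")):
            problems.append((name, "key differs from %s (fingerprint %s)"
                             % (reference[0], fingerprint(key))))
    return problems

# Constructed sample input: labels and key values are made up for this example.
SAMPLE = {
    "am1": "# constructed\nam.encryption.pwd=Xk29fLq0ZpT7vRw3\n",
    "am2": "am.encryption.pwd = Xk29fLq0ZpT7vRw3\n",
    "am3": "am.encryption.pwd=shortkey\n",
    "am4": "com.example.other=1\n",
}

if __name__ == "__main__":
    for instance, problem in check_instances(SAMPLE):
        print(instance, "-", problem)
```

An empty result means every instance carries the same key as the first one and none is shorter than 12 characters.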

The serverconfig.xml file contains the encrypted user passwords, which are identified by the <DirPassword> element. For example:

<DirPassword>
Adfhfghghfhdghdfhdfghrteutru
</DirPassword>

The puser and dsameuser passwords in serverconfig.xml are encrypted using the password encryption key defined in am.encryption.pwd in the AMConfig.properties file. If you change the password encryption key, you must also re-encrypt these passwords in the serverconfig.xml file using the ampassword utility.

For information about the ampassword utility, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.