Changing the XELSYSADM Password in OIM 11gR2


It is sometimes necessary to change the password of the Oracle Identity Management (OIM) System Administrator, known as XELSYSADM.  Because this user has many dependencies in OIM, the password should be changed using the WLS utility.  Previously (in version 10g), this was a small task, but with the introduction of OIM 11g, new approval workflows, and other special security features, it can now be somewhat involved and needs to be executed with care.

Some instructions suggest changing the XELSYSADM password from the OIM Identity Console, with a couple of CSF keys from the EM console – that’s it!  This may be true in some cases, but not in all.  If you have LDAP sync enabled or OIM integrated with OAM, following those steps is not enough.  In this case, the best way to change the system admin user password is through the oimadminpasswd_wls.sh utility.

The oimadminpasswd_wls.sh utility is available in the <ORACLE_HOME>/server/bin directory.  Running it is quite simple: provide the values of certain parameters in the oimadminpasswd_wls.properties file, then run the shell (.sh) file in your Linux environment.  Keep in mind, however, that this does not apply if OIM runs on Windows; there is no batch file for a Windows environment.

If we open the oimadminpasswd_wls.sh script and look at the command it runs, we see that it changes the password by simply running a Java class.  This class can be run directly, even if your OIM environment is on a Windows box.

The following are common steps to be executed, regardless of environment (e.g., Linux or Windows):

  1. Log in to the EM console with the WebLogic user credentials.
  2. Expand the WebLogic Domain, right click OIAM_domain, and navigate to Security > Credentials.
  3. On the Credentials page, expand ‘oim’ and select ‘sysadmin’, then click on the Edit icon to change the XELSYSADM credentials from the pop-up window.
  4. Repeat step 3, above, for the oim.sysadminmap (CSF key: sysadmin) and oracle.wsm.security (CSF key: OIMAdmin) CSF maps.

Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Linux environment:

  1. Open the Command prompt.
  2. Go to the <OIM_ORACLE_HOME>/server/bin directory.
  3. Open the oimadminpasswd_wls.properties file from the <OIM_ORACLE_HOME>/server/bin directory.
  4. Update the following content from the oimadminpasswd_wls.properties file. (Example values are provided for each attribute present in the file.  These are sample values only; you must change all values as appropriate for your environment.)
JAVA_HOME=/opt/ora/middleware/products/identity/jdk
COMMON_COMPONENTS_HOME=/opt/ora/middleware/products/identity/oracle_common
OIM_ORACLE_HOME=/opt/ora/middleware/products/identity/iam
ORACLE_SECURITY_JPS_CONFIG=/opt/ora/private/oracle/config/domains/IAMGovernanceDomain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME=/opt/ora/private/oracle/config/domains/IAMGovernanceDomain
DBURL=jdbc:oracle:thin:@<database server>:11140/<IAM URL>
DBSCHEMAUSER=EDGIGD_OIM
# Set to true only if LDAP sync and OIM-OAM integration are enabled
OIM_OAM_INTG_ENABLED=false
# Only update this attribute if you have LDAP sync enabled and have OIM-OAM integration
LDAPURL=
# Only update this attribute if you have LDAP sync enabled and have OIM-OAM integration
LDAPADMINUSER=
# Only update this attribute if you have LDAP sync enabled and have OIM-OAM integration
OIM_ADMIN_LDAP_DN=
  5. Execute the ./oimadminpasswd_wls.sh oimadminpasswd_wls.properties command on the command line. It will ask a couple of questions, as shown below.  Provide the correct input for each question.
Enter OIM DB Schema Password  :
Enter OIM Adminstrator xelsysadm new Password: 
Re-enter OIM Adminstrator xelsysadm new Password:
Dec 06, 2016 2:48:21 PM oracle.security.audit.Auditor init
WARNING: IAU:IAU-6012: Unable to determine the audit log directory. No log directory specified.
Dec 06, 2016 2:48:21 PM oracle.security.jps.util.JpsUtil disableAudit
INFO: JpsUtil: isAuditDisabled set to true
Dec 06, 2016 2:48:21 PM oracle.security.jps.internal.audit.AuditServiceImpl validateLogPossible
WARNING: No audit log directory is set. Cannot perform audit operations for component JPS.
Dec 06, 2016 2:48:21 PM com.thortech.util.logging.Logger info
INFO: Not able to fetch OIMPlatform instance for the given Platform.
Dec 06, 2016 2:48:21 PM com.thortech.util.logging.Logger info
INFO: Searching App Server Information in System Enviroment...
Dec 06, 2016 2:48:21 PM com.thortech.util.logging.Logger info
INFO: APPSERVER_TYPE = [null]

==================================================================
OIM Admin user xelsysadm password reset successfully in OIMDB
==================================================================
  6. A confirmation message should be received after successful execution of the utility.
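
A preflight check for the properties file edited in step 4, as an added example that is not part of the original post or of Oracle's tooling: it verifies that the three LDAP attributes are filled in exactly when OIM_OAM_INTG_ENABLED is true. The function names prop and check_oim_props are hypothetical, and treating every non-LDAP key as mandatory is an assumption based on the sample file.

```shell
#!/bin/sh
# Added example: preflight check for oimadminpasswd_wls.properties.
# Key names are taken from the sample file; prop and check_oim_props are
# hypothetical helper names, not part of the Oracle utility.
# Usage: check_oim_props oimadminpasswd_wls.properties && \
#        ./oimadminpasswd_wls.sh oimadminpasswd_wls.properties

# Print the value of key $2 in file $1: comment lines are ignored, the last
# assignment wins, and whitespace around the value is trimmed.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the file is consistent, 1 otherwise; problems go to stderr.
check_oim_props() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # Assumption: every non-LDAP key in the sample file must have a value.
    for key in JAVA_HOME COMMON_COMPONENTS_HOME OIM_ORACLE_HOME \
               ORACLE_SECURITY_JPS_CONFIG DOMAIN_HOME DBURL DBSCHEMAUSER; do
        [ -n "$(prop "$file" "$key")" ] || { echo "missing: $key" >&2; rc=1; }
    done

    # The LDAP keys must be set exactly when the integration flag is true.
    ldap_keys="LDAPURL LDAPADMINUSER OIM_ADMIN_LDAP_DN"
    case "$(prop "$file" OIM_OAM_INTG_ENABLED)" in
        true)
            for key in $ldap_keys; do
                [ -n "$(prop "$file" "$key")" ] ||
                    { echo "flag is true but $key is empty" >&2; rc=1; }
            done ;;
        false)
            for key in $ldap_keys; do
                [ -z "$(prop "$file" "$key")" ] ||
                    { echo "flag is false but $key is set" >&2; rc=1; }
            done ;;
        *)
            echo "OIM_OAM_INTG_ENABLED must be true or false" >&2; rc=1 ;;
    esac
    return "$rc"
}
```
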

Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Windows environment:

1.  Open the command prompt and run the following command, as appropriate:

a.  Run the command below if you have OIM-OAM integration enabled or LDAP sync enabled:

<JAVA_HOME>/bin/java -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm ldap://<LDAP_HOST>:<LDAP_PORT> <LDAP_ADMIN_USER> cn=xelsysadm,cn=Users,dc=example,dc=com

b.  If you do not have LDAP sync or OIM-OAM integration enabled, run the command below:

<JAVA_HOME>/bin/java -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm

where:

<JAVA_HOME> is e.g. C:\Java\jdk1.7.0_51
<DOMAIN_HOME> is e.g. C:\Oracle\Middleware\user_projects\domains\iam_domain
<OIM_SCHEMA_OWNER> is e.g. DEV_OIM
<LDAP_HOST> is the hostname of the server where OID or AD is deployed for LDAP sync
<DB_HOST> is the hostname of the database server
<DB_PORT> is e.g. 1521
<SID> is e.g. orcl
<LDAP_PORT> is e.g. 3060 for OID
<LDAP_ADMIN_USER> is e.g. cn=orcladmin

2. After running the command, enter the password for the DB Schema user and LDAP admin user.  Also, enter the new password for XELSYSADM you wish to set.

Enter the following after running the script to complete the password change for XELSYSADM:

  • OIM DB Schema Password
  • LDAP Administrator Password
  • OIM Administrator XELSYSADM new password
  • Re-enter OIM Administrator XELSYSADM new password

As always, if you have any questions about the processes or ideas presented here, please leave us a comment below.
