As a business policy we need to change the password of the admin user in weblogic after a cycle of specific period.
Please let us know how we can do that without losing the other existing users in 'myrealm'.
I understand that we can use the weblogic.utils.security.AdminAccount utility to give the new password, which will create a new DefaultAuthenticatorInit.ldift file in the <domain-home>/security folder (according to Doc ID 1082299.1).
The password will change but the users in 'myrealm' will be lost. (There are many users and it is a production environment, so recreation is out of the question.)
Is there a way we can retain the users and still proceed with the password change?
This can be done by following the standard procedure: log in to the console and navigate to:
DOMAIN_STRUCTURE ---> Security Realms ---> myrealm ---> Users and Groups ---> Users tab, click on the user weblogic
--- Click on the Passwords tab, enter the new password there and save (the password is changed for the user here)
--- Log out from the console and log in to the console again using the new password
But when the server starts it does not read the password for the user directly from the realm; rather, it picks it up from $DOMAIN_HOME/servers/AdminServer/security/boot.properties
Now, in order to make this change available when the server starts, change the values for the username and password in boot.properties, specify them in plain text, and save the file.
The next time the server starts it will pick up the new values from boot.properties, and once they have been accepted they will be encrypted again.
You might have to make the change to boot.properties for all the Managed Servers if you have Managed Servers in the domain; those files are located at $DOMAIN_HOME/servers/<<Managed Server Name>>/data/nodemanager/boot.properties
You can test the steps in some lower environment first and try the same in the critical environment once the testing is successful.
Edited by: V Kumar on Oct 25, 2012 3:06 PM
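The steps above, written up as a small POSIX shell helper. This is an added example and is not code from the thread or from Oracle; the domain layout it assumes ($DOMAIN_HOME/servers/AdminServer/security/boot.properties for the admin server, $DOMAIN_HOME/servers/<name>/data/nodemanager/boot.properties for managed servers) is the one named in the answer, and the credentials used in the demo are constructed placeholders. It also copies each server's embedded LDAP directory aside before touching anything, so the users in myrealm can be restored from that copy if the change goes wrong.

```shell
#!/bin/sh
# Added example, not from the thread: stage a WebLogic admin password change
# the way the steps above describe. The server directory layout is an
# assumption about a typical domain; credentials in demo() are constructed.
set -eu

# Write username/password in plain text to a boot.properties file, keeping a
# backup of the existing one. WebLogic re-encrypts both values on next start,
# so the file is created mode 0600 to limit how long it is readable.
update_boot_properties() {
    file="$1"; user="$2"; pass="$3"
    mkdir -p "$(dirname "$file")"
    if [ -f "$file" ]; then
        cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S).$$"
    fi
    ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" )
}

# Copy one server's embedded LDAP directory (where myrealm users live) to
# $dest before the change. Returns 1 if the server has no ldap directory.
backup_ldap() {
    server_dir="$1"; dest="$2"
    if [ -d "$server_dir/data/ldap" ]; then
        mkdir -p "$dest"
        cp -R "$server_dir/data/ldap" "$dest/"
        return 0
    fi
    return 1
}

# Read one key back out of a boot.properties file, for verification.
boot_prop() {
    sed -n "s/^$2=//p" "$1"
}

# Apply the change across the admin server and every managed server that has
# a nodemanager boot.properties, backing up each server's ldap data first.
rotate_domain() {
    domain_home="$1"; user="$2"; pass="$3"; backup_root="$4"
    for server_dir in "$domain_home"/servers/*; do
        [ -d "$server_dir" ] || continue
        name=$(basename "$server_dir")
        backup_ldap "$server_dir" "$backup_root/$name" || true
        if [ "$name" = "AdminServer" ]; then
            update_boot_properties "$server_dir/security/boot.properties" "$user" "$pass"
        elif [ -f "$server_dir/data/nodemanager/boot.properties" ]; then
            update_boot_properties "$server_dir/data/nodemanager/boot.properties" "$user" "$pass"
        fi
    done
}

# Demonstration against a constructed domain in a temporary directory.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/servers/AdminServer/security" "$d/servers/AdminServer/data/ldap"
    mkdir -p "$d/servers/MS1/data/nodemanager"
    printf 'username=weblogic\npassword=old\n' > "$d/servers/AdminServer/security/boot.properties"
    printf 'username=weblogic\npassword=old\n' > "$d/servers/MS1/data/nodemanager/boot.properties"
    rotate_domain "$d" weblogic 'ConstructedNewPass1' "$d/backup"
    echo "admin password now: $(boot_prop "$d/servers/AdminServer/security/boot.properties" password)"
    echo "backups under: $d/backup"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see it work on a throwaway directory; in a real domain, call rotate_domain after the console-side password change and before restarting the servers, and remove the plain-text backups once the new boot.properties files have been accepted and re-encrypted.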
Thanks Vijay for the steps.
But after trying this in test environments, we lost the other users in 'myrealm' which were present earlier.
So is it true that recreation of users is the only option?
What if the users are large in number?
Is there a way to retain the other users as well?
I did not understand how a change of password can cause the deletion of the other users in the realm.
The process of changing the password from the console cannot cause the deletion of other users in the realm.
Did you delete any files during this process?
Could you elaborate on what steps you followed?
I had tried the same steps that you mentioned.
And I am not knowingly deleting any of the files.
Does resetting the password modify the .dat files in the ldap folder, or recreate them?
Not sure about that mechanism. :-(
But believe me it's a true story! All users are getting vanished.
Once you create a new DefaultAuthenticatorInit.ldift file, all the existing information will be lost.
There is no other way we can get the previous users back.
If you have the previous ldap/data directory then we may have a chance.
Otherwise, we do not have any option but to recreate the users.
We have an option to import/export users from security realms, but that has to be done before recreating DefaultAuthenticatorInit.ldift.
Hope this answers your question.
Resetting the password from the console does not regenerate DefaultAuthenticatorInit.ldift, so that should not cause the deletion of any of the existing users; rather, it only updates the user's password in the ldift file.