PAD Block Corrupted

The steps below apply when corruption of the PAD (Password Authentication Data) block prevents successful authentication in OpenIAM. Symptoms of the issue include the following.

  • Users cannot log in despite entering correct credentials.
  • "Invalid credentials" error appears even with valid username/password.
  • Master key is null or corrupted.

Note: The following steps are written for RPM-based deployments. The same sequence applies to containerized and other deployment types, so use the equivalent service management commands for your environment.

To resolve the issue, follow the steps below.

WARNING: This procedure will reset and/or recreate secrets in Vault. All user passwords you explicitly reset, managed system connector passwords, message broker/cache credentials, and mail server credentials stored in Vault may need to be re-entered during bootstrap. Plan a maintenance window and back up Vault/ETCD data if possible.

1. Obtain component passwords. Capture the current passwords, which are auto-generated during installation, by fetching the Vault properties with the following commands.
cd /usr/local/openiam/utils/vault/
./vault.fetch.property.sh vault.secret.jdbc.username
./vault.fetch.property.sh vault.secret.jdbc.password
./vault.fetch.property.sh vault.secret.activiti.jdbc.username
./vault.fetch.property.sh vault.secret.activiti.jdbc.password
./vault.fetch.property.sh ELASTICSEARCH_USERNAME
./vault.fetch.property.sh ELASTICSEARCH_PASSWORD
./vault.fetch.property.sh vault.secret.spring.redis.sentinel.password
./vault.fetch.property.sh vault.secret.rabbitmq.password
2. Stop OpenIAM services before operating on Vault/ETCD:
openiam-cli stop
3. Stop the Vault server with the following command.
pkill -9 vault
4. Clean ETCD storage. First, stop ETCD with the following command.
systemctl stop etcd

Then remove the ETCD data and start ETCD again.

rm -rf /var/lib/etcd/default.etcd/member/
systemctl start etcd
5. Start Vault by running start.sh from utils/vault.
/usr/local/openiam/utils/vault/start.sh
6. Run the bootstrap script to re-populate the new connection secrets as follows.
/usr/local/openiam/utils/vault/bootstrap.sh

For Redis, RabbitMQ, and Elasticsearch, use the passwords you fetched in Step 1.

7. Connect to your database and reset login passwords to passwd00 with the following SQL statements.
UPDATE LOGIN SET PASSWORD='passwd00';
DELETE FROM USER_KEY;
UPDATE MANAGED_SYS SET PSWD = NULL;
DELETE FROM PWD_HISTORY;
DELETE FROM USER_IDENTITY_ANS;
UPDATE SYNCH_CONFIG SET SRC_PASSWORD = NULL;
DELETE FROM OAUTH_TOKEN;
DELETE FROM AUTH_STATE_AUTH_PARAM_XREF;
DELETE FROM USER_AUTH_PARAM;

If you run into issues, or for additional information on password reset procedures, refer to the Resetting passwords document.

8. Start OpenIAM services again with the following command.
openiam-cli start
9. Verify that the issue is resolved by logging in with the sysadmin account using the password passwd00.
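Before Step 2 starts destroying state, a practitioner will want the Step 1 values safely on disk and the ETCD member directory archived, as the warning above advises. The script below is an added example, not part of OpenIAM's own tooling; the FETCH override (so the functions can be exercised without a live Vault) and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added preflight helper for Steps 1 and 4 (not part of OpenIAM's tooling).
# Assumptions: the fetch script path below, and that FETCH may be
# overridden in the environment so the functions can be exercised
# without a live Vault.
set -eu

FETCH="${FETCH:-/usr/local/openiam/utils/vault/vault.fetch.property.sh}"
PROPS="vault.secret.jdbc.username vault.secret.jdbc.password
vault.secret.activiti.jdbc.username vault.secret.activiti.jdbc.password
ELASTICSEARCH_USERNAME ELASTICSEARCH_PASSWORD
vault.secret.spring.redis.sentinel.password vault.secret.rabbitmq.password"

# capture_props OUTFILE
# Fetches every property in PROPS and writes KEY=VALUE lines to OUTFILE,
# created with mode 0600 because it holds live credentials. Returns 0 only
# when every value is non-empty: an empty secret here means bootstrap
# cannot be completed from the capture, so stop before touching ETCD.
capture_props() {
    out="$1"
    missing=0
    umask 077
    : > "$out"
    for p in $PROPS; do
        v="$("$FETCH" "$p" 2>/dev/null || true)"
        if [ -z "$v" ]; then
            echo "WARN: $p came back empty" >&2
            missing=1
        fi
        printf '%s=%s\n' "$p" "$v" >> "$out"
    done
    return "$missing"
}

# backup_etcd MEMBER_DIR ARCHIVE
# Archives the ETCD member directory (mode 0600) before Step 4 removes it,
# so the reset can be rolled back if bootstrap fails midway.
backup_etcd() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "ERROR: $src not found" >&2; return 1; }
    umask 077
    tar -cf "$dest" -C "$(dirname "$src")" "$(basename "$src")"
}

# Usage (run as root before Step 2; paths are assumptions):
#   capture_props /root/openiam-vault-props.env || exit 1
#   backup_etcd /var/lib/etcd/default.etcd/member /root/etcd-member-backup.tar
```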