PAD Block сorrupted

The steps below apply when the PAD (Password Authentication Data) block corruption prevents successful authentication in OpenIAM. The symptoms for the issue might be the following.

Users cannot log in despite entering correct credentials.
"Invalid credentials" error appears even with valid username/password.
Master key is null or corrupted.

Note: The following steps are written for RPM-based deployments. The same sequence applies to containerized and other deployment types. Hence, make sure to use equivalent service management commands for your environment.

WARNING This procedure will reset and/or recreate secrets in Vault. All user passwords you explicitly reset, managed system connector passwords, message broker/cache credentials, and mail server credentials stored in Vault may need to be re-entered during bootstrap. Plan a maintenance window and back up Vault/ETCD data if possible.

To resolve the issue, follow the steps below.

RPM deployments

Obtain component passwords. Capture the current passwords as they're auto-generated during installation. You can fetch vault properties using the following commands.

cd /usr/local/openiam/utils/vault/

./vault.fetch.property.sh vault.secret.jdbc.username
./vault.fetch.property.sh vault.secret.jdbc.password
./vault.fetch.property.sh vault.secret.activiti.jdbc.username
./vault.fetch.property.sh vault.secret.activiti.jdbc.password
./vault.fetch.property.sh ELASTICSEARCH_USERNAME
./vault.fetch.property.sh ELASTICSEARCH_PASSWORD
./vault.fetch.property.sh vault.secret.spring.redis.sentinel.password
./vault.fetch.property.sh vault.secret.rabbitmq.password

Stop OpenIAM services, before operating on Vault/ETCD:

openiam-cli stop

Stop Vault Server with the following command.

pkill -9 vault

Clean ETCD storage. First, stop ETCD.with the following command

systemctl stop etcd

Then, remove ETCD data and start it back

rm -rf /var/lib/etcd/default.etcd/member/
systemctl start etcd

Start vault by running start.sh from utils/vault.

/usr/local/openiam/utils/vault/start.sh

Run the bootstrap script and re-populate new secrets for connection as follows.

/usr/local/openiam/utils/vault/bootstrap.sh

For Redis, RabbitMQ, and Elasticsearch use the passwords you fetched in Step 1.

Connect to your database and resetting login passwords to passwd00 with the following commands.

UPDATE LOGIN SET PASSWORD='passwd00';
DELETE FROM USER_KEY;
UPDATE MANAGED_SYS SET PSWD = NULL;
DELETE FROM PWD_HISTORY;
DELETE FROM USER_IDENTITY_ANS;
UPDATE SYNCH_CONFIG SET SRC_PASSWORD = NULL;
DELETE FROM OAUTH_TOKEN;
DELETE FROM AUTH_STATE_AUTH_PARAM_XREF;
DELETE FROM USER_AUTH_PARAM;

In the event of issues or for additional information on password reset procedures, refer to Resetting passwords document.

Start OpenIAM services back with the following command.

openiam-cli start

Verify if the issue is resolved by logging in with the sysadmin account using password passwd00.

Docker deployments

To resolve pad blocker issue in Docker:

Stop OpenIAM, before operating on Vault/ETCD:

sudo ./shutdown.sh

Remove the Vault and ETCD volumes.
Start OpenIAM again.

sudo ./startup.sh

Connect to your database and resetting login passwords to passwd00 with the following commands.

UPDATE LOGIN SET PASSWORD='passwd00';
DELETE FROM USER_KEY;
UPDATE MANAGED_SYS SET PSWD = NULL;
DELETE FROM PWD_HISTORY;
DELETE FROM USER_IDENTITY_ANS;
UPDATE SYNCH_CONFIG SET SRC_PASSWORD = NULL;
DELETE FROM OAUTH_TOKEN;
DELETE FROM AUTH_STATE_AUTH_PARAM_XREF;
DELETE FROM USER_AUTH_PARAM;

In the event of issues or for additional information on password reset procedures, refer to Resetting passwords document.

Verify if the issue is resolved by logging in with the sysadmin account using password passwd00.

Overriding UI application properties

Removing menu items from top navigation bar