Tuesday, July 10, 2012

Recover a missing obfuscated file from TAM

The content is taken from the following blog post; I am copying it here for my future reference.
http://identityandaccessmgmt.blogspot.in/2010/05/how-to-recover-missingdeleted-tam.html

Prior to TAM 5.1 the bind password was defined in the WebSEAL configuration file in clear text (see bind-pwd). In later TAM versions, for security reasons, IBM introduced the *.obf file, in which the bind password is obfuscated. Here we describe the process of creating a new obf file in the event that the original file has been modified or deleted.
Note that the following solution depends on the existence of a valid obf file and WebSEAL bind account elsewhere within your TAM environment.
The obf file contains the password for the account used by WebSEAL when binding to the user repository (LDAP). The obf file is created during the configuration process and should not be modified or deleted. There is no supported way to recreate the obf file, but you can borrow one from a working WebSEAL instance and synchronise the password (userPassword) using native LDAP commands.
Consider an environment that consists of two WebSEAL instances: good-webseal and bad-webseal. In our example we assume that the obf file has been removed for the bad-webseal instance. When you attempt to restart that WebSEAL it will fail, because it can no longer bind to the LDAP server. The solution for this scenario is as follows:
1. Retrieve the userPassword for the good WebSEAL instance - for example:
ldapsearch -h ldap.server -p 389 -D cn=root -w password -b "cn=good-webseald/tivoli.com,cn=SecurityDaemons,secAuthority=Default" -s base -L "objectclass=*" userPassword
The search returns the entry and its stored password hash:
dn: cn=good-webseald/tivoli.com,cn=SecurityDaemons,secAuthority=Default
userPassword: GOOD_PASSWORD_HASH
2. Set the bad WebSEAL bind password to the good WebSEAL password - for example (ldapmodify reads the LDIF below from standard input):
ldapmodify -h ldap.server -p 389 -D cn=root -w password
dn: cn=bad-webseald/tivoli.com,cn=SecurityDaemons,secAuthority=Default
changetype: modify
replace: userPassword
userPassword: GOOD_PASSWORD_HASH
3. Create a bad WebSEAL obf file from the good WebSEAL obf file:
cp webseald-good.conf.obf webseald-bad.conf.obf
4. Start the bad WebSEAL:
pdweb restart bad
5. The .obf file is now recovered, and the WebSEAL server is running again.
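Steps 1 and 2 above joined into one pipeline, as an added example that is not part of the original post: a small Python helper that turns the ldapsearch output of step 1 into the ldapmodify input of step 2, handling the base64 form (userPassword::) that LDIF uses for non-printable values and that many ldapsearch clients emit for password hashes, as well as folded continuation lines. The script name recover_obf.py and the refusal to emit anything when no userPassword is returned are my additions; the host, DNs and credentials are the post's placeholders.

```python
"""Added example (not from the original post): build the ldapmodify input of
step 2 from the ldapsearch output of step 1. Pipe usage, with the post's
placeholder host, DNs and credentials (script name recover_obf.py is assumed):

  ldapsearch -h ldap.server -p 389 -D cn=root -w password \\
    -b "cn=good-webseald/tivoli.com,cn=SecurityDaemons,secAuthority=Default" \\
    -s base -L "objectclass=*" userPassword \\
  | python3 recover_obf.py "cn=bad-webseald/tivoli.com,cn=SecurityDaemons,secAuthority=Default" \\
  | ldapmodify -h ldap.server -p 389 -D cn=root -w password
"""
import base64
import sys


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous
    line) and drop comment and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def ldif_attribute(text, name):
    """Return the first value of attribute `name` as bytes. "attr: value" is
    a printable value, "attr:: value" is base64 (the usual form for a stored
    password hash); both are decoded to the exact stored bytes."""
    for line in unfold_ldif(text):
        key, _, value = line.partition(":")
        if key.lower() != name.lower():
            continue
        if value.startswith(":"):
            return base64.b64decode(value[1:].strip())
        return value.strip().encode("utf-8")
    raise ValueError(f"no {name} in search output; the bind DN may not be "
                     "allowed to read it, so nothing should be modified")


def modify_ldif(search_output, target_dn):
    """LDIF that replaces target_dn's userPassword with the hash found above.
    The value is always written base64 ("::") so the bytes survive unchanged."""
    encoded = base64.b64encode(ldif_attribute(search_output, "userPassword"))
    return (f"dn: {target_dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword:: {encoded.decode('ascii')}\n")


if __name__ == "__main__":
    sys.stdout.write(modify_ldif(sys.stdin.read(), sys.argv[1]))
```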