Account unlocking using CURL

  1. Install CURL on your local computer using this link (https://curl.haxx.se/)
  2. This step is applicable when operating in a clustered environment; otherwise, skip this step.

    You must ascertain which node the user is blocked on; follow the steps listed below:

    1. Obtain the amlbcookie from the blocked user (amlbcookie determines which OpenAM node is being used by the user). To do this, inspect the request headers sent by the client browser. Note that amlbcookie is sent in the Cookie header.
    2. As an OpenAM administrator, follow the instructions in the list below to determine which node is using amlbcookie:
      • Log in to OpenAM as an OpenAM administrator (username: amadmin and the password entered in deploy.properties/security.admin.password during installation of the security bundle). From the menu bar, select deployment/servers; here you will find a server listing.
      • You now need to establish which server the user has been locked out on. To do this, check the amlbcookie of each server (after clicking on the server, choose Advanced and check the value of the property com.iplanet.am.lbcookie.value). The server you are looking for is the one whose com.iplanet.am.lbcookie.value is the same as the amlbcookie.
      • By following the instructions in the points above, you can determine the OpenAM server address and port to be used in step 4 below.

      NOTE: The process listed in this step may be time-consuming, and in certain scenarios, it may be advisable to wait for the lockout time period determined in the deploy.properties file instead of carrying out this step.

  3. Obtain session token for OpenAM administrator, as follows:
    curl -X POST \
      -H "X-OpenAM-Username: amadmin" \
      -H "X-OpenAM-Password: <OPENAM ADMIN PASSWORD>" \
      -H "Content-Type: application/json" \
      <ADDRESS>:<OPENAM PORT>/OpenAM/json/authenticate
  4. Use the session token obtained from the previous step to clear login attempts data, as follows:
    curl -X PUT \
      -H "iPlanetDirectoryPro: <SESSION TOKEN>" \
      -H "Content-type: application/json" \
      -d "{ \"sunAMAuthInvalidAttemptsData\":[] }" \
      <ADDRESS>:<OPENAM PORT>/OpenAM/json/EngageOne/users/<LOCKED ACCOUNT NAME>

Important: <OPENAM ADMIN PASSWORD> is the password specified in deploy.properties/security.admin.password.
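
Steps 3 and 4 chained into one script, as an added example that is not part of the original instructions: it prompts for the amadmin password and passes it and the session token to curl on stdin, so neither appears in the process list or shell history. The function names are hypothetical, and the script assumes curl 7.55.0 or later (for `-H @-`) and that the authenticate response is a JSON object containing a `tokenId` field.

```sh
#!/bin/sh
# Added example, not vendor code. Assumptions: curl 7.55.0+ (for "-H @-"),
# and a /json/authenticate response that is a JSON object with a "tokenId" field.

# Pull the tokenId value out of the /json/authenticate response body.
extract_token() {
    printf '%s\n' "$1" |
        sed -n 's/.*"tokenId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Accept only account names that cannot alter the URL path or query string.
valid_account() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# unlock_account <base-url> <account>, e.g. http://<ADDRESS>:<OPENAM PORT>/OpenAM
unlock_account() {
    base=$1 account=$2
    valid_account "$account" || { echo "invalid account name" >&2; return 2; }

    # Prompt without echo; the password never appears in argv or shell history.
    printf 'amadmin password: ' >&2
    trap 'stty echo' INT TERM
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    trap - INT TERM

    # Step 3: headers are fed on stdin by the shell's builtin printf.
    resp=$(printf '%s\n' "X-OpenAM-Username: amadmin" \
            "X-OpenAM-Password: $pw" "Content-Type: application/json" |
        curl -fsS -X POST -H @- "$base/json/authenticate") || return 1
    pw=
    token=$(extract_token "$resp")
    [ -n "$token" ] || { echo "no tokenId in response" >&2; return 1; }

    # Step 4: clear the invalid-attempts data for the locked account.
    printf '%s\n' "iPlanetDirectoryPro: $token" "Content-type: application/json" |
        curl -fsS -X PUT -H @- -d '{ "sunAMAuthInvalidAttemptsData":[] }' \
            "$base/json/EngageOne/users/$account"
}

# Runs only when both arguments are given; bare execution is inert.
if [ "$#" -eq 2 ]; then
    unlock_account "$1" "$2"
fi
```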