I've had that question from many customers already. Procedure below is from the CA knowledge base (search for "root" under Articles and its the first hit).
Resetting the password
If the password is unknown then it will need to be reset in an emergency maintenance mode that bypasses the standard boot process. This process is documented as follows:
- Connect to the API Gateway via a serial cable or direct console access
- Restart the API Gateway appliance
- Access the GRUB menu by pressing spacebar when the following prompt is visible:
Press any key to enter the menu. Booting Layer 7 SSG
- Press P to provide a GRUB password. The default is 7layer.
- Press E to edit the boot parameters and select the kernel line
- Press E to edit the kernel parameters.
- Append the following (including a preceding space): init=/bin/bash
- Append the following to the end of the line: console=ttyS0
NOTE: This step is only required for hardware appliances. It can be skipped for virtual appliances running on VMware.
- Press Enter to save the changes
- Press B to boot the system with the specified parameters
- Mount the root file system with the following command: mount -o remount,rw /
- Change the root password: passwd
- Re-mount the root file system with the following command: mount -o remount,ro /
- Save the changes and restart the appliance: sync; reboot -f
The password for the root account will now be set to the value specified in step #12. Subsequent authentication attempts will require this new password after the system is restarted.
And also a slightly different description from another document:
Recovering Password for the root Account (*Note: As of version 4.6.6 of the SecureSpan appliance, this procedure is only necessary for recovering the password as the appliance will unlock the root account after 20 minutes)
5
a) Connect to the SecureSpan appliance console either through the serial cable or direct console access.
b) Restart the SecureSpan appliance
c) During the boot-up sequence (reboot appliance if needed with console so you can catch entry point of GRUB menu) Wait during initial stages of boot for following text, press the space bar or other key to stop the boot: ---------------------------------------------------------------------- Press any key to enter the menu Booting Layer7 SSG-up (kernel version number) in 3 seconds... ----------------------------------------------------------------------
d) Once you are in the GNU GRUB menu, type "e" to edit.
e) Use the down-arrow key to move highlighted bar down to the line that starts with kernel.
f) Type another "e" to edit this kernel line.
g) For serial console and SSH connections to the ILOM (Integrated Lights Out Manager): Modify the console option by adding a S character so that the entry will read "console=ttyS0".
h) At the end of the line, add a space and the following: init=/bin/bash Press the [Enter key] which will return you to the GNU GRUB menu.
i) Type "b" to boot the modified kernel line. System will now boot into single-user mode with no password required.
j) From the BASH prompt, list the volume for the mount point of the / volume by typing the command: "df"
Example ouput: Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda2 8064300 2140000 5511700 28% /
k) Issue the following command substituting your own Filesystem for / by typing the command: mount -o remount,rw /dev/sda2
This command should yield a single line similar to: "EXT3 FS on sda2, internal journal" No errors should be present. (Note: If an error occurs use the command "mount -o remount,rw / ")
l) Change the root password to whatever you would like by typing the command: "passwd root"
m) You should also reset the pam_tally counters for both the root and the ssgconfig user by typing the commands (version 4.6 and higher):
6
/sbin/pam_tally2 --reset --user root /sbin/pam_tally2 --reset --user ssgconfig
n) And reset password aging, or change the number of days to your requirements: "chage -M 60 ssgconfig" - expiry 60 days "chage -M 60 root" - expiry 60 days
If you wish to have the appliance expire the passwords immediately and have you reset the password for root and ssgconfig on the next reboot issue these following commands: (optional)
"chage -d 0 root" - reset PS at next login (if desired) "chage -d 0 ssgconfig" - reset PW at next login (if desired)
o) Sync changes to the disc and reboot by typing the commands: sync; reboot -f
At this point, the system will allow you to log into the Gateway using the credentials defined. Once you have logged into the system as the root user, you can reset or modify the password to the ssgconfig user.
Hope that helps.
Michiel