If a user account was used for the Global System Admin (GSA) account during the install, you'll run into a problem when the password for that account is changed or the account uses the "Forgot your password?" function: any time anyone tries to log into the Management UI, they get the message "Oops: there was an error on the backend. Please try again." This is not caused by using the wrong credentials to authenticate; in that case you would expect to get the message "Invalid credentials." or a notice that the credentials were not valid.
To fix this, change the GSA account to a non-user account as described below (and taunt whoever did the original install - they do deserve a little grief. We all have done things without thinking it through, but you do need to administer SOME degree of negative reinforcement!).
Run the following on the management server.
1) Create a new GSA user.
curl -u {current_gsa}:{current_gsa_password} -X POST http://<mgrhost>:8080/v1/users -H "Content-Type: application/xml" -d '<User><FirstName>admin</FirstName><LastName>user</LastName><Password>testing123</Password><EmailId>adminuser@domain.com</EmailId></User>'
2) Assign the sysadmin role to the new user.
curl -u {current_gsa}:{current_gsa_password} -X POST http://<mgrhost>:8080/v1/users/adminuser@domain.com/userroles -H "Content-Type: application/xml" -d '<Roles><Role name="sysadmin"/></Roles>'
3) Add the new GSA as orgadmin wherever the current GSA was orgadmin. This can be done a few different ways. If there are only a few orgs, using the UI may be better, but if there are many orgs, using the following curls and some scripts may work better.
a) Get the list of orgs.
curl -u {current_gsa}:{current_gsa_password} -X GET http://<mgrhost>:8080/v1/organizations
b) For each org in list from above, check if the current GSA user is listed as an orgadmin.
curl -s -i -u {current_gsa}:{current_gsa_password} -X GET http://<mgrhost>:8080/v1/organizations/{org}/userroles/orgadmin/users/{current_gsa} -D- -o /dev/null | egrep -i "http"
This curl will produce HTTP/1.1 200 OK if the current GSA user is found in the orgadmin role for the given org; otherwise, it will produce HTTP/1.1 404 Not Found.
c) For each org where the current GSA is an orgadmin, add the new GSA as an orgadmin.
curl -u {current_gsa}:{current_gsa_password} -X POST http://<mgrhost>:8080/v1/users/adminuser@domain.com/userroles -H "Content-Type: application/xml" -d '<Roles><Role name="orgadmin"><Organization>{org}</Organization></Role></Roles>'
4) In each of the following files, update the current GSA user and password to the new GSA user and password (assumes the Apigee install root is /opt). Adjust paths as needed for your install.
/opt/apigee4/conf/ui/apigee.conf
/opt/apigee4/conf/apigee/management-server/security.properties
/opt/apigee4/bin/apigee-env.sh
It's suggested to back up each file before making any changes (but we know that seldom happens).
5) If the old GSA account was NOT a user account, decommission the current GSA. (These steps can be done at a later time, after the new GSA is up and confirmed working properly.)
a) Delete the current GSA from user roles.
Run this for each org found in step 3b:
curl -u {new_gsa}:{new_gsa_password} -X DELETE "http://<mgrhost>:8080/v1/users/{old_gsa}/userroles/orgadmin?org={org}"
Run this once
curl -u {new_gsa}:{new_gsa_password} -X DELETE http://<mgrhost>:8080/v1/users/{old_gsa}/userroles/sysadmin
b) Delete old GSA
curl -u {new_gsa}:{new_gsa_password} -X DELETE http://<mgrhost>:8080/v1/users/{old_gsa}