Changing default passwords


The default administrative user is defined as SA when the product is installed.

Important

We recommend that you change the default password for the SA user as soon as possible. For more information, see Duplicating, editing, and deleting users and groups.

In addition to changing the password, the following sections provide guidelines for passwords and describe how to encode the new password:

To encode the new password, use the Cryptor method in mqsusertool.

In this example, the password BMCSOFTWARE is encoded and gives the following string:

    D;1wqmhAxF08ijqKs=

    mqsusertool --encode -t Cryptor BMCSOFTWARE
    mqsusertool 5.0.00 (build 63)
    (C) Copyright 1996-2010 BMC Software, Inc.
    Reading defaults from services.cfg
    Encoding 'BMCSOFTWARE' using algorithm Cryptor:
    D;1wqmhAxF08ijqKs=

Use the returned encoded password in step 3 of the following procedure. For assistance with using mqsusertool, contact BMC Support. For more information, see Managing security information with mqsusertool command line tool.


To change the Directory Service (LDAP) Administrator password

A Directory Service embedded in the MVMM Application Service is used to provide product security. The Directory Service has an Administrator password (the LDAP Administrator password) that is required only for system backup and recovery. The product does not use the password internally at runtime. The password is set to an initial secure value when the product is first installed. You must have, or recover, the current LDAP Administrator password before you can create a new password.


To recover the LDAP Administrator Password on a new installation

If you have a new installation, you can recover the initial LDAP Administrator password from the services.cfg file.

During product installation, the initial password is stored in services.cfg in java.naming.security.credentials as an OBF-encoded string. The password is a secure, randomly generated value.

    java.naming.security.credentials=OBF:1i8a1ke11i7o1p531ldo1iel1ifl1ldu1p4n1i8a1ked1i7o

This password can be decoded using the OBFPassword command:

    obfpassword OBF:1i8a1ke11i7o1p531ldo1iel1ifl1ldu1p4n1i8a1ked1i7o
    OLD_PASSWORD

You can use this password with the mqsusertool command to set the password to another value.

To recover the LDAP Administrator Password on an upgraded installation

The current password is a securely encoded string stored in services.cfg in java.naming.security.credentials. For example:

    java.naming.security.credentials=D;5iKGpSZ3

If you did not change the default password in an earlier installation, the value is as shown above. Contact BMC Support to get the decoded password value.

If you have changed the default password using mqsusertool, then the value is not recoverable from services.cfg but should have been recorded when the value was changed. Use the previously recorded value for the following step.

Once you have the current LDAP Administrator password, you can perform the following steps to assign a new password:

  1. Ensure the MVMM Application Service is running. MVMM services do not need to be stopped or restarted as part of this process.
  2. At a command prompt in the installDir, use the mqsusertool command to set a new password. For example:

    $ mqsusertool --account -ldap_admin_password NEW_PASSWORD -target LDAP -logon_password CURRENT_PASSWORD
    mqsusertool 9.0.00 (build 500)
    (C) Copyright 1996-2020 BMC Software, Inc.

    Administrative password has been changed in the target.
    Saving administrative password in services.cfg ...
    Administrative password has been saved.
    Successfully changed administrative password for target LDAP
    Processing account settings completed successfully.
  3. Once run, the new password is stored in services.cfg as a securely encoded string.

Important

It is important to record the new password value, as it cannot be recovered once it has been encoded by mqsusertool.
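
A check to run after the procedure above, as an added example that is not BMC code: it reads services.cfg and reports whether java.naming.security.credentials still holds the install-time OBF value or the unchanged default shown earlier. The function names, the key=value parsing, and the world-readable check are assumptions of this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not BMC code): audit the LDAP Administrator credential in services.cfg.
# Assumption: services.cfg holds key=value lines, as in the excerpts on this page.
KEY_RE='java\.naming\.security\.credentials'
UPGRADE_DEFAULT='D;5iKGpSZ3'   # value this page shows for an unchanged upgraded install

# Print the stored credential from file $1 (last occurrence wins, CR stripped).
get_credential() {
    sed -n "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Print one of: initial | default | changed | missing
classify_credential() {
    value=$(get_credential "$1")
    case "$value" in
        '')                 echo missing ;;
        OBF:*)              echo initial ;;  # install-time value, decodable with obfpassword
        "$UPGRADE_DEFAULT") echo default ;;  # default from an earlier install, never changed
        *)                  echo changed ;;  # anything else: already re-encoded by mqsusertool
    esac
}

# True when file $1 is readable by users other than its owner and group.
world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Report findings for file $1; return 0 only when the password was changed
# and the file is not world-readable.
audit_services_cfg() {
    state=$(classify_credential "$1")
    rc=0
    case "$state" in
        initial) echo "FAIL: initial OBF password still in place"; rc=1 ;;
        default) echo "FAIL: default password from earlier install unchanged"; rc=1 ;;
        missing) echo "FAIL: credential entry not found"; rc=1 ;;
        changed) echo "OK: password has been changed" ;;
    esac
    if world_readable "$1"; then echo "WARN: $1 is world-readable"; rc=1; fi
    return "$rc"
}

# Constructed sample files; on a real system pass the path to services.cfg instead.
SAMPLES=$(mktemp -d)
printf 'java.naming.security.credentials=OBF:1i8a1ke11i7o1p531ldo1iel1ifl1ldu1p4n1i8a1ked1i7o\n' > "$SAMPLES/new.cfg"
printf 'java.naming.security.credentials=D;5iKGpSZ3\r\n' > "$SAMPLES/upgraded.cfg"
printf 'java.naming.security.credentials=D;1wqmhAxF08ijqKs=\n' > "$SAMPLES/changed.cfg"
chmod 600 "$SAMPLES"/*.cfg
for f in "$SAMPLES"/*.cfg; do audit_services_cfg "$f" || true; done
```

The script never decodes the stored value; it only compares its form against the two recoverable cases this page describes.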

Changing the msproxy_password

The msproxy_password is used by the Media Service account to secure access to the media repository within the product. The password is set to a unique, random, and cryptographically secure value (a type 4 UUID) during the product installation. The password is used only internally within the product and it cannot be used for any external access to the product. Hence, users do not need to know the original password value.

Use the mqsusertool tool to change the password to a new unique, random, and cryptographically secure value, or to a defined value according to your security requirements.

To change the password to a random value

  1. Stop the Application Service before resetting the password value. 
  2. Use the sync option: 

    mqsusertool --account -sync -user msproxy -target FILE
  3. Restart the Application Service after changing the password. This activates the new password.

To change the password to a defined value

  1. Stop the Application Service before resetting the password value.
  2. Execute the following command: 

    mqsusertool --account -user msproxy -password NEW_PASSWORD -target FILE
  3. Restart the Application Service after changing the password. This activates the new password.

 
