Changing default passwords



The MVMM Application Service enforces default security. The component of the MVMM Application Service that enforces security is ApacheDS. Because the default password for ApacheDS is publicly available, BMC recommends that you change it as soon as possible.

The SA is the default administrative user defined when the product is installed.

IMPORTANT

BMC recommends that you change the default password for the SA user as soon as possible. For more information, see Duplicating, editing or deleting user.

In addition to changing the password, the following sections provide guidelines for passwords and describe how to encode the new password:


To encode the new password, use the Cryptor method in mqsusertool

In this example, the password BMCSOFTWARE is encoded and gives the following string:

D;1wqmhAxF08ijqKs=

    mqsusertool --encode -t Cryptor BMCSOFTWARE
    mqsusertool 5.0.00 (build 63)
    (C) Copyright 1996-2010 BMC Software, Inc.
    Reading defaults from services.cfg
    Encoding 'BMCSOFTWARE' using algorithm Cryptor:
    D;1wqmhAxF08ijqKs=

Use the returned encoded password in step 3 of the following procedure. For assistance with using mqsusertool, contact BMC Support. For more information, see Managing security information with mqsusertool command line tool.

To change the ApacheDS default password

  1. Ensure the MVMM Application Service is running. MVMM services do not need to be stopped or restarted as part of this process.
  2. At a command prompt in the installDir, use the mqsusertool command to set a new password. See the following example command line.


    $ mqsusertool --account -ldap_admin_password NEW_PASSWORD -target LDAP -logon_password secret
    mqsusertool 9.0.00 (build 480)
    (C) Copyright 1996-2020 BMC Software, Inc.

    Administrative password has been changed in the target.
    Saving administrative password in services.cfg ...
    Administrative password has been saved.
    Successfully changed administrative password for target LDAP
    Processing account settings completed successfully.
  3. Keep a record of the new password in accordance with your security policies. It is required to unlock user accounts, and may be needed for support purposes. 

Changing the msproxy_password

The msproxy_password is used by the Media Service account to secure access to the media repository within the product. The password is set to a unique, random, and cryptographically secure value (a type 4 UUID) during the product installation. The password is used only internally within the product and it cannot be used for any external access to the product. Hence, users do not need to know the original password value.

Use the mqsusertool tool to change the password to a new unique, random, and cryptographically secure value, or to a defined value according to your security requirements.

To change the password to a random value

  1. Stop the Application Service before resetting the password value. 
  2. Use the sync option: 

    mqsusertool --account -sync -user msproxy -target FILE
  3. Restart the Application Service after changing the password. This activates the new password.

To change the password to a defined value

  1. Stop the Application Service before resetting the password value.
  2. Execute the following command: 

    mqsusertool --account -user msproxy -password NEW_PASSWORD -target FILE
  3. Restart the Application Service after changing the password. This activates the new password.

Disallowed characters in user and group names

User and group names allow only characters in the UTF-8 character set, with a few exceptions.

Disallowed characters in user and group names include: ! # % & ( ) * + , / : ; < = > ? @ [ ] ^ ` { | } ~ " ä ü ö e´ e`.

In addition, leading spaces and trailing spaces are disallowed, while internal spaces are allowed.
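
The naming rules above, written as a pre-check you can run on account names before creating them. This is an added example, not BMC code: the function name name_problems is hypothetical, the page's "e´ e`" is assumed to mean the letters é and è, and composing names to NFC before the comparison is a conservative choice made here, not documented product behaviour.

```python
import unicodedata

# Disallowed characters as listed on the page. Assumption: the page's
# "e´ e`" denotes the accented letters é (U+00E9) and è (U+00E8).
DISALLOWED = set('!#%&()*+,/:;<=>?@[]^`{|}~"') | set("\u00e4\u00fc\u00f6\u00e9\u00e8")


def name_problems(name: str) -> list[str]:
    """Return the reasons a user or group name breaks the rules ([] if none)."""
    try:
        name.encode("utf-8")  # lone surrogates cannot be encoded as UTF-8
    except UnicodeEncodeError:
        return ["not encodable as UTF-8"]

    problems = []
    if name != name.lstrip(" "):
        problems.append("leading space")
    if name != name.rstrip(" "):
        problems.append("trailing space")

    # Compose first, so that "a" + U+0308 (combining diaeresis) is compared
    # as the single character "ä" and cannot slip past the list.
    composed = unicodedata.normalize("NFC", name)
    bad = sorted({ch for ch in composed if ch in DISALLOWED})
    if bad:
        problems.append("disallowed characters: " + " ".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    samples = ["svc backup", " admin", "ops@corp", "ja\u0308ger", "grp\ud800", "mq-admin_01"]
    for sample in samples:
        print(repr(sample), "->", name_problems(sample) or "ok")
```

Only the lowercase accented letters that the page lists are rejected; uppercase forms such as Ä are not on the list and pass this check.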

 
