What are the steps to follow when the "admin" password is lost or forgotten? What are the steps when you are unable to access the IBM WebSphere DataPower SOA Appliances via SSH or the WebGui. Also what are the steps to reset RBM and ACL.
Resolving the problem
This document is kept current to provide you with the latest information. You can monitor for updates to this document using My Notifications. Important support information is also posted on Twitter.
Read and follow all safety precautions listed in the documents linked from:
Removing and Replacing Parts provided by IBM Level 2 for IBM WebSphere DataPower SOA Appliances. .
Table of contents:
- IMPORTANT: Create a privileged user id as a back up for the "admin" user id.
This will allow you to reset the "admin" user id's password in case that password is lost or forgotten, or in case the "admin" id is locked out.
In order to increase the security features of the appliance, the lockout duration feature was added. APAR IC65339 reports a problem where the "admin" id is locked out when an incorrect password is entered multiple times for this id. The "admin" is continues to be locked out after the lock out duration has expired. Another privileged user id can reset the "admin" id's password regardless if the APAR fix is applied or not. Please monitor our Critical Update flash for the resolution to this APAR.
See item 1 in Part 2 on how to define a privileged user id.
- Copy and Paste of passwords is not recommended as this might produce unpredictable passwords.
When you copy and paste the password into the password prompts you could pick up extra or special characters in the copy. Best Practice is to check your keyboard for case and numlock, and enter the password via the keyboard.
Review the following to see if you can reset the admin id's password, or if there is another problem.
- Check to see if you have defined another privileged account user which can log in, this user can change the password for the "admin" user.
To reset the administrator account password, your access level should be "privileged" or "group-defined" with the following access policy:
Change the password from the WebGui at Administration > Access > Manage User accounts.
From the CLI you can you these commands "adminTWO" is for example only, for security, use a unique name for your back up admin id:
xi50(config)# user adminTWO
New User configuration
xi50(config user adminTWO)# reset
xi50(config user adminTWO)# password
Enter new password: ********* (Note: use a temporary password as you will be required to change the password on the first log in)
Re-enter new password: *********
xi50(config user adminTWO)# access-level privileged
xi50(config user adminTWO)# summary '<note to identify the backup user>'
xi50(config user adminTWO)# exit
- Make sure you are using the IBM serial cable supplied with the appliance, and try to logon via the serial connection.
Connect to another appliance where you know the admin or other log-on, and make sure you can log-on with that connection.
Make certain that the terminal or terminal emulation software is configured for standard 9600 8N1 (9600 baud, 8-bits per character, no parity, 1 stop-bit, no flow control) operation.
For the 9235 confirm the IBM part number is: 46M0493. Other serial cables might accept the "admin" id, but not the password.
- Did you define your appliance to be in common criteria mode? If so, the admin id may only be blocked.
You can wait for the lockout duration to expire and try to log-on again with the serial connection.
Account lockout was added when the common-criteria mode was added. However, the lockout-duration and max-login-failures are part of the base RBM functionality. The default is 1 minute.
The lockout duration documentation states: The lockout duration applies to all accounts including the admin account. The only difference is that the admin account cannot be locked out until reset. When the duration is 0, the admin account is locked out for 120 minutes or until re-enabled by another administrator.
Reference the IBM WebSphere DataPower Administrator's guide under "Managing RBM Access" to learn more about this feature of the product. This and other documentation on the appliance is available from our library page.
Reference our technote on Determining whether to use Common Criteria Mode at initialization.
- Did you just do a "boot switch" or firmware rollback?
A firmware rollback or boot switch, restores both the firmware and the configuration. For example if you are at firmware 18.104.22.168, with an admin password of "password1" and you upgrade to 22.214.171.124 and change the admin password to "password2", then if you do a "rollback" you will need to use "password1" to access the appliance.
- If you are running firmware older than 126.96.36.199, 188.8.131.52, or 184.108.40.206 that do not contain the fix for APAR IC60930 it is possible that the user accounts may have been corrupted.
In this case the user and password will be reset to the default of user = admin, password = admin. If you are able to log-in with this you will need to recreate the desired user accounts.
- Can you log-in via SSH or CLI with the ADMIN id, but not with via the WebGui? From the serial connection, issue these commands to reset the RBM and ACL.
web-mgmt z.z.z.z 9090 (z.z.z.z = IP address to listen on for the WebGUI)
- If the admin password was lost during the initial configuration of the appliance.
Follow the safety instructions referenced at the beginning of the document to shutdown the appliance, power off the appliance, unplug electrical power connections. Wait 5 minutes. Safely reconnect the electrical power connections, and power on the appliance and try the password again.
As IBM WebSphere DataPower SOA Appliances are highly secure, tamper-resistant devices often deployed in secure environments or deployed to meet high security standards. One of the secure features is the fact that we do not offer a non-authenticated / authorized appliance reset or password reset capability. In order to reset the appliance password, the appliance actually has to be re-imaged just like during the initial manufacturing process. We have one facility, a secure location, where this is done. This is in the United States.
Note: The appliance hardware will be inspected, tested and the battery replaced and the configuration reset to factory settings so all configuration objects will be deleted.
Reference: Contacting IBM WebSphere DataPower SOA Appliance Support to contact IBM support for next steps.
|Business Integration||WebSphere DataPower Integration Appliance XI50||Firmware||3.8, 3.7.3, 3.7.2, 3.7.1||All Editions|
|Business Integration||WebSphere DataPower B2B Appliance XB60||Firmware||3.8, 3.7.3, 1.0||All Editions|
|Business Integration||WebSphere DataPower Low Latency Appliance XM70||Firmware||3.8, 3.7.3, 1.0||All Editions|
|Business Integration||WebSphere DataPower XML Accelerator XA35||Firmware||3.8, 3.7.3, 3.7.2, 3.7.1||All Editions|
|Business Integration||WebSphere DataPower XML Security Gateway XS40||Firmware||3.8, 3.7.3, 3.7.2, 3.7.1||All Editions|