"admin" password lost or forgotten, or you are unable to access SSH / WebGui on an IBM WebSphere DataPower SOA Appliance

Technote (troubleshooting)


Problem(Abstract)

What are the steps to follow when the "admin" password is lost or forgotten? What are the steps when you are unable to access the IBM WebSphere DataPower SOA Appliances via SSH or the WebGui? Also, what are the steps to reset RBM and ACL?

Resolving the problem

This document is kept current to provide you with the latest information. You can monitor for updates to this document using My Notifications. Important support information is also posted on Twitter.
Read and follow all safety precautions listed in the documents linked from:
Removing and Replacing Parts provided by IBM Level 2 for IBM WebSphere DataPower SOA Appliances.

Table of contents:

Part 1. Critical Information

Part 2. Recovering the "admin" id's password

Part 1. Critical Information


  • IMPORTANT: Create a privileged user id as a back up for the "admin" user id.
    This will allow you to reset the "admin" user id's password in case that password is lost or forgotten, or in case the "admin" id is locked out.

    In order to increase the security features of the appliance, the lockout duration feature was added. APAR IC65339 reports a problem where the "admin" id is locked out when an incorrect password is entered multiple times for this id. The "admin" id continues to be locked out after the lockout duration has expired. Another privileged user id can reset the "admin" id's password regardless of whether the APAR fix is applied. Please monitor our Critical Update flash for the resolution to this APAR.

    See item 1 in Part 2 on how to define a privileged user id.
  • Copy and Paste of passwords is not recommended as this might produce unpredictable passwords.
    When you copy and paste the password into the password prompts you could pick up extra or special characters in the copy. Best Practice is to check your keyboard for case and numlock, and enter the password via the keyboard.

Part 2. Recovering the "admin" id's password



Review the following to see if you can reset the admin id's password, or if there is another problem.

  1. Check to see if you have defined another privileged account user which can log in. This user can change the password for the "admin" user.

    To reset the administrator account password, your access level should be "privileged" or "group-defined" with the following access policy:

    */*/*?Access=rwadx

    Change the password from the WebGui at Administration > Access > Manage User accounts.

    From the CLI you can use these commands ("adminTWO" is an example only; for security, use a unique name for your backup admin id):
    xi50# config
    xi50(config)# user adminTWO
    New User configuration
    xi50(config user adminTWO)# reset
    xi50(config user adminTWO)# password
    Enter new password: ********* (Note: use a temporary password as you will be required to change the password on the first log in)
    Re-enter new password: *********
    xi50(config user adminTWO)# access-level privileged
    xi50(config user adminTWO)# summary '<note to identify the backup user>'
    xi50(config user adminTWO)# exit
    xi50(config)# write mem

  2. Make sure you are using the IBM serial cable supplied with the appliance, and try to logon via the serial connection.

    Connect to another appliance where you know the admin or other log-on, and make sure you can log-on with that connection.

    Make certain that the terminal or terminal emulation software is configured for standard 9600 8N1 (9600 baud, 8-bits per character, no parity, 1 stop-bit, no flow control) operation.

    For the 9235 confirm the IBM part number is: 46M0493. Other serial cables might accept the "admin" id, but not the password.

  3. Did you define your appliance to be in common criteria mode? If so, the admin id may only be blocked.

    You can wait for the lockout duration to expire and try to log-on again with the serial connection.

    Account lockout was added when the common-criteria mode was added. However, the lockout-duration and max-login-failures are part of the base RBM functionality. The default is 1 minute.

    The lockout duration documentation states: The lockout duration applies to all accounts including the admin account. The only difference is that the admin account cannot be locked out until reset. When the duration is 0, the admin account is locked out for 120 minutes or until re-enabled by another administrator.

    Reference the IBM WebSphere DataPower Administrator's guide under "Managing RBM Access" to learn more about this feature of the product. This and other documentation on the appliance is available from our library page.

    Reference our technote on Determining whether to use Common Criteria Mode at initialization.

  4. Did you just do a "boot switch" or firmware rollback?

    A firmware rollback or boot switch restores both the firmware and the configuration. For example, if you are at firmware 3.8.1.6 with an admin password of "password1", and you upgrade to 3.8.2.3 and change the admin password to "password2", then after a "rollback" you will need to use "password1" to access the appliance.

  5. If you are running firmware older than 3.7.1.8, 3.7.2.4, or 3.7.3.3 that does not contain the fix for APAR IC60930, it is possible that the user accounts may have been corrupted.

    In this case the user and password will be reset to the default of user = admin, password = admin. If you are able to log-in with this you will need to recreate the desired user accounts.

  6. Can you log in via SSH or CLI with the ADMIN id, but not via the WebGui? From the serial connection, issue these commands to reset the RBM and ACL.
    config
    rbm
    reset
    exit
    acl web-mgmt
    reset
    exit
    no web-mgmt
    write mem
    y
    web-mgmt z.z.z.z 9090 (z.z.z.z = IP address to listen on for the WebGUI)
    write mem
  7. If the admin password was lost during the initial configuration of the appliance:

    Follow the safety instructions referenced at the beginning of the document to shut down the appliance, power off the appliance, and unplug the electrical power connections. Wait 5 minutes. Safely reconnect the electrical power connections, power on the appliance, and try the password again.
  8. Otherwise

    IBM WebSphere DataPower SOA Appliances are highly secure, tamper-resistant devices, often deployed in secure environments or deployed to meet high security standards. One of the secure features is the fact that we do not offer a non-authenticated / authorized appliance reset or password reset capability. In order to reset the appliance password, the appliance actually has to be re-imaged just like during the initial manufacturing process. We have one facility, a secure location, where this is done. This is in the United States.

    Note: The appliance hardware will be inspected, tested and the battery replaced and the configuration reset to factory settings so all configuration objects will be deleted.

    Reference: Contacting IBM WebSphere DataPower SOA Appliance Support to contact IBM support for next steps.
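
The backup-administrator recommendation in Part 1 and the access requirement in item 1 of Part 2 can be checked against a saved copy of the appliance configuration before the "admin" password is ever lost. The Python below is an added example, not IBM code. It assumes the configuration text is made of user and usergroup stanzas closed by exit, with access-level, group and access-policy lines; the sample is constructed, and the names ops-admins, readers, carol and dave are hypothetical.

```python
REQUIRED_POLICY = "*/*/*?Access=rwadx"  # access policy quoted in item 1

# Constructed configuration excerpt; the stanza layout is an assumption.
SAMPLE_CFG = '''
usergroup "ops-admins"
  access-policy */*/*?Access=rwadx
exit
usergroup "readers"
  access-policy */*/*?Access=r
exit
user "admin"
  access-level privileged
exit
user "adminTWO"
  access-level privileged
exit
user "carol"
  access-level group-defined
  group ops-admins
exit
user "dave"
  access-level group-defined
  group readers
exit
'''

def parse_stanzas(text):
    """Map (kind, name) -> [(keyword, value), ...] for user/usergroup stanzas."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word in ("user", "usergroup") and rest:
            current = stanzas.setdefault((word, rest.strip('"')), [])
        elif line == "exit":
            current = None
        elif current is not None and line:
            current.append((word, rest.strip().strip('"')))
    return stanzas

def backup_admins(text):
    """Users other than "admin" that meet item 1's access requirement."""
    stanzas = parse_stanzas(text)
    full = {n for (k, n), props in stanzas.items()
            if k == "usergroup" and ("access-policy", REQUIRED_POLICY) in props}
    def ok(p):
        level = p.get("access-level")
        return level == "privileged" or (level == "group-defined" and p.get("group") in full)
    return sorted(n for (k, n), props in stanzas.items()
                  if k == "user" and n != "admin" and ok(dict(props)))
```

An empty result from backup_admins means no account other than "admin" could reset the "admin" password, which is the situation that ends in item 8.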

Cross reference information

Segment | Product | Component | Platform | Version | Edition
Business Integration | WebSphere DataPower Integration Appliance XI50 | | Firmware | 3.8, 3.7.3, 3.7.2, 3.7.1 | All Editions
Business Integration | WebSphere DataPower B2B Appliance XB60 | | Firmware | 3.8, 3.7.3, 1.0 | All Editions
Business Integration | WebSphere DataPower Low Latency Appliance XM70 | | Firmware | 3.8, 3.7.3, 1.0 | All Editions
Business Integration | WebSphere DataPower XML Accelerator XA35 | | Firmware | 3.8, 3.7.3, 3.7.2, 3.7.1 | All Editions
Business Integration | WebSphere DataPower XML Security Gateway XS40 | | Firmware | 3.8, 3.7.3, 3.7.2, 3.7.1 | All Editions


Document information

More support for: IBM DataPower Gateways, General
Software version: 5.0.0, 6.0.0, 6.0.1, 7.0.0
Operating system(s): Firmware
Software edition: Edition Independent
Reference #: 1257115
Modified date: 2007-09-13
