A warning about changing the default Super Administrator password
May 13, 2016
One thing you should always do in your production instance is change the default passwords. Everyone does that, right? Riiiight…
Well, when you change the default Super Administrator (administrator) password in AEM Forms Workflows 6.1 or 6.2, there is an unexpected side effect. The new password works fine when you test it, so you go about your other tasks. Then, after a period of time, you find that you have been automatically locked out!
Under the hood, there is an OSGi service that links the OSGi CRX instance to the JEE instance. This is called the Adobe LiveCycle Client SDK Configuration. This service constantly attempts to log into the JEE instance and do stuff. If you change the default administrator password and don’t also change the password stored in this configuration, the service will keep logging in with the old password and lock your Super Administrator account out.
Great. How do I stop this?
It’s easy. Just open the OSGi system console and change the password in the configuration screen. You can open the config item directly from a browser. e.g.
Ok…I’m already locked out. Now what?
The default unlock time is set to 30 minutes after 20 incorrect attempts, so you can change the OSGi password and wait 30 minutes…or, if you are super impatient like me, you can bust out some SQL-fu.
Remember the password you set on the database when you installed the instance? You’re going to need that now. Don’t remember it? Sorry – you now have to wait. Go browse Reddit for a bit and come back…
First, start by installing a SQL editor for your particular database (I’m going to show MySQL since that is in the turnkey edition).
1. First log in to your MySQL instance using the root account
2. Then enter the password by clicking Store in Vault… (this is the password that you used when you installed the instance). Click OK
3. Click Test Connection
4. You should see a couple of adobe database instances (these will be the database names you specified during setup). I usually call mine ‘adobe’ or ‘adobe_wf’
5. Now locate the Super Admin account using the following SQL:
SELECT * FROM adobe.edcprincipalentity WHERE canonicalname = 'SuperAdmin';
6. You should see that the column countauthfailure has a number > 20 and islocked is set to 1 (locked)
7. Now you can either use the GUI to change the value or run the following SQL:
UPDATE adobe.edcprincipalentity SET islocked = 0 WHERE canonicalname = 'SuperAdmin';
8. You should be able to log in to your Super Administrator account now
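The check-then-unlock in steps 5 to 7, as an added example that is not part of the original post: it refuses to write unless exactly one row matches and rolls back if the UPDATE touches anything else. It runs against an in-memory SQLite stand-in with constructed rows; only the table name and the three columns come from the post, and the function names are hypothetical.

```python
import sqlite3

def unlock_principal(conn, name):
    """Unlock exactly one principal by canonicalname; return (before, after) rows."""
    # sqlite3 uses '?' placeholders; MySQL drivers typically use '%s'.
    query = ("SELECT canonicalname, countauthfailure, islocked "
             "FROM edcprincipalentity WHERE canonicalname = ?")
    cur = conn.cursor()
    rows = cur.execute(query, (name,)).fetchall()
    if len(rows) != 1:
        raise LookupError(f"expected 1 row for {name!r}, found {len(rows)}")
    before = rows[0]
    if before[2] == 0:
        return before, before  # not locked: change nothing
    try:
        # Same statement as the post: only islocked is changed.
        cur.execute("UPDATE edcprincipalentity SET islocked = 0 "
                    "WHERE canonicalname = ?", (name,))
        if cur.rowcount != 1:
            raise RuntimeError(f"UPDATE touched {cur.rowcount} rows")
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    after = cur.execute(query, (name,)).fetchone()
    return before, after

def demo_db():
    """Constructed sample data: an in-memory stand-in for the 'adobe' schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE edcprincipalentity ("
                 "canonicalname TEXT, countauthfailure INTEGER, islocked INTEGER)")
    conn.executemany("INSERT INTO edcprincipalentity VALUES (?, ?, ?)",
                     [("SuperAdmin", 23, 1), ("jdoe", 0, 0), ("svc-batch", 21, 1)])
    conn.commit()
    return conn

if __name__ == "__main__":
    conn = demo_db()
    before, after = unlock_principal(conn, "SuperAdmin")
    print("before:", before)
    print("after: ", after)
```

Keeping the before and after rows gives you a record of the manual change to attach to the incident or change ticket.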
It’s probably a good idea to create a second Super Administrator account just in case this happens again.