Information in this document applies to any platform.
This document provide steps to change or reset the WebLogic Admin Server's Administrator password using the WLS /console or weblogic.security.utils.AdminAccount tool.
WebLogic Server 12c
Using the weblogic.security.utils.AdminAccount tool is not supported on WLS 12c. Oracle does provide guidance in the lockdown guide recommending two admin accounts and safeguarding passwords. See Table 3-1 in Securing the WebLogic Server Host, rows "Limit the number of user accounts on the host machine" and "Safeguard passwords" within https://docs.oracle.com/middleware/12213/wls/LOCKD/secure.htm#GUID-4EE4FBAF-48B9-4E58-9CAD-381ABA81CC50 .
If you have two admin users, you can login as either one and use normal password mechanisms to change the password.
Normal password management is described in:
- Admin Console Online help: "Modify Users"
https://docs.oracle.com/middleware/12213/wls/WLACH/taskhelp/security/ModifyUsers.html
- Admin Console Online help: "Modify Users"
https://docs.oracle.com/middleware/12213/wls/WLACH/taskhelp/security/ModifyUsers.html
- Fusion Middleware Control help: "Configure user password settings"
https://docs.oracle.com/middleware/12213/wls/TASKS/security.htm#TASKS679
https://docs.oracle.com/middleware/12213/wls/TASKS/security.htm#TASKS679
-Using WLST: "Changing a Password"
https://docs.oracle.com/en/middleware/lifecycle/12.2.1.3/wlstg/config_wls.html#GUID-4B3CDA08-1EEF-4439-BF44-B8FC3C0B0CD0
https://docs.oracle.com/en/middleware/lifecycle/12.2.1.3/wlstg/config_wls.html#GUID-4B3CDA08-1EEF-4439-BF44-B8FC3C0B0CD0
WebLogic Server 10.3.6 and Earlier
To change the Administrator password on WLS 10.3.6 or earlier, perform the following steps depending on your situation:
IF YOU KNOW CURRENT PASSWORD
- Start the Admin Server and log into /console.
- Go to page: Home > Summary of Security Realms > myrealm > Users and Groups > weblogic. and click on tab Passwords.
- Enter the new Password.
- Restart the server.
If you get a weblogic.security.SecurityInitializationException error, perform these additional steps on every Managed Server (or eventually the Admin Server, too):
- Go to folder
/servers/AdminServer/security - Edit the boot.properties file and change the password to the value already entered on the Admin Console. Do this for all the servers in the domain.
- Start the Admin Server (Weblogic Server will encrypt the password for you).
Optionally, you can force a Managed Server to connect to the embedded LDAP server on the Administration Server, instead of connecting to the local replicated LDAP server. Follow these steps:
- Go to page: Domain > Security > Embedded LDAP page on the Admin Console.
- Enable MasterFirst.
- Restart the server.
IF YOU DON'T KNOW CURRENT PASSWORD
If you forget your administrative password and cannot start the server, the following procedure works for the default authenticator using the embedded LDAP server and only if you have not modified the global Admin role, which by default is granted to the Administrators group. For our example, it is assumed that your server name is AdminServer. Important: Using the weblogic.security.utils.AdminAccount tool creates a new admin user, but you may lose your existing LDAP data, which includes user, groups, and policy data, so backing up your LDAP folder is recommended before executing the steps.
If you forget your administrative password and cannot start the server, the following procedure works for the default authenticator using the embedded LDAP server and only if you have not modified the global Admin role, which by default is granted to the Administrators group. For our example, it is assumed that your server name is AdminServer. Important: Using the weblogic.security.utils.AdminAccount tool creates a new admin user, but you may lose your existing LDAP data, which includes user, groups, and policy data, so backing up your LDAP folder is recommended before executing the steps.
To reset the password, follow these steps:
- Make sure Weblogic Server instance is stopped.
- Make a backup of the LDAP folder of the admin server as well as managed servers (you may rename those folders):
/user_projects/domains/ /servers/ /data/ldap - Set your environment variables by running setDomainEnv.sh (UNIX) or setDomainEnv.cmd (Windows). For example, on UNIX:. ./setDomainEnv.sh (Notice the space between the dots)
- Create a new initialization file for the default authenticator by running the following command that creates a new DefaultAuthenticatorInit.ldift file in the $DOMAIN_HOME/security subdirectory:java weblogic.security.utils.AdminAccount
/security
Note: AdminAccount should be run on the Admin Server, not one of the Managed Servers. - Remove the initialized status file DefaultAuthenticatormyrealmInit.initialized from the
/servers/AdminServer/data/ldap/ subdirectory: cd/user_projects/domains/ /servers/AdminServer/data/ldap
rm DefaultAuthenticatormyrealmInit.initialized
NOTE: In some cases, it has been necessary to delete ldap directory for this process to work. - Go to folder
/servers/AdminServer/security - Edit the boot.properties file and change the password to the value already used on the previous step. Do this for all the servers in the domain.
- Start Weblogic Server (Weblogic Server will encrypt the password for you).
IMPORTANT:
Keep in mind that we are not just changing the password for the Admin Console, but we are rather changing it for the Admin User (which may connect in many different ways to Admin Server).
Remember to use the new password (once successfully changed), when when connecting to WLST, start the managed servers or using weblogic.Admin utility.
Keep in mind that we are not just changing the password for the Admin Console, but we are rather changing it for the Admin User (which may connect in many different ways to Admin Server).
Remember to use the new password (once successfully changed), when when connecting to WLST, start the managed servers or using weblogic.Admin utility.
