Recover a locked Root User account

From Metadata Technology Wiki
Jump to navigation Jump to search

Overview

There are two ways a root account can become inaccessible. Either by losing the password or by having the account enter a "locked" state. A root account can only be locked if the setting "Max Login Attempts" has been set to a positive number and the specified number of illegal access attempts has been attempted.

Resetting the Root Password

If you need to reset the root password in Fusion Metadata Registry, we supply a tool with the Registry that can help you do this and which does not require the Registry to be restarted. This tool is supplied as a JAR file and is distributed within the Registry ZIP distribution.

To use this tool, you will need:

  • A Java VM
  • Access to the database that is storing the settings for Fusion Registry

The process consists of 3 steps:

  1. Run the tool to generate a new password
  2. Apply the password to the Registry's database
  3. Ensure the password works

Running the Password Reset Tool

Open a Command Prompt and navigate to the directory containing the Password Reset tool. Then issue the command:

java -jar "password reset.jar"

The tool will respond with:

Please enter a new password, or press enter for a random password to be generated

So either type the new password you would like to use or press enter to have a random password generated. If you typed the new password as abcdefgh the tool will respond with:

your new password is: 'abcdefgh' and your new hash is: $2a$10$ASWui0vUQqbTXncVtijBjuNFB3voHv3mGGb.XsT5OnZ0FTARk.'

This hash now needs to be applied to the database.

Assigning the New Password Hash

The database that stores the settings for the Fusion Registry will contain a table called "registry_root_security". This table has a single row with the username of the root account and the hash for the password. The column "pwd" needs to be updated with the value from the password reset too. By way of example here is SQL to update a MySQL server with the new hash:

UPDATE `registry_root_security` SET pwd = '$2a$10$ASWui0vUQqbTXncVtijBjuNFB3voHv3mGGb.XsT5OnZ0FTARk.';

COMMIT;

Ensure that the Registry Accepts the new Password

Once the table has been updated, the credentials can be used. There is no need to restart the Registry.

Open a browser window and attempt to log in using the root credentials. If the new password doesn't work, please check the values entered into the table in the previous stage.

If you are still having trouble resetting the password, another technique is to modify the database so that when the Registry is restarted it returns to the Install Page. This process is described here.

Unlocking a locked Root Account

To unlock a locked Root Account in the Registry you will need access to the underlying database that stores all of the Registry information.

In the database there will be a table with the name 'registry_root_security'.

This table contains the following information about the root account: the username; the password (encrypted); the number of times a wrong password can be entered before the account is locked; whether or not the root account is locked.

To unlock a locked root user set the value of the column 'is_locked' to 0. There is no need to restart the Registry after this change, the root user is now unlocked.