Administrator Initial Password
Since 4.8.1
This functionality is available since version 4.8.1.
Starting with version 4.8.1, midPoint no longer uses the default administrator password 5ecr3t.
Instead, it offers several options for setting the initial password.
If you don’t define the initial password explicitly, midPoint generates one automatically.
Use Auto-Generated Password
If you perform a clean installation of midPoint without configuring an initial administrator password, the system generates a password for you. You can find this generated password in the midPoint logs.
To obtain the password, search the logs for Administrator initial password.
The password may contain spaces, so it is enclosed in double quotes.
The quotes are not part of the password.
After you first log into the administrator account, change the password or disable the built-in administrator account completely. This is important because the initial password may remain in the logs or environment variables for some time. See also the note on changing the administrator password on an existing instance.
Obtain the Password From Logs
If you run midPoint using a distribution package, the location of logs depends on your operating system and environment configuration.
When you run midPoint using Docker, the logs are saved within the container. To access them, you need to enter the container console and find the logs there.
You must have the container running to access its console.
docker ps (1)
docker exec -it container_id bash (2)
cd /opt/midpoint/var/log
| 1 | Find the ID of the container with midPoint, e.g., 263baad5a25a. |
| 2 | Replace container_id with the ID from the first step. This gets you to a normal Linux Bash subshell, which you can later exit using the exit command. |
Once you find the midpoint.log file, you can search it for the password:
grep "Administrator initial password" midpoint.log (1)
2025-04-06 07:49:28,288 [] [main] WARN (com.evolveum.midpoint.init.DataImport): Administrator initial password (except double quotes): "Ec5s !f7a" (2)
| 1 | Search logs for the initial password using grep. |
| 2 | The initial password is Ec5s !f7a. |
Now you know that you can log into your midPoint instance using
Define Custom Initial Password
Instead of using the generated password, you can set your own initial password. You have several ways to do that:
- Using Environment Variable (recommended way)
The initial password must conform to default password policy (see below), otherwise the administrator user is not created and you can’t use your midPoint instance.
You cannot change the password using the initial deployment configuration options
Once you deploy your midPoint instance, the only reasonable way to change the administrator password is via the web administration interface (GUI). Even if you stop the midPoint instance, change the initial password, and restart the instance, the new configuration value is ignored and the administrator password does not change. The configuration for the initial password is used only once.
To use an updated value, you would need to reset the instance entirely, e.g., using
Default Password Policy
The default password policy is stricter since midPoint 4.8.1 and the password must meet the following criteria:
- At least 8 characters long
- At least one uppercase Latin letter
- At least one lowercase Latin letter
- At least one number
- You can also use some special characters.
  - Full list of allowed non-alpha-numeric characters: !"#$%&'()*+,-. :;<>?@[]^_ (includes white space)
  - Example of some disallowed characters: =–/„, any accented Latin characters (e.g., šřöýéł), and any non-Latin characters (e.g., жяア地მო).
- The password must not contain the particular user’s username, family name, given name, or additional names.
If you set an initial password that does not satisfy all the requirements, midPoint does not create the administrator user. That effectively means you cannot use the midPoint instance. If that happens to you, delete the instance (e.g.,
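The criteria above as a pre-deployment check, so that a non-compliant value is caught before midPoint refuses to create the administrator user. This is an added example, not part of the midPoint documentation or code base; the function name check_initial_password is hypothetical, and comparing names case-insensitively is an assumption.

```shell
#!/bin/sh
# Added example, not midPoint's own validation code: checks a candidate
# initial password against the default policy criteria listed on this page.
#
# Usage: check_initial_password PASSWORD [NAME...]
#   NAMEs: the user's username, family name, given name, additional names.
# Prints "ok" and returns 0, or prints the first violated rule and returns 1.
# The body is a subshell, so LC_ALL and exit stay local to the function.
check_initial_password() (
    LC_ALL=C; export LC_ALL    # byte-wise matching: [A-Z] means ASCII only
    pw=$1
    [ "$#" -gt 0 ] && shift
    reject() { echo "$1"; exit 1; }

    # Delete every allowed character; only the "/" sentinel may be left over.
    # "/" is itself disallowed, and it keeps $(...) from hiding a trailing newline.
    allowed='A-Za-z0-9 !"#$%&'\''()*+,.:;<>?@[]^_-'
    rest=$(printf '%s/' "$pw" | tr -d "$allowed")
    [ "$rest" = "/" ] || reject "disallowed character"

    [ "${#pw}" -ge 8 ] || reject "shorter than 8 characters"
    case $pw in *[A-Z]*) ;; *) reject "no uppercase Latin letter" ;; esac
    case $pw in *[a-z]*) ;; *) reject "no lowercase Latin letter" ;; esac
    case $pw in *[0-9]*) ;; *) reject "no number" ;; esac

    # Assumption: names are compared case-insensitively (the stricter reading).
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for name in "$@"; do
        [ -n "$name" ] || continue
        n=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $lower in *"$n"*) reject "contains the name $name" ;; esac
    done
    echo "ok"
)

# Constructed sample candidates; the first two appear on this page.
# "administrator" is the assumed username of the built-in account.
for candidate in 'Test5ecr3t' 'Ec5s !f7a' '5ecr3t' 'Test=5ecr3t'; do
    printf '%-12s -> %s\n' "$candidate" \
        "$(check_initial_password "$candidate" administrator)"
done
```

To check the value you are about to deploy, pass the variable instead of a literal, for example check_initial_password "$MP_SET_midpoint_administrator_initialPassword" administrator.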
Using Environment Variable
Setting the initial password using an environment variable offers the most flexibility. You can use environment variables for Docker deployments as well.
Set the environment variable MP_SET_midpoint_administrator_initialPassword to the desired initial password.
Developers may prefer this approach as they can configure environment variables consistently across all midPoint instances they spin up.
export MP_SET_midpoint_administrator_initialPassword=Test5ecr3t
bin/midpoint.sh start
Using Docker Container Configuration
You can set the initial password for Docker deployments:
- As a command line parameter when you invoke Docker
- In the docker-compose.yml configuration file
docker run ... -e MP_SET_midpoint_administrator_initialPassword=Test5ecr3t ... evolveum/midpoint
version: "3.3"
services:
  midpoint:
    image: evolveum/midpoint
    environment:
      - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t
    # ...
If you set the initial password via the environment variable, it’s not stored in the logs.
Using Java Property
You can also set the initial password using the Java property midpoint.administrator.initialPassword.
bin/midpoint.sh start -Dmidpoint.administrator.initialPassword=Test5ecr3t
Using config.xml
If the methods above don’t suit your needs, you can define the initial password in config.xml, which also contains other infrastructure passwords.
<configuration>
    <midpoint>
        ....
        <administrator>
            <!-- must satisfy the default password policy, including an uppercase letter -->
            <initialPassword>Xml5ecr3t</initialPassword>
        </administrator>
    </midpoint>
</configuration>