Administrator Initial Password

Last modified 06 Apr 2025 16:33 +02:00

Since 4.8.1

This functionality is available since version 4.8.1.

Table of Contents

Use Auto-Generated Password
- Obtain the Password From Logs
Define Custom Initial Password

Starting with version 4.8.1, MidPoint no longer uses the default administrator password 5ecr3t. Instead, it offers several options for setting the initial password. If you don’t define the initial password explicitly, midPoint generates one automatically.

Use Auto-Generated Password

If you perform a clean installation of MidPoint without configuring an initial administrator password, the system generates a password for you. You can find this generated password in midPoint logs.

To obtain the password, search the logs for Administrator initial password. The password may contain spaces, so it is enclosed in double quotes. The quotes are not part of the password.

After you first log into the administrator account, change the password or disable the built-in administrator account completely. This is important because the initial password may remain in the logs or environment variables for some time.

Obtain the Password From Logs

If you run midPoint using a distribution package, the location of logs depends on your operating system and environment configuration.

When you run midPoint using Docker, the logs are saved within the container. To access them, you need to enter the container console and find the logs there.

You must have the container running to access its console.

Enter the Docker container console

docker ps (1)
docker exec -it container_id bash (2)
cd /opt/midpoint/var/log

1	Find the ID of the container with midpoint, e.g., `263baad5a25a`.
2	Substitute `container_id` for the ID from the first step. This gets you to a normal Linux Bash subshell, which you can later exit it using the `exit` command.

Once you find the midpoint.log file, you can search it for the password:

grep "Administrator initial password" midpoint.log (1)
2025-04-06 07:49:28,288 [] [main] WARN (com.evolveum.midpoint.init.DataImport): Administrator initial password (except double quotes): "Ec5s !f7a" (2)

1	Search logs for the initial password using `grep`.
2	The initial password is `Ec5s !f7a`.

Now you know that you can log into your midPoint instance using administrator as the username and Ec5s !f7a as the password. Change the password first thing after you log in. You can’t change the administrator username.

Define Custom Initial Password

Instead of using the generated password, you can set your own initial password. You have several ways to do that:

Using Environment Variable (recommended way)
Using Java Property
Using config.xml

The initial password must conform to default password policy (see below), otherwise the administrator user is not created and you can’t use your midPoint instance.

Once you deploy your midPoint instance with the initial password set using one of the available options, the only reasonable way to change it without resetting the instance is via the web administrative interface (GUI).

Even if you stop the midPoint instance, change the initial password, and restart the instance, the administrator password doesn’t get changed.

Default Password Policy

The default password policy is stricter since midPoint 4.8.1 and the password must meet the following criteria:

At least 8 characters long
At least one uppercase letter
At least one lowercase letter
At least one number
You can also use some special characters (e.g., #, ., -, ~, etc.)
- For example, the characters – and ’ aren’t allowed.
The password mustn’t contain username, family name, given name, or additional names.

If you set an initial password that doesn’t satisfy all the requirements, midPoint doesn’t create the administrator user. That effectively means you can’t use the midPoint instance.

If that happens to you, delete the instance (e.g., docker compose down -v), set a satisfactory password, and try again.

Using Environment Variable

Setting the initial password using an environment variable offers the most flexibility. You can use environment variables for Docker deployments as well.

Set the environment variable MP_SET_midpoint_administrator_initialPassword to the desired initial password.

Developers may prefer this approach as they can configure environment variables consistently across all midPoint instances they spin up.

shell

export MP_SET_midpoint_administrator_initialPassword=Test5ecr3t
bin/midpoint.sh start

Using Docker Container Configuration

You can set the initial password for Docker deployments:

As a command line parameter when you invoke Docker
In docker-compose.yml configuration file

Docker in command line

docker run evolveum/midpoint ... -E MP_SET_midpoint_administrator_initialPassword=Test5ecr3t ...

Docker Compose configuration file

version: "3.3"
services:
  midpoint:
    image: evolveum/midpoint
    environment:
      MP_SET_midpoint_administrator_initialPassword=Test5ecr3t
    ...

If you set the initial password via the environment variable, it’s not stored in the logs.

Using Java Property

You can also set default initial password using the Java property midpoint.administrator.initialPassword.

shell

bin/midpoint.sh start -Dmidpoint.administrator.initialPassword=Test5ecr3t

Using config.xml

If the methods above don’t suit your needs, you can define the initial password in config.xml, which also contains other infrastructure passwords.

config.xml

<configuration>
    <midpoint>
        ....
        <administrator>
          <initialPassword>xml5ecr3t</initialPassword>
        </administrator>
    </midpoint>
</configuration>

Was this page helpful?

YES NO

Thanks for your feedback