Manage system passwords

This topic describes how to change the encryption key password and the admin user’s password in Deploy.

Additional admin user recommendation

If you have forgotten the password for the built-in admin user and you do not have the password for another user with the admin global permission, then you cannot authenticate with the Deploy server to change the admin password. It is strongly recommended that you create at least one additional user with the admin permission to prevent this situation.

Change the encryption key password

Passwords that are stored in the repository are encrypted with an encryption key that is stored in a keystore file called XL_DEPLOY_SERVER_HOME/conf/repository-keystore.jceks. For additional security, you can optionally protect the keystore file with a password. If a password is set, you need to enter it when the Deploy server starts.

Note: repository-keystore.jceks is one of two keystore concepts in Deploy. This keystore only contains the key used for encryption of passwords in the repository. If you use HTTPS, Deploy will use a second keystore file to store the self-signed certificate.

To change the keystore password, you can use the keytool utility that is provided with the Java JDK distribution:

keytool -storepasswd -keystore conf/repository-keystore.jceks -storetype jceks

The keytool utility will not read or set passwords that are shorter than 6 characters. If you want to change the password of a keystore that has an empty or short password, use KeyStore Explorer.

Change the admin user’s password

Deploy’s built-in admin user has administrative permissions. You set the admin password when you install Deploy. To change the admin password:

  1. Ensure that the Deploy server is running.
  2. Start the Deploy command-line interface (CLI) as the admin user or as another user with the admin global permission.
  3. Execute the following commands:

    adminUser = security.readUser('admin')
    adminUser.password = 'newPassword_1'

  4. Stop the Deploy server.
  5. In the XL_DEPLOY_SERVER_HOME/conf/deployit.conf file, set admin.password to the new password. Deploy will encrypt this password when it starts.
  6. Start the Deploy server.
  7. Test the credentials by executing the following command in the CLI:

    security.login('admin', 'newPassword_1')

Password strength requirements

You can configure password strength requirements using the secret-complexity tag in the XL_DEPLOY_SERVER_HOME/conf/xl-deploy.conf file. The requirements are enforced when a user is created or a password is changed, whether through the interface or the API.

Password requirements

Note: This section only applies to internal users. For external users, Deploy has no authority or solution to manage password complexity.

To set password requirements, in xl-deploy.conf add a new block in xl {}, using pairs of regex patterns with descriptions to define the requirements. For example:

xl {
    secret-complexity {
      regex-validations = [
        ".{8,}$", "Must have at least 8 characters",
        "(?=.*\\d)", "Must contain at least 1 digit",
        "(?=.*[A-Z])", "Must contain at least 1 uppercase letter",
        "(?=.*[a-z])", "Must contain at least 1 lowercase letter"
      ]
    }
}

Note: updating the password requirements will not break existing passwords, but will prevent you from using weaker passwords when updating or creating accounts.
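
To check a regex-validations list against candidate passwords before putting it in xl-deploy.conf, the following added example (not part of the Deploy product or its documentation) evaluates the four pairs shown above. It assumes a rule passes when its pattern is found anywhere in the password, which is what the lookahead patterns imply; the function names and sample passwords are constructed for illustration.

```python
import re

# The four pattern/description pairs from the xl-deploy.conf example above,
# after HOCON unescaping ("\\d" in the file is the regex \d).
REGEX_VALIDATIONS = [
    r".{8,}$", "Must have at least 8 characters",
    r"(?=.*\d)", "Must contain at least 1 digit",
    r"(?=.*[A-Z])", "Must contain at least 1 uppercase letter",
    r"(?=.*[a-z])", "Must contain at least 1 lowercase letter",
]


def load_rules(flat):
    """Turn the flat [pattern, description, ...] list into compiled rules."""
    if len(flat) % 2:
        # A missing description shifts every later pair, so reject it early.
        raise ValueError("regex-validations needs pattern/description pairs")
    rules = []
    for pattern, description in zip(flat[0::2], flat[1::2]):
        try:
            rules.append((re.compile(pattern), description))
        except re.error as exc:
            raise ValueError(f"bad pattern {pattern!r}: {exc}") from exc
    return rules


def violations(password, rules):
    """Return the description of every rule the password fails.

    Assumption: a rule passes when the pattern is found anywhere in the
    password (search semantics, not a full match).
    """
    return [desc for rx, desc in rules if rx.search(password) is None]


if __name__ == "__main__":
    rules = load_rules(REGEX_VALIDATIONS)
    # Constructed sample passwords, not real credentials.
    for candidate in ["newPassword_1", "short1A", "alllowercase1", "NoDigitsHere"]:
        failed = violations(candidate, rules)
        print(f"{candidate!r}: {'OK' if not failed else '; '.join(failed)}")
```

These four patterns use only syntax that Python's re module and Java regular expressions share; a pattern that relies on Java-only syntax needs to be tested in Java instead.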