Setting the password
Learn how to set and change the password for your root account to help secure the system.
Improved BMC password policy
The baseboard management controller (BMC) root password must be set on first use for newly manufactured systems or after performing a factory reset of the system. This policy change helps to enforce that the BMC is not left in a state with a well-known password.
In firmware level OP940.01, and later, the root password is expired and must be changed before you can access the functions of the BMC. However, if you are upgrading the firmware level from a previous OpenBMC firmware level or if you are performing an operational installation, you do not have to change the password.
The default user name is root and the default password is 0penBmc. You can use the web application, the Redfish REST APIs, or the OpenBMC tool command to change the password. You can also use the Console Inband Communications Credentials task in the HMC GUI to change the expired password.
- In the navigation area, click Console Management, and then select Console Settings.
- In the content pane, click Console Inband Communications Credentials.
- From the Console Inband Communications Credentials window, you can set the inband BMC credentials or modify an expired password for previously set inband BMC credentials for the HMC.
- To change your expired password by using the web interface, enter https://<BMC_IP> into a web browser and then enter the access credentials of the BMC. The web interface prompts you to enter a new password.
- To change your expired password through a network interface, you can use Redfish APIs. For instructions, see Managing the system by using DMTF Redfish APIs.
- To change your expired password by using the OpenBMC tool, run the openbmctool set_password subcommand. For example,
    openbmctool.py -H <BMC IP address or BMC host name> -U <username> -P <password> set_password -p <new password>
    Attempting login...
    200
    User root has been logged out
  Where 200 is the response status that indicates success.
Also, with firmware level OP940.01, the BMC factory reset function resets the BMC password back to its default value and causes the default password to expire. This means that after you perform the factory reset, you must change the password before you can access the BMC (even if you upgraded from an older firmware level).
- Set a strong password for the root account. Strong passwords have at least 15 characters and include non-alphabetic characters. Initially, the password must not exceed 20 characters. Passwords can be changed later to a length greater than 20 characters, but IPMI access will be removed. Avoid using the root account, as the root account has more access to the BMC than an Administrator account. The root account can present a security risk if it is used incorrectly or maliciously. Use the root account only when it is required.
- Create a separate account for each entity to manage the system. For example, you can create an Administrator account for yourself and for xCat, and create an Operator account for your staff. You can use the web interface or Redfish APIs to create a new account. When you create a new account, carefully consider which privilege role to assign to the user. Always use the least privilege role that is required.
- To create a new account by using the web interface, see Local users.
- To create a new account by using the Redfish APIs, see Managing the system by using DMTF Redfish APIs.
If your BMC is using Lightweight Directory Access Protocol (LDAP), you can add users to the LDAP server.
- Log off from the root account and switch to your personal Administrator account.
To increase the security of the system, the administrator can optionally configure access to the LDAP server. For more information, see Basic commands and functionality of the OpenBMC tool.
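The password rules above can be checked before a change is submitted. The following is an added example, not IBM or OpenBMC code: it checks a candidate against the limits stated on this page and builds, without sending, a Redfish password-change request. The function names, the sample host and password, and the account path (the standard DMTF ManagerAccount location, with the account Id assumed equal to the user name) are assumptions.

```python
import base64
import json
import urllib.request

DEFAULT_PASSWORD = "0penBmc"  # default value quoted on this page
MIN_LEN = 15                  # "at least 15 characters"
INITIAL_MAX_LEN = 20          # "Initially, the password must not exceed 20 characters"


def check_password(candidate, initial=True):
    """Return (errors, warnings) for a candidate root password."""
    errors, warnings = [], []
    if candidate == DEFAULT_PASSWORD:
        errors.append("is the well-known default password")
    if len(candidate) < MIN_LEN:
        errors.append(f"shorter than {MIN_LEN} characters")
    if all(ch.isalpha() for ch in candidate):
        errors.append("contains no non-alphabetic character")
    if len(candidate) > INITIAL_MAX_LEN:
        if initial:
            errors.append(f"longer than {INITIAL_MAX_LEN} characters on first set")
        else:
            # Later changes may exceed 20 characters, at the cost of IPMI.
            warnings.append("IPMI access will be removed")
    return errors, warnings


def build_password_patch(host, user, current_pw, new_pw, initial=True):
    """Build, without sending, the Redfish PATCH that sets new_pw."""
    errors, _ = check_password(new_pw, initial)
    if errors:
        raise ValueError("; ".join(errors))
    # Assumption: standard DMTF ManagerAccount resource path, with the
    # account Id equal to the user name; confirm against your BMC.
    url = f"https://{host}/redfish/v1/AccountService/Accounts/{user}"
    token = base64.b64encode(f"{user}:{current_pw}".encode()).decode()
    return urllib.request.Request(
        url, data=json.dumps({"Password": new_pw}).encode(), method="PATCH",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    req = build_password_patch("192.0.2.10", "root", DEFAULT_PASSWORD,
                               "Correct-Horse-42x")
    print(req.get_method(), req.full_url)
```

The request object can be passed to urllib.request.urlopen once the BMC's TLS certificate is trusted by the client.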