Passwords

This page configures the various options related to Passwords, the Keystore password, and Password policies.

Note

User passwords may be changed in the Users dialog box accessed from the Users, Groups, Roles page.

Keystore passwords

In GeoServer, encrypting and decrypting passwords involves the generation of secret shared keys, stored in a Java keystore. For more information see Secret keys and the keystore.

Active keystore password provider

This option sets the active keystore password provider, via a list of all available keystore password providers.

Figure: Active keystore password provider

To change the keystore password click the Change password link.

Figure: Changing the keystore password

To view the current keystore password, use the Keystore password forgotten? link. This link requires access to the REST API, which is used to view the current value in your browser.

Warning

The file security/masterpw.info may be present from a GeoServer 2.27 or earlier update. This file is a security risk and shows up as a warning on the welcome page for administrators to address.

The administrator should read this file, verify the keystore password, and then remove the file.
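The check described in the warning above can be scripted for a data directory. This is an added example, not part of GeoServer or its documentation; the function name, the data directory argument and the return codes are assumptions of this example, and only the path security/masterpw.info comes from the page.

```shell
#!/bin/sh
# Added example: audit a GeoServer data directory for a leftover
# security/masterpw.info file (path taken from the warning above).

# check_masterpw_info DATA_DIR
# Return codes (this example's own convention, not GeoServer's):
#   0 = file absent
#   1 = file present, readable by its owner only
#   2 = file present and readable by group or others
#   3 = DATA_DIR has no security/ directory (wrong path?)
check_masterpw_info() {
    data_dir=$1
    sec_dir=$data_dir/security
    target=$sec_dir/masterpw.info

    if [ ! -d "$sec_dir" ]; then
        echo "ERROR: $sec_dir not found; is this a GeoServer data directory?" >&2
        return 3
    fi
    if [ ! -e "$target" ] && [ ! -L "$target" ]; then
        echo "OK: $target is not present"
        return 0
    fi
    # POSIX find: prints the path when the group-read or other-read bit is set
    exposed=$(find "$target" -prune \( -perm -040 -o -perm -004 \))
    if [ -n "$exposed" ]; then
        echo "WARN: $target exists and is readable beyond its owner"
        status=2
    else
        echo "WARN: $target exists (owner-only permissions)"
        status=1
    fi
    echo "  Verify the keystore password, then remove the file."
    ls -l "$target"
    return "$status"
}

# Run against the directory given on the command line, if any.
if [ $# -ge 1 ]; then
    check_masterpw_info "$1"
fi
```
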

Keystore Password Providers

This section provides the options for adding, removing, and editing keystore password providers.

Figure: Keystore password provider list

Use Add new and Remove selected to manage the list of keystore password providers.

When creating or editing a URL Keystore password Provider the following settings are available.

Figure: URL Keystore password Provider

The Read-only setting is used to indicate the URL location is used as the source only, and disables the ability to change the keystore password from GeoServer.

The URL indicates the location of the URL source used to obtain the Keystore password.

The Enable encryption setting offers the option to encrypt the password to/from the URL source.

The Allow “root” user to login as Admin setting is used to enable the root account.

Note

By default, login to the Admin GUI and REST APIs with the keystore password is disabled. This setting is only recommended as a temporary measure when adjusting the security subsystem (in case an administrator inadvertently disrupts normal authentication).

Password policies

This section configures the various Password policies available to users in GeoServer. New password policies can be added or renamed, and existing policies edited or removed.

By default there are two password policies in effect, default and root. The default password policy, intended for most GeoServer users, does not have any active password constraints. The keystore password policy, intended for the Root account, specifies a minimum password length of eight characters. Password policies are applied to users via the user/group service.

Figure: List of password policies

Clicking an existing policy enables editing, while clicking the Add new button will create a new password policy.

Figure: Creating a new password policy