Reset admin password for Fortify 22.2

Hi,

I have configured Fortify SSC 22.2.0 on a stage machine but am unable to log in.

I verified the log file ssc.log in the Fortify home directory. The error below is shown:

/ssc/j_spring_security_check [WARN] com.fortify.manager.security.CustomLoggerListener - Authentication event AuthenticationFailureCredentialsExpiredEvent: admin; exception: User credentials have expired

Please suggest how I can fix this issue.

I do see this message in the logs:

[WARN] com.fortify.manager.security.CustomLoggerListener - Authentication event AuthenticationFailureLockedEvent: admin; exception: User account is locked

Please help with how to unlock the account.

  • 0  

    Run the following SQL command on the SSC database:

    UPDATE fortifyuser
    SET password = '{bcrypt}$2a$10$fJ65H/8ihJW40LOI4CAzWuiqp/G.TQs1rzs8RbfiR1avAP9Ty0Tau',
    dateFrozen = NULL,
    failedLoginAttempts = '0'
    WHERE userName = 'admin';

    This will reset the admin password back to admin.

  • 0 in reply to   

    Thanks, but still it is not working for me. I have executed the update statement and verified it in the database as well. I have restarted Tomcat and tried to log in using admin/admin, but the URL is showing this - <hostname>:8080/ssc/changePassword.jsp#!/

    I have verified the log file ssc.log; this is the last line in the log file:

    /ssc/j_spring_security_check [WARN] com.fortify.manager.security.CustomLoggerListener - Authentication event AuthenticationFailureCredentialsExpiredEvent: admin; exception: User credentials have expired

  • 0   in reply to 

    Let's also set passwordNeverExpire = 'Y':

    UPDATE fortifyuser
    SET password = '{bcrypt}$2a$10$fJ65H/8ihJW40LOI4CAzWuiqp/G.TQs1rzs8RbfiR1avAP9Ty0Tau',
    dateFrozen = NULL,
    failedLoginAttempts = '0',
    passwordNeverExpire = 'Y'
    WHERE userName = 'admin';

    (There should be no need to restart Tomcat.) Try that and let me know how it goes.

  • 0 in reply to   

    From the above screen, how do I get the encrypted password for the "SET password" field value?

  • 0   in reply to 

    Passwords are never stored; only the hash value is stored. (Hashing is a one-way function, whereas encryption is two-way.) For the last few years, SSC has used the bcrypt hashing function to generate the hash. One of the neat features of bcrypt is that it has a built-in salting mechanism, which protects against rainbow table attacks.

    If you have the hash value, you can never generate the original string (hence, hashing is one-way). If you wish to test some strings, use the following online tool: https://bcrypt.online/

    For example, enter the following under the "Bcrypt Hash Verifier" section:

    Plain Text: admin
    Hash: $2a$10$fJ65H/8ihJW40LOI4CAzWuiqp/G.TQs1rzs8RbfiR1avAP9Ty0Tau

    Then click the "Verify Hash" button.
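As an added example (not code from the thread or from Fortify), the following Python script shows what the value written into fortifyuser.password in the replies above actually consists of: it splits off the "{bcrypt}" encoder prefix, parses the bcrypt modular-crypt string into its version, cost factor, embedded salt and digest, and, if the third-party `bcrypt` package happens to be installed, verifies a candidate password offline instead of pasting a hash into an online tool. It assumes the "{bcrypt}" prefix is the encoder id that Spring Security's DelegatingPasswordEncoder prepends (the thread's log lines show SSC uses Spring Security, but the page does not state this); the hash itself is the one quoted in the thread.

```python
import re

# Value from the UPDATE statements in the thread above (fortifyuser.password for admin).
SSC_PASSWORD_COLUMN = "{bcrypt}$2a$10$fJ65H/8ihJW40LOI4CAzWuiqp/G.TQs1rzs8RbfiR1avAP9Ty0Tau"

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def split_encoder_prefix(column_value):
    """Return (encoder_id, hash_string) for an SSC password column value.

    Assumption: the "{bcrypt}" prefix is Spring Security's DelegatingPasswordEncoder
    id. A value without a "{...}" prefix is returned with encoder_id = None.
    """
    m = re.match(r"^\{(?P<id>[^}]+)\}(?P<rest>.*)$", column_value, re.S)
    if not m:
        return None, column_value
    return m.group("id"), m.group("rest")


def parse_bcrypt(hash_string):
    """Break a bcrypt string into its fields; raises ValueError if malformed.

    'rounds' is the number of key-expansion iterations implied by the cost
    (2 ** cost), which is what makes bcrypt deliberately slow to brute-force.
    """
    m = _BCRYPT_RE.match(hash_string)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string: %r" % hash_string)
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {
        "version": m.group("version"),
        "cost": cost,
        "rounds": 1 << cost,
        "salt": m.group("salt"),      # embedded salt: why rainbow tables do not apply
        "digest": m.group("digest"),
    }


def describe_column_value(column_value):
    """Parse a full SSC password column value (prefix + bcrypt string)."""
    encoder_id, hash_string = split_encoder_prefix(column_value)
    if encoder_id not in (None, "bcrypt"):
        raise ValueError("unexpected encoder id: %r" % encoder_id)
    info = parse_bcrypt(hash_string)
    info["encoder_id"] = encoder_id
    return info


def verify_offline(password, hash_string):
    """Check a candidate password against a bcrypt hash without any online tool.

    Returns True/False when the third-party 'bcrypt' package is installed,
    or None when it is not, so callers can tell 'unverified' from 'wrong'.
    """
    try:
        import bcrypt  # pip install bcrypt (not part of the standard library)
    except ImportError:
        return None
    return bcrypt.checkpw(password.encode("utf-8"), hash_string.encode("utf-8"))


if __name__ == "__main__":
    info = describe_column_value(SSC_PASSWORD_COLUMN)
    for key in ("encoder_id", "version", "cost", "rounds", "salt", "digest"):
        print("%-10s %s" % (key, info[key]))
    result = verify_offline("admin", split_encoder_prefix(SSC_PASSWORD_COLUMN)[1])
    print("offline verify:", "bcrypt package not installed" if result is None else result)
```

Running the script prints the parsed fields (version 2a, cost 10, i.e. 1024 rounds, the 22-character salt and the 31-character digest); the salt field being part of the stored value is the "built-in salting" the reply refers to. When resetting a password on a real instance, generating a fresh hash locally with `bcrypt.hashpw(password, bcrypt.gensalt(rounds=10))` avoids leaving the well-known admin hash in the database.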