Recovering admin access on appliance

From Swivel Knowledgebase


Overview

This article describes how to regain admin access when all available admin accounts are locked. By setting the login back to shipping mode, the user can log in and then set the system back to their own database, retaining all the user accounts and configuration information. Ensure that all steps are followed, especially restarting Tomcat, and investigating and resolving why the expected user could not log in.


Prerequisites

  • Swivel is running and an admin login screen is available
  • Access to the Administration Console
  • Swivel appliance 2.0.10 or higher
  • Scheduled downtime during recovery process


Symptoms

Cannot log in to the Swivel admin console through any admin accounts.


Solution

WARNING: while you are carrying out this procedure, no-one will be able to log on to any device using Swivel authentication until the procedure is completed. Also do not carry out a User Sync until the database has been reset back to its correct value. Be aware that the repository may be set to automatically synchronise.


Required Steps

The following steps need to be undertaken:

1). Log in to the appliance admin console (Note: not the Swivel Administration Console)

2). Select Advanced Options

3). Select Swivel (older versions select PINsafe)

4). Select set DB to Shipping (older versions set PINsafe DB to Shipping)

5). Enter Y to confirm resetting Swivel DB to shipping (older versions listed as PINsafe)

6). Restart Tomcat

7). Log in to the Swivel administration console with the following credentials:

  • Username: admin
  • Password:
  • PIN: 1234

8). Set the database back to the required database under Database/General, then click Apply.

9). Check to see why the required user cannot log in. Ensure a user with administrator rights exists, the PIN number is known, and the account is unlocked. If no password is set, ensure the password is blank by setting a blank password. See Administration login.

10). Verify login from another PC, or a browser from another vendor. Check Swivel logs if any errors occur.

11). Restart Tomcat again.


Verifying login

Before logging out of the Swivel server, verify from another PC, or from another web browser (not the same vendor) on the same PC, that you can log in successfully.


Why did the login fail?

To stop it happening again, investigate why the login for the user failed.


Check the Swivel logs

The Swivel logs on ALL Swivel instances can reveal why the login failed. Search the logs for the username to reveal the following:

  • Was the account locked?
  • Was the OTC used incorrect?
  • Did the user have permissions to log in as an administrative user?
  • Was someone else failing to log in as that user?
  • Are there failed login attempts?
  • Was PIN expiry set? See PIN Expiry How to Guide
  • Was Change PIN on first login set?


Does an Administrative user exist?

Check the User Administration to see if the Administrative user or helpdesk permissions are set.


Reset the user's PIN

Did the user receive a PIN number when the account was created? If not, one should be entered manually.


Is there a Swivel password set for the Administrative user?

If there is a Swivel password, it must be used. If none is expected to be used, click on reset password, leave the fields blank, then click apply; this will remove an incorrectly entered password. Was the AD password being entered? (Do not use the AD password on the admin console.)


Is the database set correctly?

The database should be set to a required type such as internal, MySQL, MS SQL or Oracle.


Was the Timezone changed?

See Timezone


Troubleshooting

The Swivel config.xml is missing

Changes to the CMI require a restart of the console session. Log out and log back in again, then reselect the option to set to shipping.


The Swivel DB is currently set to Shipping

The database is set to shipping; restart Tomcat.


Set DB to shipping not selected

Ensure that the DB is set to shipping. Verify by selecting the option again; a message will indicate it is in shipping mode.


Tomcat not restarted

Tomcat requires a restart; ensure it has been restarted.


After setting the production database back, login still fails

Setting to shipping mode only allows a login. After the production database is set, the root cause of the login failure must be resolved. Check the Swivel logs to get an indication of why it failed. Reset the PIN, reset the password (leave blank on reset), and check the Status page for locked or disabled accounts.


Swivel 3.9.5 and 3.9.6

A user sync may fail after carrying out this procedure. This is known to affect versions 3.9.5 and 3.9.6, but may also affect earlier versions. Restarting Tomcat again (i.e. step 11) after re-enabling the correct database corrects this problem.