IBM Support

QRadar: Changing the admin account password from the UI or CLI

Question & Answer


What is the procedure for changing the local admin account password for the User Interface (UI) and the Command-Line Interface (CLI)?


The recommended method to change the password for the admin account is via the UI. However, since that requires you to log in to the UI with the admin account, it can be necessary, for example in recovery scenarios, to change the admin account password by using the appliance command-line interface (CLI). Procedures for both the UI method and the CLI method are explained in these examples.


How to change the admin account password in the user interface (7.3.2 and later)

  1. Log in to the QRadar user interface with an administrator (admin) account.
  2. Click the User Preferences icon
  3. From the menu shown, select User Preferences.
    User Preferences
  4. Scroll down to Authentication and enter the new password into both New Password and Confirm New Password fields to change the admin account password.
    New Password
  5. Click Save.

    The admin account password is now changed.

How to change the admin account password in the command-line interface

Note: This procedure requires that you restart the Tomcat service and deploy changes, resulting in a temporary loss of access to the QRadar user interface while services restart. Administrators can complete this procedure during a scheduled maintenance window as users are logged out, exports in process are interrupted, and scheduled reports might need to be restarted manually.

If you do not have access to the admin account from the user interface, it can be necessary to change the admin password from the command-line interface.
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To change the admin user password, type:
    /opt/qradar/support/ -a
  3. Enter the new password as prompted.
  4. Confirm the new password.
    [root@qr750-3199-29271 ~]# /opt/qradar/support/ -a
    Please enter the new admin password.
    Confirm password:
    The admin password has been changed.
  5. To restart the user interface, type:
    systemctl restart tomcat
    Note: This command works on QRadar SIEM versions at QRadar 7.3.x and later
  6. Log in to the user interface as an administrator.
  7. Click Admin tab > Advanced > Deploy Full Configuration.
Performing a Deploy Full Configuration results in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the Deploy Full Configuration step during a scheduled maintenance window for their organization.
After the service restarts, the admin account password is changed.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Password Management","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
27 June 2023