IBM Support

Recovering a lost admin password concurrently via ASMI on Power 10 eBMC Systems

Troubleshooting


Problem

This document describes how to recover from a lost ASMI admin password on eBMC-based Power 10 systems (all models except 9080-HEX).

Symptom

The ASMI "admin" user password is unknown or does not work.

Resolving The Problem

If there have been 5 or more unsuccessful attempts to log into ASMI as the "admin" user, the account may be temporarily locked.  When locked, ASMI will refuse all login attempts for that account regardless of the password used.  Wait 5 minutes for the account to automatically unlock, then try again with the correct password.  For more information on this behavior, see "Account policy settings" under User management in the ASMI documentation.

If there is another user account in ASMI with Administrator authority, log into ASMI as that user.  Alternatively, if LDAP is configured in ASMI, log into ASMI as an LDAP user with Administrator authority.  Then skip to step 8 later in this document to update the admin user account in ASMI.

If you are still unable to log in as admin and do not have access to another user account in ASMI with Administrator authority, do the following:

1. Contact IBM support to request an ASMI admin password reset.  IBM Support will provide an Access Control File (ACF) and service user password.  Or, if your system has firmware FW1050.00 or newer, IBM Support may provide an Access Control File (ACF) with a temporary admin user password.


Note: If your system has firmware version FW1050.00 or newer, you can quickly create an admin password reset for yourself on the IBM Support web page.  See Self-Service: Resetting admin password for eBMC systems running FW1050 or higher with Virtual Assistant for details.

2. Access ASMI for the managed system, either from an HMC that manages it or with a computer connected directly to the eBMC ports on the back of the system.  See Logging in to the ASMI GUI for more information.

3. If there is not already an "Upload service login certificate" link present at the bottom of the ASMI login page, use the physical control panel on the front of the system to enable it with the following steps.  See Physical control panel for help locating and using the physical control panel on your system.  Also refer to a video of this procedure for Service ACF or a video of the procedure for Admin Reset ACF for more detail.
    a. Press the Increment (↑) or Decrement (↓) button to find function 02.  Press Enter to start function 02.
    b. Press Enter until the "<" character is pointing to "N" for Normal mode in the center of the top line.
    c. Press the Increment (↑) or Decrement (↓) button to toggle this to an "M" for Manual mode.
    d. Exit function 02 by pressing Enter two or three times until the display only shows "02".
    e. Use the Increment (↑) button several times to find function 25 and press Enter to start it.  The result should be 00.
    f. Use the Increment (↑) button to find function 26 and press Enter to start it.  The result should be 00.
    g. Use the Increment (↑) button several times to find function 74 and press Enter to start it.  The result should be 00.
    h. Refresh the ASMI login page.  An "Upload service login certificate" link should appear near the bottom.  This link should remain active for the next 30 minutes.
    i. Press the Decrement (↓) button several times to find function 02.  Press Enter to start function 02.
    j. Press Enter until the "<" character is pointing to "M" for Manual mode in the center of the top line.
    k. Press the Increment (↑) or Decrement (↓) button to toggle this to an "N" for Normal mode.
    l. Exit function 02 by pressing Enter two or three times until the display only shows "02".
    m. Press the Decrement (↓) button to find function 01.  Press Enter to start function 01 (status display).
    n. Refresh the ASMI login page/window.  An "Upload service login certificate" link should display at the bottom of the page.

Note: To avoid the requirement to use the physical control panel and function 74 in the future, you can permanently enable the Upload service login certificate link in ASMI.  Once logged into ASMI as an Administrator, navigate to Security and access -> Policies and enable the "Unauthenticated ACF upload enablement" option.

4. Follow the "Upload service login certificate" link on the ASMI login page.
5. When prompted, select the ACF file provided by IBM support and click Add.  A status message should appear in the top right corner of the ASMI window stating it was successfully added.
6. Log in with the user ID and password provided by IBM Support with the ACF.
7. If IBM Support provided a "service" user ID and password with the ACF file, proceed to step 8.  If IBM Support provided an "admin" user ID and password with the ACF file, log in as "admin" with the supplied password.  You will be prompted to change the admin user password.  See Setting the password for password rules.  Then skip to step 11.
8. Once logged in, navigate to Security and access -> User management.
9. Find the "admin" user in the table and click the edit (pencil) icon to the right.
Note: If the admin user is missing or has been removed, click "Add user" and create a new account with username "admin" with "Administrator" privilege.  See Setting the password for password rules.  See User management for more information.
10. If the account is locked, click "Unlock" to unlock it.  If the account is Disabled, set it to Enabled.  Enter a new password for the user in both password fields.  See Setting the password for password rules.  Then click Save. 
11. Document the new password you entered.
12. If you logged in as user "service" after installing an ACF, you must remove the service ACF. 
    a. Log out of ASMI as user "service"
    b. Log back into ASMI as user "admin"
    c. Navigate to Security and access -> Certificates
    d. Find the "ServiceLogin Certificate" row and click the delete (trash can) icon to the right. 
13. If the system is managed by one or more Hardware Management Consoles (HMCs), you must update the system password for this system on each HMC managing it.  If you do not, the HMCs will show the system in "Failed Authentication" state the next time the HMC reboots or reconnects to the system.
    a. In the HMC GUI, select the system and choose Connections and Operations -> Reset system connection
    b. Wait for the system to show in "Failed Authentication" state
    c. Choose Connections and Operations -> Update system password.
    d. Enter the new password you set in the previous steps.
    e. Wait for the system state to return to normal. 
    f. Repeat this step from each HMC managing the system.
This ends the procedure.

Document Location

Worldwide


Document Information

Modified date:
22 May 2025

UID

ibm16843863