Running the Password Rotation script
The Password Rotation script allows you to rotate the application user (ejbcadbuser) password on supported databases and update the WildFly Elytron credential store accordingly.
Running the script without any parameters displays the help:
Rotate the EJBCA Cloud app user (ejbcadbuser) password on supported databases.
Options:
-f <file> Properties file to read (default: /opt/wildfly/bin/start.sh)
-n <pass> New app user password to set on the database
-p Generate a secure new app user password (mutually exclusive with -n)
-m <pass> Database master password (used to change the app user's password)
-s Silent. No prompting in the script for automation
-w WildFly credential store only (cluster node sync; no DB change)
-h Show help
First-time requirement:
If DATABASE_MASTERUSER_PASSWORD is NOT present in the properties file,
you MUST provide -m on the first run (unless using -w).
Master password precedence (after first run):
1) -m (if provided)
2) DATABASE_MASTERUSER_PASSWORD from the properties file
Examples:
# Rotate DB password + update Elytron
./rotate_db_password.sh -f /opt/wildfly/bin/start.sh -n 'MyN3wP@ss!' -m 'Sup3rS3cret!'
# Generate a password, rotate DB + update Elytron
./rotate_db_password.sh -f /opt/wildfly/bin/start.sh -p -m 'Sup3rS3cret!'
# Cluster node only: update Elytron to match already-rotated password
./rotate_db_password.sh -w -f /opt/wildfly/bin/start.sh -n 'MyN3wP@ss!'
Script Options
| Option | Description |
|---|---|
| -f | WildFly properties file to read (default: /opt/wildfly/bin/start.sh). Can be omitted if the default file is in its original location. |
| -n | Specifies the new “ejbcadbuser” app user password to set on the database. |
| -p | Automatically generates a secure new “ejbcadbuser” app user password (mutually exclusive with -n). |
| -m | Database master user password (used to change the app user's password). This is the user that has permission in the database to change the password for other users. |
| -s | Silent. No prompting in the script, for automation. Skips the y/n prompts and assumes “y” for all answers. |
| -w | Only rotate the WildFly credential store. Run this option on the additional nodes in the cluster so that their configuration is updated without changing the database password again. |
Running for the first time
Running the script for the first time requires you to provide the database master user password, or the password of a user that has GRANT and ALTER USER permissions and can change the password of the application user (ejbcadbuser).
It is advised to wrap all passwords used in this script in single quotes to prevent shell expansion. Enter “password123!” as 'password123!' so it's treated literally.
The first run must include “-m”.
Running this script will add the DATABASE_MASTERUSER_PASSWORD variable to the start.sh properties file. If this is not desired, it can be removed afterwards.
Specify -n and the password to be used or -p for the script to generate a secure password automatically.
Example output
./rotate_db_password.sh -m 'password123!' -n 'password123!'
# Example output:
This script will change the ejbcadbuser password on the database for password rotation purposes and update the Elytron credential store. Do you want to continue (Yy/Nn)?y
2025-12-15 20:42:31,570 INFO: Backup created: /opt/wildfly/bin/start.sh.bak-20251215-204231
2025-12-15 20:42:31,586 INFO: Rotating password for app user 'ejbca' on 127.0.0.1:3306/ejbca ...
2025-12-15 20:42:31,605 INFO: Creating WildFly credential store...
2025-12-15 20:42:31,609 INFO: Backup created: /opt/PrimeKey/wildfly_config/ejbca-credstore.cs.bak-20251215-204231
2025-12-15 20:42:31,610 INFO: Creating new credential store
Credential Store has been successfully created
2025-12-15 20:42:32,527 INFO: Updating wildfly credential store password in WildFly configuration.
2025-12-15 20:42:32,530 INFO: Adding alias to credential store...
Alias "wildfly" has been successfully stored
2025-12-15 20:42:33,626 INFO: Property updates complete:
2025-12-15 20:42:33,628 INFO: - DATABASE_PASSWORD updated (application user).
2025-12-15 20:42:33,629 INFO: - DATABASE_MASTERUSER_PASSWORD present and up-to-date.
Would you like to restart EJBCA to make the password change take effect (Yy/Nn)?y
2025-12-15 20:42:37,926 INFO: If there are other nodes in the cluster, perform the same action on the additional nodes with '-w (WildFly credential only)'.
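A run like the one above leaves the updated properties file and a timestamped backup of it on disk, and either may hold DATABASE_PASSWORD or DATABASE_MASTERUSER_PASSWORD. The following check is an added example, not part of the rotation script or the product: it assumes GNU stat, the backup naming shown in the output above (<file>.bak-<timestamp>), and that the secrets appear under the variable names used on this page. The function name audit_rotation_files is hypothetical.

```shell
#!/bin/sh
# Added example: audit the properties file and the rotation script's backups.
# Assumptions: GNU stat; backups sit beside the file as <file>.bak-<timestamp>;
# secrets are stored under the variable names documented on this page.

audit_rotation_files() {
    props=${1:-/opt/wildfly/bin/start.sh}
    findings=0
    for f in "$props" "$props".bak-*; do
        [ -f "$f" ] || continue              # unmatched glob or missing file
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            *00|0) ;;                        # no group/other permission bits
            *) echo "PERMS $mode $f"; findings=$((findings + 1)) ;;
        esac
        # Report which secret variables a file holds, never their values.
        for var in DATABASE_MASTERUSER_PASSWORD DATABASE_PASSWORD; do
            if grep -q "$var" "$f"; then
                echo "HOLDS $var $f"
            fi
        done
    done
    # Exit status is non-zero when any file is accessible to group or other.
    [ "$findings" -eq 0 ]
}
```

Pointing the same function at /opt/PrimeKey/wildfly_config/ejbca-credstore.cs checks the permissions of the credential store and its backups in the same way.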
Running the script silently
To run the script silently without prompting, add -s and specify -p to generate a password automatically or specify the existing password (-m), so that the script has what it needs to run without input.
./rotate_db_password.sh -m 'password123!' -p -s
Example silent output
2025-12-16 02:12:46,970 INFO: Backup created: /opt/wildfly/bin/start.sh.bak-20251216-021246
2025-12-16 02:12:46,987 INFO: Rotating password for app user 'ejbca' on 127.0.0.1:3306/ejbca ...
2025-12-16 02:12:47,009 INFO: Creating WildFly credential store...
2025-12-16 02:12:47,013 INFO: Backup created: /opt/PrimeKey/wildfly_config/ejbca-credstore.cs.bak-20251216-021246
2025-12-16 02:12:47,014 INFO: Creating new credential store
Credential Store has been successfully created
2025-12-16 02:12:47,972 INFO: Updating wildfly credential store password in WildFly configuration.
2025-12-16 02:12:47,975 INFO: Adding alias to credential store...
Alias "wildfly" has been successfully stored
2025-12-16 02:12:49,162 INFO: Property updates complete:
2025-12-16 02:12:49,163 INFO: - DATABASE_PASSWORD updated (application user).
2025-12-16 02:12:49,165 INFO: - DATABASE_MASTERUSER_PASSWORD present and up-to-date.
2025-12-16 02:12:51,045 INFO: If there are other nodes in the cluster, perform the same action on the additional nodes with '-w (WildFly credential only)'.
Rotating the WildFly credential only
On nodes that are part of a cluster, the database password will have changed; those nodes will be unaware of the new password and will be disconnected from the database. Run this script with the -w and -n options to update the WildFly configuration to match the remaining nodes in the cluster.
./rotate_db_password.sh -w -n 'password123!'
Example output
[root@alextest3 support]# ./rotate_db_password.sh -w -n 'password123!'
This script will change the ejbcadbuser password on the database for password rotation purposes and update the Elytron credential store. Do you want to continue (Yy/Nn)?y
2025-12-16 02:29:25,453 INFO: Backup created: /opt/wildfly/bin/start.sh.bak-20251216-022925
2025-12-16 02:29:25,459 INFO: Creating WildFly credential store...
2025-12-16 02:29:25,463 INFO: Backup created: /opt/PrimeKey/wildfly_config/ejbca-credstore.cs.bak-20251216-022925
2025-12-16 02:29:25,464 INFO: Creating new credential store
Credential Store has been successfully created
2025-12-16 02:29:26,407 INFO: Updating wildfly credential store password in WildFly configuration.
2025-12-16 02:29:26,410 INFO: Adding alias to credential store...
Alias "wildfly" has been successfully stored
2025-12-16 02:29:27,621 INFO: Property updates complete:
2025-12-16 02:29:27,622 INFO: - DATABASE_PASSWORD updated (application user).
2025-12-16 02:29:27,624 INFO: - DATABASE_MASTERUSER_PASSWORD present and up-to-date.
Would you like to restart EJBCA to make the password change take effect (Yy/Nn)?y
2025-12-16 02:29:30,040 INFO: If there are other nodes in the cluster, perform the same action on the additional nodes with '-w (WildFly credential only)'.