How to change password of Bahmni/OpenMRS (and securing the server)

A lot of users seem to install Bahmni/OpenMRS and don’t change the DEFAULT admin credentials. This is a serious security risk.

If you are an ADMIN of any Bahmni server that is being used in Production / QA / publicly exposed, please change the admin/superman credentials to reduce your security risk. Also, don’t use default DB credentials.

Please read

  1. Change password of Bahmni user: https://bahmni.atlassian.net/wiki/spaces/BAH/pages/114361274/Logging+into+Bahmni

  2. OpenELIS: https://bahmni.atlassian.net/wiki/spaces/BAH/pages/48889888/Lab+Security+and+Access+Control+OpenELIS

  3. In Bahmni Configuration Files: https://bahmni.atlassian.net/wiki/spaces/BAH/pages/53837974/List+Of+Configurable+Installation+Variables

  4. Securing Bahmni Server: https://bahmni.atlassian.net/wiki/spaces/BAH/pages/2342780946/Securing+and+Protecting+the+Bahmni+Server

If you still need help, please post a question on our SLACK channel or on this talk forum. Thanks!

3 Likes

Bumping this up. We came across another PUBLIC instance of Bahmni today, where the default admin credentials were set up. This is very bad!

Please ask everyone to CHANGE ALL DEFAULT CREDENTIALS for Bahmni deployments in production/real world. Not doing so can put the implementer / hospital in legal trouble and cause serious headaches.

This is true for any OpenMRS/Bahmni deployment. Be responsible. Refer to the links attached in this thread on how to make changes.

1 Like

If the Bahmni admin password is changed after the installation, make sure to change the atom feed connect passwords too.

For OpenMRS to ODOO sync, change passwords in /opt/bahmni-erp-connect/bahmni-erp-connect/WEB-INF/classes/erp-atomfeed.properties

For OpenMRS to lab sync, change passwords in /opt/bahmni-lab/bahmni-lab/WEB-INF/classes/atomfeed.properties

1 Like

Please see this documentation page too (comprehensive for Bahmni Docker). Thanks to @gokul for the detailed writeup: https://bahmni.atlassian.net/wiki/spaces/BAH/pages/3135995905/Changing+Default+Credentials+of+Bahmni+Docker

1 Like

I don’t know if this happens only to me, but once I reset the atomfeed password and update the .env file, I see an error message in the openmrs log that says authentication with openelis failed. As soon as I change it back to the default password, the error is cleared. What could be causing this?

I tried changing the password from UI and from the database but the same issue occurs. I’m wondering if there is some place again where the password persists after resetting it.

Can you provide some more information? Did you change the openelis creds from UI/DB, and then update the OpenMRS configuration for ELIS passwords (atomfeed files, .env, etc.), and OpenMRS still gave an error?

If you can provide the high level sequence of steps you took and which system gave an error, it might help resolve the issue.

I assume since you mentioned .env file, you are using Docker version of Bahmni.

Thanks!

Yes, it’s a Docker installation.

First sequence

I changed the password from UI then updated the .env file, got the error

Second sequence

I changed the password from DB, then updated the .env file and still got the error.

I see the error message in the openmrs log file.

Can you try the below sequence?

  • Bring all the services down.
  • Update the password in the .env file: OPENELIS_ATOMFEED_USER and OPENELIS_ATOMFEED_PASSWORD.
  • Bring the Bahmni services up.
  • Update the new password in the UI.

I have followed the sequence, but as soon as I updated it, the error resurfaced:

bahmni-standard-openmrs-1  | Caused by: org.bahmni.webclients.WebClientsException: Authentication with OpenELIS failed
bahmni-standard-openmrs-1  |    at org.bahmni.webclients.OpenElisAuthenticator.refreshRequestDetails(OpenElisAuthenticator.java:68) ~[web-clients-0.94.3.jar:?]
bahmni-standard-openmrs-1  |    at org.bahmni.webclients.OpenElisAuthenticator.getRequestDetails(OpenElisAuthenticator.java:38) ~[web-clients-0.94.3.jar:?]
bahmni-standard-openmrs-1  |    at org.bahmni.webclients.HttpClient.getCookies(HttpClient.java:39) ~[web-clients-0.94.3.jar:?]
bahmni-standard-openmrs-1  |    at org.bahmni.module.elisatomfeedclient.api.client.OpenElisFeedClient.createAtomFeedClient(OpenElisFeedClient.java:59) ~[elisatomfeedclient.jar:?]
bahmni-standard-openmrs-1  |    at org.bahmni.module.elisatomfeedclient.api.client.OpenElisFeedClient.getAtomFeedClient(OpenElisFeedClient.java:50) ~[elisatomfeedclient.jar:?]
bahmni-standard-openmrs-1  |    at org.bahmni.module.elisatomfeedclient.api.client.impl.OpenElisPatientFailedEventsFeedClientImpl.processFailedEvents(OpenElisPatientFailedEventsFeedClientImpl.java:70) ~[elisatomfeedclient.jar:?]

I have retested the behaviour and password change is working as expected.

Steps followed:

  1. Update the password in UI → Error didn’t occur and sync is working fine.

  2. Restarted the OpenMRS container using the command docker compose restart openmrs → Error came as expected (Authentication with OpenELIS failed)

  3. Update the credentials for OpenELIS atomfeed in .env file OPENELIS_ATOMFEED_USER and OPENELIS_ATOMFEED_PASSWORD (Same as updated in UI)

  4. Recreate OpenMRS service using the command docker compose up -d → No errors and sync is working fine with the new credentials.

With this, we can understand that the password is not cached anywhere and is working as expected. If the issue still persists, please reach out to us through Slack; we can connect.

CC: @mohant @gsluthra

1 Like
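
An added example (not part of the thread and not Bahmni project code) for checking the state the steps above turn on: whether the running openmrs container holds the same atomfeed credentials as the edited .env file. It assumes the container receives OPENELIS_ATOMFEED_USER and OPENELIS_ATOMFEED_PASSWORD under the same names as in .env; the function names env_value and stale_keys are hypothetical.

```shell
#!/bin/sh
# Added example: list credential variables whose value in the edited .env
# differs from what a running container holds. Only names are printed.

# env_value FILE KEY: print KEY's value from a KEY=VALUE file (last one wins).
env_value() {
  awk -v key="$2" -v sq="'" '
    /^[ \t]*#/ { next }                           # skip comment lines
    {
      line = $0
      sub(/^[ \t]*(export[ \t]+)?/, "", line)     # tolerate "export KEY=..."
      eq = index(line, "=")
      if (eq == 0 || substr(line, 1, eq - 1) != key) next
      v = substr(line, eq + 1)
      sub(/\r$/, "", v)                           # tolerate CRLF files
      first = substr(v, 1, 1); last = substr(v, length(v), 1)
      if (length(v) >= 2 && first == last && (first == "\"" || first == sq))
        v = substr(v, 2, length(v) - 2)           # strip one pair of quotes
      val = v; found = 1
    }
    END { if (found) print val }
  ' "$1"
}

# stale_keys ENV_FILE RUNNING_ENV KEY...: print each KEY that differs.
# Returns 0 when every KEY matches, 1 otherwise.
stale_keys() {
  env_file=$1; running=$2; shift 2
  rc=0
  for key in "$@"; do
    if [ "$(env_value "$env_file" "$key")" != "$(env_value "$running" "$key")" ]; then
      printf '%s\n' "$key"
      rc=1
    fi
  done
  return "$rc"
}

# Usage on the Docker host (service name "openmrs" as used in the thread):
#   tmp=$(mktemp); docker compose exec -T openmrs env > "$tmp"
#   stale_keys .env "$tmp" OPENELIS_ATOMFEED_USER OPENELIS_ATOMFEED_PASSWORD
#   rm -f "$tmp"
```

A printed variable name means the container still holds the old value; docker compose up -d recreates the service with the edited .env, as in step 4 above.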