
I've launched a new AWS EC2 instance (m5.large) based on Matillion's latest AMI (Matillion v1.56.9). The instance is coming up fine and I can reach Matillion's login page at https://[internal IP], but I cannot log in with the default credentials, which are supposed to be "ec2-user" and the instance id ("i-xxxxxx"). The error message is "Invalid username or password".

The EC2 instance has no public IP, that's why I use a private IP.

I can also ssh into the instance.

Can anyone help me find out why login using the default user doesn't work?

  • I have noticed in the documentation (documentation.matillion.com/v156/docs/2957722) that they only use the first 10 characters of the instance ID of the EC2 as the password. Commented Nov 11, 2021 at 7:21
  • Good idea, tried that, but it still doesn't work. We have an older Matillion instance up and running, where the default password equals the full instance id, and login works perfectly there. I guess the documentation is a little unclear, because it doesn't explicitly say the instance id should be cut down to 10 chars, even though the screenshot might suggest it... Commented Nov 11, 2021 at 7:54

1 Answer


I believe the way it's supposed to work is that at first boot the ec2-user password in /usr/share/tomcat8/conf/tomcat-users.xml gets set to the sha512sum of the instance ID. As per your comment, Tobie, that's a good spot, but I think the Matillion documentation is just out of date there, from right back when instance IDs really were just 10 characters long!

I guess it uses the instance metadata service v1 to do that, so if IMDS v1 is not available it might not get created correctly.

In any case, as long as you can SSH into your server and the Admin / User Configuration is in Internal mode (which is the default) you can fix the password manually like this...

Become root with sudo -i

Create the sha512sum of your chosen password like this.

echo -n "schepo" | sha512sum

Make sure you use the -n otherwise it adds a newline and gets the hash wrong. Mine comes out like 55aa...a1cf -

Then stop Tomcat so you can update the password

systemctl stop tomcat8

Fix the relevant line in /usr/share/tomcat8/conf/tomcat-users.xml or add a new one. You have to be really careful to keep the XML valid. Mine ends up like this:

<user username="schepo" password="55aa00778ccb153bc05aa6a8d7ee7c00f008397c5c70ebc8134aa1ba6cf682ac3d35297cbe60b21c00129039e25608056fe4922ebe1f89c7e2c68cf7fbfba1cf" roles="Emerald,API,Admin"/>

Then restart Tomcat

systemctl restart tomcat8

It normally takes about 60 seconds to restart. After that you should be able to log in via the UI with your new user and/or password.
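A diagnostic sketch for the failure discussed in this answer, added here as an example; it is not part of the original answer and not Matillion's code. It assumes, as the answer describes, that the stored value is the plain SHA-512 hex digest of the instance ID, and that `username` precedes `password` in the `<user>` element; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check whether ec2-user's stored hash matches sha512(instance ID).
USERS_XML="${USERS_XML:-/usr/share/tomcat8/conf/tomcat-users.xml}"
IMDS="http://169.254.169.254/latest"

# SHA-512 hex digest of a string with no trailing newline (printf, not echo).
sha512_hex() {
    printf '%s' "$1" | sha512sum | cut -d' ' -f1
}

# Fetch the instance ID: try IMDSv2 (session token) first, then fall back to IMDSv1.
instance_id() {
    token=$(curl -sf -m 2 -X PUT "$IMDS/api/token" \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60') || token=""
    if [ -n "$token" ]; then
        curl -sf -m 2 -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/instance-id"
    else
        curl -sf -m 2 "$IMDS/meta-data/instance-id"
    fi
}

# Print the password attribute stored for a user (first match only).
stored_hash() {   # usage: stored_hash USER [FILE]
    sed -n "s/.*<user[^>]*username=\"$1\"[^>]*password=\"\([^\"]*\)\".*/\1/p" \
        "${2:-$USERS_XML}" | head -n 1
}

# Succeed only if an entry exists for USER and equals sha512(PASSWORD).
password_matches() {   # usage: password_matches USER PASSWORD [FILE]
    want=$(sha512_hex "$2")
    have=$(stored_hash "$1" "${3:-$USERS_XML}")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Diagnose the default login for ec2-user on this instance.
check_default_login() {
    id=$(instance_id) || { echo "instance metadata not reachable"; return 2; }
    if password_matches ec2-user "$id"; then
        echo "ec2-user password is the hash of $id"
    else
        echo "ec2-user entry missing or not the hash of $id"; return 1
    fi
}
```

Source the file as root on the instance and call `check_default_login`; a missing entry on an instance that enforces IMDSv2 is consistent with the first-boot setup having failed to read the instance ID.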


4 Comments

  • Perfect, it's your hint about IMDSv1 being used to receive the instance id. We enforce IMDSv2 as it is supposed to be more secure. I relaunched another instance with IMDSv1 enabled, and the default credentials for "ec2-user" work perfectly! I'd really like to set another password or add some new user to the tomcat-users.xml anyways. I followed your instructions and added a new user to /usr/share/emerald/WEB-INF/classes/tomcat-users.xml (I believe this is the right file, not the one you mentioned, at least for Matillion 1.56), but I couldn't make it work.
  • Glad that was helpful. I don't know why there are two copies of tomcat-users.xml on the system. On mine, when I make a change through Admin / User Configuration in the UI, it's only the one under /usr/share/tomcat8/conf/ that Matillion modifies. The other file under WEB-INF/classes is owned by root and is not writable by the tomcat user. I guess it is somehow left over from that initial one-off setup. Modifying /usr/share/tomcat8/conf/tomcat-users.xml always seems to work for me.
  • I accepted this answer as it resolved my problem regarding IMDSv1. Adding users to tomcat-users.xml is another issue, and I'll keep trying...
  • I was able to verify that /usr/share/tomcat8/conf/tomcat-users.xml is the right file. I got confused about the files, because this one does not hold any groups or users before you first log in to the UI...
