Help : cannot change default passwords in Wazuh even after running securityadmin.sh

[nprime496]

Hi, I'm experiencing an issue with Wazuh 4.14.1 where password changes in internal_users.yml are not being applied despite the securityadmin.sh script reporting success. The old default passwords continue to work even after updating the file and running the security admin tool.

Environment

• Wazuh Version: 4.14.1
• Deployment: Docker Compose (single-node)
• OS: Linux

Current Behavior

1. Default password kibanaserver:kibanaserver works for authentication
2. After updating internal_users.yml with new bcrypt hashes and running securityadmin.sh, the script reports "SUCC:"
3. However, the old password still works and new passwords fail
4. This suggests the security configuration is not actually being applied to the running cluster

What I've Tried

1. Verified File Consistency

# Confirmed both source and mounted files are identical
cat /path/to/source/internal_users.yml | grep -A 5 kibanaserver
cat /path/to/mounted/internal_users.yml | grep -A 5 kibanaserver
# Results: Files are identical with updated hash

2. Verified Container File Mount

docker exec wazuh-indexer-container cat /usr/share/wazuh-indexer/opensearch-security/internal_users.yml | grep -A 5 kibanaserver
# Results: Container sees the updated file with new hash

3. Multiple Security Admin Runs

# Standard approach
docker exec -it wazuh-indexer-container bash -c "
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export CONFIG_DIR=\$INSTALLATION_DIR/config
CACERT=\$CONFIG_DIR/certs/root-ca.pem
KEY=\$CONFIG_DIR/certs/admin-key.pem
CERT=\$CONFIG_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
  -cd \$CONFIG_DIR/opensearch-security/ \
  -insecure -nhnv \
  -cacert \$CACERT -cert \$CERT -key \$KEY \
  -p 9200 -icl
"
# Results: "Done with success" but no actual change

This was done according to https://documentation.wazuh.com/current/deployment-options/docker/changing-default-password.html

4. Container Restarts

docker restart wazuh-indexer-container
# Results: Old passwords still work after restart

5. Authentication Testing

# Old password works
docker exec wazuh-indexer-container curl -k -u kibanaserver:kibanaserver https://localhost:9200/_cluster/health
# Returns: {"cluster_name":"opensearch","status":"green"...}

# New password fails  
docker exec wazuh-indexer-container curl -k -u kibanaserver:newpassword https://localhost:9200/_cluster/health
# Returns: "Unauthorized"

Questions

1. Is there a cache or persistent storage that might be preventing the securityadmin.sh tool from actually updating the security configuration, even though it reports success?

2. Could there be permission issues preventing the security index from being written to, while still allowing the script to complete without errors?

3. Are there additional steps required after running securityadmin.sh to ensure the configuration is actually loaded into the running OpenSearch instance?

Current internal_users.yml Structure

kibanaserver:
  hash: "$2y$12$NRToq" # NOT the hash of 'kibanaserver'
  reserved: true
  backend_roles:
  - "kibanaserver"
  description: "Demo kibanaserver user"

Any insights into what might be preventing the security configuration from being properly applied would be greatly appreciated!

Here is the output of securityadmin.sh

docker exec -it wazuh-wazuh.indexer-1 bash -c "
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export CONFIG_DIR=\$INSTALLATION_DIR/config
CACERT=\$CONFIG_DIR/certs/root-ca.pem
KEY=\$CONFIG_DIR/certs/admin-key.pem
CERT=\$CONFIG_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
  -cd \$CONFIG_DIR/opensearch-security/ \
  -insecure \
  -nhnv \
  -cacert \$CACERT \
  -cert \$CERT \
  -key \$KEY \
  -p 9200 \
  -icl
"
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.19.3
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
nsecure index already exists, so we do not need to create one.
Populate config from /usr/share/wazuh-indexer/config/opensearch-security/
Will update '/config' with /usr/share/wazuh-indexer/config/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /usr/share/wazuh-indexer/config/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /usr/share/wazuh-indexer/config/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /usr/share/wazuh-indexer/config/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /usr/share/wazuh-indexer/config/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /usr/share/wazuh-indexer/config/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /usr/share/wazuh-indexer/config/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /usr/share/wazuh-indexer/config/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /usr/share/wazuh-indexer/config/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"]) due to: null

[kevinruffus]

I originally had this same issue with single node initially.
I had taken things down to run a multi node setup, but I'll try getting a single node spun up and run through. I vaguely remember having to change something with permissions... Maybe...

[kevinruffus]

Ah, log into the dashboard PRIOR to restarting the containers after running:

docker exec -it wazuh-wazuh.indexer-1 bash

export INSTALLATION_DIR=/usr/share/wazuh-indexer
export CONFIG_DIR=\$INSTALLATION_DIR/config
CACERT=\$CONFIG_DIR/certs/root-ca.pem
KEY=\$CONFIG_DIR/certs/admin-key.pem
CERT=\$CONFIG_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd $CONFIG_DIR/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl

[nprime496]

Thank you for your suggestion ! I will try that this week-end and update on how it went.