This page addresses various security-related matters.

Database passwords

The database user name and password are configured via the toolbox configure command, which stores the configuration in:


When the database is created, these are used to create a corresponding MySQL database user.

If the database user name or password is changed*:

  • toolbox configure needs to be re-run to update the file
  • toolbox war needs to be re-run to package the web application with the updated
  • the openvpms.war file needs to be redeployed

* For information on setting the MySQL password see:

Administrator password

The default installation creates an OpenVPMS user named 'admin', with password 'admin'. This should be changed using either:

  • toolbox user --setpassword admin -p somestrongpassword
  • Administration - Users in the web application

User passwords

User passwords can be configured using:

  • toolbox user --setpassword admin -p somestrongpassword
  • Administration - Users in the web application

There is little restriction on what passwords may be entered, but it is recommended that strong passwords are used.


File permissions

The OpenVPMS and Tomcat installation directories should only be accessible to a single user with a strong password.

These directories contain files that could enable an attacker to gain access to the OpenVPMS web application, or the MySQL database.

Tomcat and HTTPS

For security, Tomcat should be configured to use HTTPS connections. These encrypt data travelling between the browser and web server.

See SSL/TLS Configuration HOW-TO in the Apache Tomcat documentation.


The default configuration disables SSL access to the MySQL database server by specifying useSSL=false in the JDBC connection string i.e.:

db.url = jdbc:mysql://localhost:3306/openvpms_dev?useSSL=false

To connect to a MySQL server securely, see Connecting Securely Using SSL in the MySQL documentation.
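A small audit of the two settings discussed above (access to the installation directories and the useSSL=false default), as an added example that is not part of OpenVPMS. The function names and the sample file name are hypothetical, and the configuration file is assumed to be in Java properties format.

```shell
# Added example, not part of OpenVPMS. Directory and file paths are supplied by the caller.

# List entries under directory $1 that group or other can read, write or execute.
exposed_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print the db.url value from properties file $1. Java properties files may
# escape ':' and '=' with a backslash, so backslashes are dropped.
db_url() {
    sed -n 's/^[[:space:]]*db\.url[[:space:]]*[=:][[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '\\'
}

# Succeed (meaning: a finding) when the JDBC URL carries useSSL=false.
tls_disabled() {
    case "$(db_url "$1")" in
        *"?useSSL=false"* | *"&useSSL=false"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks on directory $1 and properties file $2.
# The return value is the number of failed checks (0 to 2).
audit() {
    findings=0
    if [ -n "$(exposed_entries "$1")" ]; then
        echo "FAIL: accessible to group/other under $1:"
        exposed_entries "$1" | sed 's/^/  /'
        findings=$((findings + 1))
    fi
    if tls_disabled "$2"; then
        echo "FAIL: $(db_url "$2") disables SSL to MySQL"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a world-readable properties file holding the default URL.
demo() {
    d=$(mktemp -d) || return 9
    printf '%s\n' 'db.url = jdbc:mysql://localhost:3306/openvpms_dev?useSSL=false' > "$d/sample.properties"
    chmod 755 "$d"; chmod 644 "$d/sample.properties"
    audit "$d" "$d/sample.properties"; rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Run it with an installation directory and a properties file as the two arguments, or call demo to see both findings on the constructed sample.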



