JSON change-password request to /ssl/user-manage-passwords failed

Hi, I am trying to change the Admin password on our newly installed ODK -Aggregate 2.0.1 (tomcat8, postgresql 9.5, ubuntu 16.04LTS) and get an error message when saving the new password "JSON change-password request to /ssl/user-manage-passwords failed"
We have SSL installed and working. I saw that this had been posted earlier (JSON change-password) without it being clear what actually solved the issue. I tried following the link in previous post but didnt find anything about "Unsupported Webserver Configuration". Session cookies in browser are enabled.

I hope someone will be able to help

Welcome to the ODK forum, @Axlm! We're glad you're here. When you get a chance, please introduce yourself here. I'd also encourage you to add a real picture as your avatar because it helps build community.

The most common cause for this issue is a misconfigured security.properties file. The location of this file may vary depending on the method you choose to deploy aggregate. Did you use the installer or did you compiled Aggregate yourself?

Another factor that we need to take into account is whether your users are accessing Aggregate directly or via some proxy or load balancer. Can you tell us more details about your deployment?

Txs for the welcome. I have written a short introduction, but will add a picture as well.

I used the installer to deploy Aggregate and our users are accessing Aggregate directly. The solution is running on VM in Azure.
Where do I find security.properties? Is there anything there I can look for or change?

Thank you for your assistance

Thanks for the info!

The installer packs all configuration files into a JAR file located at WEB-INF/lib/ODKAggregate-settings.jar. You can unzip that file to get the security.properties file. We need to check what values are defined int the keys:


Thanks. Here is the info from the security.properties file.
In addition the security.server.hostname= is blank


Hi @Axlm!

The configuration you've shared is OK for your setup. You could change some settings to better fit your scenario, but the one you have is actually OK.

When security.server.hostname is empty, Aggregate detects a valid IP address automatically when starting, which works in most situations.

You could try to set a specific value in security.server.hostname, though. That would prevent issues in case Aggregate has detected an IP address different than the one users are using to access it, which would explain why changing passwords fails.

In order to do that, you can follow these steps:

  • Stop Tomcat
  • Create a backup of the whole directory where Aggregate is deployed
  • Unzip WEB-INF/lib/ODKAggregate-settings.jar into WEB-INF/classes
  • Delete WEB-INF/lib/ODKAggregate-settings.jar << this is important
  • Edit WEB-INF/classes/security.properties and set security.server.hostname with the IP address or hostname that the users will be using to access Aggregate
  • Start Tomcat

Hi @ggallo,

unfortunately it didn't work. I tried both with IP address and hostname, but with the same result. I am able to create a new user on the Site Admin page but I get the same message as before when I try the Change Password button. Anything else I could try?

Hi @ggalmazor,
A colleague found a previous post in the forum that had similar problem, but that was related to some port issues. We are running our solution on port 8443 and noticed when we changed to security.server.hostname to ip address and disabled the port 8080 connector (which redirected to 8443) in the server.xml we got an error message complaining about not able to find ipaddress:8080 when tried to Change Password. This seemed to indicate that even it was using port 8443 it tried to switch to port 8080 when pressing the Change Password button. We also notice that if we activate developer mode in the browser and as soon as we press Change Password to send the password we get a 404 on /ssl/user-manage_passwords. I hope that this might be of any help to clarify the problem.

Hi @Axlm!

In that case, you can solve it by setting both security.server.secureChannelType, and security.server.channelType keys to REQUIRES_SECURE_CHANNEL.

This page has more information of all the conf params: https://github.com/opendatakit/aggregate/blob/master/docs/aggregate-config.md

Hi @ggalmazor,
unfortunately this didn't help either but led us to a temporary solution and maybe the key to the problem. We used the developer tools in Chrome again and noticed we still got 404 message as soon as we pressed the Change Password button after entering the new passwords. I double clicked on the error message in the developer tools and it opened the 404 URL in a new window . There I saw that it tried to open the following URL https://odk.cmi.no:8443/ssl/user-manage-passwords?username=... but ODKAggregate was missing in the URL. However changing the URL to this: https://odk.cmi.no:8443/ODKAggregate/ssl/user-manage-passwords?username=.. enabled us to change the passwords. So there seems to be something like a base URL or something somewhere that is not correct. It works for now, but I don't know if this will affect other functionality of ODKAggregate as well.
Thank you for your help so far!

Did you, by any chance, install v2.0.0 before updating to v2.0.1? In that case, you might have a cached version of the javascript code that generates those URLs. You can test that by accessing Aggregate in incognito mode.

Yes, I did, and we experienced the same error as was reported and fixed in 2.0.1. I have tried two different browser in incognito mode, but still get the same error message

Thanks for the info! This commit was supposed to fix that issue, but apparently there's still something going on. I'm on it!


Hopefully, we will be able to release a v2.0.2 patch release very soon

After trying the solutions in this post I'm, also still experiencing this issue on a fresh install of 2.01 on Windows Server 2016 / Tomcat 8.5 and Azure PostgreSQL.

[EDIT] Reading the post by @Axlm I will try to install ODKAggregate as ROOT application, then the url without 'ODKAggregate' would be correct (-:

{EDIT AGAIN}: @Axlm @ggalmazor This workaround works.

Heads up! Aggregate v2.0.2 has been released with a fix for this issue :slight_smile:


On the day I found the workaround (-: (-: (-:

1 Like

Sorry, we'll try to work slower next time! :laughing:

Thank you for all your help!
We also managed to find a workaround, but will upgrade to 2.0.2 in the coming days for a permanent change.

Hey @ggalmazor..

I'm also facing the same issue of password change failed but on windows server 2008. It doesnt give me any error on windows 10 pro.

Still im upgrading my version to 2.0.2 on windows server. Lets see if it works. Ill give headsup once done.


Hey @ggalmazor,

Cheers for successfully able to install v2.0.2 on windows server 2008 R2 without fail. It works like a charm with no error "JSON change-password request to /ssl/user-manage-passwords failed"

Thanks to you and team.. Kudos..
@yanokwa @gt3o0o
Keep up..