Hi @anasustic,
What you’re seeing is expected behavior, and it explains the confusion: the OsgiManager username/password only applies when the JCR repository is unavailable.
In AEM, Felix Web Console authentication is delegated to the Sling WebConsoleSecurityProvider, which authenticates against the JCR repository. If you look at the OsgiManager config description closely, it says: “This property is ignored if a WebConsoleSecurityProvider is used for authentication.” That’s why admin:admin still works after your restart, it’s authenticating as the repository admin user, not via your OSGi config.
So two separate fixes:
1. Post-startup access (your current issue): change the repository admin password (Tools → Security → Users, or /crx/explorer). The web console will follow it immediately.
2. The startup window (your original question): this is exactly when the repository is down and the OsgiManager fallback credentials do apply. To protect it, don’t set them via ConfigMgr (too late in the lifecycle), deploy them as a config file picked up at boot:
crx-quickstart/install/org.apache.felix.webconsole.internal.servlet.OsgiManager.cfg.json
with your custom username/password. This way the fallback credentials are non-default from the very first second of startup.
3. Defense in depth: regardless of credentials, /system/console should never be network-reachable in production, block it at the dispatcher (/filter deny) and firewall it to localhost/VPN on author. On publish, consider whether the web console bundle is needed at all. (For reference, AEM as a Cloud Service removes /system/console access entirely, that’s the direction Adobe itself went.)
So: repository admin password covers normal runtime, the boot-time config file covers the startup window, and network restriction covers everything else.