I am doing a security review of our AEM instance and going through the Security Checklist. It is not clear to me what "Changing the OSGi Web Console Password" actually does. I changed the AEM admin user password to "rainyday". I changed the OSGi Web Console password to something distinct per the instructions - "sunnyday". To get to the OSGi Web Console the AEM admin user password "rainyday" allows access NOT the password set for OSGi Web Console.
Why is is recommended to set an OSGi Web Console password?
When is the password used?
What is the consequence of not setting the OSGi Web Console password?
What is the consequence of setting them to the same thing? "rainyday".
As mentioned in the docs under security checks. We usually update the admin credentials to secure the crx and system/console(OSGI Web Console) as it has all the confidential information on code and jars. So once you update the admin password let's suppose to sunnyday then in that case using the same password you can login to crx as well as OSGI web console.