Overview

Skill Level: Beginner

Intended for ICO administrators.

This recipe lists steps to modify the passwords in the Deployment Service environment [chef, job topologies] and in the IBM® Cloud Orchestrator servers automatically, at runtime, using a new script introduced in ICO 2.4.0.4.

Ingredients

IBM Cloud Orchestrator v2.4.0.4

Step-by-step

  1. Password Rules

    1. Passwords can consist only of the following characters: [a – z], [A – Z], [0 – 9] and _.

    2. Passwords of the following users and of the IBM HTTP Server keystore (key.kdb) must be the same.

      1. The IBM Cloud Orchestrator administrator (admin).

      2. The OpenStack service users (e.g. nova, glance, cinder, neutron, ceil).

      3. The Business Process Manager DB user (bpmuser).

      4. The Business Process Manager administrator (bpm_admin).

      5. IBM HTTP Server keystore (key.kdb).

    3. Passwords of the following DB2 users must be the same:

      1. DB2 administrator (db2das1).

      2. DB2 fenced user (db2fenc1).

      3. DB2 instance user (db2inst1).
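
    The following POSIX shell functions are an added pre-flight check, not part of the ICO tools; the function names (ico_pw_check, ico_pw_companions, ico_pw_preflight) are my own. They encode the two rules above so that a candidate password can be validated, and the users that must share it listed, before passwords.sh is run:

```shell
#!/bin/sh
# Added pre-flight helper (not part of the ICO tools): checks a candidate
# password against the character rule and lists the other users whose
# passwords must be changed alongside a given user.

# Return 0 if the password uses only [a-z], [A-Z], [0-9] and _, else 1.
ico_pw_check() {
    case "$1" in
        "")                 return 1 ;;   # empty is never acceptable
        *[!A-Za-z0-9_]*)    return 1 ;;   # any other character violates the rule
        *)                  return 0 ;;
    esac
}

# Print the users (and the IBM HTTP Server keystore) that must share the
# password with the given user, one per line; prints nothing if the user
# is not part of a shared-password group.
ico_pw_companions() {
    case "$1" in
        admin|serviceuser|bpmuser|bpm_admin)
            for u in admin serviceuser bpmuser bpm_admin key.kdb; do
                [ "$u" = "$1" ] || printf '%s\n' "$u"
            done ;;
        db2das1|db2fenc1|db2inst1)
            for u in db2das1 db2fenc1 db2inst1; do
                [ "$u" = "$1" ] || printf '%s\n' "$u"
            done ;;
    esac
}

# Usage: ico_pw_preflight <user> <new_password>
# Exit status 0 means the password is acceptable for
# "./passwords.sh change <user> passwords to <new_password>"; any users
# that must receive the same password are reported on stderr.
ico_pw_preflight() {
    if ! ico_pw_check "$2"; then
        echo "rejected: password may only contain a-z, A-Z, 0-9 and _" >&2
        return 1
    fi
    others=$(ico_pw_companions "$1")
    if [ -n "$others" ]; then
        echo "note: $1 shares its password with: $(printf '%s' "$others" | tr '\n' ' ')" >&2
    fi
    return 0
}
```

    Run it as, for example, ico_pw_preflight bpmuser P4ssW0rD before Example 3 below; it accepts the password and reminds you that admin, serviceuser, bpm_admin and key.kdb must be changed to the same value.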

  2. Scripts

    1. Located at /opt/<ico_install_2404>/installer/tools on deployment server.

    2. passwords.sh – used to change passwords in your IBM Cloud Orchestrator environment. This script can only be used in environments where the existing passwords consist of [a – z], [A – Z], [0 – 9] and _. The script changes the passwords of the users on all the IBM Cloud Orchestrator servers except the Deployment Server VM itself.

    3. upgradePre-ReqCheck.sh – used to validate if passwords in the deployment service environment match that of the users in your IBM Cloud Orchestrator environment prior to starting the upgrade. Additionally, this script validates if the passwords comply with the passwords rules mentioned above. In case of a password mismatch, this script can also be used to update the passwords in the deployment service environment. Note that this script is not used to change passwords in the IBM Cloud Orchestrator environment.

  3. Prerequisites

    1. Ensure that the ds job-list command shows a list of the deployment jobs, including the job used in the Central Server installation. If any job in the list is in ERROR status, you must remove it.

    2. Ensure that the “nologin” feature is not enabled for users in the IBM® Cloud Orchestrator environment by following steps in the Security Hardening Guide.

    3. Ensure that users in the IBM® Cloud Orchestrator environment are unlocked and available for login.

    4. Log onto deployment server as root user and create a temporary directory such as ~/tools.

    5. Navigate to /opt/<ico_install_2404>/installer/tools directory and copy its contents to ~/tools.

  4. Notes

    1. Ensure you are logged in as the root user on the deployment server.

    2. When you run the passwords.sh script, you are prompted to specify if your IBM Cloud Orchestrator environment was deployed in a High-Availability topology.

    3. By using the passwords.sh script, you can validate the passwords of db2das1 and db2fenc1 users, but you cannot change their passwords with the script. If validation shows any mismatch, fix the issue manually.

    4. admin, serviceuser, bpmuser and bpm_admin users must have the same password. If the password of any of these users is changed, you must also change the password of the remaining users. Additionally, you must also change the password of the IBM HTTP Server keystore (key.kdb) password to match that of these users by following this step:

      1. Log onto primary and secondary Central Server 2 (if ICO was migrated from v2.3 to v2.4, then log onto Central Server 4 instead of Central Server 2) and run the following command (on one line) to change the IBM HTTP Server keystore (key.kdb) password:

        /opt/IBM/HTTPServer/bin/gskcmd -keydb -changepw -db /opt/IBM/HTTPServer/bin/key.kdb -pw <old_password> -new_pw <new_password>

        where <old_password> is passw0rd, if it was not modified from the original installation, and <new_password> is the recently modified password of admin, serviceuser, bpmuser and bpm_admin users.

  5. Usage

    ./passwords.sh help

    Print usage information.

    ./passwords.sh backup environment

    Create a backup of the current environment. The program downloads or copies the current environment into the ./passwords.sh-backup directory and then creates an archive file ./passwords.sh-backup-<timestamp>.tgz. The actual and modified Deployment Service environment files are located in the /var/chef/environment directory.

    ./passwords.sh change <user> passwords [to <value>]

    Modify the respective passwords on the target ICO system as well as in the deployment service environment. Possible values for <user> are:

    • rootuser — Change the operating system root password for all the IBM Cloud Orchestrator systems except the external DB server (if it exists).
    • admin — Change the ICO administrator “admin” user password.
    • serviceuser — Change the Openstack service user passwords.
    • iwduser — Change the IWD user password. Note that the command changes the Workload Deployer user password only on the Central Server and not on the Region Server, where you have to change it manually.
    • bpmuser — Change the BPM database user password.
    • bpm_admin — Change the BPM administrator “bpm_admin” user password.
    • databaseuser — Change the Openstack database user passwords.

    ./passwords.sh change all passwords [to <value>]

    Modify all the passwords, except the root user, on the target system as well as in the deployment service environment.

  6. Example 1: Change all passwords to ‘P4ssW0rD’

    1. Login as root user on the deployment server.

    2. Navigate to the ~/tools directory created under the ‘Prerequisites’ section above.

    3. Run the following command:

      ./passwords.sh change all passwords to P4ssW0rD

  7. Example 2: Change rootuser password to ‘P4ssW0rD’

    1. Login as root user on the deployment server.

    2. Navigate to the ~/tools directory created under the ‘Prerequisites’ section above.

    3. Run the following command:

      ./passwords.sh change rootuser passwords to P4ssW0rD

  8. Example 3: Change bpmuser password to ‘P4ssW0rD’

    1. Login as root user on the deployment server.

    2. Navigate to the ~/tools directory created under the ‘Prerequisites’ section above.

    3. Run the following command:

      ./passwords.sh change bpmuser passwords to P4ssW0rD

    4. Important: As per the restriction mentioned in the ‘Password Rules’ section above, these additional changes are needed:

      1. ./passwords.sh change admin passwords to P4ssW0rD

      2. ./passwords.sh change serviceuser passwords to P4ssW0rD

      3. ./passwords.sh change bpm_admin passwords to P4ssW0rD

      4. Log onto primary and secondary Central Server 2 (if ICO was migrated from v2.3 to v2.4, then log onto Central Server 4 instead of Central Server 2) and run the following command (on one line) to change the IBM HTTP Server keystore (key.kdb) password:

        /opt/IBM/HTTPServer/bin/gskcmd -keydb -changepw -db /opt/IBM/HTTPServer/bin/key.kdb -pw <old_password> -new_pw P4ssW0rD

        where <old_password> is passw0rd if it was not modified from the original installation.

  9. What to do next?

    To protect the confidentiality of the passwords, you must manually remove the working directory and log file after changing the passwords. The password values that are available in the following files are shown as clear text:

    • Files in the /var/chef/environment directory
    • Files in the passwords.sh-backup working directory
    • Log file passwords.sh-log.txt
    • Backup archive files named passwords.sh-backup-<timestamp>.tgz
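
    The following POSIX shell functions are an added cleanup helper, not part of the ICO tools; the function names (ico_pw_cleanup, ico_pw_leftovers) are my own. They remove the three artefacts listed above from the passwords.sh working directory and report whether any remain. They deliberately do not touch /var/chef/environment, since the Deployment Service still needs those files:

```shell
#!/bin/sh
# Added cleanup helper (not part of the ICO tools). Removes the clear-text
# password artefacts that passwords.sh leaves in its working directory:
# the passwords.sh-backup directory, passwords.sh-log.txt and every
# passwords.sh-backup-<timestamp>.tgz archive.
#
# Usage: ico_pw_cleanup [workdir]   (defaults to the current directory)
ico_pw_cleanup() {
    dir="${1:-.}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -d "$dir/passwords.sh-backup" ]; then
        rm -rf -- "$dir/passwords.sh-backup"
    fi
    if [ -f "$dir/passwords.sh-log.txt" ]; then
        rm -f -- "$dir/passwords.sh-log.txt"
    fi
    # -maxdepth 1 keeps the deletion inside the working directory itself
    find "$dir" -maxdepth 1 -type f -name 'passwords.sh-backup-*.tgz' -exec rm -f -- {} +
    return 0
}

# Print how many password-bearing artefacts remain in the working directory;
# 0 means the cleanup is complete.
ico_pw_leftovers() {
    dir="${1:-.}"
    n=0
    [ -e "$dir/passwords.sh-backup" ] && n=$((n + 1))
    [ -e "$dir/passwords.sh-log.txt" ] && n=$((n + 1))
    for f in "$dir"/passwords.sh-backup-*.tgz; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

    Run ico_pw_cleanup from the ~/tools directory used in the examples above, then confirm that ico_pw_leftovers prints 0.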

  10. Additional information

    If you wish to optionally change the passwords at runtime manually, follow the steps on ‘Manually change the various passwords’ page in the ICO 2.4.0.4 knowledge center.
