Changing internal passwords

The Fabric Services System uses several internal passwords to communicate between its internal services. These passwords are set securely by default. From a security standpoint, Nokia recommends that you update these passwords after installation of the platform. You can change the internal passwords for the following services and their users:
  • MongoDB: root and fsp_user users
  • Neo4J: root user

You use the fss-change-passwords.sh command on the deployer VM to change the application passwords. The command then changes the internal passwords for the services and restarts any affected service.

Following is usage information for the fss-change-passwords.sh command:
# /root/bin/fss-change-passwords.sh -h

Usage: /root/bin/fss-change-passwords.sh configure <passwords-json-file>  - Reads passwords json file and configures new passwords.
       /root/bin/fss-change-passwords.sh [help | -h]                      - Prints usage
Passwords have the following requirements:
  • Passwords can consist of the following characters:
    • Alphabetical: a-z, A-Z
    • Numerical: 0-9
    • Special characters: @#$%^&*()_+-=[]{}|.
  • Passwords must be at least 8 characters long.
Note: Passwords must be provided in clear text. Ensure that the configuration file is secure; do not leave it unprotected.
  1. Create a JSON password configuration file.

    In the JSON password configuration file, for each application, provide the supported users and the current and new password for each user.

    The following example shows the contents of the configuration file /root/password-values.json:
    [root@fss-deployer ~]# cat /root/password-values.json
    {
      "fss": {
        "passwords": {
          "mongodb": {
            "root": {
              "current": "cleartext",
              "new": "cleartextnew"
            },
            "fsp_user": {
              "current": "cleartext",
              "new": "cleartextnew"
            }
          },
          "neo4j": {
            "root": {
              "current": "cleartext",
              "new": "cleartextnew"
            }
          }
        }
      }
    }
  2. After setting the current and new passwords in the file, execute the command to change the internal passwords.
    The following example shows a successful password change.
    [root@fss-deployer ~]# ./bin/fss-change-passwords.sh configure password-values.json
    Creating mongodb fsp-user chart map patch
    Creating mongodb root chart map patch
    Creating neo4j root chart map patch
    Applying chart map patch
    helm upgrade prod /var/lib/rancher/k3s/storage/pvc-repo/download/charts/fss-charts -f /tmp/passchg/chart-patch.yaml
    Release "prod" has been upgraded. Happy Helming!
    NAME: prod
    LAST DEPLOYED: Tue Dec 13 01:02:56 2022
    NAMESPACE: default
    STATUS: deployed
    REVISION: 7
    NOTES:
    mongodb root password change successful
    mongodb fsp password change successful
    neo4j root password change successful
    Restarting required pods
    Checking for FSS pods
    Waiting for default cp-zookeeper 3 Running
    Waiting for FSS pods to comeup
    Waiting for default cp-zookeeper 3 Running
    Waiting for FSS pods to comeup
    Waiting for default fss-auth 1 Running
    Waiting for FSS pods to comeup
    All FSS pods are running
    Checking for FSS digitalsandbox pods
    FSS digital sandbox pods are running
    Checking for digitalsandbox pods
    Digital sandbox pods are running
    FSS is ready, you can access FSS using <URL_to_access_the_Fabric_Services_Sytem>
    In case of a failure, the script returns an error message. Depending on the error, the script may still continue with the remaining password change requests. In the following example, the password change failed for the MongoDB root password because the password does not meet the minimum requirements. The tool still updates the passwords for the other users.
    [root@fss-deployer ~]# ./bin/fss-change-passwords.sh configure password-values.json 
    minimum 8 characters required for new mongodb root password, change skipped
    Creating mongodb fsp-user chart map patch
    Creating neo4j root chart map patch
    Applying chart map patch
    helm upgrade prod /var/lib/rancher/k3s/storage/pvc-repo/download/charts/fss-charts -f /tmp/passchg/chart-patch.yaml
    Release "prod" has been upgraded. Happy Helming!
    NAME: prod
    LAST DEPLOYED: Tue Dec 13 00:56:38 2022
    NAMESPACE: default
    STATUS: deployed
    REVISION: 2
    NOTES:
    mongodb fsp password change successful
    neo4j root password change successful
    Restarting required pods
    Checking for FSS pods
    Waiting for default cp-zookeeper 3 Running
    Waiting for FSS pods to comeup
    Waiting for default cp-zookeeper 3 Running
    Waiting for FSS pods to comeup
    Waiting for default fss-auth 1 Running
    Waiting for FSS pods to comeup
    All FSS pods are running
    Checking for FSS digitalsandbox pods
    FSS digital sandbox pods are running
    Checking for digitalsandbox pods
    Digital sandbox pods are running
    FSS is ready, you can access FSS using <<URL_to_access_the_Fabric_Services_Sytem>
    [root@fss-deployer ~]#
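
A pre-flight check for the password file, run before step 2 so that one invalid entry does not lead to the partial change shown above. This is an added example, not part of the Fabric Services System tooling; the function names, the 0600 permission expectation, and the reading of the trailing "." as part of the special-character set are assumptions, and the sample values are constructed.

```python
import json
import os
import re
import stat
import tempfile

# Rules as listed on this page. Assumption: the trailing "." in the
# special-character list belongs to the set.
ALLOWED = re.compile(r"[A-Za-z0-9@#$%^&*()_+\-=\[\]{}|.]+")
MIN_LENGTH = 8


def check_password_file(path):
    """Return a list of problems; password values are never echoed."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is open to group/other")
    with open(path, encoding="utf-8") as fh:
        users_by_service = json.load(fh)["fss"]["passwords"]
    for service, users in users_by_service.items():
        for user, entry in users.items():
            new = entry.get("new", "")
            if len(new) < MIN_LENGTH:
                problems.append(f"{service}/{user}: new password shorter than {MIN_LENGTH}")
            if not ALLOWED.fullmatch(new):
                problems.append(f"{service}/{user}: new password has unsupported characters")
    return problems


def demo():
    """Check a constructed sample file, first world-readable, then 0600."""
    sample = {"fss": {"passwords": {
        "mongodb": {"root": {"current": "cleartext", "new": "short"},
                    "fsp_user": {"current": "cleartext", "new": "cleartextnew"}},
        "neo4j": {"root": {"current": "cleartext", "new": "bad pass!"}}}}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "password-values.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        loose = check_password_file(path)
        os.chmod(path, 0o600)
        tight = check_password_file(path)
    return loose, tight


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

An empty result from `check_password_file("/root/password-values.json")` means the file meets the listed requirements; remove the file once the change has completed, since it holds the passwords in clear text.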