Platform password management

The Fabric Services System uses several internal passwords for communication between its internal services. These passwords are set to secure values by default; from a security standpoint, Nokia recommends that you change them after installing the platform. You can change the internal passwords for the following services and their users:
Table 1. Internal services and users

  Service      Users
  -----------  --------------------------------------------------------------
  MongoDB      root, fsp_user
  Neo4J        root
  Keycloak     master, fss, ztp
  PostgreSQL   root, keycloak
  Kafka        single admin password (no per-user entry in the configuration
               file; the tool reports it as fss-kafka-admin)

Changing passwords for internal services

  • Perform this procedure only during a maintenance window. Changing the password for an internal service causes the service to be unavailable for some time.
  • If you are changing the password only for a non-root or non-master user, you must still provide the current password of the root or master user of that service in the password configuration file (see the sample-password-values.json example below).

Use the fss-change-passwords.sh command on the deployer VM to change the application passwords. The command then changes the internal passwords for the services and restarts any affected service.

The following is usage information for the fss-change-passwords.sh command:
# /root/bin/fss-change-passwords.sh -h

Usage: /root/bin/fss-change-passwords.sh configure <passwords-json-file>  - Reads passwords json file and configures new passwords.
       /root/bin/fss-change-passwords.sh [help | -h]                      - Prints usage
Passwords have the following requirements:
  • Passwords can consist of the following characters:
    • alphabetical: a-z, A-Z
    • numerical: 0-9
    • special characters: @#$%^&*()_+-=[]{}|.
      Note: & is not supported for any of the keycloak user passwords.
  • Passwords must consist of at least:
    • eight characters
    • two upper-case characters
    • two lower-case characters
    • one numerical character
    • one special character: @#$%^&*()_+-=[]{}|.
Note: Passwords must be provided in clear text, and the file contains both the current and the new passwords. Ensure that the configuration file is secure: restrict it to the root user (for example, with chmod 600), do not leave it unprotected, and remove it after the procedure completes.
  1. Create a JSON password configuration file.

    In the JSON password configuration file, for each application, provide the supported users and the current and new password for each user.

    The following example shows the contents of the /root/sample-password-values.json configuration file that is present on the deployer VM:
    [root@fss-deployer ~]# cat /root/sample-password-values.json
    {
      "fss": {
        "passwords": {
          "mongodb": {
            "fsp_user": {
              "current": "cleartext",
              "new": "cleartext_new"
            },
            "root": {
              "current": "cleartext",
              "new": "cleartext_new"
            }
          },
          "neo4j": {
            "root": {
              "current": "cleartext",
              "new": "cleartext_new"
            }
          },
          "keycloak": {
            "master": {
              "current": "cleartext",
              "new": "cleartext_new"
            },
            "fss": {
              "current": "cleartext",
              "new": "cleartext_new_complexpass"
            }
          },
          "postgresql": {
            "root": {
              "current": "cleartext",
              "new": "cleartext_new"
            },
            "keycloak": {
              "current": "cleartext",
              "new": "cleartext_new"
            },
            "ztp": {
              "current": "cleartext",
              "new": "cleartext_new"
            }
          }
        }
      },
      "kafka": {
        "passwords": {
          "current": "cleartext",
          "new": "cleartext_new"
        }
      }
    }
    
  2. Run the command, passing the configuration file in which you entered the current passwords and the new passwords.
    The following example shows a successful password change.
    [root@fss-deployer ~]# ./bin/fss-change-passwords.sh configure password-values.json
    SUCCESS kafka : fss-kafka-admin
    SUCCESS mongodb : fsp_user
    SUCCESS mongodb : root
    SUCCESS neo4j : root
    SUCCESS postgresql : root
    SUCCESS postgresql : keycloak
    Waiting for all the pods to come up...
    All pods are Running!
    If a change fails, the script returns an error message. Depending on the error, the script may still continue with the password change requests that did not fail. In the following example, the password change for the MongoDB users failed because the current passwords provided do not match the configured passwords; the tool still updated the passwords for the other users.
    [root@fss-deployer ~]# ./bin/fss-change-passwords.sh configure sample-password-values.json
    SUCCESS kafka : fss-kafka-admin
    ERROR occured for mongodb fsp_user , please make sure you have provided correct credentials 
    ERROR occured for mongodb root , please make sure you have provided correct credentials 
    SUCCESS neo4j : root
    SUCCESS keycloak : master
    SUCCESS keycloak : ztp
    SUCCESS keycloak : admin
    SUCCESS postgresql : root
    SUCCESS postgresql : keycloak
    Waiting for all the pods to come up...
    All pods are Running!
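As an added pre-flight check (example code written for this page, not part of the Nokia tool or of the original documentation), the following Python script validates a password configuration file of the layout shown in step 1 against the password requirements listed above, and warns if the file is readable by group or other users, before you hand it to fss-change-passwords.sh. A failed credential check in the tool leaves some passwords changed and others not, so catching policy violations first avoids a partial rotation. The JSON layout is taken from the sample file above; the SAMPLE_CONFIG values are constructed, the script name check_fss_passwords.py is hypothetical, and treating the PostgreSQL keycloak database user as also subject to the '&' restriction is a conservative assumption made here.

```python
"""check_fss_passwords.py - validate an FSS password configuration file.

Added example, not Nokia's code. Checks every "new" password against the
documented policy (allowed character set, at least 8 characters, two
upper-case, two lower-case, one digit, one special character, and no '&'
for Keycloak users) and warns if the file is readable by other users.
Usage: python3 check_fss_passwords.py <passwords-json-file>
"""
import json
import os
import stat
import sys

ALLOWED_SPECIAL = set("@#$%^&*()_+-=[]{}|.")
ALLOWED = set("abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") | ALLOWED_SPECIAL
MIN_LENGTH = 8

# Constructed sample mirroring the layout of /root/sample-password-values.json;
# the values are made up for this example.
SAMPLE_CONFIG = {
    "fss": {
        "passwords": {
            "mongodb": {
                "root": {"current": "Old#Pass12", "new": "Xy9$kLmNop"},
                "fsp_user": {"current": "Old#Pass12", "new": "short1A"},
            },
            "keycloak": {
                "master": {"current": "Old#Pass12", "new": "AB&cdef12"},
            },
        }
    },
    "kafka": {"passwords": {"current": "Old#Pass12", "new": "NoDigitsAB!!"}},
}


def check_password(password, keycloak_user=False):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    bad = set(password) - ALLOWED
    if bad:
        problems.append("unsupported characters: %s" % "".join(sorted(bad)))
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(c.isupper() for c in password) < 2:
        problems.append("fewer than two upper-case characters")
    if sum(c.islower() for c in password) < 2:
        problems.append("fewer than two lower-case characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numerical character")
    if not any(c in ALLOWED_SPECIAL for c in password):
        problems.append("no special character")
    if keycloak_user and "&" in password:
        problems.append("'&' is not supported for keycloak users")
    return problems


def iter_entries(config):
    """Yield (service, user, entry) for every password entry in the file.

    Services under "fss" are keyed by user name; "kafka" carries a single
    password with no user name and is reported here with user "-".
    """
    for service, users in config.get("fss", {}).get("passwords", {}).items():
        for user, entry in users.items():
            yield service, user, entry
    if "kafka" in config:
        yield "kafka", "-", config["kafka"]["passwords"]


def validate_config(config):
    """Return {"service/user": [problems]} for every entry that fails."""
    failures = {}
    for service, user, entry in iter_entries(config):
        problems = []
        for key in ("current", "new"):
            if not entry.get(key):
                problems.append("missing %r password" % key)
        if entry.get("new"):
            # Assumption: the Keycloak service users and the PostgreSQL
            # "keycloak" database user are all treated as Keycloak passwords.
            is_keycloak = service == "keycloak" or user == "keycloak"
            problems += check_password(entry["new"], is_keycloak)
        if problems:
            failures["%s/%s" % (service, user)] = problems
    return failures


def owner_only(path):
    """True if the file has no group or other permission bits (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def main(argv):
    if len(argv) != 2:
        print("usage: %s <passwords-json-file>" % argv[0])
        return 2
    path = argv[1]
    if not owner_only(path):
        print("WARNING: %s is readable by group/other; run: chmod 600 %s" % (path, path))
    with open(path) as fh:
        failures = validate_config(json.load(fh))
    for name, problems in sorted(failures.items()):
        print("FAIL %s: %s" % (name, "; ".join(problems)))
    if failures:
        return 1
    print("all new passwords satisfy the policy")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against your own file before step 2 and fix every FAIL line; the exit status is 1 on any violation, so it can be chained ahead of the tool in a maintenance-window runbook. The script only reads the file, and it does not verify that the "current" values are correct; that check is still made by fss-change-passwords.sh itself, as the error output above shows.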