
Change the Service Portal Master Password

Service Portal uses a master password (or Key Encryption Key – KEK) to encrypt sensitive data, such as passwords for integration accounts and database connections. HPE recommends that you change the default master password for improved security.

The Service Portal master password is implemented using Shamir’s Secret Sharing Scheme (SSSS) to split the master password into multiple cryptographically-secure KEK shares and store them in distributed file locations.

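You can change the master password for individual Service Portal applications; you do not need to change it for every application.

The following must be done to change the Service Portal master password:

  1. Split the Service Portal Master Password
  2. Update All KEK Share Files for a Service Portal Application
  3. Update all Encrypted Values for a Service Portal Application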

Split the Service Portal Master Password

Perform the following procedure to split the new master password:

  1. On the Service Portal host, log in as root and navigate to the /usr/bin directory.
  2. Run the passwordUtil.js command to split the new master password into three separate values:

    # ./node /opt/hp/propel/launchpad/bin/passwordUtil.js --split
    Please enter the password to split <hidden_password>
    Please enter the File prefix or blank to skip file creation
    Shares are (801d3c957e144c6a9d2725315,802b88f01df3c91dfb974a689,8036a46333e1457066b76f5fd)

  3. Save the three encrypted values (KEK shares) from the output of step 2. They will be used to update the KEK share files in a Service Portal application.

Update All KEK Share Files for a Service Portal Application

After you split a new master password into three encrypted values, you insert the values into all of the KEK share files (KEK stores) under the parent directory of a Service Portal application. The various Service Portal applications have copies of these KEK stores with files named: kekshare1, kekshare2, and kekshare3. The following application directories under the /opt/hp/propel parent directory contain the kekshare* files: catalog-ui, subscription-ui, idmAdmin, msvc, sxUI, sxClient, launchpad, autopassUI, portal, mpp, and diagnostics-ui.

Important: When resetting the master password, all KEK share files in a Service Portal application must have their KEK stores updated and sensitive data re-encrypted. However, you can reset the master password for individual Service Portal applications, and not all applications must be done immediately. For each application:
  • If a keyfile* file exists, delete it. The location of the keyfile* file is specified in the keyfile attribute of an application’s configuration file. For example, inspect the $PROPEL_HOME/launchpad/app.json configuration file for the location of the Launchpad application’s keyfile.
  • Locate and update every KEK store file with the newly encrypted values (from splitting the master password). That is, using the first encrypted value from the master password split, update the kekshare1 file. Update all kekshare1, kekshare2, and kekshare3 files with the three corresponding encrypted values from the master password split. For example, locate and update all kekshare* files under the /opt/hp/propel/launchpad parent directory when splitting the master password for the Launchpad application.
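
One way to confirm that no KEK store copy was missed in an application directory is sketched below. This is an added example, not part of the HPE documentation or tooling: the function name audit_kek_stores and the shares.txt file are hypothetical, and it assumes each kekshareN file holds share N as plain text.

```shell
#!/bin/sh
# Added example (not HPE code). Audits one application directory after the
# KEK share update. The three new shares are read from stdin, one per line,
# so they never appear in the process list or shell history.
# Assumption: each kekshareN file holds share N as plain text.
# Usage: audit_kek_stores /opt/hp/propel/launchpad < shares.txt
audit_kek_stores() {
    app_dir=$1
    [ -d "$app_dir" ] || { echo "ERROR: $app_dir is not a directory" >&2; return 2; }
    if ! { IFS= read -r s1 && IFS= read -r s2 && IFS= read -r s3; } ||
       [ -z "$s1" ] || [ -z "$s2" ] || [ -z "$s3" ]; then
        echo "ERROR: expected three non-empty shares on stdin" >&2
        return 2
    fi
    findings=$(
        for n in 1 2 3; do
            case $n in 1) want=$s1 ;; 2) want=$s2 ;; 3) want=$s3 ;; esac
            # A share number with no file at all is reported, not ignored.
            [ -n "$(find "$app_dir" -type f -name "kekshare$n")" ] ||
                echo "MISSING kekshare$n"
            # Any copy that does not contain the new share was missed.
            find "$app_dir" -type f -name "kekshare$n" | while IFS= read -r f; do
                grep -qF -- "$want" "$f" || echo "STALE $f"
            done
        done
        # A surviving keyfile* must be deleted. Only app_dir is searched here;
        # the keyfile attribute in the app's configuration file is authoritative.
        find "$app_dir" -type f -name 'keyfile*' | sed 's/^/LEFTOVER /'
    )
    s1='' s2='' s3=''
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_kek_stores "$1"
fi
```

Keep the file holding the shares readable by root only and delete it once the audit returns 0.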

Update all Encrypted Values for a Service Portal Application

After updating all KEK share files for a Service Portal application, all of the application’s encrypted passwords must be regenerated using the passwordUtil.js utility. In the following example, all encrypted values for the Launchpad application are regenerated.

  1. Encrypt a new value for a password with the following commands:

    # cd /usr/bin
    # ./node /opt/hp/propel/launchpad/bin/passwordUtil.js
    Please enter the password to encrypt
    Encrypted password is enc(4W6uYbNm6uWsaptPzjxPGQ==)

  2. Using the encrypted value from step 1, edit the $PROPEL_HOME/launchpad/app.json file and update all encrypted values for the following attributes: idmPassword, passphrase, sessionCookieSecret, and connectionPassword.

Tip: When you change the master password for a Service Portal instance, it is also good practice to change the JWT signing key. For more information on changing the signing key, see Change the JWT Signing Key.