Change the Service Manager Service Portal Master Password

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Service Manager Service Portal uses a master password (or Key Encryption Key – KEK) to encrypt sensitive data, such as passwords for integration accounts and database connections. We recommend that you change the default master password for improved security.

The Service Manager Service Portal master password is implemented using Shamir’s Secret Sharing Scheme (SSSS) to split the master password into multiple cryptographically-secure KEK shares and store them in distributed file locations.

The master password for individual Service Manager Service Portal applications can be changed, and not all Service Manager Service Portal applications need to have the master password changed.

The following must be done to change the Service Manager Service Portal master password:

Split the Service Manager Service Portal Master Password

Perform the following procedure to split the new master password:

On the Service Manager Service Portal host, log in as root and navigate to the /usr/bin directory.

Run the passwordUtil.js command to split the new master password into three separate values:

# ./node /opt/hp/propel/launchpad/bin/passwordUtil.js --split Please enter the password to split <hidden_password> Please enter the File prefix or blank to skip file creation Shares are (801d3c957e144c6a9d2725315,802b88f01df3c91dfb974a689,8036a46333e1457066b76f5fd)

Save the three encrypted values (KEK shares) from the output of step 2. They will be used to update the KEK share files in an Service Manager Service Portal application.

Update All KEK Share Files for an Service Manager Service Portal Application

After you split a new master password into three encrypted values, you insert the values into all of the KEK share files (KEK stores) under the parent directory of an Service Manager Service Portal application. The various Service Manager Service Portal applications have copies of these KEK stores with files named: kekshare1, kekshare2, and kekshare3. The following application directories under the /opt/hp/propel parent directory contain the kekshare* files: catalog-ui, subscription-ui, idmAdmin, msvc, sxUI, sxClient, launchpad, autopassUI, portal, mpp, and diagnostics-ui.

Important: When resetting the master password, all KEK share files in an Service Manager Service Portal application must have their KEK stores updated and sensitive data re-encrypted. However, you can reset the master password for individual Service Manager Service Portal applications, and not all applications must be done immediately. For each application:

If a keyfile* file exists, delete it. The location of the keyfile* file is specified in the keyfile attribute of an application’s configuration file. For example, inspect the $PROPEL_HOME/launchpad/app.json configuration file for the location of the Launchpad application’s keyfile.

Locate and update every KEK store file with the newly encrypted values (from splitting the master password). That is, using the first encrypted value from the master password split, update the kekshare1 file. Update all kekshare1, kekshare2, and kekshare3 files with the three corresponding encrypted values from the master password split. For example, locate and update all kekshare* files under the /opt/hp/propel/launchpad parent directory when splitting the master password for the Launchpad application.

Update all Encrypted Values for an Service Manager Service Portal Application

After updating all KEK share files for an Service Manager Service Portal application, all of the application’s encrypted passwords must be regenerated using the passwordUtil.js utility. In the following example, all encrypted values for the Launchpad application are regenerated.

Encrypt a new value for a password with the following commands:

# cd /usr/bin # ./node /opt/hp/propel/launchpad/bin/passwordUtil.js Please enter the password to encrypt Encrypted password is enc(4W6uYbNm6uWsaptPzjxPGQ==)

Using the encrypted value from step 1, Edit the $PROPEL_HOME/launchpad/app.json file and update all encrypted values for the following attributes: idmPassword, passphrase, sessionCookieSecret, and connectionPassword.

Tip: When you change the master password for an Service Manager Service Portal instance, it is also good practice to change the JWT signing key. For more information on changing the signing key, see Change the JWT Signing Key.

Connect

Micro Focus Marketplace

ITSM Blog for IT Service Management

ITSM Community

Documentation Forum

Learn

Software Support Online

Software Support Downloads

Software Education Services

Contact

Send Help Center feedback

Submit Service Request

View Service Requests