Change Service Manager Service Portal initial passwords

Service Manager Service Portal defines a number of initial passwords (for example, initial passwords for users and a keystore file in the out-of-box system). To ensure the best security, Service Manager Service Portal provides a "propeld.yml.example" file, which can be used to change the initial passwords in your production environment.

Note: After changing the passwords, you must run the passwords.yml playbook so that your new passwords take effect.

Service Manager Service Portal initial passwords

The following list gives the passwords whose initial values can be changed, grouped by password category.

DB users
  • analytics
  • bpmuser
  • catalog
  • dashboard
  • jumpstart
  • notification
  • postgres
  • sxuser
OS users
  • postgres
IdM users
  • admin
  • sxCatalogTransportUser
  • searchTransportUser
  • idmTransportUser
  • idmAdmin
  • externalLinkTransportUser
  • diagnosticsTransportUser
  • consumer
  • orgadmin
RabbitMQ
  • rabbitmq
Keystore
  • keystore

  • Your new passwords must use the following format: <password name>:"<password value>". For example:

    admin:"<password value>"
  • Each password value must be longer than 6 characters and must not contain the following YAML special characters: :{}[],&*#?|-=!%@\. However, this is NOT an exhaustive list, and we strongly recommend using alphanumeric characters for your new passwords.

  • Before running the passwords.yml playbook, make sure that all of the passwords listed above are present in the group_vars/propeld.yml file and have a non-empty value. Do not comment out or delete any of these passwords.
  • Make a note of your new password values (for example, your own keystore password), because you may need them in the future if you want to change them again.
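
A pre-flight check for the rules above, as an added example that is not part of the product: it compares the edited propeld.yml with the shipped propeld.yml.example and reports any password that is missing, commented out, empty, not longer than 6 characters, or not alphanumeric. It assumes each password occupies one line in the <password name>:"<password value>" format; the function name check_passwords is hypothetical.

```shell
#!/bin/sh
# Added example, not shipped with the product.
# Assumption: one password per line, written as <name>:"<value>".

# check_passwords FILE EXAMPLE
# Prints one line per problem; returns 0 when FILE is clean, 1 otherwise.
check_passwords() {
    awk '
        # Split a name:"value" line into name/value; 0 for comments and other lines.
        function parse(line) {
            if (line ~ /^[ \t]*#/) return 0
            if (!match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*:/)) return 0
            name = substr(line, 1, RLENGTH - 1); gsub(/[ \t]/, "", name)
            value = substr(line, RLENGTH + 1)
            sub(/^[ \t]+/, "", value); sub(/[ \t\r]+$/, "", value)
            return 1
        }
        function fail(msg) { print msg; bad = 1 }
        # First file (the .example): collect the names that must stay present.
        FILENAME == ARGV[1] { if (parse($0)) required[name] = 1; next }
        # Second file (the edited copy): apply the value rules from this page.
        parse($0) {
            seen[name] = 1
            if (value !~ /^".*"$/) { fail(name ": value is not in double quotes"); next }
            v = substr(value, 2, length(value) - 2)
            if (v == "") fail(name ": empty value")
            else if (length(v) <= 6) fail(name ": must be longer than 6 characters")
            else if (v !~ /^[A-Za-z0-9]+$/) fail(name ": use alphanumeric characters only")
        }
        END {
            for (n in required)
                if (!(n in seen)) fail(n ": missing or commented out")
            exit bad + 0
        }
    ' "$2" "$1"
}

# Stand-alone use: sh check_passwords.sh <edited file> <example file>
if [ "$#" -eq 2 ]; then check_passwords "$1" "$2"; fi
```

Run it from the /opt/hp/propel/contrib/propel* directory against passwords/group_vars/propeld.yml and passwords/group_vars/propeld.yml.example before you run the passwords.yml playbook.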

The following paragraphs describe the steps for two installation modes of Service Manager Service Portal: single instance deployment, and distributed (clustered) deployment.

Change initial passwords for a single instance deployment

To do this, follow these steps:

Note: Make sure that you have installed Ansible 2.2.0.0 before you perform these steps.

  1. Specify your passwords:

    1. Run the following commands:

      # cd /opt/hp/propel/contrib/propel*
      # cp -a group_vars/propeld.yml.example group_vars/propeld.yml
      # cp -a passwords/group_vars/propeld.yml.example passwords/group_vars/propeld.yml
      
    2. Specify your passwords in the propeld.yml file:

      # vi passwords/group_vars/propeld.yml
  2. Update the hosts.default file:

    # cp -a inventory/hosts.example inventory/hosts.default
    # vi inventory/hosts.default
    

    Update the content as follows:

    [lb]
    <Service Manager Service Portal host FQDN>
    
    [propel]
    <Service Manager Service Portal host FQDN>
    
    [db]
    <Service Manager Service Portal host FQDN>
    
    [propeld:children]
    propel
    
    [propel_shared_src:children]
    propel

    Note: You must replace <Service Manager Service Portal host FQDN> with the fully qualified domain name of your Service Manager Service Portal server host.

  3. Change to the passwords directory:

    # cd passwords 
    
  4. Run the passwords.yml playbook either as the "root" user or the "propel" user:

    Note: It takes more time to run the playbook as the "propel" user than as the "root" user.

    • As the "root" user:

      # ansible-playbook passwords.yml -u root
    • As the "propel" user:

      # su - propel
      # ssh-keygen -t rsa -f ~/.ssh/id_rsa
      # ssh-copy-id propel@<Service Manager Service Portal host FQDN>
      # ansible-playbook passwords.yml -c paramiko --ask-become-pass -u propel 2>&1 | tee password.out

Change initial passwords for a distributed deployment

For a distributed deployment, you run the playbook on the load balancer node.

To do this, follow these steps:

  1. Specify your passwords:

    1. Run the following commands:

      # cd /opt/hp/propel/contrib/propel*
      # cp -a passwords/group_vars/propeld.yml.example passwords/group_vars/propeld.yml
    2. Specify your passwords in the passwords/group_vars/propeld.yml file.
  2. Before running the passwords.yml playbook, make sure that the databases are working correctly.

    1. Check that both the master db and slave db have a status value of 2:

      # sudo -u postgres psql -h <VIP of DB> -p 9999 -c "show pool_nodes"
    2. Check that the database sync data is not zero (0):

      # sudo -u postgres psql -h <FQDN of master db> -p 5432 -c 'select sent_location,replay_location from pg_stat_replication'
    3. Make sure that the master db is not in recovery by running the following command (the command should return a value of "f"):

      # sudo -u postgres psql -h <FQDN of master db host> -p 5432 -c 'select pg_is_in_recovery()'
    4. Check that the slave db is in recovery by running the following command (the command should return a value of "t"):

      # sudo -u postgres psql -h <FQDN of slave db host> -p 5432 -c 'select pg_is_in_recovery()'
  3. Run the passwords.yml playbook either as the "root" user or as the "propel" user:

    • As the "root" user:

      Tip: The highlighted commands can be omitted if you have already run them on the master node.

      # ssh-keygen -t rsa -f ~/.ssh/id_rsa
      # ssh-copy-id root@<LB node host FQDN>
      # ssh-copy-id root@<application node 1 FQDN>
      # ssh-copy-id root@<application node 2 FQDN>
      # ssh-copy-id root@<master DB node FQDN>
      # ssh-copy-id root@<slave DB node FQDN>
      # cd passwords/
      # ansible-playbook passwords.yml -u root 2>&1 | tee password.out
    • As the "propel" user:

      # ansible-playbook passwords.yml -c paramiko --ask-become-pass -u propel 2>&1 | tee password.out