Changing passwords and secrets

You can change the passwords and secrets that were used during the deployment process.

About this task

This task applies to the Controller +n compute, High Availability (HA) controller +n compute, or Distributed database topologies. Customizing passwords and secrets is not done for the Minimal topology.
Note: This procedure only applies to passwords and secrets that are found in the Data bags topic. Note the exceptions in the following restriction list.
Restrictions:
  • With IBM Cloud Manager with OpenStack 4.3 FP2, a new secret is available called orchestration_auth_encryption_key. This secret is the value of the auth_encryption_key configuration option in /etc/heat/heat.conf for OpenStack orchestration. Be careful when dealing with this secret and follow the instructions here if you are performing the update cloud deployment tasks described in Updating a deployed topology:
    • The secret is not configurable prior to IBM Cloud Manager with OpenStack 4.3 FP2. If you manually configured this value in /etc/heat/heat.conf, you need to set the secret to the value you manually configured by using the procedure below. Do this before you perform the update procedure described in Updating a deployed topology.
    • If you did not customize this option value for OpenStack orchestration in a previous deployment, do not set the value in your update procedure. The update procedure ensures that the previous default value is used after the deployment update. If you set the value to something else, OpenStack orchestration might not function properly.
  • After you deploy the HA controller +n compute topology, do not change the passwords of these specific data bags.
    • db_passwords: Do not change any of the database passwords.
    • secrets:
      • corosync_secret
      • openstack_identity_bootstrap_token
    • service_passwords: rabbit_cookie
    • user_passwords: hacluster

Use the following instructions to change passwords and secrets.

Procedure

  1. You need to refresh your topology deployment to apply the password changes. You also change the secrets as part of this step.
    1. Log in to the deployment system as the root user. This is the system where IBM Cloud Manager with OpenStack was installed.
    2. Change to the directory where you stored the files for the topology that you deployed. Change your-deployment-name to the name for your deployment.
      $ cd your-deployment-name
    3. Download and decrypt the data bags that contain the passwords and secrets for your deployment and store them in the data_bags directory. The data_bags directory contains a subdirectory for each data bag that is used by your deployment. The subdirectories contain the data bag items for your deployment.
      $ knife os manage get passwords --topology-file your-topology-name.json data_bags
    4. Change the passwords and secrets in the data bag items for your deployment. Edit the data bag items that you just downloaded, so that your changes build on any earlier changes. To change a password, change the value of the key that has the same name as the data bag item.
      For example, for the admin.json data bag item, change the value at CHANGEME to the password.
      {
        "id": "admin",
        "admin": "CHANGEME"
      }
    5. Upload the changed data bags for your deployment.
      $ knife os manage update passwords --topology-file your-topology-name.json data_bags
    6. Refresh the topology deployment with the changed passwords and secrets.
      $ knife os manage update topology your-topology-name.json
  2. For PowerVC and z/VM®, the following passwords can be changed by using the appropriate management interface.
    • For a PowerVC instance:
      • pvcadmin: Password for the PowerVC admin user. You need to use the proper PowerVC management interface to change it.
      • pvcqpid: Password for the PowerVC Qpid powervc_qpid user. You must not change this password.
      • pvcrabbit: Password for the PowerVC RabbitMQ powervcdriver_mq user. This password can be changed with the following command on a PowerVC instance.
        su - rabbitmq -c '/usr/lib/rabbitmq/bin/rabbitmqctl change_password <powervcdriver_mq user> <powervcdriver_mq password>'
    • For a z/VM instance:
      • xcat: Password for the z/VM xcat admin user.
      • xcatmnadmin: Password for the z/VM xcat mnadmin user.
      • zlinuxroot: Root password for the instances that are created by z/VM.
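The following Python helper is an added example, not part of IBM Cloud Manager with OpenStack or the knife plug-in. It covers steps 3 to 5 of the procedure above (editing the downloaded data bag items between the knife get and knife update commands) and the restrictions list: it finds items still set to CHANGEME, writes a new value into an item, refuses to touch the items that must not change after an HA controller +n compute deployment, and reads auth_encryption_key from /etc/heat/heat.conf to decide whether orchestration_auth_encryption_key has to be set before an update. It assumes the Chef layout data_bags/<bag>/<id>.json and that the value key equals the item id, as in the admin.json example; the bag names used in the sample tree (user_passwords, secrets, service_passwords) and the item values are constructed.

```python
import configparser
import json
import os
import secrets
import string
import tempfile

PLACEHOLDER = "CHANGEME"

# Items that must not change after an HA controller +n compute deployment
# (from the Restrictions list). None means every item in that data bag.
HA_LOCKED = {
    "db_passwords": None,
    "secrets": {"corosync_secret", "openstack_identity_bootstrap_token"},
    "service_passwords": {"rabbit_cookie"},
    "user_passwords": {"hacluster"},
}


def is_ha_locked(bag, item_id):
    """True if the item must never be changed once HA is deployed."""
    locked = HA_LOCKED.get(bag, set())
    return locked is None or item_id in locked


def generate_password(length=24):
    """Password from the OS CSPRNG; letters and digits only so the value
    survives shell quoting in knife or rabbitmqctl invocations."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def item_path(data_bags_dir, bag, item_id):
    # Assumption: knife stores items as data_bags/<bag>/<id>.json (Chef layout).
    return os.path.join(data_bags_dir, bag, item_id + ".json")


def find_placeholders(data_bags_dir):
    """(bag, item_id) pairs whose value is still CHANGEME, i.e. never set."""
    found = []
    for bag in sorted(os.listdir(data_bags_dir)):
        bag_dir = os.path.join(data_bags_dir, bag)
        if not os.path.isdir(bag_dir):
            continue
        for name in sorted(os.listdir(bag_dir)):
            if not name.endswith(".json"):
                continue
            with open(os.path.join(bag_dir, name)) as fh:
                item = json.load(fh)
            if item.get(item["id"]) == PLACEHOLDER:
                found.append((bag, item["id"]))
    return found


def set_item_value(data_bags_dir, bag, item_id, new_value, ha_deployed):
    """Rewrite one item's value in place; the key equals the item id as in
    the admin.json example. Refuses HA-locked items once HA is deployed."""
    if ha_deployed and is_ha_locked(bag, item_id):
        raise ValueError(f"{bag}/{item_id} must not change after HA deployment")
    path = item_path(data_bags_dir, bag, item_id)
    with open(path) as fh:
        item = json.load(fh)
    if item.get("id") != item_id or item_id not in item:
        raise ValueError(f"unexpected item layout in {path}")
    item[item_id] = new_value
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(item, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)  # atomic: no half-written item if interrupted
    return item


def orchestration_key_to_set(heat_conf_path):
    """Value for secrets/orchestration_auth_encryption_key before an update:
    the manually configured auth_encryption_key from heat.conf, or None
    meaning do not set it and let the update keep the previous default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(heat_conf_path)
    return cp.get("DEFAULT", "auth_encryption_key", fallback=None)


def build_sample_data_bags(root=None):
    """Constructed sample tree mirroring the knife download layout."""
    root = root or tempfile.mkdtemp()
    sample = {
        "user_passwords": {"admin": "CHANGEME", "hacluster": "CHANGEME"},
        "secrets": {"corosync_secret": "CHANGEME",
                    "orchestration_auth_encryption_key": "CHANGEME"},
        "service_passwords": {"rabbit_cookie": "CHANGEME", "glance": "s3cret"},
    }
    for bag, items in sample.items():
        os.makedirs(os.path.join(root, bag), exist_ok=True)
        for item_id, value in items.items():
            with open(item_path(root, bag, item_id), "w") as fh:
                json.dump({"id": item_id, item_id: value}, fh, indent=2)
    return root


if __name__ == "__main__":
    root = build_sample_data_bags()
    for bag, item_id in find_placeholders(root):
        if is_ha_locked(bag, item_id):
            print(f"skip {bag}/{item_id}: locked after HA deployment")
            continue
        set_item_value(root, bag, item_id, generate_password(), ha_deployed=True)
        print(f"set {bag}/{item_id}")
```

Run it between `knife os manage get passwords` and `knife os manage update passwords`; the placeholder scan is also a useful check before the first `knife os manage update topology`, since any item still at CHANGEME is a password that was never set.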