
(SA) Support Tip: How to change the passwords in Server Automation (SA) with passwdChanger?

passwdChanger is a tool that allows you to change one or more passwords of a Server Automation environment.

It is installed via rollup hotfixes under /opt/opsware/support/bin/

OPTIONS

--version

Program Version

--verify <response file>

Verify a response file

--build <response file>

Build change scripts to change passwords to those in <response file>


USAGE

Before changing any password make sure a response file exists that matches the current running system.

The directory /var/opt/opsware/install_opsware/resp/ contains installation response files.

passwdChanger --verify "resp.2015-02-10.06:22:05"


Once you have found a response file that matches your installed system (or have edited a copy of one so that it matches), you are ready to create the response file containing the new passwords. This is done with an editor.

The following password keys appear inside a response file:

%truth.lcrepPwd
%truth.truthPwd
%truth.twistPwd
%truth.aaaPwd
%truth.pubViewsPwd
%truth.vaultPwd
%truth.oaPwd
%truth.spinPwd
%truth.gcPwd
%twist.integration.passwd
%twist.buildmgr.passwd
%truth.detuserpwd
%decrypt_passwd


The password identified by the key %decrypt_passwd is not changed with this tool. This should be done via a Core Recertification.
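
Before running --build, it helps to confirm which keys actually differ between the matching response file and the edited copy, and that %decrypt_passwd was left alone. The following is an added example, not part of passwdChanger or of the original tip; it assumes one "key=value" parameter per line in the response file, and the sample input and the key %example.setting are constructed. Only key names are reported, never password values.

```python
# Added example: compare old and new response files by key name only.
# Assumption: one "key=value" parameter per line; adjust parse_resp() otherwise.

# Password keys listed in this tip; %decrypt_passwd is handled separately.
ROTATABLE = {
    "%truth.lcrepPwd", "%truth.truthPwd", "%truth.twistPwd", "%truth.aaaPwd",
    "%truth.pubViewsPwd", "%truth.vaultPwd", "%truth.oaPwd", "%truth.spinPwd",
    "%truth.gcPwd", "%twist.integration.passwd", "%twist.buildmgr.passwd",
    "%truth.detuserpwd",
}
DECRYPT_KEY = "%decrypt_passwd"  # changed via Core Recertification, not this tool


def parse_resp(text):
    """Return {key: value}; skips blank lines, '#' comments, lines without '='."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def review_changes(old_text, new_text):
    """Classify every key whose value differs; values are never returned."""
    old, new = parse_resp(old_text), parse_resp(new_text)
    changed = sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))
    return {
        "rotated": [k for k in changed if k in ROTATABLE],
        "not_rotated": sorted(ROTATABLE - set(changed)),
        "decrypt_changed": DECRYPT_KEY in changed,
        "unexpected": [k for k in changed if k not in ROTATABLE and k != DECRYPT_KEY],
    }


# Constructed sample input (not real response files or real passwords).
OLD_RESP = ("%truth.twistPwd=old-twist\n%truth.vaultPwd=old-vault\n"
            "%decrypt_passwd=old-decrypt\n%example.setting=a\n")
NEW_RESP = ("%truth.twistPwd=new-twist\n%truth.vaultPwd=old-vault\n"
            "%decrypt_passwd=new-decrypt\n%example.setting=b\n")

if __name__ == "__main__":
    for name, result in review_changes(OLD_RESP, NEW_RESP).items():
        print(name, result)
```

A true "decrypt_changed" or a non-empty "unexpected" list means the edited copy differs from the running system in ways the generated scripts will not apply.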

To generate the change scripts, supply the configuration (response) file that represents the running SA system and the response file that has been edited to reflect the required password changes.

passwdChanger --verify "resp.2015-02-10.06:22:05" --build newresp


This will output the following scripts

* aaaChanges.py
* oracleChanges.py
* fileChanges.py


OUTPUT SCRIPTS

The generated scripts may be executed multiple times, in the event of a failure that requires it, without causing any additional problem.

aaaChanges.py

Updates the SA user passwords for the users detuser and buildmgr. This makes database table row changes. In a mesh environment the changes propagate to the other cores via vault replication transactions. Consequently, it only needs to be executed once.

Usage: ./aaaChanges.py [change]

oracleChanges.py

Changes the Oracle user account passwords for the following users: twist, vault, spin, truth, gcadmin, aaa, lcrep, opsware_public_views and opsware_admin. It can be executed in three different modes depending on the mesh configuration.

Usage: ./oracleChanges.py [core|mesh|scripts]

core

Change the Oracle user account passwords on the truth database that services the current core.

mesh

For a multi-core system where all the Oracle passwords are identical across the mesh. This can be used instead of executing the script multiple times at different facilities with the "core" option.

script

If DBA privileges have been removed from the opsware_admin user, preventing the use of the "core" or "mesh" options, an SQL script can be created to be executed by an Oracle DBA using a "sysdba" account.

fileChanges.py

This script changes all crypto files that are present on each slice. It must be copied and executed on each slice.

Usage: ./fileChanges.py [slice]


SAMPLE RUN

Verify that the response file that is going to be updated with new password material matches the installed system.

# ./passwdChanger --verify resp
Validate %truth.detuserpwd in file twist/detuserpwd [OK]
Validate %truth.detuserpwd in file da/detuser.passwd [OK]
Validate %truth.detuserpwd in file hub/twist.pwd [OK]
Validate %truth.detuserpwd in file apxproxy/twist.pwd [OK]
Validate %truth.twistPwd in file da/twist.passwd [OK]
Validate %truth.vaultPwd in file vault/vault.pwd [OK]
Validate %twist.buildmgr.passwd in file buildmgr/twist.passwd [OK]
Validate %twist.buildmgr.passwd in file occ/twist.passwd [OK]
Validate %truth.spinPwd used in /etc/opt/opsware/spin/spin.args [OK]
Validate %truth.twistPwd in file .../CP-TruthPool-jdbc.xml [OK]
Validate %truth.twistPwd for Oracle user twist [OK]
Validate %truth.vaultPwd for Oracle user vault [OK]
Validate %truth.spinPwd for Oracle user spin [OK]
Validate %truth.truthPwd for Oracle user truth [OK]
Validate %truth.gcPwd for Oracle user gcadmin [OK]
Validate %truth.aaaPwd for Oracle user aaa [OK]
Validate %truth.lcrepPwd for Oracle user lcrep [OK]
Validate %truth.pubViewsPwd for Oracle user opsware_public_views [OK]
Validate %truth.oaPwd for Oracle user opsware_admin [OK]
Validate %truth.detuserpwd for SA user detuser [OK]
Validate %twist.buildmgr.passwd for SA user buildmgr [OK]

A copy of the file "resp" has been made to "newresp" and the passwords have been updated. Running the script with the old and new password files will generate CORE/MESH password change scripts. Additionally, the passwords in the file "newresp" are validated for length and character usage compliance.

# ./passwdChanger.py --verify resp --build newresp
Validate %truth.detuserpwd for OI password requirements [OK]
Validate %truth.twistPwd for OI password requirements [OK]
Validate %truth.vaultPwd for OI password requirements [OK]
Validate %twist.buildmgr.passwd for OI password requirements [OK]
Validate %truth.spinPwd for OI password requirements [OK]
Validate %truth.twistPwd for Oracle password requirements [OK]
Validate %truth.vaultPwd for Oracle password requirements [OK]
Validate %truth.spinPwd for Oracle password requirements [OK]
Validate %truth.truthPwd for Oracle password requirements [OK]
Validate %truth.gcPwd for Oracle password requirements [OK]
Validate %truth.aaaPwd for Oracle password requirements [OK]
Validate %truth.lcrepPwd for Oracle password requirements [OK]
Validate %truth.pubViewsPwd for Oracle password requirements [OK]
Validate %truth.oaPwd for Oracle password requirements [OK]
Validate %truth.detuserpwd for OI password requirements [OK]
Validate %twist.buildmgr.passwd for OI password requirements [OK]
Changing %truth.detuserpwd in file twist/detuserpwd
Changing %truth.detuserpwd in file da/detuser.passwd
Changing %truth.detuserpwd in file hub/twist.pwd
Changing %truth.detuserpwd in file apxproxy/twist.pwd
Changing %truth.twistPwd in file da/twist.passwd
Changing %truth.vaultPwd in file vault/vault.pwd
Changing %twist.buildmgr.passwd in file buildmgr/twist.passwd
Changing %twist.buildmgr.passwd in file occ/twist.passwd
Changing %truth.spinPwd used in /etc/opt/opsware/spin/spin.args
Changing %truth.twistPwd in file .../CP-TruthPool-jdbc.xml
Wrote: fileChanges.py
Changing %truth.twistPwd for Oracle user twist
Changing %truth.vaultPwd for Oracle user vault
Changing %truth.spinPwd for Oracle user spin
Changing %truth.truthPwd for Oracle user truth
Changing %truth.gcPwd for Oracle user gcadmin
Changing %truth.aaaPwd for Oracle user aaa
Changing %truth.lcrepPwd for Oracle user lcrep
Changing %truth.pubViewsPwd for Oracle user opsware_public_views
Changing %truth.oaPwd for Oracle user opsware_admin
Wrote: oracleChanges.py
Changing %truth.detuserpwd in DA Oracle table
Changing %truth.detuserpwd for SA user detuser
Changing %twist.buildmgr.passwd for SA user buildmgr
Wrote: aaaChanges.py

Change AAA users

# ./aaaChanges.py change
Changing DA Password
Changing User detuser
Changing User buildmgr

Change all Oracle users

# ./oracleChanges.py core
Database @ truth.CYAN
Changing twist
Changing opsware_public_views
Changing aaa
Changing lcrep
Changing truth
Changing vault
Changing gcadmin
Changing spin
Changing opsware_admin

Change all crypto files (run on each SLICE)

# ./fileChanges.py slice
Updating /var/opt/opsware/crypto/twist/detuserpwd
Updating /var/opt/opsware/crypto/da/detuser.passwd
Updating /var/opt/opsware/crypto/hub/twist.pwd
Updating /var/opt/opsware/crypto/apxproxy/twist.pwd
Updating /var/opt/opsware/crypto/da/twist.passwd
Updating /var/opt/opsware/crypto/vault/vault.pwd
Updating /var/opt/opsware/crypto/buildmgr/twist.passwd
Updating /var/opt/opsware/crypto/occ/twist.passwd
Updating /etc/opt/opsware/spin/spin.args
Updating /var/opt/opsware/twist/config/jdbc/CP-TruthPool-jdbc.xml

Restart all SA components - and you are done.

# service opsware-sas restart

Micro Focus Customer Support
