Issue Resolution Core operator secret usage

Find out about the secure operation of the Issue Resolution Core operator.

Secrets owned by the Issue Resolution Core operator

The Issue Resolution Core operator's secrets are created automatically when IBM Cloud Pak® for AIOps is installed. Alternatively, you can manually create some or all of these secrets before IBM Cloud Pak for AIOps is installed, with values of your own choosing. If these secrets exist before IBM Cloud Pak for AIOps is installed, then they are not modified (although new properties might be added).

The following table describes the secrets that the Issue Resolution Core operator owns. These secrets contain credentials, encryption keys, and other sensitive values. Some values can be changed after installation; doing so might require restarting the pods that have access to the secret, or running additional steps. Details are provided in the table.

Table 1. Secrets that belong to the Issue Resolution Core operator

Each entry lists a secret and its properties as "property (type): purpose", followed by the rotation procedure and, where one applies, an example command.

aiops-ir-core-cem-users-secret
  clientid (hex15): OAuth client ID
    Rotation: Change the secret. aiops-akora-ui, aiops-ir-core-cem-users, aiops-ir-core-esarchiving, aiops-ir-core-ncodl-api, aiops-ir-core-rba-rbs and aiops-ir-core-usercfg will restart automatically.
    Example: oc set data secret aiops-ir-core-cem-users-secret --from-literal=clientid=$(openssl rand -hex 15)
  clientsecret (hex15): OAuth client secret
    Rotation: Change the secret. aiops-akora-ui, aiops-ir-core-cem-users, aiops-ir-core-esarchiving, aiops-ir-core-ncodl-api, aiops-ir-core-rba-rbs and aiops-ir-core-usercfg will restart automatically.
    Example: oc set data secret aiops-ir-core-cem-users-secret --from-literal=clientsecret=$(openssl rand -hex 15)
  oidcclientid (hex15): Not used in AIOps
    Rotation: This secret can be changed without effect.
  oidcclientsecret (hex15): Not used in AIOps
    Rotation: This secret can be changed without effect.
  password (hex15): Basic auth for https://aiops-ir-core-cem-users:6002
    Rotation: Change the secret. aiops-akora-ui, aiops-ir-core-cem-users, aiops-ir-core-esarchiving, aiops-ir-core-ncodl-api, aiops-ir-core-rba-rbs and aiops-ir-core-usercfg will restart automatically.
    Example: oc set data secret aiops-ir-core-cem-users-secret --from-literal=password=$(openssl rand -hex 15)
  username (hex15): Basic auth for https://aiops-ir-core-cem-users:6002
    Rotation: Change the secret. aiops-akora-ui, aiops-ir-core-cem-users, aiops-ir-core-esarchiving, aiops-ir-core-ncodl-api, aiops-ir-core-rba-rbs and aiops-ir-core-usercfg will restart automatically.
    Example: oc set data secret aiops-ir-core-cem-users-secret --from-literal=username=$(openssl rand -hex 15)

aiops-ir-core-couchdb
  admin_password (hex15): Basic auth for https://aiops-ir-core-couchdb-api
    Rotation: Change the secret and restart c-example-couchdbcluster-m.
    Example: oc set data secret aiops-ir-core-couchdb --from-literal=admin_password=$(openssl rand -hex 15) && oc delete pod -l app.kubernetes.io/component=couchdb
  couchdb_auth_secret (hex15): Internal CouchDB use
    Rotation: Change the secret and restart c-example-couchdbcluster-m.
    Example: oc set data secret aiops-ir-core-couchdb --from-literal=couchdb_auth_secret=$(openssl rand -hex 15) && oc delete pod -l app.kubernetes.io/component=couchdb
  csrf_secret (hex15): Internal CouchDB use
    Rotation: Change the secret and restart c-example-couchdbcluster-m.
    Example: oc set data secret aiops-ir-core-couchdb --from-literal=csrf_secret=$(openssl rand -hex 15) && oc delete pod -l app.kubernetes.io/component=couchdb
  erlang_cookie (hex15): Internal CouchDB use
    Rotation: Change the secret and restart c-example-couchdbcluster-m.
    Example: oc set data secret aiops-ir-core-couchdb --from-literal=erlang_cookie=$(openssl rand -hex 15) && oc delete pod -l app.kubernetes.io/component=couchdb
  ibm_password (hex15): Internal CouchDB use
    Rotation: Change the secret and restart c-example-couchdbcluster-m.
    Example: oc set data secret aiops-ir-core-couchdb --from-literal=ibm_password=$(openssl rand -hex 15) && oc delete pod -l app.kubernetes.io/component=couchdb

aiops-ir-core-model-secret
  hkeyname (ts): Identifier for the hkeyvalue value
    Rotation: See Key rotation.
  hkeyvalue (hex16): HMAC key for sensitive data in CouchDB
    Rotation: See Key rotation.
  oldhkeys (hex16): Previous HMAC keys for sensitive data in CouchDB
    Rotation: See Key rotation.
  keyname (ts): Identifier for the keyvalue value
    Rotation: See Key rotation.
  keyvalue (hex32): Encryption key for sensitive data in CouchDB
    Rotation: See Key rotation.
  oldkeys (hex32): Previous encryption keys for sensitive data in CouchDB
    Rotation: See Key rotation.

aiops-ir-core-ncodl-api-secret
  password (hex15): Basic auth for https://aiops-ir-core-ncodl-api:10011
    Rotation: Change the secret.
      - Restart cp4waiops-metricsprocessor.
      - aiops-ir-core-ncodl-api restarts automatically.
    Example: oc set data secret aiops-ir-core-ncodl-api-secret --from-literal=password=$(openssl rand -hex 15) && oc delete pod -l connector.aiops.ibm.com/name=cp4waiops-metricsprocessor
  username (hex15): Basic auth for https://aiops-ir-core-ncodl-api:10011
    Rotation: Change the secret.
      - Restart cp4waiops-metricsprocessor.
      - aiops-ir-core-ncodl-api restarts automatically.
    Example: oc set data secret aiops-ir-core-ncodl-api-secret --from-literal=username=$(openssl rand -hex 15) && oc delete pod -l connector.aiops.ibm.com/name=cp4waiops-metricsprocessor

aiops-ir-core-ncodl-std-secret
  password (hex15): Basic auth for https://aiops-ir-core-ncodl-std:10011
    Rotation: Change the secret.
      - Restart aimanager-aio-ai-platform-api-server, aimanager-aio-change-risk, aimanager-aio-chatops-orchestrator, aimanager-aio-chatops-slack-integrator, aimanager-aio-chatops-teams-integrator, aimanager-aio-controller, aimanager-aio-cr-api, aimanager-aio-log-anomaly-detector, aimanager-aio-log-anomaly-feedback-learning, aimanager-aio-oob-recommended-actions, aimanager-aio-similar-incidents-service.
      - aiops-ir-analytics-probablecause, aiops-ir-core-api, aiops-ir-core-ncodl-api, aiops-ir-core-ncodl-if, aiops-ir-core-ncodl-jobmgr, aiops-ir-core-ncodl-std, and aiops-ir-core-rba-as restart automatically.
    Example: oc set data secret aiops-ir-core-ncodl-std-secret --from-literal=password=$(openssl rand -hex 15) && oc delete pod -l app.kubernetes.io/component=ai-platform-api-server && oc delete pod -l app.kubernetes.io/component=change-risk && oc delete pod -l app.kubernetes.io/component=chatops-orchestrator && oc delete pod -l app.kubernetes.io/component=chatops-slack-integrator && oc delete pod -l app.kubernetes.io/component=chatops-teams-integrator && oc delete pod -l app.kubernetes.io/component=controller,app.kubernetes.io/name=aio && oc delete pod -l app.kubernetes.io/component=cr-api && oc delete pod -l app.kubernetes.io/component=log-anomaly-detector && oc delete pod -l app.kubernetes.io/component=log-anomaly-feedback-learning && oc delete pod -l app.kubernetes.io/component=oob-recommended-actions && oc delete pod -l app.kubernetes.io/component=similar-incidents-service
  username (fixed): Basic auth for https://aiops-ir-core-ncodl-std:10011
    Rotation: The username is system. Do not change it; it is included for future flexibility.

aiops-ir-core-omni-secret
  OMNIBUS_PROBE_PASSWORD (hex15): Probe password for ObjectServer
    Rotation: See ObjectServer passwords.
  OMNIBUS_ROOT_PASSWORD (hex15): Root password for ObjectServer
    Rotation: See ObjectServer passwords.

aiops-ir-core-postgresql
  caCertificate (x509): Root CA certificate for PostgreSQL
    Rotation: This value must be copied from <instance>-edb-secret.
  dbname (fixed): Name of event database in PostgreSQL
    Rotation: The database name is aiops_irb and must not be changed; it is included for future flexibility.
  host (hostname): Service name of PostgreSQL cluster
    Rotation: This value must be copied from <instance>-edb-secret.
  password (hex15): Password for PostgreSQL event runtime user
    Rotation: Change the secret.
      - aiops-ir-core-ncodl-jobmgr and aiops-ir-core-ncodl-std restart automatically.
    Example: oc set data secret aiops-ir-core-postgresql --from-literal=password=$(openssl rand -hex 15)
  port (port): Port for PostgreSQL cluster service
    Rotation: This value must be copied from <instance>-edb-secret.
  schema (fixed): Name of event schema in PostgreSQL
    Rotation: The schema name is aiops_irb and must not be changed; it is included for future flexibility.
  username (fixed): Name of PostgreSQL event runtime user
    Rotation: The username is aiops_irb and must not be changed; it is included for future flexibility.

aiops-ir-core-postgresql-admin
  caCertificate (x509): Root CA certificate for PostgreSQL
    Rotation: This value must be copied from <instance>-edb-secret.
  dbname (fixed): Name of event database in PostgreSQL
    Rotation: The database name is aiops_irb and must not be changed; it is included for future flexibility.
  host (hostname): Service name of PostgreSQL cluster
    Rotation: This value must be copied from <instance>-edb-secret.
  password (hex15): Password for PostgreSQL event admin user
    Rotation: Change the secret. No pod restarts are required.
    Example: oc set data secret aiops-ir-core-postgresql-admin --from-literal=password=$(openssl rand -hex 15)
  port (port): Port for PostgreSQL cluster service
    Rotation: This value must be copied from <instance>-edb-secret.
  schema (fixed): Name of event schema in PostgreSQL
    Rotation: The schema name is aiops_irb and must not be changed; it is included for future flexibility.
  username (fixed): Name of PostgreSQL event admin user
    Rotation: The username is aiops_irb_admin and must not be changed; it is included for future flexibility.

aiops-ir-core-postgresql-uc
  caCertificate (x509): Root CA certificate for PostgreSQL
    Rotation: This value must be copied from <instance>-edb-secret.
  dbname (fixed): Name of event database in PostgreSQL
    Rotation: The database name is aiops_irbuc and must not be changed; it is included for future flexibility.
  host (hostname): Service name of PostgreSQL cluster
    Rotation: This value must be copied from <instance>-edb-secret.
  password (hex15): Password for PostgreSQL event runtime user
    Rotation: Change the secret.
      - aiops-ir-core-usercfg restarts automatically.
    Example: oc set data secret aiops-ir-core-postgresql-uc --from-literal=password=$(openssl rand -hex 15)
  port (port): Port for PostgreSQL cluster service
    Rotation: This value must be copied from <instance>-edb-secret.
  schema (fixed): Name of event schema in PostgreSQL
    Rotation: The schema name is aiops_irbuc and must not be changed; it is included for future flexibility.
  username (fixed): Name of PostgreSQL event runtime user
    Rotation: The username is aiops_irbuc and must not be changed; it is included for future flexibility.

aiops-ir-core-postgresql-uc-admin
  caCertificate (x509): Root CA certificate for PostgreSQL
    Rotation: This value must be copied from <instance>-edb-secret.
  dbname (fixed): Name of event database in PostgreSQL
    Rotation: The database name is aiops_irbuc and must not be changed; it is included for future flexibility.
  host (hostname): Service name of PostgreSQL cluster
    Rotation: This value must be copied from <instance>-edb-secret.
  password (hex15): Password for PostgreSQL event admin user
    Rotation: Change the secret. No pod restarts are required.
    Example: oc set data secret aiops-ir-core-postgresql-uc-admin --from-literal=password=$(openssl rand -hex 15)
  port (port): Port for PostgreSQL cluster service
    Rotation: This value must be copied from <instance>-edb-secret.
  schema (fixed): Name of event schema in PostgreSQL
    Rotation: The schema name is aiops_irbuc and must not be changed; it is included for future flexibility.
  username (fixed): Name of PostgreSQL event admin user
    Rotation: The username is aiops_irbuc_admin and must not be changed; it is included for future flexibility.

aiops-ir-core-rba-devops-secret
  password (hex15): Basic auth for https://aiops-ir-core-rba-as:3080 and https://aiops-ir-core-rba-rbs:3005
    Rotation: Change the secret.
      - Restart cp4waiops-metricsprocessor.
      - aiops-ir-core-rba-as and aiops-ir-core-rba-rbs restart automatically.
    Example: oc set data secret aiops-ir-core-rba-devops-secret --from-literal=password=$(openssl rand -hex 15) && oc delete pod -l connector.aiops.ibm.com/name=cp4waiops-metricsprocessor
  username (hex15): Basic auth for https://aiops-ir-core-rba-as:3080 and https://aiops-ir-core-rba-rbs:3005
    Rotation: Change the secret.
      - Restart cp4waiops-metricsprocessor.
      - aiops-ir-core-rba-as and aiops-ir-core-rba-rbs restart automatically.
    Example: oc set data secret aiops-ir-core-rba-devops-secret --from-literal=username=$(openssl rand -hex 15) && oc delete pod -l connector.aiops.ibm.com/name=cp4waiops-metricsprocessor

aiops-ir-core-rba-jwt-secret
  secret (hex15): Key used to sign runbook JSON Web Tokens
    Rotation: Change the secret.
      - Restart aiops-akora-ui, aiops-ir-core-rba-as, aiops-ir-core-rba-rbs, connector-orchestrator.
    Example: oc set data secret aiops-ir-core-rba-jwt-secret --from-literal=secret=$(openssl rand -hex 15) && oc delete pod -l app.kubernetes.io/component=aiops-aiops-akora-ui && oc delete pod -l app.kubernetes.io/component=rba-as && oc delete pod -l app.kubernetes.io/component=rba-rbs && oc delete pod -l app=connector-orchestrator

aiops-ir-core-usercfg-creds
  password (hex15): Basic auth for https://aiops-ir-core-usercfg:10011
    Rotation: Change the secret. aiops-ir-core-ncodl-api and aiops-ir-core-usercfg will restart automatically.
    Example: oc set data secret aiops-ir-core-usercfg-creds --from-literal=password=$(openssl rand -hex 15)
  username (hex15): Basic auth for https://aiops-ir-core-usercfg:10011
    Rotation: Change the secret. aiops-ir-core-ncodl-api and aiops-ir-core-usercfg will restart automatically.
    Example: oc set data secret aiops-ir-core-usercfg-creds --from-literal=username=$(openssl rand -hex 15)

Where <instance> is the name of your IBM Cloud Pak for AIOps instance, for example ibm-cp-aiops.

The Type shown for each property in the table has one of the following values:

  • hex15, hex16, hex32 - a 15-, 16-, or 32-byte number encoded in hexadecimal (30, 32, or 64 hex digits).
  • ts - a timestamp value that is used as an identifier for another value. The timestamp itself is not significant and alternative strings can be used; some restrictions on the characters might exist, so ASCII alphanumeric characters are recommended.
  • fixed - do not change this value. The value is included in a secret for future flexibility.
  • x509 - an X.509 certificate.
  • hostname - the DNS hostname of a service.
  • port - a TCP port number.

Secrets that are used by the Issue Resolution Core operator

The following table describes secrets that are owned by another operator but that are used by the Issue Resolution Core operator. The table shows the Issue Resolution Core components that need to be restarted if these secrets are rotated.

Table 2. Secrets that are used by the Issue Resolution Core operator

Each entry lists the secret, its owner, its purpose, and the Issue Resolution Core components that are restarted automatically when it is rotated.

aiops-topology-cassandra-auth-secret (owner: asm-operator): Cassandra contact details
  Automatically restarted: aiops-ir-core-archiving, aiops-ir-core-esarchiving
<instance>-couchdb-secret (owner: ibm-aiops-orchestrator): CouchDB contact details
  Automatically restarted: aiops-ir-core-cem-users, aiops-ir-core-rba-as, aiops-ir-core-rba-rbs
<instance>-es-admin-user-connection-secret (owner: ibm-aiops-orchestrator): Elasticsearch contact details
  Automatically restarted: aiops-ir-core-datarouting, aiops-ir-core-ncodl-api
<instance>-kafka-secret (owner: ibm-aiops-orchestrator): Kafka contact details
  Automatically restarted: aiops-ir-core-api, aiops-ir-core-archiving, aiops-ir-core-datarouting, aiops-ir-core-esarchiving, aiops-ir-core-ncodl-if, aiops-ir-core-ncodl-jobmgr, aiops-ir-core-ncodl-std, aiops-ir-core-rba-rbs
<instance>-redis-secret (owner: ibm-aiops-orchestrator): Redis contact details
  Automatically restarted: aiops-ir-core-cem-users, aiops-ir-core-esarchiving, aiops-ir-core-rba-rbs
internal-nginx-svc-tls (owner: ibm-zen-operator): Trusted CA for Zen
  Automatically restarted: aiops-ir-core-cem-users
internal-tls (owner: ibm-zen-operator): Trusted CA for Zen
  Automatically restarted: aiops-ir-core-cem-users
zen-service-broker-secret (owner: ibm-zen-operator): Token for accessing Zen API
  Automatically restarted: aiops-ir-core-cem-users

Where <instance> is the name of your IBM Cloud Pak for AIOps instance, for example ibm-cp-aiops.

Key rotation

Warning: The secret aiops-ir-core-model-secret contains an encryption key and an HMAC key that are used to protect sensitive data stored in CouchDB. Take care when rotating these keys: data that is protected with previous keys cannot be recovered if those keys are lost.

Replacement values for keyvalue must be 16 bytes and in hexadecimal format (32 digits). Replacement values for hkeyvalue must be 32 bytes and in hexadecimal format (64 digits).

Each key has an associated identifier. Encrypted data is stored along with the identifier of the key that was used to protect it, so the identifier must be changed when, and only when, the key is changed. When the operator creates a new key, it uses the current time as the identifier (for example 2022-06-13T10:58:10Z). This is a convention; other string formats can be used, although some restrictions on the characters might exist, so ASCII alphanumeric characters are recommended.

When rotating keys, all old (key, identifier) pairs must be stored in the oldhkeys and oldkeys properties so that data protected with the old keys remains usable. The current key is always used when data is stored or modified. The following examples show the use of the old keys' properties.

  1. Secret created by the operator.

    {
      "hkeyname": "2022-06-13T10:58:10Z",
      "hkeyvalue": "2905c99e41fd6594de9e8632382da185eec94cea545cbd96082552274a454d2b",
      "keyname": "2022-06-13T10:58:10Z",
      "keyvalue": "5cc068f45904c0ff998213941684790e"
    }
    

  2. Secret after the first rotation.

    The identifiers myfirsthkey and myfirstkey were used. Time-based identifiers could have been used instead.

    {
      "hkeyname": "myfirsthkey",
      "hkeyvalue": "7539eb64abdae09a500659ca0593140babd00046b175c3a83e3ed28f8d79daca",
      "oldhkeys": "{\"keys\":[{\"name\":\"2022-06-13T10:58:10Z\",\"value\":\"2905c99e41fd6594de9e8632382da185eec94cea545cbd96082552274a454d2b\"}]}",
      "keyname": "myfirstkey",
      "keyvalue": "211812c9750778c0175bca4a11cc1e3b",
      "oldkeys": "{\"keys\":[{\"name\":\"2022-06-13T10:58:10Z\",\"value\":\"5cc068f45904c0ff998213941684790e\"}]}"
    }
    

  3. Secret after the second rotation.

    The identifiers mysecondhkey and mysecondkey were used. Time-based identifiers could have been used instead.

    {
      "hkeyname": "mysecondhkey",
      "hkeyvalue": "07a290a68d6ff7eb45b7febbfd8c5079da5ee40c068f2e1bb87293c22c39b712",
      "oldhkeys": "{\"keys\":[{\"name\":\"2022-06-13T10:58:10Z\",\"value\":\"2905c99e41fd6594de9e8632382da185eec94cea545cbd96082552274a454d2b\"},{\"name\":\"myfirsthkey\",\"value\":\"7539eb64abdae09a500659ca0593140babd00046b175c3a83e3ed28f8d79daca\"}]}",
      "keyname": "mysecondkey",
      "keyvalue": "f01b36adba59c50841a1444cee8eb09e",
      "oldkeys": "{\"keys\":[{\"name\":\"2022-06-13T10:58:10Z\",\"value\":\"5cc068f45904c0ff998213941684790e\"},{\"name\":\"myfirstkey\",\"value\":\"211812c9750778c0175bca4a11cc1e3b\"}]}"
    }
    

    If the oldhkeys and oldkeys properties exist, they must hold the JSON representation of an object with a single property (the name does not matter; these examples use keys) whose value is an array of objects. Each of the inner objects has a name property and a value property holding the identifier and value of a previous key.

    After the secret has been updated, restart aiops-ir-core-rba-as and aiops-ir-core-rba-rbs:

    oc delete pod -l app.kubernetes.io/component=rba-as && oc delete pod -l app.kubernetes.io/component=rba-rbs
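
As an added example that is not part of IBM Cloud Pak for AIOps, the following Python script applies the rules of this section to the decoded contents of aiops-ir-core-model-secret: it retires the current (identifier, key) pairs into oldkeys and oldhkeys, checks the size of each replacement key and the uniqueness of each new identifier, and prints a JSON merge patch for oc patch. The file name rotate_model_secret.py and the use of stringData in the patch are the example's own choices.

```python
"""Rotate the keys in aiops-ir-core-model-secret (added example, not IBM tooling).
Rules from the Key rotation section: keyvalue is 16 bytes (32 hex digits), hkeyvalue
is 32 bytes (64 hex digits), the identifier changes with the key, and every retired
(identifier, key) pair is kept in the oldkeys/oldhkeys properties."""
import base64
import json
import re
import secrets
import sys
from datetime import datetime, timezone

KEY_BYTES = 16   # keyvalue:  16 bytes = 32 hex digits
HKEY_BYTES = 32  # hkeyvalue: 32 bytes = 64 hex digits

# Secret as created by the operator, copied from the page's first example.
PAGE_EXAMPLE = {
    "hkeyname": "2022-06-13T10:58:10Z",
    "hkeyvalue": "2905c99e41fd6594de9e8632382da185eec94cea545cbd96082552274a454d2b",
    "keyname": "2022-06-13T10:58:10Z",
    "keyvalue": "5cc068f45904c0ff998213941684790e",
}

def check_hex(value, nbytes, prop):
    """Reject a replacement key with the wrong length or non-hex characters."""
    if not re.fullmatch(rf"[0-9a-fA-F]{{{2 * nbytes}}}", value):
        raise ValueError(f"{prop} must be {nbytes} bytes as {2 * nbytes} hex digits")

def push_old(history, name, value, new_name):
    """Append the retiring (identifier, key) pair to an oldkeys/oldhkeys string: a JSON
    object with one property of any name ("keys" if started here) holding an array.
    Refuses a new identifier that is already in use, since data is looked up by it."""
    obj = json.loads(history) if history else {"keys": []}
    (prop, entries), = obj.items()
    entries.append({"name": name, "value": value})
    if new_name in {e["name"] for e in entries}:
        raise ValueError(f"identifier {new_name!r} is already in use")
    return json.dumps({prop: entries}, separators=(",", ":"))

def rotate(data, key_id=None, hkey_id=None, new_key=None, new_hkey=None):
    """Return rotated secret data as plain strings; the input dict is left unchanged.
    Identifiers default to the current UTC time (the operator's convention), keys to
    fresh random values of the required size."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    key_id, hkey_id = key_id or now, hkey_id or now
    new_key = new_key or secrets.token_hex(KEY_BYTES)
    new_hkey = new_hkey or secrets.token_hex(HKEY_BYTES)
    check_hex(new_key, KEY_BYTES, "keyvalue")
    check_hex(new_hkey, HKEY_BYTES, "hkeyvalue")
    out = dict(data)
    # The current pair is retired into the history; the identifier must change with the key.
    out["oldkeys"] = push_old(data.get("oldkeys"), data["keyname"], data["keyvalue"], key_id)
    out["oldhkeys"] = push_old(data.get("oldhkeys"), data["hkeyname"], data["hkeyvalue"], hkey_id)
    out.update(keyname=key_id, keyvalue=new_key, hkeyname=hkey_id, hkeyvalue=new_hkey)
    return out

def decode_secret(secret):
    """Base64-decode the .data map of a Secret as printed by `oc get secret -o json`."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}

def merge_patch(data):
    """Body for `oc patch secret aiops-ir-core-model-secret --type merge -p '...'`."""
    return json.dumps({"stringData": data})

if __name__ == "__main__":
    # usage: oc get secret aiops-ir-core-model-secret -o json | python3 rotate_model_secret.py
    # With nothing piped in, PAGE_EXAMPLE is rotated as a demonstration.
    current = PAGE_EXAMPLE if sys.stdin.isatty() else decode_secret(json.load(sys.stdin))
    print(merge_patch(rotate(current)))
```

Reproducing the two rotations shown above with the same identifiers and key values yields exactly the oldkeys and oldhkeys strings in examples 2 and 3.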
    

ObjectServer passwords

Use the following steps to change the ObjectServer password. Ensure that you retain a copy of the original password until these steps are complete.

  1. Run the following commands to obtain the current passwords from the aiops-ir-core-omni-secret secret.

    For example:

    oc get secret aiops-ir-core-omni-secret -o json | jq -r '.data.OMNIBUS_PROBE_PASSWORD|@base64d'
    oc get secret aiops-ir-core-omni-secret -o json | jq -r '.data.OMNIBUS_ROOT_PASSWORD|@base64d'
    
  2. Open a session on the primary ObjectServer pod.

    oc rsh aiops-ir-core-ncoprimary-0
    
  3. Log in to the OMNIbus query tool nco_sql, and supply the root password when prompted.

    $NCHOME/omnibus/bin/nco_sql -u root -s AGG_P_C
    
  4. If you want to change the root password, enter the following command.

    alter user 'root' set password '<NEWPASSWORD>';
    go
    

    Where <NEWPASSWORD> is the password that you want to set.

  5. If you also want to change the probe password, enter the following command.

    alter user 'probe' set password '<PROBE_PASSWORD>';
    go
    

    Where <PROBE_PASSWORD> is the password that you want to set.

  6. Test the new root password by entering quit to leave the SQL prompt, and then log in again and supply the new root password when prompted.

    $NCHOME/omnibus/bin/nco_sql -u root -s AGG_P_C
    
  7. Exit the oc rsh session.

  8. Wait for 60 seconds to ensure that the password updates have been transferred to the backup ObjectServer.

  9. Remote shell into the backup ObjectServer, and test the new root password.

    oc rsh -c objserv aiops-ir-core-ncobackup-0
    
  10. Log in to the OMNIbus query tool nco_sql, and supply the root password when prompted.

    $NCHOME/omnibus/bin/nco_sql -u root -s AGG_B_C
    
  11. Exit the oc rsh session.

  12. Update the aiops-ir-core-omni-secret with one or more new passwords.

    For example,

    oc set data secret aiops-ir-core-omni-secret --from-literal=OMNIBUS_PROBE_PASSWORD=<PROBE_PASSWORD>
    oc set data secret aiops-ir-core-omni-secret --from-literal=OMNIBUS_ROOT_PASSWORD=<NEWPASSWORD>
    

    Where

    • <NEWPASSWORD> is the new root password
    • <PROBE_PASSWORD> is the new probe password
  13. If you changed the root password, run the following command to restart aiops-ir-core-ncodl-if.

    oc delete pod -l app.kubernetes.io/component=ncodl-if