Changing the Cloud Pak administrator access credentials

You can update the administrator username and password.

Note: cpadmin is the default admin user name.

Before you begin

Supported languages

You can change the default administrator username cpadmin to a custom username. The username can be in the following languages:

Table 1. Supported languages
Language Language code
Brazilian Portuguese pt_br
English en
French fr
German de
Italian it
Japanese ja
Korean ko
Chinese Simplified zh_CN
Chinese Traditional zh_TW
Spanish es

Changing the administrator username

Complete the following steps to rename a default admin user in Platform UI:

  1. Review the current admin and password.

     oc -n <your-foundational-services-namespace> get secret platform-auth-idp-credentials -o yaml | grep admin |xargs -l  bash -c 'echo -n "$0  " ; echo "$1" | base64 -d && echo'
    

    The sample output:

     admin_password:  IRXkjnsZg8nUUK8S2BBVFJeIOW0wVrhD
     admin_username:  cpadmin
    
  2. Get the access token. For more information, see Preparing to run API commands.

  3. Run the following CURL command to update default admin username:

     curl -X PUT 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idmgmt/identity/api/v1/users/defaultAdmin' \
         --header 'Content-Type: application/json' \
         --header 'Accept: application/json' \
         --header "Authorization: Bearer $ACCESS_TOKEN" \
         -d "{\"username\": \"${new_admin_username}\"}" \
         --insecure
    
  4. Restart the platform-identity-provider and platform-auth-service pods by deleting them.

    1. Get the platform-identity-provider pod name and platform-auth-service pod name .

      oc get pods -n <your-foundational-services-namespace> | grep platform-identity-provider
      
      oc get pods -n <your-foundational-services-namespace> | grep platform-auth-service
      
  1. Delete the platform-identity-provider pod and platform-auth-service pod.

    oc delete pod <platform-identity-management-pod-name> -n <your-foundational-services-namespace>
    
    oc delete pod <platform-auth-service-pod-name> -n <your-foundational-services-namespace>
    
  1. After the pods restart, login to cp-console to test whether the default username has changed.

    oc get routes -n <your-foundational-services-namespace> |grep -i cp-console
    

Changing the administrator password

The administrator password is stored in a Kubernetes Secret.

Complete the following steps to change the administrator password in Platform UI:

  1. Review the current admin and password.

     oc -n <your-foundational-services-namespace> get secret platform-auth-idp-credentials -o yaml | grep admin |xargs -l  bash -c 'echo -n "$0  " ; echo "$1" | base64 -d && echo'
    

    The sample output:

     admin_password:  IRXkjnsZg8nUUK8S2BBVFJeIOW0wVrhD
     admin_username:  admin
    
  2. Update the admin_password field in the platform-auth-idp-credentials secret with the new password.

    • In the namespace where foundational services is installed, edit the platform-auth-idp-credentials secret:

      oc edit secret platform-auth-idp-credentials -n "${SERVICES_NAMESPACE}"
      

      Where, {SERVICES_NAMESPACE} is the namespace name where foundational services is installed.

      • Search for admin_password value in platform-auth-idp-credentials secret and replace it with the new password. The new password must be base64-encoded password.
  3. Restart the platform-auth-service pod by deleting it.

    • Get the platform-auth-service pod name.

       oc get pods -n <your-foundational-services-namespace> | grep platform-auth-service
      
    • Delete platform-auth-service pod.

       oc delete pod <platform-auth-service-pod-name> -n <your-foundational-services-namespace>
      

After the pod restart, login to cp-console to test whether the password has changed.

   oc get routes -n <your-foundational-services-namespace> |grep -i cp-console

The password must follow the defined password rules.

Password rules

Password rules are optional, regular expressions (regex) that are used to set and validate managed password values within a namespace. The update-secret command checks password rules before changing the values in the secret. It validates if rules exist on the namespace that the secret is in, and that the secret data element name change contains pass or pwd in any case combination.

Note: You can use the following regex expressions from the command line. Ensure that you wrap the expressions in single quotation marks:

Table 2. List of rules for Regex expressions
Rule Regex
Min length 10 ^.{10,}
Max length 10 ^.{0,10}$
Length range ^.{10,20}$
Require lower .*[a-z].*
Require upper .*[A-Z].*
Require num .*[0-9].*
Require spec .*[!@#\$%\^&\*].*