Changing passwords and re-creating secrets

If any of the passwords that are used by IBM Netcool Operations Insight® change, the secrets that use those passwords must be re-created. The pods that use those secrets must be restarted. Use the following procedure if you need to change any of these passwords.

Procedure

Use this table to help you identify the secrets that use a password, and the pods that use a secret.

Password Corresponding secret Dependent pods
smadmin release_name-was-secret

release_name-webgui-0

release_name-ea-noi-layer-eanoiactionservice

release_name-ea-noi-layer-eanoigateway

release_name-ibm-hdm-common-ui-uiserver

impactadmin release_name-impact-secret

release_name-impactgui-0

release_name-nciserver-0

release_name-nciserver-1

release_name-webgui-0

icpadmin release_name-icpadmin-secret None
IBM® Tivoli® Netcool®/OMNIbus root release_name-omni-secret

release_name-webgui-0

release_name-ea-noi-layer-eanoiactionservice

release_name-ea-noi-layer-eanoigateway

release_name-ibm-hdm-analytics-dev-aggregationnormalizerservice

release_name-ncobackup

release_name-ncoprimary

release_name-nciserver-0

release_name-nciserver-1

LDAP administrator release_name-ldap-secret

release_name-openldap-0

release_name-impactgui-0

release_name-nciserver-0

release_name-nciserver-1

release_name-ncobackup

release_name-ncoprimary

release_name-scala

release_name-webgui-0

couchdb release_name-couchdb-secret
Note: Change the default credentials for CouchDB. When you rotate the CouchDB password, the CouchDB replication must be re-created. For more information, seeReplication external link in the CouchDB documentation.

release_name-couchdb

release_name-ibm-hdm-analytics-dev-aggregationcollaterservice

release_name-ibm-hdm-analytics-dev-trainer

Internal password for inter-pod communication release_name-ibm-hdm-common-ui-session-secret

release_name-ibm-hdm-common-ui-uiserver

Internal password release_name-systemauth-secret

release_name-couchdb

release_name-ibm-hdm-analytics-dev-aggregationcollaterservice

release_name-ibm-hdm-analytics-dev-trainer

hdm release_name-cassandra-auth-secret
Note: When you change the password for Cassandra, restart more than just the cassandra pod and change the password inside the Cassandra database.

release_name-cassandra

release_name-ibm-ea-asm-mime-eaasmmime

release_name-ibm-ea-mime-classification-eaasmmimecls

release_name-ibm-hdm-analytics-dev-archivingservice

release_name-ibm-hdm-analytics-dev-eventsqueryservice

release_name-ibm-hdm-analytics-dev-policyregistryservice

release_name-ibm-hdm-analytics-dev-trainer

release_name-ibm-hdm-analytics-dev-trainer

release_name-ibm-noi-alert-details-service

release_name-metric-api-service-metricapiservice

release_name-metric-spark-service-metricsparkservice

release_name-topology-layout

release_name-topology-merge

release_name-topology-status

release_name-topology-topology

redis release_name-ibm-redis-authsecret release_name-ibm-hdm-analytics-dev-collater-aggregationservice

release_name-ibm-hdm-analytics-dev-dedup-aggregationservice

admin release_name-kafka-client-secret

release_name-ibm-hdm-analytics-dev-archivingservice

release_name-ibm-hdm-analytics-dev-collater-aggregationservice

release_name-ibm-hdm-analytics-dev-dedup-aggregationservice

release_name-ibm-hdm-analytics-dev-inferenceservice

release_name-ibm-hdm-analytics-dev-ingestionservice

release_name-ibm-hdm-analytics-dev-normalizer-aggregationservice

Where release_name is the name for your Netcool Operations Insight deployment in name (OLM UI installation), or metadata.name in noi.ibm.com_noihybrids_cr.yaml (CLI installation).

To change a password, use the following procedure.

  1. Change the password that you want to change.
  2. Use the table to find the secret that corresponds to the password that was changed. Then, delete this secret.
    oc delete secret secretname --namespace namespace
    Where
    • secretname is the name of the secret to be re-created.
    • namespace is the name of the namespace in which the secret to be re-created exists.
  3. Re-create the secret with the new password.
  4. Use the table to find which pods depend on the secret that you re-created, and require restarting.
  5. Restart the necessary pods by running the following command.
    oc delete pod podname
    Where podname is the name of the pod that requires restarting.
  6. To view the list of pods that use the asm-credentials secret, run the following command.
    for pod in `oc get pod -n $NAMESPACE -o name `; do 
       if oc get $pod -o yaml -n $NAMESPACE | grep -q asm-credentials; then 
          echo $pod 
       fi
    done
  7. Restart the pods that use the asm-credentials secret by running the following command.
    for pod in `oc get pod -n $NAMESPACE -o name `; do 
       if oc get $pod -o yaml -n $NAMESPACE | grep -q asm-credentials; then 
          oc delete $pod -n $NAMESPACE 
       fi
    done
  8. For the release_name-cassandra-auth-secret secret, in addition to changing the password in the secret and restarting the pods, you must change the password inside the Cassandra database.
    oc rsh <rel name>-cassandra-0
     /opt/ibm/cassandra/bin/cqlsh -u hdm -p <old password>
    alter user 'hdm' with password 'new password';