Customizing passwords and secrets

You can customize the passwords and secrets that are used during the deployment process.

The following information provides details about supported options.

Table 1. Summary of support details
Support options | Details
Supported hypervisor types? | All
Support for post-deployment customization? | No, see Changing passwords and secrets for customization post-deployment.
Supported topologies? | All, except Minimal.
If you are deploying a Minimal topology, then all passwords and secrets are the same as their associated user name (for example, admin/admin). Customization is not enabled for that topology.

If you are deploying any other topology, then by default, all passwords and secrets are obtained through encrypted data bags. An example secret key (/opt/ibm/cmwo/chef-repo/data_bags/example_data_bag_secret) and data bags (/opt/ibm/cmwo/chef-repo/data_bags/) are provided by the IBM Cloud Manager with OpenStack installation. The following steps guide you through customizing these examples for your deployment:

  1. Create a passwords and secrets file from the example passwords file. By default, the example file ensures that all passwords and secrets are randomly generated for your deployment. The example file is located at /opt/ibm/cmwo/chef-repo/data_bags/example_passwords_file.json; create a copy and update the passwords and secrets in it to create your own passwords file. To explicitly set the user password for the cloud administrator (admin), change the password entry for admin from RANDOM to your desired password. The same can be done for the cloud messaging service user (qpidclient or rabbitclient). If you are deploying a cloud environment with PowerVC or z/VM®, you must set the passwords for those environments as well. For more information about the passwords and secrets that are used by a deployment, see Data bags.
    $ cp /opt/ibm/cmwo/chef-repo/data_bags/example_passwords_file.json ./your_passwords_file.json
    Note: This step assumes the default IBM Cloud Manager with OpenStack installation path on the deployment server (/opt/ibm/cmwo).
  2. Set the passwords and secrets for your deployment.
    $ knife os manage set passwords -E your-environment-name.json --secret-file your-secret-file --topology-file your-topology-name.json your_passwords_file.json
    This command also creates a secret key, your-secret-file, that is used to encrypt the data bags.
  3. (z/VM® only) Edit the following z/VM related data bag items: xcat, xcatmnadmin, and zlinuxroot. These values set host-specific passwords for z/VM and update the data bags.
    1. Download and decrypt the data bags that contain the passwords and secrets for your deployment. The information is stored in the data_bags directory. The data_bags directory contains a subdirectory for each data bag that is used by your deployment. The subdirectories contain the data bag items for your deployment. Ensure that you remove the data_bags directory when you are done using it.
       $ knife os manage get passwords --topology-file your-topology-name.json data_bags
    2. Edit the following data bag items: xcat, xcatmnadmin, and zlinuxroot.
      Here is an example using the data bag xcat, using your_env_user_passwords/xcat.json:
      {
        "id": "xcat",
        "xcat_server1": "CHANGEME",
        "xcat_server2": "CHANGEME"
      }
      You must change the xcat_server1 (xcat_server2) to the corresponding value of the attribute ibm-openstack.zvm-driver.#host.xcat.server in your attribute file. The value can be an IP address or a host name. Then, change the password to match xcat.json. What you must update depends on how many hosts you have, even if all the hosts use the same xcat server. Make similar changes to match xcatmnadmin.json.
      Here is an example for the zlinuxroot data bag item, using your_env_user_passwords/zlinuxroot.json:
      {
        "id": "zlinuxroot",
        "host1": "CHANGEME",
        "host2": "CHANGEME"
      }
      You must change host1 (host2) to the corresponding value of the attribute ibm-openstack.zvm-driver.hosts in your attribute file, and then change the password.
    3. Update the changed data bags.
       $ knife os manage update passwords --topology-file your-topology-name.json data_bags
    4. Remove the data bag directory because it is no longer needed.
      $ rm -rf data_bags
  4. (VMware only) Edit the following VMware related data bag item: openstack_vmware_secret_name.
    1. Download and decrypt the data bags that contain the passwords and secrets for your deployment. The following command downloads the data bags into a local directory "data_bags", in which there are several subdirectories with the prefix <your-environment-name>.
      $ knife os manage get passwords --topology-file your-topology-name.json data_bags
    2. Edit the VMware related data bag item "openstack_vmware_secret_name".
      $ vim data_bags/<your-environment-name>_secrets/openstack_vmware_secret_name.json
      {
        "id": "openstack_vmware_secret_name",
        "openstack_vmware_secret_name": "vmware_password"
      }
      Note: In this example, "vmware_password" represents the actual password. You must change it based on your specific deployment.
    3. Update the changed data bags.
      $ knife os manage update passwords --topology-file your-topology-name.json data_bags
    4. Remove the data bag directory. It is no longer needed.
      $ rm -rf data_bags
  5. Remove your passwords file because it is no longer needed.
    $ rm -f your_passwords_file.json
    Note: You can use the following command to download and decrypt the data bags that contain the passwords and secrets for your deployment. The information is stored in the data_bags directory. The data_bags directory contains a subdirectory for each data bag that is used by your deployment. The subdirectories contain the data bag items for your deployment. Ensure that you remove the data_bags directory when you are done using it.
    $ knife os manage get passwords --topology-file your-topology-name.json data_bags
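
Steps 3 and 4 leave decrypted secrets on disk between "get passwords" and "update passwords". The following checks are an added example, not part of the IBM Cloud Manager with OpenStack tooling: they flag data bag items that still hold the CHANGEME placeholder and entries that group or other users can access. The function names are hypothetical and the sample item is constructed.

```shell
#!/bin/sh
# Added example: checks for a decrypted data_bags directory.
# Function names are hypothetical; CHANGEME and data_bags come from the page.

# Print data bag items that still hold the CHANGEME placeholder.
# Returns 0 when none remain, 1 otherwise. Run before "update passwords".
find_placeholders() {
    hits=$(find "$1" -type f -name '*.json' \
           -exec grep -l '"CHANGEME"' {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Print entries under $1 that carry any group or other permission bit.
# Returns 0 when the tree is owner-only, 1 otherwise.
find_exposed() {
    hits=$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample: a zlinuxroot item with host2 still unset. It is
# created under the caller's umask, so the permission check may fire too.
demo() {
    d=$(mktemp -d) || return 0
    mkdir "$d/env_user_passwords"
    printf '{\n  "id": "zlinuxroot",\n  "host1": "example-pw",\n  "host2": "CHANGEME"\n}\n' \
        > "$d/env_user_passwords/zlinuxroot.json"
    find_placeholders "$d" || echo "edit the items above before 'update passwords'"
    find_exposed "$d" || echo "tighten with: chmod -R go-rwx <directory>"
    rm -rf "$d"
}
demo
```

Running the get passwords command under umask 077 keeps the decrypted files owner-only from the moment they are written.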