IBM Support

IBM Cognos Analytics: How to update the secret when the external content Store (CS) Password Changes

How To


Summary

By default, the Cognos Analytics service on IBM Cloud Pak for Data stores the credentials for the content store as a Tiller secret.  This instance of Tiller is shared with other applications in the cluster namespace which poses a security risk: any application with access to Tiller can access the credentials. However, an administrator can use an OpenShift secret to mitigate this risk.

Objective

This document describes how you can update your configuration to use an OpenShift secret. 

Steps

Prerequisites: 

To successfully complete this task, ensure that the following statements are true:

  • You installed and provisioned the Cognos Analytics service on IBM Cloud Pak for Data.
  • You have access to a Mac OS or Linux machine that:
    • Can connect to the cluster
    • Has the oc command-line interface installed

  • You can log in to the OpenShift cluster as a cluster administrator.

  • You know the name of the OpenShift project where the Cognos Analytics service is installed.

In addition, you must decide what you want the new content store password to be.
 

Procedure: 

  1. From your local client, login to OpenShift as a cluster administrator.

    Tip: You can use the Copy Login Command option in the OpenShift Web Console to get the correct oc login command.
    image-20200626091222-1
     
  2. Convert the new content store password to base64.

    For example, if your new content store password is  Cognos456! run the following command to convert the password:
    echo 'Cognos456!' | base64

    The command returns output similar to:
    Q29nbm9zNDU2IQo=
     
  3. Identify the secret object that is used for the content store.

    Run the following command to get the secrets in the OpenShift project where Cognos Analytics is deployed:
    oc get secrets -n OpenShift_Project | grep cs-creds

    Replace OpenShift_Project with the project where Cognos Analytics is deployed.

    Look for a secret similar to:
    ca1592234996446-cs-creds                             Opaque                                2         25h 
     
  4. Edit the secret that you identified in the previous step.
    1. Run the following command:
      oc edit secret ca-cs-creds_Secret -n OpenShift_Project

      Replace ca-cs-creds_Secret with the ID of the secret from the previous step.
      Replace OpenShift_Project with the project where Cognos Analytics is deployed.
       
    2. In the secret object definition YAML file, update the content_store_password entry.

      Paste the base64 encoded password that you generated in a preceding step. For example:
      content_store_password: Q29nbm9zNDU2IQo=
       
  5. Run the following command to get the list of Cognos Analytics pods that need to be restarted:

    oc get po -n OpenShift_Project | grep "ca.*cm\|ca.*cs\|ca.*biapp" 

    Replace OpenShift_Project with the project where Cognos Analytics is deployed.

    The command returns a list of pods, similar to:
    ca1592234996446-biapp-6c46787bc6-vhb9t                       2/2     Running             0          24h 
    ca1592234996446-cm-0-6cfcf94b5c-vj9hh                  2/2     Running             0          24h 
    ca1592234996446-cs-8c7879fcf-nmxtx                     1/1     Running             0          24h 
     
  6. Restart the pods by running the following command:

    oc delete po biapp_Pod cm_Pod cs_Pod -n OpenShift_Project

    Replace biapp_Pod, cm_Pod, cs_Pod with the ID of the pods from the previous step.
    Replace OpenShift_Project with the project where Cognos Analytics is deployed.
     
  7. Wait until all of the containers are Running and the pods are in the Ready state.
Cognos Analytics now uses the external content store password that is stored in the OpenShift secret.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSHGYS","label":"IBM Cloud Pak for Data"},"ARM Category":[{"code":"a8m0z000000GoylAAC","label":"Troubleshooting"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.0.1"}]

Product Synonym

CA;

Document Information

Modified date:
22 October 2020

UID

ibm16239512

Page Feedback