1. Security Guide
  2. Secure Deployments Checklist
  3. Account and Password Security Checklists

Account and Password Security Checklists

When the Oracle Private Cloud Appliance system is first powered on, various tasks need to be performed in order to initially set up the system. The accounts and passwords established must be watched to make sure that no unexpected changes oocur.

Infrastructure Account and Password Security Checklist

Change any default passwords immediately after successful rack installation and configuration.

Passwords to be updated include:

  • Compute node passwords

  • Compute node Oracle Integrated Lights Out Manager (ILOM) passwords

  • Management node passwords

  • Management node ILOM passwords

  • Leaf switch password

  • Management switch password

  • Spine switch password

  • Oracle ZFS Storage Appliance password

  • Oracle ZFS Storage ApplianceILOM password

There is a tool available on the management nodes to check for default passwords in the infrastructure that must be changed. To run it:

  1. Log into a management node using the default administrative user and password supplied to you by the installation team.

  2. Run the following command: /var/lib/pca-foundation/scripts/healthcheck.py.

The output of the tool will show passwords to change from factory defaults.

Service Enclave Account and Password Security Checklist

At installation and configuration time, an initial user with the SuperAdmin Authorization Group and password is set up for the Service Enclave, refer to the Oracle Private Cloud Appliance Installation Guide.

The Service Enclave is a multi-user environment where users do not share credentials. Because actions in the Service Enclave affect all tenancies on the appliance, very few users are necessary in this space. General security guidelines are:

  • Do not share credentials.

  • Create a user for each individual that requires access to the Service Enclave administration tools. This practice enables better audit tracking and easier administration of individual needs.

  • Apply the rule of least privileges by choosing the authorization group most appropriate for the individual.

  • When creating a new user, do not use a common password and do not use a default initial password for new users.

  • Change passwords regularly. There are no proactive password change or timeout notifications in the Service Enclave.

There are 3 authorization groups in the Service Enclave:

  • Admin - Authorization for most operations except user management.

  • Monitor - A read-only role that can only manage their own profile or browse Service Enclave information without changing it.

  • SuperAdmin - Authorization for all capabilities, only a SuperAdmin can create new users for the Service Enclave and change roles for existing users.

In the Service Enclave, the list of authorization groups is static. Existing groups cannot be modified to change authorizations and new groups cannot be created with different authorizations.

Service Customer Account and Password Security Checklist

There are no default Customer Enclave users or tenancies immediately following a Oracle Private Cloud Appliance Installation Guide install and configuration.

When a Service Enclave administrator creates a tenancy, an initial user is created and a password is assigned.

Have the new tenancy administrator log into the account and change their password using the Compute Enclave console (https://adminconsole.<domain>).

Once logged in, use the Change Password drop down located in the top right of the console where the user name is displayed. The tenancy administrator is the only user account that cannot be reset by any user (including themselves). The only option available to the primary tenancy administrator created by the Service Enclave SuperAdmin is to store their password securely and use the Change Password action in the user interface after a successful login.

The password policy for the Compute Enclave is as follows:

  • Password has a minimum length of 12 characters

  • Password contains at least one uppercase letter

  • Password contains at least one lowercase letter

  • Password contains at least one symbol (@$!#%*?&)

  • Password contains at least one number

The password policy cannot be changed.

Monitoring and Logging Account and Password Security Checklist

The monitoring and logging facilities for Oracle Private Cloud Appliance are accessed via consoles at:

  • Grafana: https://grafana.<domain>

  • Prometheus: https://prometheus.<domain>

In Oracle Private Cloud Appliance, this tier has a single user for both platforms (admin) and is delivered with a default password. Change this password after installation and configuration. To change the password, log into one of the management nodes in the infrastructure layer using root and the password that was updated in Password Maintenance in the Infrastructure Layer.

Once logged in, update the password using the Python 3 runtime and this program:

python3 /lib/python3.6/site-packages/pca_foundation/secret_service/scripts/sauron_credential_update.py -username <username> -password <password>

The password policy requires that the password:

  • Must be 12-20 characters long

  • Must contain at least 1 uppercase, 1 lowercase and one digit

  • Can contain the symbols -_+=

The monitoring and logging tools in Oracle Private Cloud Appliance have the following restrictions

  • More users cannot be added

  • The credential update tool does not check the password or return information on success or failure of the request

  • The Grafana and Prometheus screens do not lock out users after invalid attempts