Creating and Maintaining Accounts and Passwords

When the Oracle Private Cloud Appliance system is first powered on, various tasks need to be performed in order to initially set up the system. These tasks include defining the first super-admin user account, configuring system parameters such as system and domain name, and configuring basic networking parameters that make the appliance part of the data center network.

There are three layers of the Oracle Private Cloud Appliance, and each layer is administered in a different way:

  • Infrastructure - The rack hardware contains default users and passwords. Infrastructure does not usually need to be accessed in day-to-day operations. After installation, update any default passwords and store them in a secure location. Individual accounts are not supported in the infrastructure context. On most infrastructure components there are only two accessible users, the administrative user and an account for Oracle Support Services that can only be accessed with support from the administrative user.

  • Service Enclave - The administrative user created during installation applies to this layer. Additional users can be added to the Service Enclave to help manage the Oracle Private Cloud Appliance but, in practice, there are few of these users as their operations are across the entire appliance.

  • Compute Enclave - Users of the Compute Enclave have day-to-day tasks within a tenancy. They may be creating compute instances or monitoring cloud resources. When an administrative user creates a tenancy, they define an administrator for the tenancy that can then expand access to the tenancy from the Compute Enclave console.

Each layer has different requirements and techniques for maintaining the user accounts.

Password Maintenance in the Infrastructure Layer

The infrastructure layer is not accessed in day-to-day operations and is not intended to be a multi-user experience. Infrastructure is largely managed either through the Service Enclave layer, or by the individual software components running within the Service Enclave. Change any default passwords immediately after successful rack installation and configuration.

Passwords to be updated include:

  • Compute node passwords

    Note:

    This password does not need updating after the compute node has been provisioned. Provisioning randomizes the compute node password.

  • Compute node Oracle Integrated Lights Out Manager (ILOM) passwords

  • Management node passwords

  • Management node ILOM passwords

  • Leaf switch password

  • Management switch password

  • Spine switch password

  • Oracle ZFS Storage Appliance password

  • Oracle ZFS Storage Appliance ILOM password

    Note:

    Changing the Oracle ZFS Storage Appliance ILOM password is managed through the Oracle ZFS Storage Appliance. A password change issued to the Oracle ZFS Storage Appliance changes both the appliance and ILOM passwords because they are mutually inclusive.

There is a tool available on the management nodes to check for default passwords in the infrastructure that must be changed. To run it:

  1. Log into a management node using the default administrative user and password supplied to you by the installation team.

  2. Run the following command: /var/lib/pca-foundation/scripts/healthcheck.py.

The output of the tool will show passwords to change from factory defaults.

All passwords except the MySQL database password must be updated using the Service Enclave CLI that resides on the management node. Using the various native infrastructure tools will result in Service Enclave failures. An example of why the tool must be used is with the management node passwords. Updating the management nodes using the Service Enclave CLI keeps all management node passwords synchronized. The Service Enclave CLI also stores the password for the management nodes in a service-accessible database, allowing the Service Enclave tools and services to manage the nodes.

If your rack is running a software release earlier than 302-b982153, then the MySQL database password is updated using the following command from each one of the management nodes: /var/lib/pca-foundation/scripts/pca_change_mysql_root_password.py

Note:

You must issue this command on each management node. Updating the password on one management node does not change anything on the other nodes.

If your rack is running software release 302-b982153 or later, then the MySQL database password is updated using the updateMySqlRootPassword command from the Admin CLI:

PCA-ADMIN> updateMySqlRootPassword password="**************" confirmPassword="**************" 
Command: updateMySqlRootPassword password="**************"  confirmPassword="**************" 
Status: Success
Time: 2023-10-23 10:57:13,504 UTC
Data:
    status = true
    message = Mysql root password has been successfully rotated.

You must use double quotes to enclose the password.

Passwords are stored in two locations:

  • A vault instance where they are stored using 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces.

  • The native password tool for the infrastructure component

Refer to documentation for the infrastructure component information for password access information.

The password complexity policy for infrastructure components is:

  • Length is 8 to 20 characters for compute nodes, management nodes, or switches. The length is 8 to 16 characters (note the difference) for Oracle ZFS Storage Appliance and ILOMs.

  • The password must contain a character from each of the groups:

    • Lower case letters (a-z)

    • Upper case letters (A-Z)

    • Digits (0-9)

    • Symbols (@$!#%*&)

The password complexity policy for the infrastructure cannot be changed.

To update an infrastructure password

  • Log in to the Admin Service CLI.

  • Use the changepassword <component> <password> <confirmPassword> command. For example: changepassword zfs <updated_password> <confirm_updated_password>. The supported components are:

    PCA-ADMIN> changepassword ?
                              ComputeNode
                              LeafSwitch
                              ManagementNode
                              ManagementSwitch
                              SpineSwitch
                              User
                              ZFSAppliance
    PCA-ADMIN> changepassword computeNode ?
                                          *password
                                          *confirmPassword

Passwords should always be entered enclosed in double quotes (" ") and must never include a question mark (?).

The password update can take a short amount of time to complete even after a successful password update response is returned.

The Power Distribution Units (PDUs) in the PCA racks vary depending on the locale. Refer to the Oracle Private Cloud Appliance Release Notes for potential updates on the infrastructure processes.

The PDU password must be changed from the default value. Refer to the hardware documentation for the specific PDU type for information regarding password changes.

Service Enclave User and Password Maintenance

At installation and configuration time, an initial user with the SuperAdmin Authorization Group and password is set up for the Service Enclave. Refer to the configuration chapter of the Oracle Private Cloud Appliance Installation Guide.

The Service Enclave is a multi-user environment where users do not share credentials. Because actions in the Service Enclave affect all tenancies on the appliance, very few users are necessary in this space. General security guidelines are:

  • Do not share credentials.

  • Create a user for each individual that requires access to the Service Enclave administration tools. This practice enables better audit tracking and easier administration of individual needs.

  • Apply the rule of least privileges by choosing the authorization group most appropriate for the individual.

  • When creating a new user, do not use a common password and do not use a default initial password for new users.

  • Change passwords regularly. There are no proactive password change or timeout notifications in the Service Enclave.

There are 4 important authorization groups in the Service Enclave:

  • Admin - Authorization for most operations except user management

  • Monitor - A read-only role that can only manage their own profile or browse service enclave information without changing it

  • SuperAdmin - Authorization for all capabilities, only a SuperAdmin can create new users for the Service Enclave and change roles for existing users

  • DrAdmin - Authorization for setting up Disaster Recovery (this group is used only during Day-0 configuration)

In the Service Enclave, the list of authorization groups is static. Existing groups cannot be modified to change authorizations and new groups cannot be created with different authorizations.

The password policy for the Service Enclave is as follows:

  • Password has a minimum length of 12 characters

  • Password contains at least one uppercase letter

  • Password contains at least one lowercase letter

  • Password contains at least one symbol (@$!#%*&)

  • Password contains at least one number

The Service Enclave password policy cannot be changed.

Password storage is in the service database and uses Password Based Key Derivation Function 2 (PBKDF2) with a 32 character salt to hash the password.

User maintenance and password maintenance for the Service Enclave for a user in the SuperAdmin group is done using the Service Enclave Administration Console (https://adminconsole.<domain>) or the Admin CLI. A user in the MONITOR or ADMIN group must use the Admin CLI or request a password change from a user in the SuperAdmin authorization group.

From the Admin CLI, use the command to change the password:

changePassword id=<id> password="<new_password>" confirmPassword="<new_password>"

To get the ID for the current user, use the command:

show UserPreference

A user in the SuperAdmin group can change the password of any user in the Admin CLI. A list of user IDs can be obtained using the command: list user.

Additional notes on password management in the 3.0.1 software version:

  • A user in the MONITOR or ADMIN group cannot change their password in the Service Enclave Administration Console.

  • There is no password recovery or password reset functionality. As a result, it is strongly advised that a second user with SuperAdmin capability is created.

  • Accounts will not be locked out or disabled with any number of invalid login attempts.

For more information on use of Identity Providers with the Service Enclave layer, see Service Enclave Security Features.

Compute Enclave User and Password Maintenance

There are no default Compute Enclave users or tenancies immediately following installation and configuration as described in the Oracle Private Cloud Appliance Installation Guide.

When a Service Enclave administrator creates a tenancy, an initial user is created and a password is assigned.

Have the new tenancy administrator log into the account and change their password using the Compute Enclave console (https://console.<domain>).

Once logged in, use the Change Password drop down located in the top right of the console where the user name is displayed. The tenancy administrator is the only user account that cannot be reset by any user (including themselves). The only option available to the primary tenancy administrator created by the Service Enclave SuperAdmin is to store their password securely and use the Change Password action in the user interface after a successful login.

The password policy for the Compute Enclave is as follows:

  • Password has a minimum length of 12 characters

  • Password contains at least one uppercase letter

  • Password contains at least one lowercase letter

  • Password contains at least one symbol (@$!#%*&)

  • Password contains at least one number

The password policy cannot be changed.

Password storage is in the service database and uses Password Based Key Derivation Function 2 (PBKDF2) with a 32 character salt to hash the password.

The tenancy administrator also sets up the CLI with their account so they can start making use of Identity and Access Management (IAM) operations. For instructions on setting up the CLI to use with a tenancy and user on the Oracle Private Cloud Appliance refer to Working in the Service Enclave.

Every tenancy comes with a default administrators group. This group can perform any action on all resources in a tenancy (that is, they have root access to the tenancy). Oracle recommends that you keep the group of tenancy administrators as small as possible but have at least one backup administrator.

Some security recommendations on managing tenancy administrators:

  • Have security policies granting membership of the tenancy administrator group strictly on an as-needed basis.

  • Tenancy administrators use high-complexity passwords, along with MFA, and periodically rotate their passwords.

  • After account set up and configuration, Oracle recommends that you don't use the tenancy administrator account for day-to-day operations. Instead, create less privileged users and groups.

  • Though administrator accounts are not used for daily operations, they are still needed to address emergency scenarios impacting customer tenancy and operations. Specify secure and auditable "break-glass" procedures for using administrator accounts in such emergencies.

  • Disable tenancy administration access immediately when an employee leaves the organization.

  • Because the tenancy administrator group membership is restricted, Oracle recommends that you create security policies which prevent administrator account lock-out (for example, if the tenancy administrator leaves the company and no current employees have administrator privileges).

Users in the Compute Enclave other than the default administrator for a tenancy can have their passwords reset by a user in the Administrator group through the Users context in the Compute Enclave console (https://adminconsole.<domain>).

A user can reset their own password if they have the CLI installed and configured via the command:

oci iam user ui-password create-or-reset --user-id <id>

An administrator can use the CLI command to reset any other user's password. After reset, the administrator securely communicates the reset password to the user. The user will be prompted on login to the console to change the password.

For more information on the use of Identity Providers with the Compute Enclave and IAM security features to help administer the Compute Enclave layer, refer to Identity Provider Security Features.

Maintaining the Monitoring and Logging Password

The monitoring and logging facilities for Oracle Private Cloud Appliance are accessed via consoles at:

  • Grafana: https://grafana.<domain>

  • Prometheus: https://prometheus.<domain>

In Oracle Private Cloud Appliance 3.0.2, the infrastructure layer has a single user for both Grafana and Prometheus (admin), and they have a default password. Change this password after installation and configuration.

Administrators must set the new password by running the following Python CLI tool from the management node:

python3 \
/usr/lib/python3.6/site-packages/pca_foundation/secret_service/scripts/sauron_credential_update.py \
-username username -password password

The password policy for Grafana and Prometheus (the monitoring framework) requires that the password:

  • Must be 12-20 characters long

  • Must contain at least 1 uppercase character, 1 lowercase character, and 1 digit

  • Can contain the symbols -_+=

The password rules for appliance infrastructure components are different from the password rules for the monitoring framework. The password rules for appliance infrastructure components are: minimum length of 8 characters, containing at least 1 lower case letter (a-z), upper case letter (A-Z), digit (0-9), and symbol (@$!#%*&). It is possible to run a Service CLI command to apply a password that matches these rules but violates the password policy for the monitoring framework.

When you run the updateSauronCredentials command and the monitoring framework rejects the new password, the error message explains the password rules for appliance infrastructure components, not the password rules for the monitoring framework. In some cases the Service CLI even reports that the password update command was successful although it was not accepted by the monitoring framework.

To avoid this issue, make sure that the password you set for the appliance monitoring framework complies with its specific password policy: length of 12-20 characters, containing at least 1 lower case letter (a-z), upper case letter (A-Z), digit (0-9), and special character (-_+=.).
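The chapter quotes five password policies (infrastructure nodes and switches, ZFS appliance and ILOMs, Service Enclave, Compute Enclave, and the monitoring framework) and warns that a password the Service CLI accepts can still be rejected by Grafana and Prometheus with a misleading error. The following added example (not an Oracle tool) transcribes those policies into a checker so a candidate password can be tested against every policy before it is submitted. Treating each policy's listed symbols, together with ASCII letters and digits, as the only permitted characters is an assumption; the chapter lists the symbols but does not say explicitly that everything else is rejected. The monitoring symbol set uses the wider of the two lists the chapter gives (-_+=.).

```python
"""Checker for the password policies quoted in this chapter (added example, not Oracle code).

Assumption: each policy accepts only ASCII letters, digits and its listed
symbols. The chapter lists the symbols but does not state this exclusion.
"""
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_len: int
    max_len: Optional[int]    # None: the chapter states no upper bound
    symbols: str              # the symbols the chapter lists for this policy
    symbol_required: bool     # True: at least one listed symbol is mandatory

    def violations(self, password: str) -> list[str]:
        """Return every rule the password breaks; an empty list means accepted."""
        problems = []
        if len(password) < self.min_len:
            problems.append(f"shorter than {self.min_len} characters")
        if self.max_len is not None and len(password) > self.max_len:
            problems.append(f"longer than {self.max_len} characters")
        if not any(c.islower() for c in password):
            problems.append("no lower case letter")
        if not any(c.isupper() for c in password):
            problems.append("no upper case letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.symbol_required and not any(c in self.symbols for c in password):
            problems.append(f"no symbol from {self.symbols}")
        # Assumption: nothing outside letters, digits and the listed symbols is accepted.
        allowed = set(string.ascii_letters + string.digits + self.symbols)
        rejected = "".join(sorted(set(password) - allowed))
        if rejected:
            problems.append(f"characters outside the permitted set: {rejected}")
        return problems


INFRA_SYMBOLS = "@$!#%*&"
MONITORING_SYMBOLS = "-_+=."   # chapter lists "-_+=" once and "-_+=." once

POLICIES = [
    PasswordPolicy("infrastructure: nodes and switches", 8, 20, INFRA_SYMBOLS, True),
    PasswordPolicy("infrastructure: ZFS appliance and ILOMs", 8, 16, INFRA_SYMBOLS, True),
    PasswordPolicy("service enclave", 12, None, INFRA_SYMBOLS, True),
    PasswordPolicy("compute enclave", 12, None, INFRA_SYMBOLS, True),
    PasswordPolicy("monitoring framework (Grafana/Prometheus)", 12, 20, MONITORING_SYMBOLS, False),
]


def check_all(password: str) -> dict[str, list[str]]:
    """Map each policy name to the list of rules the password violates."""
    return {policy.name: policy.violations(password) for policy in POLICIES}


def acceptable_for(password: str, policy_name: str) -> bool:
    """True if the named policy accepts the password."""
    return not check_all(password)[policy_name]


if __name__ == "__main__":
    # Constructed sample: passes the infrastructure rules, fails the monitoring rules.
    for candidate in ("Pca!Admin99", "Pca-Admin99x"):
        print(f"candidate {candidate!r}")
        for name, problems in check_all(candidate).items():
            print(f"  {name}: {'accepted' if not problems else '; '.join(problems)}")
```

Running the checker on "Pca!Admin99" reproduces the situation the chapter describes: the infrastructure policy for nodes and switches accepts it, while the monitoring framework rejects it both for length and for the "!" symbol, which is why the Service CLI's error text (or its success message) cannot be relied on for the monitoring password.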

The monitoring and logging tools in Oracle Private Cloud Appliance 3.0.2 have the following restrictions:

  • More users cannot be added

  • The credential update tool does not check the password or return information on success or failure of the request

  • The Grafana and Prometheus screens do not lock out users after invalid attempts

Due to these characteristics:

  • Choose a complex password

  • Designate a user as the focal point for monitoring and logging

  • Do not share the password for the admin account

  • Change the password regularly

  • Do not share the password with tenancy administrators (Grafana and Prometheus contain logs for all tenancies and should therefore not be shared with a tenancy administrator, because of the information leakage between tenancies this would cause)

Viewing Failed Password Log-in Attempts

Security monitoring for all layers (Infrastructure, Service Enclave and Compute Enclave) can be viewed in the Grafana instance (https://grafana.<domain>).

To view logs that include security notifications:

From that data source, choose the infrastructure or software component to view information. The various components can be filtered using log labels for:

  • Management and compute nodes, use the host filter, such as {host="pcamn01"}

  • Oracle ZFS Storage Appliance, use {log="audit"}

  • Compute Enclave, use {log="api-server"}

  • Other labels are possible

Some components cannot be monitored at this tier:

  • Switches (Spine, Leaf and Management)

  • ILOM

If audit logs are required for those components, log directly into the component.
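Because neither the Service Enclave nor the monitoring consoles lock an account after repeated invalid logins, reviewing the failed-attempt logs described above is the compensating control. The following added example (not an Oracle tool, and not the appliance's own log format) shows the detection logic a reviewer would apply to the host-filtered lines: group failures by host, user and source, flag a burst above a threshold inside a short window, and separately flag a burst that is followed by a successful login from the same source. The sshd-style line layout, the timestamps, the host name "pcamn01" as it appears in the chapter's filter example, and all addresses are constructed sample data.

```python
"""Burst detection over failed login lines (added example, not Oracle code).

The log lines below are constructed in an sshd-style layout; the appliance's
real format may differ, so LINE_RE is an assumption about the input shape.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: six failures, a later success from the same source, two stray failures.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z pcamn01 sshd[2311]: Failed password for admin from 10.0.5.14 port 51022 ssh2
2024-05-02T10:00:04Z pcamn01 sshd[2312]: Failed password for admin from 10.0.5.14 port 51023 ssh2
2024-05-02T10:00:07Z pcamn01 sshd[2313]: Failed password for admin from 10.0.5.14 port 51024 ssh2
2024-05-02T10:00:11Z pcamn01 sshd[2314]: Failed password for admin from 10.0.5.14 port 51025 ssh2
2024-05-02T10:00:15Z pcamn01 sshd[2315]: Failed password for admin from 10.0.5.14 port 51026 ssh2
2024-05-02T10:00:19Z pcamn01 sshd[2316]: Failed password for admin from 10.0.5.14 port 51027 ssh2
2024-05-02T10:00:40Z pcamn01 sshd[2319]: Accepted password for admin from 10.0.5.14 port 51031 ssh2
2024-05-02T10:03:00Z pcamn02 sshd[4410]: Failed password for invalid user oracle from 10.0.9.77 port 40001 ssh2
2024-05-02T10:45:12Z pcamn02 sshd[4512]: Failed password for admin from 10.0.5.20 port 40210 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    host: str
    user: str
    src: str
    outcome: str   # "Failed" or "Accepted"

    @property
    def key(self) -> tuple[str, str, str]:
        return (self.host, self.user, self.src)


def parse_events(text: str) -> list[LoginEvent]:
    """Parse the lines that match the assumed layout; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(LoginEvent(ts, m["host"], m["user"], m["src"], m["outcome"]))
    return events


def burst_alerts(events, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
    """Return {(host, user, src): peak} for keys with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for e in events:
        if e.outcome == "Failed":
            failures[e.key].append(e.ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def success_after_burst(events, alerts) -> set:
    """Keys from alerts where an Accepted login arrived after that key's last failure."""
    last_failure = {}
    for e in events:
        if e.outcome == "Failed" and e.key in alerts:
            last_failure[e.key] = max(last_failure.get(e.key, e.ts), e.ts)
    return {e.key for e in events
            if e.outcome == "Accepted" and e.key in last_failure and e.ts > last_failure[e.key]}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = burst_alerts(evts)
    for key, count in found.items():
        print(f"burst: host={key[0]} user={key[1]} src={key[2]} failures={count}")
    for key in success_after_burst(evts, found):
        print(f"success after burst: host={key[0]} user={key[1]} src={key[2]}")
```

In the sample, the six failures from 10.0.5.14 against admin on pcamn01 trip the threshold, and the later accepted login from the same source is the line that most warrants a follow-up; the single failures on pcamn02 stay below the threshold and are not reported. The threshold and window are tunable and should be set to the environment's normal rate of mistyped passwords.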