Creating and Maintaining Accounts and Passwords
When the Oracle Private Cloud Appliance system is first powered on, various tasks need to be performed in order to initially set up the system, including creating the first super-admin user account.
There are three layers of the Oracle Private Cloud Appliance. Each of these three layers will be administered in a different way:
- Infrastructure - Operations on rack hardware components are performed by the default administrative user. An Oracle Support Services account can perform infrastructure operations with the support of the default administrative user. Other users cannot perform these operations. After installation, change the default passwords and store the new passwords in a secure location.
- Service Enclave - The administrative user created during installation operates in the Service Enclave. Additional users can be added to the Service Enclave to help manage the appliance.
- Compute Enclave - Compute Enclave users have day-to-day tasks within a tenancy such as creating compute instances. The Service Enclave administrative user creates Compute Enclave tenancies and creates an administrative user for each tenancy. The tenancy administrator can then create additional users and user groups in the tenancy.
Each layer has different requirements and techniques for maintaining the user accounts.
Password Maintenance in the Infrastructure Layer
The Private Cloud Appliance infrastructure components discussed in this topic are managed either by users in the Service Enclave or by software running in the Service Enclave.
These components have passwords that are set at the factory. Change these passwords immediately after successful rack installation and configuration.
Listing Default Passwords to Change
Use the pca-admin healthcheck tool on the management nodes to list factory-set passwords in the infrastructure that must be changed.
- Log into a management node using the default administrative user and password supplied to you by the installation team.
- Run the pca-admin healthcheck command.
Passwords that might need to be updated include:
- Compute node passwords
Note: This password does not need to be changed after the compute node has been provisioned. Provisioning randomizes the compute node password.
- Compute node Oracle Integrated Lights Out Manager (ILOM) passwords
- Management node passwords
- Management node ILOM passwords
- Leaf switch password
- Management switch password
- Spine switch password
- Oracle ZFS Storage Appliance password
- Oracle ZFS Storage Appliance ILOM password
Note: Changing the Oracle ZFS Storage Appliance ILOM password is managed through the Oracle ZFS Storage Appliance. A password change issued to the Oracle ZFS Storage Appliance changes both the appliance and ILOM passwords.
Password Policy
The password complexity policy for infrastructure components is:
- Length is 8 characters to 20 characters for Compute Nodes, Management Nodes, or switches. The length is 8 characters to 16 characters (note the difference) for Oracle ZFS Storage Appliance and ILOMs.
- The password must contain at least one character from each of the following groups:
  - Lower case letters (a-z)
  - Upper case letters (A-Z)
  - Digits (0-9)
  - The following symbols: @$!*&
  Do not include any of the following symbols: ?#%
- The password complexity policy for the infrastructure cannot be changed.
Changing the MySQL Password
All passwords except the MySQL database password must be updated using the Service CLI that resides on the management nodes. Using the various native infrastructure tools will result in Service Enclave failures. For example, updating the management node passwords using the Service CLI keeps all management node passwords synchronized. The Service CLI also stores the password for the management nodes in a service-accessible database, allowing the Service Enclave tools and services to manage the nodes.
Use one of the following commands to update the MySQL password:
- If your rack is running a software release earlier than 3.0.2-b892153, then update the MySQL database password using the following command on each of the management nodes:
/var/lib/pca-foundation/scripts/pca_change_mysql_root_password.py
Note: You must issue this command on each management node. Updating the password on one management node does not change anything on the other nodes.
- If your rack is running software release 3.0.2-b892153 or later, then update the MySQL database password using the updateMySqlRootPassword command in the Service CLI:
PCA-ADMIN> updateMySqlRootPassword password="**************" confirmPassword="**************"
Command: updateMySqlRootPassword password="**************" confirmPassword="**************"
Status: Success
Time: 2023-10-23 10:57:13,504 UTC
Data:
status = true
message = Mysql root password has been successfully rotated.
You must enclose passwords in double quotation marks.
Changing Other Infrastructure Component Passwords
Passwords are stored in two locations:
- A vault instance where they are stored using the 256-bit Advanced Encryption Standard (AES) cipher in Galois Counter Mode (GCM) with 96-bit nonces.
- The native password tool for the infrastructure component. Refer to the documentation for the infrastructure component for password access information.
Use the changepassword Service CLI command to update an infrastructure password.
- Log into one of the management nodes as the Service Enclave admin user.
- Run the changepassword command. Enclose passwords in double quotation marks.
changepassword component "password" "confirmPassword"
Example:
PCA-ADMIN> changepassword zfs "newPassword" "confirmNewPassword"
The following command lists the supported components:
PCA-ADMIN> changepassword ?
ComputeNode
LeafSwitch
ManagementNode
ManagementSwitch
SpineSwitch
User
ZFSAppliance
PCA-ADMIN> changepassword computeNode ?
*password
*confirmPassword
The password update can take a short amount of time to complete even after a successful password update response is returned.
The Power Distribution Units (PDUs) in the appliance vary depending on the locale. Refer to the Oracle Private Cloud Appliance Release Notes for potential updates on the infrastructure processes.
The PDU password must be changed from the default value. Refer to the hardware documentation for the specific PDU type for information regarding password changes.
Service Enclave User and Password Maintenance
At installation and configuration time, an initial user with the SuperAdmin Authorization Group and password is set up for the Service Enclave.
The Service Enclave is a multi-user environment. Actions in the Service Enclave can affect all tenancies on the appliance. General security guidelines are:
- Do not share credentials.
- Create a user for each individual that requires access to the Service Enclave administration tools. This practice enables better audit tracking and easier administration of individual needs.
- Apply the rule of least privilege by choosing the authorization group that is most appropriate for each user.
- When creating a new user, do not use a common or default initial password.
- Change passwords regularly. There are no proactive password change or timeout notifications in the Service Enclave.
Authorization Groups
There are four important authorization groups in the Service Enclave:
- Initial - Authorization for initial Private Cloud Appliance system operations
- OCIApp - Authorization for Oracle Cloud Infrastructure app operations
- OracleServiceAdmin - Authorization for Oracle service operations
- SuperAdmin - Authorization for all capabilities. Only a SuperAdmin can create new users for the Service Enclave and change roles for existing users.
In the Service Enclave, the list of authorization groups is static. Existing groups cannot be modified to change authorizations and new groups cannot be created with different authorizations.
Password Policy
Passwords for users in the Service Enclave are at least 12 characters long and contain at least one character from each of the following groups:
- Lower case letters (a-z)
- Upper case letters (A-Z)
- Digits (0-9)
- The following symbols: @$!*&
The Service Enclave password policy cannot be changed.
Password storage is in the service database and uses Password Based Key Derivation Function 2 (PBKDF2) with a 32-character salt to hash the password.
Changing a User Password
User maintenance and password maintenance for the Service Enclave for a user in the SuperAdmin group is done using the Service Enclave Administration Console (https://adminconsole.pca-name.domain) or the Service CLI. A user in the MONITOR or ADMIN group must use the Service CLI or request a password change from a user in the SuperAdmin authorization group.
From the Service CLI, use the following command to change the password for a user:
PCA-ADMIN> changePassword User id=id password="newPassword" confirmPassword="confirmNewPassword"
Example:
PCA-ADMIN> changePassword User id=1b23dc83-af7f-4b88-a4db-nnnnn password="************" confirmPassword="************"
Command: changePassword User id=1b23dc83-af7f-4b88-a4db-nnnnn password="************" confirmPassword="************"
Status: Success
To get the ID for the current user, use the following command:
PCA-ADMIN> show UserPreference
To get a list of user IDs, use the list user command.
A user in the SuperAdmin group can change the password of any Service Enclave user by using the Service CLI.
The following are notes about password management in the Private Cloud Appliance 3.0.1 software version:
- A user in the MONITOR or ADMIN group cannot change their password in the Service Enclave Administration Console.
- There is no password recovery or password reset functionality. As a result, it is strongly advised that a second user with SuperAdmin capability is created.
- Accounts will not be locked out or disabled with any number of invalid login attempts.
For more information about the use of Identity Providers with the Service Enclave layer, see Service Enclave Security Features.
Compute Enclave User and Password Maintenance
There are no default Compute Enclave users or tenancies immediately following an Oracle Private Cloud Appliance install and configuration.
When a Service Enclave administrator creates a tenancy, an initial user is created and a password is assigned.
The new tenancy administrator must log into the account and change their password using the Compute Enclave console (https://console.pca-name.domain).
Once logged in, use the Change Password drop down located in the top right of the console where the user name is displayed. The tenancy administrator is the only user account that cannot be reset by any user (including themselves). The only option available to the primary tenancy administrator created by the Service Enclave SuperAdmin is to store their password securely and use the Change Password action in the user interface after a successful login.
Passwords for users in the Service Enclave are at least 12 characters long and contain at least one character from each of the following groups:
- Lower case letters (a-z)
- Upper case letters (A-Z)
- Digits (0-9)
- The following symbols: @$!%*#&
The password policy cannot be changed.
Password storage is in the service database and uses Password Based Key Derivation Function 2 (PBKDF2) with a 32 character salt to hash the password.
The tenancy administrator also sets up the CLI with their account. See "Using the OCI CLI" in the Working in the Compute Enclave chapter in the Oracle Private Cloud Appliance User Guide.
Every tenancy comes with a default administrators group. This group can perform any action on all resources in a tenancy. Oracle recommends that you keep the group of tenancy administrators as small as possible but have at least one backup administrator.
The following are security recommendations for managing tenancy administrators:
- Have security policies granting membership of the tenancy administrator group strictly on an as-needed basis.
- Tenancy administrators use high-complexity passwords, along with MFA, and periodically rotate their passwords.
- After account set up and configuration, Oracle recommends that you don't use the tenancy administrator account for day-to-day operations. Instead, create less privileged users and groups.
- Though administrator accounts are not used for daily operations, they are still needed to address emergency scenarios impacting customer tenancy and operations. Specify secure and auditable "break-glass" procedures for using administrator accounts in such emergencies.
- Disable tenancy administration access immediately when an employee leaves the organization.
- Because the tenancy administrator group membership is restricted, Oracle recommends that you create security policies which prevent administrator account lock-out (for example, if the tenancy administrator leaves the company and no current employees have administrator privileges).
Compute Enclave users can request a new temporary password from a tenancy administrator, and can set or change their own password by using the Compute Web UI or the OCI CLI. See "Creating and Managing User Accounts" in the Identity and Access Management chapter of the Oracle Private Cloud Appliance User Guide.
A tenancy administrator can generate a new temporary password for any other Compute Enclave user. After the reset, the administrator securely communicates the new temporary password to the user. The user is prompted on login to the console to change the password.
For more information about the use of Identity Providers with the Compute Enclave and IAM security features to help administer the Compute Enclave layer, refer to Identity Provider Security Features.
Maintaining the Monitoring and Logging Password
Private Cloud Appliance monitoring and logging components are accessed on the Service Enclave as Grafana and Prometheus. See "Using Grafana" in the Status and Health Monitoring chapter of the Oracle Private Cloud Appliance Administrator Guide.
Like the infrastructure components discussed in Password Maintenance in the Infrastructure Layer, the monitoring and logging components have a password that is set at the factory. After appliance installation, reset this password.
This topic describes how to reset the monitoring and logging components password. Oracle recommends that you update this password periodically.
Password Update Parameter Values
The value of username is admin. This is not the same as the Service Enclave admin user.
The password has the following requirements:
- Must be at least 12 characters long and no more than 20 characters long.
- Must contain at least one uppercase character (A-Z), one lowercase character (a-z), and one digit (0-9).
The password also can contain one or more of the following symbols: -_+=
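The four complexity policies on this page (infrastructure components, Service Enclave users, Compute Enclave users, and the monitoring user above) differ only in their length limits and symbol sets. The following check, written for this page rather than taken from the appliance's own tooling, puts them in one table so that a new password can be checked against the right layer's rules before it is submitted through the Service CLI; how unlisted symbols are treated for the monitoring password is an assumption, noted in the code.

```python
import string
from typing import Dict, List

# Password complexity rules as stated on this page, one entry per layer.
# Constructed for illustration; the appliance enforces its own policy server-side.
POLICIES: Dict[str, dict] = {
    # Compute nodes, management nodes and switches: 8 to 20 characters
    "infra_node_switch": dict(min_len=8, max_len=20, symbols="@$!*&", forbidden="?#%"),
    # ZFS Storage Appliance and ILOMs: 8 to 16 characters
    "infra_zfs_ilom": dict(min_len=8, max_len=16, symbols="@$!*&", forbidden="?#%"),
    "service_enclave": dict(min_len=12, max_len=None, symbols="@$!*&", forbidden=""),
    "compute_enclave": dict(min_len=12, max_len=None, symbols="@$!%*#&", forbidden=""),
    # Grafana/Prometheus admin user: a symbol is optional and only -_+= are listed
    "monitoring": dict(min_len=12, max_len=20, symbols="-_+=", forbidden="", symbol_optional=True),
}


def check_password(password: str, layer: str) -> List[str]:
    """Return the rules the password violates; an empty list means it complies."""
    p = POLICIES[layer]
    violations = []
    if len(password) < p["min_len"]:
        violations.append("too_short")
    if p["max_len"] is not None and len(password) > p["max_len"]:
        violations.append("too_long")
    chars = set(password)
    if not chars & set(string.ascii_lowercase):
        violations.append("no_lowercase")
    if not chars & set(string.ascii_uppercase):
        violations.append("no_uppercase")
    if not chars & set(string.digits):
        violations.append("no_digit")
    if not p.get("symbol_optional") and not chars & set(p["symbols"]):
        violations.append("no_symbol")
    for c in sorted(chars & set(p["forbidden"])):
        violations.append("forbidden_char:" + c)
    if p.get("symbol_optional"):
        # Assumption: the page lists only -_+= for the monitoring password, so any
        # other non-alphanumeric character is reported as not covered by the policy.
        allowed = set(string.ascii_letters + string.digits + p["symbols"])
        for c in sorted(chars - allowed):
            violations.append("unlisted_char:" + c)
    return violations


if __name__ == "__main__":
    # Constructed sample passwords; the same string can pass one layer and fail another.
    for layer, pw in [("infra_node_switch", "Abc123!x"), ("service_enclave", "Abc123!x"),
                      ("infra_zfs_ilom", "Abcdefghijklm123!"), ("monitoring", "Abcdefghij123-")]:
        print(layer, pw, check_password(pw, layer) or "OK")
```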
Resetting the Monitoring and Logging Password
Use one of the following methods to change the monitoring and logging password:
- sauron_credential_update Python script
Log into one of the management nodes as the root user, using the password that was updated in Password Maintenance in the Infrastructure Layer. Run the sauron_credential_update.py script:
python3 \
/usr/lib/python3.6/site-packages/pca_foundation/secret_service/scripts/sauron_credential_update.py \
--username admin --password password
The sauron_credential_update.py tool does not check the password or return information on success or failure of the request.
- updateSauronCredentials Service CLI command
Log into one of the management nodes as the Service Enclave admin user. Run the updateSauronCredentials command:
PCA-ADMIN> updateSauronCredentials username=admin password=password