DB-Tier Authentication and Authorization
The DB-Tier provides a highly available multisite database used to store NF state and configuration. When installed, the MySQL DB is configured with a root account whose password is randomly generated. Each NF must have additional accounts for that particular NF. The procedures in this section explain how to change these account passwords. Additionally, communication between the NFs and the MySQL query nodes is protected using TLS.
Procedure: Modify MySQL NDB Root Password
This procedure is typically executed by the DB Administrator.
Table 6-1 Modify MySQL NDB Root Password
Step | Description | Est Time |
---|---|---|
1. | Log into the next query node using ssh: $ ssh admusr@<mysql query node> | 1m |
2. | Become root: $ sudo su | 1m |
3. | Invoke mysql using existing DB Root credentials: <enter existing root password> | 1m |
4. | Change the DB Root credentials: mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY '<NEW_PASSWORD>'; mysql> FLUSH PRIVILEGES; | 1m |
5. | Repeat steps 1 through 4 for each MySQL Query node. | |
Note:
If you are accessing a DB instance for the first time, the DB Root password is stored in the /var/occnedb/mysqld_expired.log file. (The system generates a random password at installation time.)
Note:
Recommendation: Separation of Roles
The roles of DB Administrator and Cluster Administrator must be kept separate. The DB Administrator must be responsible for securing and maintaining the DB-Tier MySQL NDB cluster. The Cluster Administrator must be responsible for securing and operating the Bastion Host and K8s Cluster. When 5G NFs are installed, the DB Administrator will be required to create the new NF database and NF DB accounts (using the DB Root credentials). Once this is completed, the Cluster Administrator installs the NF (using helm).
Note:
Recommendation: Use Strong Passwords
The DB Administrator must choose a complex DB Root password as per their organization's security guidelines.
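The Separation of Roles recommendation above has the DB Administrator create the NF database and NF DB account before the NF is installed. The following is an added example, not taken from this guide or from the product: the names examplenf_db and examplenf_user, the host pattern 10.0.0.% and the privilege list are assumptions to adapt to the NF's own installation guide.

```sql
-- Added example. examplenf_db, examplenf_user and the host pattern 10.0.0.%
-- are hypothetical; <NF_PASSWORD> is a placeholder chosen per organization policy.
-- Run as DB Root on a query node. Accounts created this way are local to the
-- SQL node they are created on, so repeat on each query node.

-- 1. One database per NF.
CREATE DATABASE IF NOT EXISTS examplenf_db;

-- 2. NF account restricted by source host and refused unless the session uses TLS.
CREATE USER IF NOT EXISTS 'examplenf_user'@'10.0.0.%'
  IDENTIFIED BY '<NF_PASSWORD>'
  REQUIRE SSL;

-- 3. Least privilege: data access on the NF's own schema only.
--    Assumption: the NF needs no DDL or global privileges at run time.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON examplenf_db.* TO 'examplenf_user'@'10.0.0.%';

-- 4. Confirm what the account can actually do.
SHOW GRANTS FOR 'examplenf_user'@'10.0.0.%';

-- 5. Audit: remote-capable accounts that are allowed to connect without TLS.
SELECT user, host
  FROM mysql.user
 WHERE ssl_type = ''
   AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 6. Audit: unlocked non-root accounts holding administrative privileges.
SELECT user, host
  FROM mysql.user
 WHERE user <> 'root'
   AND account_locked = 'N'
   AND (Super_priv = 'Y' OR Grant_priv = 'Y' OR Create_user_priv = 'Y');

-- 7. Audit: root entries reachable from anywhere other than the local node.
SELECT user, host
  FROM mysql.user
 WHERE user = 'root'
   AND host NOT IN ('localhost', '127.0.0.1', '::1');
```

Queries 5 through 7 should return no rows on a node where every NF account requires TLS and only the local root account is administrative.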