5 Managing Passwords in BRM Cloud Native

Learn how to manage passwords in your Oracle Communications Billing and Revenue Management (BRM) cloud native environment.

Rotating the BRM Root Password

The BRM root password is the password of the service with the login ID root.0.0.0.1, which all clients use to connect to the Connection Manager (CM). For security reasons, you should change this password at regular intervals.

When you change the BRM root password, it impacts all clients that connect to the CM service: Billing Care, the Billing Care REST API, Business Operations Center, and BRM Web Services. Therefore, you must provide the new password to your clients so they can continue to connect to the CM service.

The following procedure changes the current BRM root password (RootPassword1) to a new root password (RootPassword2) and then provides RootPassword2 to all of your clients:

  1. In your override-values.yaml file for oc-cn-helm-chart, set the keys in Table 5-1.

    Table 5-1 Initial Key Values

    | Key | Value | Description |
    |---|---|---|
    | ocbrm.rotate_password | true | Specify that the password is being changed. |
    | ocbrm.new_brm_root_password | RootPassword2 | Set a new password for the root.0.0.0.1 service. |
    | ocbrm.cm.deployment.load_localized | 0 | Specify to not reload the localized strings into the database. This was already done during installation. |
    | ocbc.bc.wop.serverStartPolicy | NEVER | Specify to shut down the WebLogic servers for Billing Care. |
    | ocbc.bcws.wop.serverStartPolicy | NEVER | Specify to shut down the WebLogic servers for the Billing Care REST API. |
    | ocboc.boc.wop.serverStartPolicy | NEVER | Specify to shut down the WebLogic servers for Business Operations Center. |

  2. Shut down the WebLogic servers for BRM Web Services: in the oc-cn-helm-chart/templates/domain_brm_wsm.yaml file, set the serverStartPolicy key to NEVER.

  3. Run the helm upgrade command to update the Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

    where:

    • BrmReleaseName is the release name assigned to your existing oc-cn-helm-chart installation.

    • OverrideValuesFile is the file name and path of your override-values.yaml file.

    • BrmNameSpace is the name space for your existing BRM deployment.

    Updating the release changes the password for service root.0.0.0.1, spins off new pods for the CM and a few other services, and stops services for Billing Care, the Billing Care REST API, Business Operations Center, and BRM Web Services.

  4. Turn off the password rotation indicator and update the password. In the same override-values.yaml file, set the keys in Table 5-2.

    Table 5-2 Turn Off Password Rotation

    | Key | Value | Description |
    |---|---|---|
    | ocbrm.rotate_password | false | Turn off password rotation. This specifies that the password is not being changed. |
    | ocbrm.brm_root_password | RootPassword2 | Provide the updated password for the root.0.0.0.1 service. |

  5. Update the password in the Infranet.properties file and wallet for Billing Care, the Billing Care REST API, and Business Operations Center by either reinstalling oc-cn-op-job-helm-chart or updating the wallet in-place in the persistent volume (PV).

    To reinstall oc-cn-op-job-helm-chart, do this:

    1. Delete the release of oc-cn-op-job-helm-chart:

      helm delete --namespace NameSpace OpJobReleaseName

      where OpJobReleaseName is the name of the oc-cn-op-job-helm-chart release.

    2. Clean up the domain home from the PV for Billing Care, Billing Care REST, and Business Operations Center:

      rm -rf DomainHome/domains/DomainUID

      where:

      • DomainHome is the location specified in the domainVolHostPath key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop.

      • DomainUID is the domain name specified in the domainUID key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop. Typically, the defaults are billingcare-domain, bcws-domain, and boc-domain respectively.

    3. Clean up the application home from the PV for Billing Care and the Billing Care REST API:

      rm -rf ApplicationHome/billingcare

      where ApplicationHome is the location specified in the appVolHostPath key under groups ocbc.bc.wop and ocbc.bcws.wop.

    4. Clean up the application home from the PV for Business Operations Center:

      rm -rf ApplicationHome/BOC

      where ApplicationHome is the location specified in the appVolHostPath key under group ocboc.boc.wop.

    5. Install oc-cn-op-job-helm-chart again:

      helm install OpJobReleaseName oc-cn-op-job-helm-chart --namespace NameSpace --values OverrideValuesFile

      Wait for the jobs to complete their tasks.

    6. Delete the policy job for Billing Care, the Billing Care REST API, and Business Operations Center:

      kubectl --namespace NameSpace delete job DomainUID-policy-job

      where DomainUID is the domain name specified in the domainUID key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop in the override-values.yaml file. Typically, the defaults are billingcare-domain, bcws-domain, and boc-domain respectively.

    To update the wallet in-place in the PV, do this:

    1. For Billing Care and the Billing Care REST API, update the password in the wallet by following the instructions in "Storing Configuration Entries in the Billing Care Wallet" in BRM Security Guide. The wallet for these clients is located at ApplicationHome/billingcare/wallet/client.

    2. For Business Operations Center, update the password in the wallet by following the instructions in "Storing Configuration Entries in the Business Operations Center Wallet" in BRM Security Guide. The wallet for Business Operations Center is located at ApplicationHome/BOC/wallet/client.

    where ApplicationHome is the location specified in the appVolHostPath key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop.

  6. Delete the PDC and PCC deployments:

    kubectl --namespace NameSpace delete deploy pdc-deployment pcc-deployment

  7. Start the WebLogic servers for BRM Web Services: in the oc-cn-helm-chart/templates/domain_brm_wsm.yaml file, set the serverStartPolicy key to IF_NEEDED.

  8. Update the release of oc-cn-helm-chart to bring up all client services with the updated CM connection details:

    helm upgrade --namespace NameSpace ReleaseName oc-cn-helm-chart --values OverrideValuesFile

  9. Update the BRM root password in your ECE pods by doing this:

    1. Connect via JMX to any of the charging server (ecs) pods.

    2. Navigate to the BRM Connection MBean.

    3. Navigate to the Operations section.

    4. Enter the new BRM root password (RootPassword2) along with the existing wallet password in the setPassword method and then run it.

    5. Perform a test connection to validate that the connection is successful.

    6. Restart the brmgateway pods for the new password to take effect and for the connection pool to BRM to be re-created.
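
The override-values.yaml file passes through two states in this procedure (Table 5-1 before the upgrade in step 3, Table 5-2 before the upgrade in step 8), and each state can be checked before running helm upgrade. The following is an added example, not Oracle's code: it assumes the dotted keys in the tables are nested mappings in override-values.yaml (the usual Helm layout) and that ocbrm.brm_root_password still holds the current password before step 3; flatten_yaml, val, fail, expect, and check_values are illustrative names.

```shell
# Added example (not Oracle code). Password values are compared, never printed.
# Flatten block-style YAML mappings into "a.b.c=value" lines. Assumes dotted keys
# are nested mappings with space indentation and scalar leaves (no lists).
flatten_yaml() {
  awk -v q="'" '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    { ind = 0; while (substr($0, ind + 1, 1) == " ") ind++
      line = substr($0, ind + 1); pos = index(line, ":"); if (pos == 0) next
      key = substr(line, 1, pos - 1); val = substr(line, pos + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val); c = substr(val, 1, 1)
      if (length(val) > 1 && (c == "\"" || c == q) && substr(val, length(val)) == c)
        val = substr(val, 2, length(val) - 2)     # drop one pair of matching quotes
      while (depth > 0 && indent[depth] >= ind) depth--
      depth++; indent[depth] = ind; name[depth] = key
      if (val == "") next                         # parent key, not a leaf
      path = name[1]; for (i = 2; i <= depth; i++) path = path "." name[i]
      print path "=" val }' "$1"
}

# val KEY: value of KEY in $flat (empty when absent); fail/expect record errors.
val() {
  printf '%s\n' "$flat" |
    awk -v k="$1" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}
fail() { echo "FAIL: $*" >&2; rc=1; }
expect() { [ "$(val "$1")" = "$2" ] || fail "$1 must be $2"; }

# check_values FILE rotate|finalize: returns 0 when FILE is ready for that upgrade.
check_values() {
  flat=$(flatten_yaml "$1") || return 2
  rc=0; new=$(val ocbrm.new_brm_root_password); cur=$(val ocbrm.brm_root_password)
  case $2 in
    rotate)                                       # Table 5-1, before step 3
      expect ocbrm.rotate_password true
      expect ocbrm.cm.deployment.load_localized 0
      for g in ocbc.bc.wop ocbc.bcws.wop ocboc.boc.wop; do
        expect "$g.serverStartPolicy" NEVER
      done
      [ -n "$new" ] || fail "ocbrm.new_brm_root_password is not set"
      [ "$new" != "$cur" ] || fail "new root password equals the current one" ;;
    finalize)                                     # Table 5-2, before step 8
      expect ocbrm.rotate_password false
      [ -n "$cur" ] || fail "ocbrm.brm_root_password is not set"
      [ -z "$new" ] || [ "$new" = "$cur" ] ||
        fail "ocbrm.brm_root_password differs from ocbrm.new_brm_root_password" ;;
    *) echo "usage: check_values FILE rotate|finalize" >&2; return 2 ;;
  esac
  return $rc
}
```

Source the functions, then run check_values OverrideValuesFile rotate before the helm upgrade in step 3 and check_values OverrideValuesFile finalize before the one in step 8. A nonzero status means the file does not match the table for that step.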

Rotating the BRM Root Key

You should rotate your root keys on a regular basis to increase security.

To rotate the BRM root key:

  1. Ensure that the cm and dm_oracle pods are up and running.

  2. In your override-values.yaml file for oc-cn-helm-chart, set the ocbrm.root_key_rotate key to true.

  3. Run the helm upgrade command to update your Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

    where:

    • BrmReleaseName is the release name for oc-cn-helm-chart and is used to track this installation instance.

    • OverrideValuesFile is the file name and path to your override-values.yaml file.

    • BrmNameSpace is the name space in which to create BRM Kubernetes objects for the BRM Helm chart.

  4. Restart the cm and dm_oracle pods.

If successful, the root key is rotated and a new root key is generated in the Oracle wallet (the /oms/root-key-wallet/key_rotated file mounted in the PVC). If a key_rotated file already exists in the PVC, you can update the Helm release to avoid rotating the root key again.

After you rotate the root key once, use one of the following methods to rotate the root key again:

Rotating the Root Key Method 1

One method for rotating the root key after you have rotated it once:

  1. Delete the dm_oracle deployment.

  2. Remove the /oms/root-key-wallet/key_rotated file from the PVC.

  3. In your override-values.yaml file for oc-cn-helm-chart, ensure that the ocbrm.root_key_rotate key is set to true.

  4. Run the helm upgrade command to update your Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

Rotating the Root Key Method 2

Another method for rotating the root key after you have rotated it once:

  1. Copy the Oracle wallet from the PVC to the oc-cn-helm-chart/existing_wallet/ directory.

  2. In your override-values.yaml file for oc-cn-helm-chart, do the following:

    • ocbrm.root_key_rotate: Set this key to false.

    • ocbrm.existing_rootkey_wallet: Set this key to true.

  3. Run the helm upgrade command and ensure that the new dm_oracle pod is created:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

  4. In your override-values.yaml file for oc-cn-helm-chart, set the ocbrm.root_key_rotate key to true.

  5. Delete the dm_oracle deployment.

  6. Run the helm upgrade command again:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

  7. Restart the dm_oracle and cm pods.

Rotating the BRM Password

To rotate the BRM password, you must stop and then restart your pods.

To rotate the BRM password:

  1. In your override-values.yaml file for oc-cn-helm-chart, set the ocpdc.labels.isEnabled key to false.

  2. Run the helm upgrade command to update the Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

    where:

    • BrmReleaseName is the release name assigned to your existing oc-cn-helm-chart installation.

    • OverrideValuesFile is the file name and path of your override-values.yaml file.

    • BrmNameSpace is the name space for your existing BRM deployment.

  3. In your override-values.yaml file for oc-cn-helm-chart, set the ocpdc.labels.isEnabled key to true.

  4. Run the helm upgrade command to update the Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace