5 Managing Passwords in BRM Cloud Native

Learn how to manage passwords in your Oracle Communications Billing and Revenue Management (BRM) cloud native environment.

Rotating the BRM Root Password

The BRM root password is the password of the service with the login ID root.0.0.0.1, which all clients use to connect to the Connection Manager (CM). For security reasons, you should change this password at regular intervals.

Changing the BRM root password impacts all clients that connect to the CM service: Billing Care, the Billing Care REST API, Business Operations Center, and BRM Web Services. Therefore, you must provide the new password to your clients so they can continue to connect to the CM service.

The following procedure changes the current BRM root password (RootPassword1) to a new root password (RootPassword2) and then provides RootPassword2 to all of your clients:

  1. In your override-values.yaml file for oc-cn-helm-chart, set the keys in Table 5-1.

    Table 5-1 Initial Key Values

    | Key | Value | Description |
    |---|---|---|
    | ocbrm.rotate_password | true | Specify that the password is being changed. |
    | ocbrm.new_brm_root_password | RootPassword2 | Set a new password for the root.0.0.0.1 service. |
    | ocbrm.cm.deployment.load_localized | 0 | Specify to not reload the localized strings into the database. This was already done during installation. |
    | ocbc.bc.wop.serverStartPolicy | NEVER | Specify to shut down the WebLogic servers for Billing Care. |
    | ocbc.bcws.wop.serverStartPolicy | NEVER | Specify to shut down the WebLogic servers for the Billing Care REST API. |
    | ocboc.boc.wop.serverStartPolicy | NEVER | Specify to shut down the WebLogic servers for Business Operations Center. |

  2. Specify to shut down the WebLogic servers for BRM Web Services. In the oc-cn-helm-chart/templates/domain_brm_wsm.yaml file, set the serverStartPolicy key to NEVER.

  3. Run the helm upgrade command to update the Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

    where:

    • BrmReleaseName is the release name assigned to your existing oc-cn-helm-chart installation.

    • OverrideValuesFile is the file name and path of your override-values.yaml file.

    • BrmNameSpace is the namespace for your existing BRM deployment.

    Updating the release changes the password for service root.0.0.0.1, spins off new pods for the CM and a few other services, and stops services for Billing Care, the Billing Care REST API, Business Operations Center, and BRM Web Services.

  4. Specify to turn off the password rotation indicator and to update the password. In the same override-values.yaml file, set the keys in Table 5-2.

    Table 5-2 Turn Off Password Rotation

    | Key | Value | Description |
    |---|---|---|
    | ocbrm.rotate_password | false | Turn off password rotation. This specifies that the password is not being changed. |
    | ocbrm.brm_root_pass | RootPassword2 | Provide the updated password for the root.0.0.0.1 service. |

  5. Update the password in the Infranet.properties file and wallet for Billing Care, the Billing Care REST API, and Business Operations Center by either reinstalling oc-cn-op-job-helm-chart or updating the wallet in place in the persistent volume (PV).

    To reinstall oc-cn-op-job-helm-chart, do this:

    1. Delete the release of oc-cn-op-job-helm-chart:

      helm delete --namespace NameSpace OpJobReleaseName

      where OpJobReleaseName is the name of the oc-cn-op-job-helm-chart release.

    2. Clean up the domain home from the PV for Billing Care, Billing Care REST, and Business Operations Center:

      rm -rf DomainHome/domains/DomainUID

      where:

      • DomainHome is the location specified in the domainVolHostPath key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop.

      • DomainUID is the domain name specified in the domainUID key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop. Typically, the defaults are billingcare-domain, bcws-domain, and boc-domain respectively.

    3. Clean up the application home from the PV for Billing Care and the Billing Care REST API:

      rm -rf ApplicationHome/billingcare

      where ApplicationHome is the location specified in the appVolHostPath key under groups ocbc.bc.wop and ocbc.bcws.wop.

    4. Clean up the application home from the PV for Business Operations Center:

      rm -rf ApplicationHome/BOC

      where ApplicationHome is the location specified in the appVolHostPath key under group ocboc.boc.wop.

    5. Install oc-cn-op-job-helm-chart again:

      helm install OpJobReleaseName oc-cn-op-job-helm-chart --namespace NameSpace --values OverrideValuesFile

      Wait for the jobs to complete their tasks.

    6. Delete the policy job for Billing Care, the Billing Care REST API, and Business Operations Center:

      kubectl --namespace NameSpace delete job DomainUID-policy-job

      where DomainUID is the domain name specified in the domainUID key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop in the override-values.yaml file. Typically, the defaults are billingcare-domain, bcws-domain, and boc-domain respectively.

    To update the wallet in place in the PV, do this:

    1. For Billing Care and the Billing Care REST API, update the password in the wallet by following the instructions in "Storing Configuration Entries in the Billing Care Wallet" in BRM Security Guide. The wallet for these clients is located at ApplicationHome/billingcare/wallet/client.

    2. For Business Operations Center, update the password in the wallet by following the instructions in "Storing Configuration Entries in the Business Operations Center Wallet" in BRM Security Guide. The wallet for Business Operations Center is located at ApplicationHome/BOC/wallet/client.

    where ApplicationHome is the location specified in the appVolHostPath key under groups ocbc.bc.wop, ocbc.bcws.wop, and ocboc.boc.wop.

  6. Delete the PDC and PCC deployments:

    kubectl --namespace NameSpace delete deploy pdc-deployment pcc-deployment

  7. Specify to start the WebLogic servers for BRM Web Services. In the oc-cn-helm-chart/templates/domain_brm_wsm.yaml file, set the serverStartPolicy key to IF_NEEDED.

  8. Update the release of oc-cn-helm-chart to bring up all client services with the updated CM connection details:

    helm upgrade --namespace NameSpace ReleaseName oc-cn-helm-chart --values OverrideValuesFile

  9. Update the BRM root password in your ECE pods by doing this:

    1. Connect to any of the charging server (ecs) pods through JConsole. See "Creating a JMX Connection to ECE Using JConsole" for more information.

    2. Expand the ECE Configuration node.

    3. Navigate to the BRM Connection node.

    4. Expand Operations.

    5. Enter the new BRM root password (RootPassword2) along with the existing wallet password in the setPassword method and then run it.

    6. Perform a test connection to validate that the connection is successful.

    7. Restart the brmgateway pods so that the new password takes effect and the connection pool to BRM is re-created.

Rotating the BRM Root Key

You should rotate your root keys regularly to increase security.

To rotate the BRM root key:

  1. Ensure that the cm and dm-oracle pods are up and running.

  2. In your override-values.yaml file for oc-cn-helm-chart, set the ocbrm.root_key_rotate key to true.

  3. Run the helm upgrade command to update your Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

    where:

    • BrmReleaseName is the release name for oc-cn-helm-chart and is used to track this installation instance.

    • OverrideValuesFile is the file name and path to your override-values.yaml file.

    • BrmNameSpace is the namespace in which to create BRM Kubernetes objects for the BRM Helm chart.

  4. Restart the cm and dm-oracle pods.

If successful, the root key is rotated and a new one is generated in the Oracle wallet. You can set ocbrm.root_key_rotate to false to avoid rotating the root key again.

Note:

The Oracle wallet is located in the path specified in the BRM_WALLET environment variable.

After you rotate the root key once, use one of the following methods to rotate the root key again:

Rotating the Root Key Method 1

One method for rotating the root key after you have rotated it once:

  1. Delete the dm-oracle deployment.

  2. In your override-values.yaml file for oc-cn-helm-chart, ensure that the ocbrm.root_key_rotate key is set to true.

  3. Run the helm upgrade command to update your Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

Rotating the Root Key Method 2

Use this method to rotate the root key if you are pointing an existing on-premises system to a cloud native environment or upgrading from a previous release.

To rotate the root key after you have rotated it once:

  1. In your override-values.yaml file for oc-cn-helm-chart, do the following:

    • ocbrm.root_key_rotate: Set this key to false.

    • ocbrm.existing_rootkey_wallet: Set this key to true.

  2. Ensure the latest root-key wallet is stored in the Helm charts path, such as oc-cn-helm-chart/existing_wallet/path.

  3. Run the helm upgrade command and ensure that the new dm-oracle pod is created:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

  4. In your override-values.yaml file for oc-cn-helm-chart, set the ocbrm.root_key_rotate key to true.

  5. Delete the dm-oracle deployment.

  6. Run the helm upgrade command again:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

  7. Restart the dm-oracle and cm pods.

Rotating the BRM Password

To rotate the BRM password, stop and restart your pods.

To rotate the BRM password:

  1. In your override-values.yaml file for oc-cn-helm-chart, set the ocpdc.labels.isEnabled key to false.

  2. Run the helm upgrade command to update the Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

    where:

    • BrmReleaseName is the release name assigned to your existing oc-cn-helm-chart installation.

    • OverrideValuesFile is the file name and path of your override-values.yaml file.

    • BrmNameSpace is the namespace for your existing BRM deployment.

  3. In your override-values.yaml file for oc-cn-helm-chart, set the ocpdc.labels.isEnabled key to true.

  4. Run the helm upgrade command to update the Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

Rotating BRM Role Passwords

You set the initial passwords for each role in your BRM cloud native system when you deploy or upgrade your BRM cloud native server and database schema. These passwords are stored in the Oracle wallet. After your system is deployed, you should rotate your role passwords regularly.

To rotate your BRM role passwords after deployment:

  1. Open your override-values.yaml file for oc-cn-helm-chart.

  2. Set the ocbrm.rotate_brm_role_passwords key to true.

  3. Specify the old and new passwords for each role password that you want to rotate using this format:

    ocbrm:
       brm_role_pass:
          old_roleName.0.0.0.1: oldPassword
          roleName.0.0.0.1: newPassword

    where:

    • oldPassword is the old password in Base64-encoded format.

    • newPassword is the new password in Base64-encoded format.

    • roleName is one of the following:

      • acct_recv for the Accounts Receivable role. Users with this role can run the AR utilities such as pin_refund and pin_monitor_balance.

      • bc_client for the Billing Care role. Users with this role can run the Billing Care application.

      • bill_inv_pymt_sub for the Invoice Payments role. Users with this role can run the invoicing utilities such as pin_inv_accts and pin_upd_assoc_bus_profile.

      • billing for the Billing role. Users with this role can run billing applications such as pin_bill_accts and pin_rollover.

      • boc_client for the Business Operations Center role. Users with this role can run the Business Operations Center application.

      • collections for the Collections role. Users with this role can run the collections utilities such as pin_collections_process and pin_collections_send_dunning.

      • crypt_utils for the Encryption role. Users with this role can run the encryption utilities such as pin_crypt_upgrade and pin_crypt_upgrade_keys.

      • cust_center for the Customer Center role. Users with this role can run the Customer Center application.

      • cust_mgnt for the Customer Management role. Users with this role can run the customer management utilities such as pin_contracts and pin_state_change.

      • invoicing for the Invoicing role. Users with this role can run the invoicing utilities such as pin_inv_accts and pin_inv_doc_gen.

      • java_client for the Java Applications role. Users with this role can run Java applications such as Account Migration Manager and Conversion Manager.

      • load_utils for the Load Utilities role. Users with this role can run the load utilities such as load_config and load_pin_calendar.

      • payments for the Payments role. Users with this role can run the payment utilities such as pin_installments and pin_recover.

      • pcc_client for the Pipeline Configuration Center role. Users with this role can run the Pipeline Configuration Center application.

      • rerating for the Rerating role. Users with this role can run the rerating utilities such as pin_rerate and pin_rate_change.

      • rsm for the REST Services Manager role. Users with this role can call the BRM REST Services Manager API operations.

      • super_user for the Super User role. Users with this role can create, update, and delete other roles.

      • ui_client for the Thick Clients role. Users with this role can run the thick clients such as Payment Center and Number Administration Center.

      • ece for the ECE role. Users with this role can run Elastic Charging Engine (ECE).

    For example, to rotate the Business Operations Center and Pipeline Configuration Center roles, you would enter the following:

    ocbrm:
       brm_role_pass:
          old_boc_client.0.0.0.1: oldBOCPassword
          boc_client.0.0.0.1: newBOCPassword
          old_pcc_client.0.0.0.1: oldPCCPassword
          pcc_client.0.0.0.1: newPCCPassword

  4. Keep all other role passwords in the file.

  5. Run the helm upgrade command to update your Helm release:

    helm upgrade BrmReleaseName oc-cn-helm-chart --values OverrideValuesFile -n BrmNameSpace

    where:

    • BrmReleaseName is the release name for oc-cn-helm-chart and is used to track this installation instance.

    • OverrideValuesFile is the file name and path to your override-values.yaml file.

    • BrmNameSpace is the namespace in which to create BRM Kubernetes objects for the BRM Helm chart.

If successful, BRM cloud native:

  • Rotates the passwords for role names prefixed with old_.

  • Generates the new role passwords in the Oracle wallet.

All other passwords remain the same. You can set ocbrm.rotate_brm_role_passwords to false to avoid rotating the role passwords again.
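
The following pre-flight check is an added example, not part of Oracle's documentation or chart code. It reads the brm_role_pass block in the format shown in step 3 and reports old_roleName entries with no matching roleName entry, values that are not Base64, and values whose decoded password ends in a newline. The function names, the temporary file, and the sample passwords are constructed for illustration.

```shell
# Added example, not Oracle code: lint the ocbrm.brm_role_pass block of an
# override-values.yaml before helm upgrade. Assumes unquoted scalar values.

# Print "key value" for each entry nested under the brm_role_pass key.
role_entries() {
  awk '
    /^ *brm_role_pass: *$/ { inblk = 1; ind = match($0, /[^ ]/); next }
    inblk && NF && match($0, /[^ ]/) <= ind { inblk = 0 }
    inblk && NF && $1 !~ /^#/ { sub(/:$/, "", $1); print $1, $2 }
  ' "$1"
}

# Return 0 if the block is consistent; otherwise print findings and return 1.
check_role_pass() {
  entries=$(role_entries "$1"); status=0
  b64='^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
  while read -r key val; do
    [ -n "$key" ] || continue
    if [ -z "$val" ] || ! printf '%s\n' "$val" | grep -Eq "$b64"; then
      echo "$key: value is not Base64"; status=1; continue
    fi
    # Piping echo into base64 encodes a trailing newline; printf '%s' does not.
    last=$(printf '%s' "$val" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || { echo "$key: decoded value ends in a newline"; status=1; }
    case $key in
      old_*)  # every old_roleName entry needs its roleName counterpart
        printf '%s\n' "$entries" | cut -d' ' -f1 | grep -qxF "${key#old_}" ||
          { echo "$key: no matching ${key#old_} entry"; status=1; } ;;
    esac
  done <<EOF
$entries
EOF
  return $status
}

# Constructed sample (made-up passwords): the second pair has a mistyped new
# key, and its value was encoded together with a trailing newline.
demo_values=$(mktemp)
cat > "$demo_values" <<'EOF'
ocbrm:
   rotate_brm_role_passwords: true
   brm_role_pass:
      old_boc_client.0.0.0.1: b2xkQk9D
      boc_client.0.0.0.1: bmV3Qk9D
      old_pcc_client.0.0.0.1: b2xkUEND
      pcc.0.0.0.1: bmV3UENDCg==
EOF
check_role_pass "$demo_values" || echo "fix the findings before helm upgrade"
rm -f "$demo_values"
```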