Edge for Private Cloud v. 4.17.09
You can reset the OpenLDAP, Apigee Edge system administrator, Edge organization user, and Cassandra passwords after the installation is complete.
Reset OpenLDAP Password
Depending on your Edge configuration, OpenLDAP can be installed as:
- A single instance of OpenLDAP installed on the Management Server node. For example, in a 2-node, 5-node, or 9-node Edge configuration.
- Multiple OpenLDAP instances installed on Management Server nodes, configured with OpenLDAP replication. For example, in a 12-node Edge configuration.
- Multiple OpenLDAP instances installed on their own nodes, configured with OpenLDAP replication. For example, in a 13-node Edge configuration.
The way you reset the OpenLDAP password depends on your configuration.
For a single instance of OpenLDAP installed on the Management Server, perform the following:
- On the Management Server node, run the following command to create the new OpenLDAP password:
> /opt/apigee/apigee-service/bin/apigee-service apigee-openldap change-ldap-password -o oldPword -n newPword
- Run the following command to store the new password for access by the Management Server:
> /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_ldap_credentials -p newPword
This command restarts the Management Server.
In an OpenLDAP replication setup with OpenLDAP installed on Management Server nodes, follow the above steps on both Management Server nodes to update the password.
In an OpenLDAP replication setup with OpenLDAP being on a node other than Management Server, ensure that you first change the password on both OpenLDAP nodes, then on both Management Server nodes.
Reset System Admin Password
Resetting the system admin password requires you to reset the password in two places:
- Management Server
- UI
Warning: You should stop the Edge UI before resetting the system admin password. Because you reset the password first on the Management Server, there can be a short period of time when the UI is still using the old password. If the UI makes more than three calls using the old password, the OpenLDAP server locks out the system admin account for three minutes.
To reset the system admin password:
- On the UI node, stop the Edge UI:
> /opt/apigee/apigee-service/bin/apigee-service edge-ui stop
- On the Management Server, run the following command to reset the password:
> /opt/apigee/apigee-service/bin/apigee-service edge-management-server change_sysadmin_password -o currentPW -n newPW
- Edit the silent config file that you used to install the Edge UI to set the following properties:
APIGEE_ADMINPW=newPW
SMTPHOST=smtp.gmail.com
SMTPPORT=465
SMTPUSER=foo@gmail.com
SMTPPASSWORD=bar
SMTPSSL=y
SMTPMAILFROM="My Company <myco@company.com>"
Note that you have to include the SMTP properties when passing the new password because all properties on the UI are reset.
- Use the apigee-setup utility to reset the password on the Edge UI from the config file:
> /opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile
- (Only if TLS is enabled on the UI) Re-enable TLS on the Edge UI as described in Configuring TLS for the management UI.
In an OpenLDAP replication environment with multiple Management Servers, resetting the password on one Management Server updates the other Management Server automatically. However, you have to update all Edge UI nodes separately.
Reset Organization User Password
To reset the password for an organization user, use the apigee-service utility to invoke apigee-setup:
/opt/apigee/apigee-service/bin/apigee-service apigee-setup reset_user_password [-h] [-u USER_EMAIL] [-p USER_PWD] [-a ADMIN_EMAIL] [-P APIGEE_ADMINPW] [-f configFile]
For example:
> /opt/apigee/apigee-service/bin/apigee-service apigee-setup reset_user_password -u user@myCo.com -p foo12345 -a admin@myCo.com -P adminPword
Shown below is an example config file that you can use with the "-f" option:
USER_NAME=user@myCo.com
USER_PWD="foo12345"
APIGEE_ADMINPW=adminPword
You can also use the Update user API to change the user password.
Sys Admin and Organization User Password Rules
Use this section to enforce a desired level of password length and strength for your API management users. The settings use a series of preconfigured (and uniquely numbered) regular expressions to check password content (such as uppercase, lowercase, numbers, and special characters). Write these settings to the /opt/apigee/customer/application/management-server.properties file. If that file does not exist, create it.
After editing management-server.properties, restart the management server:
> /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
You can then set password strength ratings by grouping different combinations of regular expressions. For example, you can determine that a password with at least one uppercase and one lowercase letter gets a strength rating of "3", but that a password with at least one lowercase letter and one number gets a stronger rating of "4".
conf_security_password.validation.minimum.rating.required=3
conf_security_password.validation.default.rating=2
Use these to determine the overall characteristics of valid passwords. The default minimum rating for password strength (described later in this section) is 3. Notice that password.validation.default.rating=2 is lower than the minimum rating required, which means that if a password entered falls outside of the rules you configure, the password is rated a 2 and is therefore invalid (below the minimum rating of 3).
Following are regular expressions that identify password characteristics. Note that each one is numbered. For example, "password.validation.regex.5=…" is expression number 5. You'll use these numbers in a later section of the file to set different combinations that determine overall password strength.
Property | Description
---|---
conf_security_password.validation.regex.1=^(.)\\1+$ | 1 – All characters repeat
conf_security_password.validation.regex.2=^.*[a-z]+.*$ | 2 – At least one lowercase letter
conf_security_password.validation.regex.3=^.*[A-Z]+.*$ | 3 – At least one uppercase letter
conf_security_password.validation.regex.4=^.*[0-9]+.*$ | 4 – At least one digit
conf_security_password.validation.regex.5=^.*[^a-zA-z0-9]+.*$ | 5 – At least one special character (not including underscore _)
conf_security_password.validation.regex.6=^.*[_]+.*$ | 6 – At least one underscore
conf_security_password.validation.regex.7=^.*[a-z]{2,}.*$ | 7 – More than one lowercase letter
conf_security_password.validation.regex.8=^.*[A-Z]{2,}.*$ | 8 – More than one uppercase letter
conf_security_password.validation.regex.9=^.*[0-9]{2,}.*$ | 9 – More than one digit
conf_security_password.validation.regex.10=^.*[^a-zA-z0-9]{2,}.*$ | 10 – More than one special character (not including underscore)
conf_security_password.validation.regex.11=^.*[_]{2,}.*$ | 11 – More than one underscore
The following rules determine password strength based on password content. Each rule includes one or more regular expressions from the previous section and assigns a numeric strength to it. The numeric strength of a password is compared to the conf_security_password.validation.minimum.rating.required number at the top of this file to determine whether or not a password is valid.
conf_security_password.validation.rule.1=1,AND,0
conf_security_password.validation.rule.2=2,3,4,AND,4
conf_security_password.validation.rule.3=2,9,AND,4
conf_security_password.validation.rule.4=3,9,AND,4
conf_security_password.validation.rule.5=5,6,OR,4
conf_security_password.validation.rule.6=3,2,AND,3
conf_security_password.validation.rule.7=2,9,AND,3
conf_security_password.validation.rule.8=3,9,AND,3
Each rule is numbered. For example, "password.validation.rule.3=…" is rule number 3. Each rule uses the following format (right of the equals sign):
<regex-index-list>,<AND|OR>,<rating>
regex-index-list is the list of regular expressions (by number from the previous section), along with an AND|OR operator (meaning, consider all or any of the expressions listed). rating is the numeric strength rating given to each rule. For example, rule 5 means that any password with at least one special character OR one underscore gets a strength rating of 4. With password.validation.minimum.
conf_security_rbac.password.validation.enabled=true
Set role-based access control password validation to false when single sign-on (SSO) is enabled. Default is true.
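To make the rating scheme concrete, here is an added Python model of how the numbered regexes and the rule lines combine into a strength rating. It is not Apigee's code and it assumes two things the page does not state: that when several rules match, the highest rating wins, and that a password matching no rule receives the default rating. The properties text is constructed from the settings listed above; the `.properties` parser only handles the doubled backslash needed by regex 1.

```python
import re

# Prefix shared by every password-validation key in management-server.properties.
PREFIX = "conf_security_password.validation."

# Constructed sample of /opt/apigee/customer/application/management-server.properties,
# built from the property names and values documented above. A real file may carry
# other conf_* settings too; they are ignored here.
SAMPLE_PROPERTIES = r"""
conf_security_password.validation.minimum.rating.required=3
conf_security_password.validation.default.rating=2
conf_security_password.validation.regex.1=^(.)\\1+$
conf_security_password.validation.regex.2=^.*[a-z]+.*$
conf_security_password.validation.regex.3=^.*[A-Z]+.*$
conf_security_password.validation.regex.4=^.*[0-9]+.*$
conf_security_password.validation.regex.5=^.*[^a-zA-z0-9]+.*$
conf_security_password.validation.regex.6=^.*[_]+.*$
conf_security_password.validation.regex.7=^.*[a-z]{2,}.*$
conf_security_password.validation.regex.8=^.*[A-Z]{2,}.*$
conf_security_password.validation.regex.9=^.*[0-9]{2,}.*$
conf_security_password.validation.regex.10=^.*[^a-zA-z0-9]{2,}.*$
conf_security_password.validation.regex.11=^.*[_]{2,}.*$
conf_security_password.validation.rule.1=1,AND,0
conf_security_password.validation.rule.2=2,3,4,AND,4
conf_security_password.validation.rule.3=2,9,AND,4
conf_security_password.validation.rule.4=3,9,AND,4
conf_security_password.validation.rule.5=5,6,OR,4
conf_security_password.validation.rule.6=3,2,AND,3
conf_security_password.validation.rule.7=2,9,AND,3
conf_security_password.validation.rule.8=3,9,AND,3
"""


def parse_properties(text):
    """Minimal key=value parser. The only .properties escape handled is the doubled
    backslash: \\1 in the file is the backreference \1 once the file is loaded."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def load_policy(props):
    """Collect the numbered regexes, the numbered rules and the two rating thresholds."""
    regexes, rules = {}, {}
    for key, value in props.items():
        if key.startswith(PREFIX + "regex."):
            regexes[int(key[len(PREFIX) + len("regex."):])] = re.compile(value)
        elif key.startswith(PREFIX + "rule."):
            # Rule format: <regex-index-list>,<AND|OR>,<rating>
            *indices, operator, rating = [p.strip() for p in value.split(",")]
            rules[int(key[len(PREFIX) + len("rule."):])] = (
                [int(i) for i in indices], operator.upper(), int(rating))
    return {
        "regexes": regexes,
        "rules": rules,
        "minimum": int(props[PREFIX + "minimum.rating.required"]),
        "default": int(props[PREFIX + "default.rating"]),
    }


def rate_password(password, policy):
    """Return (rating, matched_rule_numbers).

    Assumption (not stated on the page): when several rules match, the highest
    rating wins; when no rule matches, the password gets the default rating."""
    matched = []
    for number, (indices, operator, rating) in sorted(policy["rules"].items()):
        # fullmatch mirrors whole-string matching; the patterns are anchored anyway.
        hits = [policy["regexes"][i].fullmatch(password) is not None for i in indices]
        if (operator == "AND" and all(hits)) or (operator == "OR" and any(hits)):
            matched.append((number, rating))
    if not matched:
        return policy["default"], []
    return max(r for _, r in matched), [n for n, _ in matched]


def is_valid(password, policy):
    """A password is accepted when its rating reaches minimum.rating.required."""
    rating, _ = rate_password(password, policy)
    return rating >= policy["minimum"]


POLICY = load_policy(parse_properties(SAMPLE_PROPERTIES))

if __name__ == "__main__":
    for candidate in ["Passw0rd", "password", "aaaaaaaa", "hello_world", "abc12"]:
        rating, rules = rate_password(candidate, POLICY)
        verdict = "valid" if is_valid(candidate, POLICY) else "rejected"
        print(f"{candidate:12} rating={rating} rules={rules} -> {verdict}")
```

Running the script shows the effect of the defaults: "password" matches regexes 2 and 7 but no rule, so it falls to the default rating of 2 and is rejected; "aaaaaaaa" trips rule 1 and is rated 0; "hello_world" is rated 4 through rule 5 because the underscore satisfies regex 6 even though regex 5 deliberately excludes it.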
Resetting Cassandra password
By default, Cassandra ships with authentication disabled. If you enable authentication, it uses a predefined user named 'cassandra' with a password of 'cassandra'. You can use this account, set a different password for this account, or create a new Cassandra user. Add, remove, and modify users by using the Cassandra CREATE/ALTER/DROP USER statements.
For information on how to enable Cassandra authentication, see Enable Cassandra authentication.
To reset the Cassandra password, you have to:
- Set the password on any one Cassandra node and it will be broadcast to all Cassandra nodes in the ring
- Update the Management Server, Message Processors, Routers, Qpid servers, Postgres servers, and BaaS Stack on each node with the new password
For more information, see http://www.datastax.com/documentation/cql/3.0/cql/cql_reference/cqlCommandsTOC.html.
To reset the Cassandra password:
- Log into any one Cassandra node using the cqlsh tool and the default credentials. You only have to change the password on one Cassandra node and it will be broadcast to all Cassandra nodes in the ring:
> /opt/apigee/apigee-cassandra/bin/cqlsh cassIP 9042 -u cassandra -p cassandra
Where:
- cassIP is the IP address of the Cassandra node.
- 9042 is the Cassandra port.
- The default user is cassandra.
- The default password is cassandra. If you changed the password previously, use the current password.
- Run the following command at the cqlsh> prompt to update the password:
cqlsh> ALTER USER cassandra WITH PASSWORD 'NEW_PASSWORD';
If the new password contains a single quote character, escape it by preceding it with another single quote character.
- Exit the cqlsh tool:
cqlsh> exit
- On the Management Server node, run the following command:
> /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_cassandra_credentials -u CASS_USERNAME -p CASS_PASSWORD
Optionally, you can pass a file to the command containing the new username and password:
> apigee-service edge-management-server store_cassandra_credentials -f configFile
Where the configFile contains the following:
CASS_USERNAME=CASS_USERNAME
CASS_PASSWORD=CASS_PASSWORD
This command automatically restarts the Management Server.
- Repeat step 4 on:
- All Message Processors
- All Routers
- All Qpid servers (edge-qpid-server)
- Postgres servers (edge-postgres-server)
- On the BaaS Stack node for version 4.16.05.04 and later:
- Run the following command to generate an encrypted password:
> /opt/apigee/apigee-service/bin/apigee-service baas-usergrid secure_password
This command prompts you for the plain text password and returns the encrypted password in the form:
SECURE:ae1b6dedbf6b26aaab8bee815a910737c1c15b55f3505c239e43bc09f8050
- Set the following tokens in /opt/apigee/customer/application/usergrid.properties. If that file does not exist, create it:
usergrid-deployment_cassandra.username=cassandra
usergrid-deployment_cassandra.password=SECURE:ae1b6dedbf6b26aaab8bee815a910737c1c15b55f3505c239e43bc09f8050
This example uses the default username for Cassandra. If you changed the username, set the value of usergrid-deployment_cassandra.username accordingly.
Ensure that you include the "SECURE:" prefix on the password. Otherwise, the BaaS Stack interprets the value as unencrypted.
Note: Each BaaS Stack node has its own unique key used to encrypt the password. Therefore, you must generate the encrypted value on each BaaS Stack node separately.
- Change ownership of the usergrid.properties file to the 'apigee' user:
> chown apigee:apigee /opt/apigee/customer/application/usergrid.properties
- Configure the Stack node:
> /opt/apigee/apigee-service/bin/apigee-service baas-usergrid configure
- Restart the BaaS Stack:
> /opt/apigee/apigee-service/bin/apigee-service baas-usergrid restart
- Repeat these steps for all BaaS Stack nodes.
The Cassandra password is now changed.
Resetting PostgreSQL password
By default, the PostgreSQL database has two users defined: 'postgres' and 'apigee'. Both users have a default password of 'postgres'. Use the following procedure to change the default password.
Change the password on all Postgres master nodes. If you have two Postgres servers configured in master/standby mode, then you only have to change the password on the master node. See Set up Master-Standby Replication for Postgres for more.
- On the Master Postgres node, change directory to /opt/apigee/apigee-postgresql/pgsql/bin.
- Set the PostgreSQL 'postgres' user password:
- Log in to the PostgreSQL database using the command:
> psql -h localhost -d apigee -U postgres
- When prompted, enter the 'postgres' user password as 'postgres'.
- At the PostgreSQL command prompt, enter the following command to change the default password:
apigee=> ALTER USER postgres WITH PASSWORD 'apigee1234';
- Exit the PostgreSQL database using the command:
apigee=> \q
- Set the PostgreSQL 'apigee' user password:
- Log in to the PostgreSQL database using the command:
> psql -h localhost -d apigee -U apigee
- When prompted, enter the 'apigee' user password as 'postgres'.
- At the PostgreSQL command prompt, enter the following command to change the default password:
apigee=> ALTER USER apigee WITH PASSWORD 'apigee1234';
- Exit the PostgreSQL database using the command:
apigee=> \q
- Set APIGEE_HOME:
> export APIGEE_HOME=/opt/apigee/edge-postgres-server
- Encrypt the new password:
> sh /opt/apigee/edge-postgres-server/utils/scripts/utilities/passwordgen.sh apigee1234
This command returns the encrypted password as shown below. The encrypted password starts after the ":" character and does not include the ":".
Encrypted string :WheaR8U4OeMEM11erxA3Cw==
- Update the Management Server node with the new encrypted passwords for the 'postgres' and 'apigee' users.
- On the Management Server, change directory to /opt/apigee/customer/application.
- Edit the management-server.properties file to set the following properties. If this file does not exist, create it:
conf_pg-agent_password=newEncryptedPasswordForPostgresUser
conf_pg-ingest_password=newEncryptedPasswordForPostgresUser
conf_query-service_pgDefaultPwd=newEncryptedPasswordForApigeeUser
conf_query-service_dwDefaultPwd=newEncryptedPasswordForApigeeUser
conf_analytics_aries.pg.password=newEncryptedPasswordForPostgresUser
Note: Some properties take the encrypted 'postgres' user password, and some take the encrypted 'apigee' user password.
- Make sure the file is owned by the 'apigee' user:
> chown apigee:apigee management-server.properties
- Update all Postgres Server and Qpid Server nodes with the new encrypted password.
- On the Postgres Server or Qpid Server node, change directory to /opt/apigee/customer/application.
- Edit the following files. If these files do not exist, create them:
- postgres-server.properties
- qpid-server.properties
- Add the following properties to the files:
conf_pg-agent_password=newEncryptedPasswordForPostgresUser
conf_pg-ingest_password=newEncryptedPasswordForPostgresUser
conf_query-service_pgDefaultPwd=newEncryptedPasswordForPostgresUser
conf_query-service_dwDefaultPwd=newEncryptedPasswordForPostgresUser
conf_analytics_aries.pg.password=newEncryptedPasswordForPostgresUser
Note: All of these properties take the encrypted 'postgres' user password.
- Make sure the files are owned by the 'apigee' user:
> chown apigee:apigee postgres-server.properties
> chown apigee:apigee qpid-server.properties
- Restart the following components in this order:
- PostgreSQL database:
> /opt/apigee/apigee-service/bin/apigee-service apigee-postgresql restart
- Qpid Server:
> /opt/apigee/apigee-service/bin/apigee-service edge-qpid-server restart
- Postgres Server:
> /opt/apigee/apigee-service/bin/apigee-service edge-postgres-server restart
- Management Server:
> /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart