Edge for Private Cloud v4.19.01
After you complete the installation, you can reset the following passwords:
- OpenLDAP password
- System admin password
- Organization user password
- Cassandra password
- PostgreSQL password
Instructions on resetting each of these passwords are included in the sections that follow.
Reset OpenLDAP password
The way you reset the OpenLDAP password depends on your configuration. Depending on your Edge configuration, OpenLDAP can be installed as:
- A single instance of OpenLDAP installed on the Management Server node. For example, in a 2-node, 5-node, or 9-node Edge configuration.
- Multiple OpenLDAP instances installed on Management Server nodes, configured with OpenLDAP replication. For example, in a 12-node Edge configuration.
- Multiple OpenLDAP instances installed on their own nodes, configured with OpenLDAP replication. For example, in a 13-node Edge configuration.
For a single instance of OpenLDAP installed on the Management Server, perform the following:
- On the Management Server node, run the following command to create the new OpenLDAP password:
  /opt/apigee/apigee-service/bin/apigee-service apigee-openldap change-ldap-password -o OLD_PASSWORD -n NEW_PASSWORD
- Run the following command to store the new password for access by the Management Server:
  /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_ldap_credentials -p NEW_PASSWORD
  This command restarts the Management Server.
In an OpenLDAP replication setup with OpenLDAP installed on Management Server nodes, follow the above steps on both Management Server nodes to update the password.
In an OpenLDAP replication setup with OpenLDAP on a node other than the Management Server, ensure that you first change the password on both OpenLDAP nodes, then on both Management Server nodes.
Reset system admin password
Resetting the system admin password requires you to reset the password in two places:
- Management Server
- UI
To reset the system admin password:
- Edit the silent config file that you used to install the Edge UI to set the following properties:
  APIGEE_ADMINPW=NEW_PASSWORD
  SMTPHOST=smtp.gmail.com
  SMTPPORT=465
  SMTPUSER=foo@gmail.com
  SMTPPASSWORD=bar
  SMTPSSL=y
  SMTPMAILFROM="My Company <myco@company.com>"
  Note that you have to include the SMTP properties when passing the new password because all properties on the UI are reset.
- On the UI node, stop the Edge UI:
  /opt/apigee/apigee-service/bin/apigee-service edge-ui stop
- Use the apigee-setup utility to reset the password on the Edge UI from the config file:
  /opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile
- (Only if TLS is enabled on the UI) Re-enable TLS on the Edge UI as described in Configuring TLS for the management UI.
- On the Management Server, create a new XML file. In this file, set the user ID to "admin" and define the password, first name, last name, and email address using the following format:
  <User id="admin">
    <Password><![CDATA[password]]></Password>
    <FirstName>first_name</FirstName>
    <LastName>last_name</LastName>
    <EmailId>email_address</EmailId>
  </User>
- On the Management Server, execute the following command:
  curl -u "admin_email_address:admin_password" -H "Content-Type: application/xml" -H "Accept: application/json" -X POST "http://localhost:8080/v1/users/admin_email_address" -d @your_data_file
  Where your_data_file is the file you created in the previous step.
  Edge updates your admin password on the Management Server.
- Delete the XML file you created. Passwords should never be permanently stored in clear text.
In an OpenLDAP replication environment with multiple Management Servers, resetting the password on one Management Server updates the other Management Server automatically. However, you have to update all Edge UI nodes separately.
Reset organization user password
To reset the password for an organization user, use the apigee-service utility to invoke apigee-setup, as the following example shows:
/opt/apigee/apigee-service/bin/apigee-service apigee-setup reset_user_password [-h] [-u USER_EMAIL] [-p USER_PWD] [-a ADMIN_EMAIL] [-P APIGEE_ADMINPW] [-f configFile]
For example:
/opt/apigee/apigee-service/bin/apigee-service apigee-setup reset_user_password -u user@myCo.com -p Foo12345 -a admin@myCo.com -P adminPword
Shown below is an example config file that you can use with the "-f" option:
USER_NAME=user@myCo.com
USER_PWD="Foo12345"
APIGEE_ADMINPW=ADMIN_PASSWORD
You can also use the Update user API to change the user password.
SysAdmin and organization user password rules
Use this section to enforce a desired level of password length and strength for your API
management users. The settings use a series of preconfigured (and uniquely numbered) regular
expressions to check password content (such as uppercase, lowercase, numbers, and special
characters). Write these settings to /opt/apigee/customer/application/management-server.properties
file. If that file does not exist, create it.
After editing management-server.properties, restart the management server:
/opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
You can then set password strength ratings by grouping different combinations of regular expressions. For example, you can determine that a password with at least one uppercase and one lowercase letter gets a strength rating of "3", but that a password with at least one lowercase letter and one number gets a stronger rating of "4".
Property | Description |
---|---|
conf_security_password.validation.minimum.password.length=8; conf_security_password.validation.default.rating=2; conf_security_password.validation.minimum.rating.required=3 | Use these to determine the overall characteristics of valid passwords. The default minimum rating for password strength (described later in this section) is 3. Notice that password.validation.default.rating=2 is lower than the minimum rating required, which means that if a password entered falls outside of the rules you configure, the password is rated a 2 and is therefore invalid (below the minimum rating of 3). |

Following are regular expressions that identify password characteristics. Note that each one is numbered:

Property | Description |
---|---|
conf_security_password.validation.regex.1=^(.)\\1+$ | 1: All characters repeat |
conf_security_password.validation.regex.2=^.*[a-z]+.*$ | 2: At least one lowercase letter |
conf_security_password.validation.regex.3=^.*[A-Z]+.*$ | 3: At least one uppercase letter |
conf_security_password.validation.regex.4=^.*[0-9]+.*$ | 4: At least one digit |
conf_security_password.validation.regex.5=^.*[^a-zA-z0-9]+.*$ | 5: At least one special character (not including underscore _) |
conf_security_password.validation.regex.6=^.*[_]+.*$ | 6: At least one underscore |
conf_security_password.validation.regex.7=^.*[a-z]{2,}.*$ | 7: More than one lowercase letter |
conf_security_password.validation.regex.8=^.*[A-Z]{2,}.*$ | 8: More than one uppercase letter |
conf_security_password.validation.regex.9=^.*[0-9]{2,}.*$ | 9: More than one digit |
conf_security_password.validation.regex.10=^.*[^a-zA-z0-9]{2,}.*$ | 10: More than one special character (not including underscore) |
conf_security_password.validation.regex.11=^.*[_]{2,}.*$ | 11: More than one underscore |

The following rules determine password strength based on password content. Each rule includes one or more regular expressions from the previous section and assigns a numeric strength to it. The numeric strength of a password is compared to the conf_security_password.validation.minimum.rating.required number at the top of this file to determine whether or not a password is valid. Each rule is numbered and uses the following format (right of the equals sign):

regex-index-list,[AND|OR],rating

regex-index-list is the list of regular expressions (by number from the previous section), combined with an AND or OR operator; rating is the numeric strength rating given to each rule. For example, rule 5 means that any password with at least one special character OR one underscore gets a strength rating of 4.

Property | Description |
---|---|
conf_security_password.validation.rule.1=1,AND,0 | Rule 1: regex 1; rating 0 |
conf_security_password.validation.rule.2=2,3,4,AND,4 | Rule 2: regexes 2, 3 and 4 combined with AND; rating 4 |
conf_security_password.validation.rule.3=2,9,AND,4 | Rule 3: regexes 2 and 9 combined with AND; rating 4 |
conf_security_password.validation.rule.4=3,9,AND,4 | Rule 4: regexes 3 and 9 combined with AND; rating 4 |
conf_security_password.validation.rule.5=5,6,OR,4 | Rule 5: regexes 5 and 6 combined with OR; rating 4 |
conf_security_password.validation.rule.6=3,2,AND,3 | Rule 6: regexes 3 and 2 combined with AND; rating 3 |
conf_security_password.validation.rule.7=2,9,AND,3 | Rule 7: regexes 2 and 9 combined with AND; rating 3 |
conf_security_password.validation.rule.8=3,9,AND,3 | Rule 8: regexes 3 and 9 combined with AND; rating 3 |

Property | Description |
---|---|
conf_security_rbac.password.validation.enabled=true | Set role-based access control password validation to false when single sign-on (SSO) is enabled. Default is true. |
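As an added example (not part of this page or of Apigee's own code), the following Python script loads the default settings listed above from a constructed management-server.properties excerpt, evaluates the numbered regular expressions against a candidate password, applies the rules, and checks the result against the minimum length and minimum rating. The page does not state how the ratings of several matching rules are combined; the script assumes the highest rating among the matching rules wins and that the default rating applies when no rule matches. It also shows a consequence of the character class [^a-zA-z0-9] used by regexes 5 and 10: the range A-z covers the ASCII characters between Z and a ([, \, ], ^, _ and the backtick), so those are not counted as special characters. That is why the description of regex 5 excludes the underscore, and it means a password whose only non-alphanumeric character is ^ is rated as if it contained none.

```python
import re

# Constructed excerpt of management-server.properties using the defaults shown on this page.
PROPERTIES_TEXT = r"""
conf_security_password.validation.minimum.password.length=8
conf_security_password.validation.default.rating=2
conf_security_password.validation.minimum.rating.required=3
conf_security_password.validation.regex.1=^(.)\\1+$
conf_security_password.validation.regex.2=^.*[a-z]+.*$
conf_security_password.validation.regex.3=^.*[A-Z]+.*$
conf_security_password.validation.regex.4=^.*[0-9]+.*$
conf_security_password.validation.regex.5=^.*[^a-zA-z0-9]+.*$
conf_security_password.validation.regex.6=^.*[_]+.*$
conf_security_password.validation.regex.7=^.*[a-z]{2,}.*$
conf_security_password.validation.regex.8=^.*[A-Z]{2,}.*$
conf_security_password.validation.regex.9=^.*[0-9]{2,}.*$
conf_security_password.validation.regex.10=^.*[^a-zA-z0-9]{2,}.*$
conf_security_password.validation.regex.11=^.*[_]{2,}.*$
conf_security_password.validation.rule.1=1,AND,0
conf_security_password.validation.rule.2=2,3,4,AND,4
conf_security_password.validation.rule.3=2,9,AND,4
conf_security_password.validation.rule.4=3,9,AND,4
conf_security_password.validation.rule.5=5,6,OR,4
conf_security_password.validation.rule.6=3,2,AND,3
conf_security_password.validation.rule.7=2,9,AND,3
conf_security_password.validation.rule.8=3,9,AND,3
"""

PREFIX = "conf_security_password.validation."


def load_policy(text):
    """Parse the properties text into length/rating thresholds, compiled regexes and rules."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Java .properties escaping: "\\" in the file is one backslash in the value,
        # so regex.1 becomes ^(.)\1+$ (a backreference to the first character).
        props[key.strip()] = value.strip().replace("\\\\", "\\")

    regexes, rules = {}, []
    for key, value in props.items():
        if key.startswith(PREFIX + "regex."):
            regexes[int(key[len(PREFIX + "regex."):])] = re.compile(value)
        elif key.startswith(PREFIX + "rule."):
            parts = value.split(",")          # e.g. "2,3,4,AND,4"
            indexes = [int(p) for p in parts[:-2]]
            rules.append((int(key[len(PREFIX + "rule."):]), indexes, parts[-2], int(parts[-1])))
    rules.sort()  # evaluate in rule-number order
    return {
        "min_length": int(props[PREFIX + "minimum.password.length"]),
        "default_rating": int(props[PREFIX + "default.rating"]),
        "min_rating": int(props[PREFIX + "minimum.rating.required"]),
        "regexes": regexes,
        "rules": rules,
    }


def rate_password(password, policy):
    """Return (rating, list of matching rule numbers) for a password."""
    matched = {n: rx.search(password) is not None for n, rx in policy["regexes"].items()}
    rating, hits = None, []
    for number, indexes, op, rule_rating in policy["rules"]:
        results = [matched[i] for i in indexes]
        if all(results) if op == "AND" else any(results):
            hits.append(number)
            # ASSUMPTION: the page does not say how several matching rules combine;
            # this example takes the highest rating among the rules that match.
            rating = rule_rating if rating is None else max(rating, rule_rating)
    if rating is None:
        rating = policy["default_rating"]  # no rule matched: fall back to the default
    return rating, hits


def validate_password(password, policy):
    """Apply the minimum length, then the minimum rating. Returns (is_valid, reason)."""
    if len(password) < policy["min_length"]:
        return False, "shorter than minimum length %d" % policy["min_length"]
    rating, hits = rate_password(password, policy)
    if rating < policy["min_rating"]:
        return False, "rating %d below required %d (rules matched: %s)" % (
            rating, policy["min_rating"], hits)
    return True, "rating %d (rules matched: %s)" % (rating, hits)


if __name__ == "__main__":
    policy = load_policy(PROPERTIES_TEXT)
    # Constructed candidates; "pass^word" shows the A-z range swallowing the caret.
    for candidate in ["Passw0rd", "password", "aaaaaaaa", "Abcdefgh", "pass^word", "pass!word", "Ab1"]:
        print("%-10s -> %s %s" % (candidate, *validate_password(candidate, policy)))
```

Run it directly to see each constructed candidate with its rating and the rules it matched. Tightening the policy is then a matter of editing the properties (for example raising minimum.rating.required, or replacing the A-z range with A-Z in regexes 5 and 10 if you want ^ and the bracket characters to count as special) and re-running the script before restarting the management server.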
Reset Cassandra password
By default, Cassandra ships with authentication disabled. If you enable authentication, it
uses a predefined user named "cassandra" with a password of "cassandra". You can use this account,
set a different password for this account, or create a new Cassandra user. Add, remove, and
modify users by using the Cassandra CREATE/ALTER/DROP USER
statements.
For information on how to enable Cassandra authentication, see Enable Cassandra authentication.
To reset the Cassandra password, you must:
- Set the password on any one Cassandra node and it will be broadcast to all Cassandra nodes in the ring
- Update the Management Server, Message Processors, Routers, Qpid servers, and Postgres servers on each node with the new password
For more information, see http://www.datastax.com/documentation/cql/3.0/cql/cql_reference/cqlCommandsTOC.html.
To reset the Cassandra password:
1. Log into any one Cassandra node using the cqlsh tool and the default credentials. You only have to change the password on one Cassandra node and it will be broadcast to all Cassandra nodes in the ring:
   /opt/apigee/apigee-cassandra/bin/cqlsh cassIP 9042 -u cassandra -p cassandra
   Where:
   - cassIP is the IP address of the Cassandra node.
   - 9042 is the Cassandra port.
   - The default user is cassandra.
   - The default password is cassandra. If you changed the password previously, use the current password.
2. Run the following command at the cqlsh> prompt to update the password:
   ALTER USER cassandra WITH PASSWORD 'NEW_PASSWORD';
   If the new password contains a single quote character, escape it by preceding it with a single quote character.
3. Exit the cqlsh tool:
   exit
4. On the Management Server node, run the following command:
   /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_cassandra_credentials -u CASS_USERNAME -p CASS_PASSWORD
   Optionally, you can pass a file to the command containing the new username and password:
   apigee-service edge-management-server store_cassandra_credentials -f configFile
   Where configFile contains the following:
   CASS_USERNAME=CASS_USERNAME
   CASS_PASSWORD=CASS_PASSWORD
   This command automatically restarts the Management Server.
5. Repeat step 4 on:
   - All Message Processors
   - All Routers
   - All Qpid servers (edge-qpid-server)
   - All Postgres servers (edge-postgres-server)
The Cassandra password is now changed.
Reset PostgreSQL password
By default, the PostgreSQL database has two users defined: "postgres" and "apigee". Both users have a default password of "postgres". Use the following procedure to change the default password.
Change the password on all Postgres master nodes. If you have two Postgres servers configured in master/standby mode, then you only have to change the password on the master node. See Set up Master-Standby Replication for Postgres for more.
1. On the master Postgres node, change directories to /opt/apigee/apigee-postgresql/pgsql/bin.
2. Set the PostgreSQL "postgres" user password:
   - Log in to the PostgreSQL database using the command:
     psql -h localhost -d apigee -U postgres
   - When prompted, enter the existing "postgres" user password as "postgres".
   - At the PostgreSQL command prompt, enter the following command to change the default password:
     ALTER USER postgres WITH PASSWORD 'new_password';
     On success, PostgreSQL responds with the following:
     ALTER ROLE
   - Exit the PostgreSQL database using the following command:
     \q
3. Set the PostgreSQL "apigee" user password:
   - Log in to the PostgreSQL database using the command:
     psql -h localhost -d apigee -U apigee
   - When prompted, enter the "apigee" user password as "postgres".
   - At the PostgreSQL command prompt, enter the following command to change the default password:
     ALTER USER apigee WITH PASSWORD 'new_password';
   - Exit the PostgreSQL database using the command:
     \q
   You can set the "postgres" and "apigee" users' passwords to the same value or different values.
4. Set APIGEE_HOME:
   export APIGEE_HOME=/opt/apigee/edge-postgres-server
5. Encrypt the new password:
   sh /opt/apigee/edge-postgres-server/utils/scripts/utilities/passwordgen.sh new_password
   This command returns an encrypted password. The encrypted password starts after the ":" character and does not include the ":"; for example, the encrypted password for "apigee1234" is:
   Encrypted string:WheaR8U4OeMEM11erxA3Cw==
6. Update the Management Server node with the new encrypted passwords for the "postgres" and "apigee" users:
   - On the Management Server, change directory to /opt/apigee/customer/application.
   - Edit the management-server.properties file to set the new encrypted passwords for the "postgres" and "apigee" users. If this file does not exist, create it.
   - Make sure the file is owned by the "apigee" user:
     chown apigee:apigee management-server.properties
7. Update all Postgres Server and Qpid Server nodes with the new encrypted password:
   - On the Postgres Server or Qpid Server node, change to the following directory:
     /opt/apigee/customer/application
   - Open the following files for edit:
     postgres-server.properties
     qpid-server.properties
     If these files do not exist, create them.
   - Add the following properties to the files:
     conf_pg-agent_password=newEncryptedPasswordForPostgresUser
     conf_pg-ingest_password=newEncryptedPasswordForPostgresUser
     conf_query-service_pgDefaultPwd=newEncryptedPasswordForPostgresUser
     conf_query-service_dwDefaultPwd=newEncryptedPasswordForPostgresUser
     conf_analytics_aries.pg.password=newEncryptedPasswordForPostgresUser
   - Make sure the files are owned by the "apigee" user:
     chown apigee:apigee postgres-server.properties
     chown apigee:apigee qpid-server.properties
8. Update the SSO component (if SSO is enabled). Connect to or log in to the node on which the apigee-sso component is running. This is also referred to as the SSO server. In AIO or 3-node installations, this node is the same node as the Management Server. If you have multiple nodes running the apigee-sso component, you must perform these steps on each node.
   - Open the following file for edit:
     /opt/apigee/customer/application/sso.properties
     If the file does not exist, create it.
   - Add the following line to the file:
     conf_uaa_database_password=new_password_in_plain_text
     For example:
     conf_uaa_database_password=apigee1234
   - Execute the following command to apply your configuration changes to the apigee-sso component:
     /opt/apigee/apigee-service/bin/apigee-service apigee-sso configure
   - Repeat these steps for each SSO server.
9. Restart the following components in the following order:
   - PostgreSQL database:
     /opt/apigee/apigee-service/bin/apigee-service apigee-postgresql restart
   - Qpid Server:
     /opt/apigee/apigee-service/bin/apigee-service edge-qpid-server restart
   - Postgres Server:
     /opt/apigee/apigee-service/bin/apigee-service edge-postgres-server restart
   - Management Server:
     /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
   - SSO server:
     /opt/apigee/apigee-service/bin/apigee-service apigee-sso restart