Changing the password seed
As an administrator, you can change the password seed that is used when you install the server software to provide enhanced security to HCL OneTest™ Server.
Before you begin
You must have completed the following tasks:
-
Installed HCL OneTest™ Server. See Installation of the server software.
-
Installed the JSON command-line tool, jq, and ensured that the jq is in your environment PATH. For information about jq, refer to jq documentation.
-
Installed the Curl command line tool. For more information refer to curl documentation.
About this task
When you install HCL OneTest™ Server, you supply a password seed when you run the helm install
command. This password seed is used to generate several Kubernetes secrets.
Kubernetes Secrets can contain the following information:
-
The authentication credentials for micro-services.
-
An encryption key for the user-created secrets collection or other secrets.
When you change the password seed for HCL OneTest™ Server, you must consider the following scenarios:
-
HCL OneTest™ Server cannot communicate until you reconcile the passwords which are in Kubernetes Secrets by using the old and a new password seed.
-
Users cannot read secret collections or other secrets that they have created in HCL OneTest™ Server until you re-encrypt them using a new password seed.
Important: You must provide an offline token and old password seed that you used during the installation of server software to re-encrypt user secrets.
Procedure
-
Run the following command to change the password seed for HCL OneTest™ Server:
helm upgrade {my-ots} ./hcl-onetest-server -n test-system \ --reuse-values \ --set global.hclOneTestPasswordAutoGenSeed= {my-new-super-secret}
Notes: You must substitute the value of the following variables with the actual value in the command:-
{my-ots}
with the release name that you used during the installation of the server software. -
{my-new-super-secret}
with a new value of your choice as the password seed. -
You must run the following
helm upgrade
command from the same directory where thehelm install
command was run during the installation of the server software. Because the upgrade is dependent on the helm charts and .yaml file values used during the run time of thehelm install
command.
-
-
Run the following script to generate new server secrets from the updated
password seed and to save them to the persistent storage:
./hcl-onetest-server/files/reconcile-secrets.sh -n test-system {my-ots}
-
Run the following command to restart all the pods:
kubectl delete pods -n test-system \ -lapp.kubernetes.io/instance={my-ots} \ -lapp.kubernetes.io/managed-by=Helm
-
Run the following commands to re-encrypt the user-created secrets collection or
other secrets by providing the old password seed:
export ACCESS_TOKEN=$(curl -k -X POST {SERVER_URL}/rest/tokens/ \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "accept: application/json" \ -d "refresh_token={OFFLINE_TOKEN}" | jq -r '.access_token') curl -k -X POST {SERVER_URL}/rest/secrets/re-encrypt/ \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -d "{\"type\":\"helm\",\"password_auto_gen_seed\":\"{OLD_SEED}\"}"
Note: You must substitute the value of the following variables with the actual value in the following commands:-
{SERVER_URL}
with the URL of your HCL OneTest™ Server UI. -
{OFFLINE_TOKEN}
with the offline token that belongs to a user with the administrator role. -
{OLD_SEED}
with the previous password seed that you used during the installation of the server software.
-
-
Run the following command to display the log file of the gateway pod:
kubectl logs {my-ots}-gateway-abcdefghij-abcde -n test-system
Note: You must substitute the value of the following variables with the actual value in the command:-
{my-ots}
with the release name that you used during the installation of the server software. -
abcdefghij-abcde
with an identifier that is assigned to the name of the gateway pod.You can run the
kubectl get pods -n test-system
command to obtain the identifier that is assigned to the gateway pod.
The following message is displayed when re-encryption is completed:reEncrypt complete. StringyReEncryptor [total=100, fixed=100, broken=0, noop=0]
-