Monday, January 13, 2020

How to change OS user password for Cell Node, Database Node , ILOM, KVM , Infiniband Switch , GigaBit Ethernet Switch and PDU on Exadata Database Machine (Doc ID 1291766.1)


APPLIES TO:

Oracle Exadata Hardware - Version 11.2.0.1 and later
Oracle Exadata Storage Server Software - Version 11.2.1.2.0 and later
Linux x86-64

GOAL

This note explains how to change the user password for cell node, database node, ILOM, KVM, InfiniBand Switch and Cisco 4948 Ethernet Switch.

SOLUTION

For more information on default user accounts on Exadata Database Machine servers and components, please refer to the Exadata Security Guide in the documentation.  
Component: Cell node
Default user accounts: root, celladmin, cellmonitor
Procedure: At the OS prompt, type "passwd" or "passwd <username>" to change the password
To keep the password from being recorded in clear text in the bash history, run the following just before the dcli command. With this pattern, bash leaves out of the history any command line that begins with a space, so type the dcli command with a leading space:
export HISTIGNORE=' *'
DCLI can be used to change the password on all cells at once.
E.g.: dcli -g cell_group -l root "echo welcome | passwd --stdin celladmin"
Use caution when passing special characters to the passwd command, as certain characters have shell-specific functions. Enclose the password in single quotes, as shown in the example below, to prevent unexpected results.
echo 'Welcome!99' | passwd --stdin oracle
Warning: The above command will leave the desired password completely "clear" in the shell history if you didn't export HISTIGNORE before the dcli command.
The command can be used for any account.
Unset HISTIGNORE once finished:
unset HISTIGNORE

Component: Database node - user accounts
Default user accounts: root, software owner account (typically "oracle" and/or "grid"), dbmadmin (image 12.1.2.x.x or later), dbmmonitor  (image 12.1.2.x.x or later)
Procedure: At the OS prompt, type "passwd" or "passwd <username>" to change the password
To keep the password from being recorded in clear text in the bash history, run the following just before the dcli command. With this pattern, bash leaves out of the history any command line that begins with a space, so type the dcli command with a leading space:
export HISTIGNORE=' *'
DCLI can be used to change the password on all compute nodes at once.
E.g.: dcli -g dbs_group -l root "echo welcome | passwd --stdin oracle"
Use caution when passing special characters to the passwd command, as certain characters have shell-specific functions. Enclose the password in single quotes, as shown in the example below, to prevent unexpected results.
echo 'Welcome!99' | passwd --stdin oracle
Warning: The above command will leave the desired password completely "clear" in the shell history if you didn't export HISTIGNORE before the dcli command.
The command can be used for any account.
Unset HISTIGNORE once finished:
unset HISTIGNORE
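
An added example, not part of the Oracle note: a way to change an account password on every cell or database node without relying on HISTIGNORE, by sending the password on stdin so that it never appears in the shell history or on a command line. It assumes a group file with one host name per line and root SSH equivalence; REMOTE_RUN, ssh_as_root, read_secret and set_password_on_group are hypothetical names, and plain ssh is used here in place of dcli.

```shell
#!/bin/sh
# Added example, not Oracle's procedure. The new password travels on stdin
# only, so it is never written to shell history or to any process argv.
# Assumptions: group file = one host per line; root SSH equivalence exists;
# REMOTE_RUN / ssh_as_root are hypothetical helpers (plain ssh, not dcli).

REMOTE_RUN=${REMOTE_RUN:-ssh_as_root}

ssh_as_root() {  # $1 = host, remaining arguments = remote command
    target=$1; shift
    ssh -o BatchMode=yes "root@$target" "$@"
}

read_secret() {  # prompt with terminal echo off; result lands in NEW_PW
    printf 'New password: ' >&2
    trap 'stty echo' EXIT INT TERM
    stty -echo; IFS= read -r NEW_PW; stty echo
    trap - EXIT INT TERM
    printf '\n' >&2
}

set_password_on_group() {  # $1 = group file, $2 = account, $3 = password
    group=$1 account=$2 secret=$3 failed=0
    case $account in
        ''|*[!A-Za-z0-9_-]*) echo "refusing account name: $account" >&2; return 2 ;;
    esac
    while IFS= read -r host <&3 || [ -n "$host" ]; do
        [ -n "$host" ] || continue            # skip blank lines
        # printf is a builtin in bash and dash: no local process carries the
        # password, and the remote argv is only "passwd --stdin <account>".
        if printf '%s\n' "$secret" |
            "$REMOTE_RUN" "$host" passwd --stdin "$account" >/dev/null; then
            echo "ok $host"
        else
            echo "FAILED $host"; failed=1
        fi
    done 3<"$group"
    return "$failed"
}

# Interactive use: sh this_script cell_group celladmin
if [ "$#" -eq 2 ]; then
    read_secret
    set_password_on_group "$1" "$2" "$NEW_PW"
fi
```

The per-host "ok"/"FAILED" lines and the non-zero return code show which nodes still need the change.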

Component: grub password
Procedure: At the OS prompt, type "grub-md5-crypt" and enter the new password at the prompt. After entering the new password twice (for confirmation), a string will be displayed. Copy that string into the copy buffer. Then find the password line in the /boot/grub/grub.conf file which will look like "password --md5 <hashed string>". Replace the <hashed string> in that line with the new string that you copied from the grub-md5-crypt output earlier. Then save the file. 

Component: ILOM
Default user accounts: root
Procedure: When logged in to the ILOM, use a command like this to reset the password (this example resets the password for the user named "user1"):

-> set /SP/users/user1 password
DCLI can be used to change the password on all ILOMs at once.
E.g.: dcli -g dbs_cell_group -l root " ipmitool sunoem cli 'set /SP/users/root password=welcome' welcome "
The command can be used for any account.

Component: KVM
Default user accounts: Admin
Procedure:

- Under User Accounts select Local.
- Under “Users” click the “Admin” button.
- Fill in the values for password and click the “Save” button.

Documentation: Oracle® Exadata Database Machine Maintenance Guide E51951-21   - Changing Component Passwords

Component: Infiniband Switch
Default User accounts: root, ilom-admin, ilom-user, ilom-operator, and nm2user
Procedure: Log on using ssh
ssh root@<switch-name>
- Check the firmware version by running the command "version"
  For version 1.3.*, please use ILOM to change the password to avoid bug 13494021

    - ssh -l ilom-admin <switch-name>

    - set /SP/users/<username> password

  For later versions 2.0.3 and higher, please execute 

    - At the OS prompt, type "passwd <username>" (except for ilom-admin, whose password you need to change in the ILOM with: set /SP/users/ilom-admin password)
DCLI can be used to change the password on all IB Switches at once:
a. cd /opt/oracle.SupportTools/onecommand

b. place the attached file "ibswitch_group" there

c. Verify whether you have equivalency with the IB switches: dcli -g ibswitch_group -l root hostname
       If it doesn't request a password, skip step d.

d. Set equivalency to switches
Run: # /opt/oracle.SupportTools/setup_ssh_eq.sh ibswitch_group root <password>
When this is done, you should have equivalency with the IB switches, so the following should work:
dcli -g ibswitch_group -l root hostname
e. Change the password for the nm2user user on all switches:
dcli -g ibswitch_group -l root "echo welcome | passwd --stdin nm2user"

f. Change the password for the root user on all switches:
dcli -g ibswitch_group -l root "echo welcome | passwd --stdin root"

g. Remove equivalency to switches:
dcli -g ibswitch_group -l root --unkey

h. Verify that the password change worked by logging in on a sample of switches
Documentation: Oracle® Exadata Database Machine Maintenance Guide E51951-21 - Changing Component Passwords

Component: Cisco 4948 Ethernet Switch
There are two different methods to access the switch. One is through a serial port and the other is through ssh. When using the serial access, there are no user accounts, so the enable password is all that is required. When the switch is accessed via ssh, a user account and password are needed before being able to issue the enable password. Thus there can be two or more passwords that can be changed: the enable password and user passwords. During the installation of the system, the admin user is created and this user can access the switch via ssh.
In changing the user passwords, we take the extra step of "service password-encryption" to make sure the passwords are encrypted when viewing them using the "show running-config" command.  The enable password is encrypted when using the "enable secret" command.
Default user accounts: admin
To change the enable password: Access the switch using telnet, ssh, or via the serial port.  If using the serial port for access, you will not be prompted for a user name or password, you will just get the prompt.
In OEL5 update 5 or higher, telnet was removed for security reasons; you may need to install the telnet client package on the compute node.
SSH has to be enabled on the switch by following the steps described in "Configuring SSH on Cisco Catalyst 4948 Ethernet Switch" (Doc ID 1415044.1).
my_host> ssh admin@my_switch
Using keyboard-interactive authentication.
Password:
my_switch> enable
Password:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# no enable password
Switch(config)# enable secret <new password>
Switch(config)# end
Switch# write memory

To change a user password: Access the switch using telnet, ssh, or via the serial port.  If using the serial port for access, you will not be prompted for a user name or password, you will just get the prompt.

my_host> ssh admin@my_switch
Using keyboard-interactive authentication.
Password:
my_switch> enable
Password:
Switch# show running-config all | include service password-encryption
service password-encryption (if this is set to "no service password-encryption" user passwords will be in clear text.  If it is not set to "no" the )
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# service password-encryption
Switch(config)# username george password <new password>
Switch(config)# end
Switch# write memory
Documentation: Oracle® Exadata Database Machine Maintenance Guide E51951-21 - Changing Component Passwords
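
An added example, not part of the Oracle note: a check to run over a saved copy of "show running-config" after the two Cisco 4948 procedures above, confirming that no "enable password" line remains, that "enable secret" is set, that "service password-encryption" is on, and that no user password is stored in clear text. The sample configuration and the function names are constructed for illustration. Type 7, which "service password-encryption" produces, is a reversible encoding that only hides passwords from casual viewing, so the check treats it as the minimum the page asks for.

```shell
#!/bin/sh
# Added example, not from the Oracle note: audit a saved "show running-config"
# for the password settings the procedure above is meant to leave behind.
# The sample configuration is constructed; its secrets are placeholders.

sample_config() {
    cat <<'EOF'
hostname my_switch
!
enable password PLACEHOLDER_CLEARTEXT
!
username admin password 7 PLACEHOLDER_TYPE7
username george password 0 PLACEHOLDER_CLEARTEXT
!
line vty 0 4
 login local
EOF
}

audit_switch_config() {  # reads the configuration on stdin or from files
    awk '
        /^service password-encryption/ { encrypting = 1 }
        /^enable secret /              { have_secret = 1 }
        /^enable password / {
            print "enable-password: remove it and use enable secret"; bad++
        }
        /^username / {
            # Flag any "password" keyword not followed by type 7 and a value.
            for (i = 3; i < NF; i++)
                if ($i == "password" && !($(i + 1) == "7" && i + 2 <= NF)) {
                    print "cleartext-user: " $2; bad++
                }
        }
        END {
            if (!encrypting)  { print "no-password-encryption: service password-encryption is off"; bad++ }
            if (!have_secret) { print "no-enable-secret: enable secret is not set"; bad++ }
            exit (bad > 0)
        }
    ' "$@"
}

# Demo on the constructed sample; a non-zero status means findings exist.
sample_config | audit_switch_config || true
```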

Component: Cisco 93108-1G or 9348 Ethernet Switch
my_host> ssh admin@my_switch
User Access Verification
Password:
Switch# change-password
Enter old password:
Enter new password:
Confirm new password:
Switch# copy running-config startup-config
Switch# exit
Documentation :  Oracle Exadata Database Machine Maintenance Guide E93156-07 - Changing Component Passwords

Component: PDU
Default user accounts: admin
Procedure:
- Access the PDU metering unit web interface from a system on the network

- Click on the Net Configuration link and log in as an admin user

- Scroll down the page until you see the Admin/User fields

- Type in up to five users into the Admin/User fields

  Type in a name and password for each user and designate the user an admin or a user

  Note : Use only letters and numbers in user names and passwords

- Click the Submit button to set the PDU users and passwords

Documentation: Sun Rack II documentation for PDU password changes
