How do I change the engine database password for the RHEVM engine?

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Virtualization 3.5
  • Red Hat Enterprise Virtualization 4.2

Issue

  • To pass audit requirements, I need a procedure I can automate to change the credentials the RHEVM engine process uses to access its database.

Resolution

Follow these steps:

  • Stop the ovirt-engine process.
service ovirt-engine stop

If you are also running the RHEVM Data Warehouse, stop that service too.

service ovirt-engine-dwhd stop
  • Note the contents of the file, /etc/ovirt-engine/engine.conf.d/10-setup-database.conf.
cd /etc/ovirt-engine/engine.conf.d
[root@rhevm2014 engine.conf.d]# more 10-setup-database.conf 
ENGINE_DB_HOST="localhost"
ENGINE_DB_PORT="5432"
ENGINE_DB_USER="engine"
ENGINE_DB_PASSWORD="QKVtmcSNdAovIuqPbDjK5K"
ENGINE_DB_DATABASE="engine"
ENGINE_DB_SECURED="False"
ENGINE_DB_SECURED_VALIDATION="False"
ENGINE_DB_DRIVER="org.postgresql.Driver"
ENGINE_DB_URL="jdbc:postgresql://${ENGINE_DB_HOST}:${ENGINE_DB_PORT}/${ENGINE_DB_DATABASE}?sslfactory=org.postgresql.ssl.NonValidatingFactory"
[root@rhevm2014 engine.conf.d]# 
  • Edit the above file to change the credentials the engine process sends to the database.

    • The user name in ENGINE_DB_USER and the database name in ENGINE_DB_DATABASE are both "engine" by default. Do not change these without a good reason.
    • The default value of ENGINE_DB_PASSWORD is a random string of characters auto-generated by engine-setup.
    • Use your preferred text editor to set the ENGINE_DB_PASSWORD line to the new password you want.
    • Save your changes.
  • Change the credentials the database expects to receive by issuing a SQL statement. This assumes the database and the database user are both named "engine" and that the PostgreSQL database runs as the Linux user "postgres".

RHEV 3.x / RHV 4.0/4.1

[root@rhevm2014 engine.conf.d]# su - postgres -c "psql -c \"ALTER USER engine with PASSWORD 'MyNewPassword'\""
ALTER ROLE
[root@rhevm2014 engine.conf.d]# 

RHV 4.2

# su - postgres
# scl enable rh-postgresql95 -- psql

postgres=# ALTER USER engine with PASSWORD '$NEW-PASS' ;

  • If you are also running RHEV Data Warehouse, you will also need to edit the file /etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d/10-setup-database.conf. Change the ENGINE_DB_PASSWORD value there to match the one you set above. The Data Warehouse reads from the engine database and writes to its own database, so the engine credentials it uses must also match what the database expects to receive.

  • Start the ovirt-engine process again.

service ovirt-engine start
  • Restart the Data Warehouse service if installed.
service ovirt-engine-dwhd start

The engine process, and the Data Warehouse if installed, should now use the new credentials to access the engine database. Test by logging in to the RHEV Administration Portal or User Portal. If the login succeeds, the engine and the database are communicating as expected.
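Because the issue asks for a procedure that can be automated, here is the whole sequence above as a POSIX sh script. This is an added example, not Red Hat's own tooling; it assumes the file paths shown in this article, the service commands used above, and a PSQL_CMD variable that you set to "scl enable rh-postgresql95 -- psql" on RHV 4.2. The new password is read from a 0600 file rather than passed on the command line, the conf file's permissions are preserved when it is rewritten, and the password is quoted as a proper SQL literal before it reaches psql.

```shell
#!/bin/sh
# Added example, not Red Hat's own tooling: automates the password rotation
# described in this article. Assumed: the file paths shown on this page, the
# "service" commands, and PSQL_CMD (set to "scl enable rh-postgresql95 -- psql"
# on RHV 4.2). The new password is read from a 0600 file, never from argv,
# so it does not appear in ps output or shell history.
set -eu

ENGINE_CONF=/etc/ovirt-engine/engine.conf.d/10-setup-database.conf
DWH_CONF=/etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d/10-setup-database.conf
PSQL_CMD=${PSQL_CMD:-psql}

# Rewrite only the ENGINE_DB_PASSWORD line of a conf file, keeping its
# 0600 ovirt:ovirt protection (the file holds the password in clear text).
set_conf_password() {
    conf=$1; newpass=$2
    # Values are double-quoted shell strings; these characters would corrupt them.
    case $newpass in *'"'* | *'$'* | *'`'* | *'\'*) return 1 ;; esac
    grep -q '^ENGINE_DB_PASSWORD=' "$conf" || return 1
    tmp=$(umask 077; mktemp "$(dirname "$conf")/.rotate.XXXXXX")
    # awk -v would reinterpret backslashes; hand the value over via ENVIRON.
    NEWPASS=$newpass awk '
        /^ENGINE_DB_PASSWORD=/ { print "ENGINE_DB_PASSWORD=\"" ENVIRON["NEWPASS"] "\""; next }
        { print }' "$conf" > "$tmp"
    chmod --reference="$conf" "$tmp"
    chown --reference="$conf" "$tmp"
    mv "$tmp" "$conf"
}

# ALTER USER with the password as a correctly quoted SQL literal (single
# quotes doubled), so a quote in the password cannot break the statement.
alter_user_sql() {
    printf "ALTER USER %s WITH PASSWORD '%s';\n" "$1" "$(printf '%s' "$2" | sed "s/'/''/g")"
}

rotate() {
    newpass=$(head -n 1 "$1")
    service ovirt-engine stop
    if [ -f "$DWH_CONF" ]; then service ovirt-engine-dwhd stop; fi
    set_conf_password "$ENGINE_CONF" "$newpass"
    if [ -f "$DWH_CONF" ]; then set_conf_password "$DWH_CONF" "$newpass"; fi
    # Database side, run as the postgres OS user with the SQL on stdin.
    alter_user_sql engine "$newpass" | su - postgres -c "$PSQL_CMD -v ON_ERROR_STOP=1"
    service ovirt-engine start
    if [ -f "$DWH_CONF" ]; then service ovirt-engine-dwhd start; fi
}

# Usage: rotate-engine-db-password.sh /root/new-engine-db-password.txt
if [ "$#" -gt 0 ]; then rotate "$1"; fi
```

Run it as root with the path to a file containing the new password on its first line; it stops the services, rewrites both conf files, updates the role in PostgreSQL, and starts the services again.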

Root Cause

  • Some audit policies insist on changing all passwords from defaults, even if generated automatically with random characters during installation and initial configuration, and even if the passwords are never exposed to users. In these situations, use the procedure outlined in this article.

  • For situations where audit policies disallow any passwords stored in clear text, auditors may flag this file and force a policy exception. The exception can be justified as follows:

    • All user credentials and other RHEV objects are described in the database and well protected.
    • The file /etc/ovirt-engine/engine.conf.d/10-setup-database.conf describes how RHEV interacts with its own database.
    • These credentials could themselves be encrypted, but RHEV would then need a private key to decrypt them. And that private key would itself be in clear text.
    • RHEV could hard-code that private key, but since RHEV is open source, anyone could find and use it, creating a security hole.
    • So the best design decision for RHEV 3.5 is to maintain this one file for RHEV to interact with its own database and protect it with strict file system permissions.

Diagnostic Steps

The file, /etc/ovirt-engine/engine.conf.d/10-setup-database.conf, contains the information the RHEVM engine process needs to interact with the engine database. The default password is a random string of characters generated by engine-config during the setup process. The fields in this file are in clear text. The file is protected at the file system level such that only the ovirt and root users can access it.

-rw-------.  1 ovirt ovirt  392 Dec 20  2014 10-setup-database.conf

JBoss auto-generates a few other files containing copies of the database credentials at engine startup. Do not edit these other files by hand, because they are regenerated every time the engine starts.

RHEVM also keeps a log with answers to setup questions. The default location is /var/lib/ovirt-engine/setup/answers/{DateTimeStamp}-setup.conf. This log is in clear text and kept for the convenience of the RHEV administrator. It can safely be removed.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comment

After following the steps to change the password, I can no longer log in to the administration portal web UI. If I change the password back to the original password, then the portal login works again.