How do I change the database passwords for the RHV-M engine?

Solution Verified

Environment

  • Red Hat Virtualization (RHV) 4.4 SP1
  • Red Hat Virtualization Manager (RHV-M) 4.4 SP1

Issue

  • To pass audit requirements, I need a procedure I can automate to change the credentials the RHV-M engine process uses to access its database.

Resolution

Follow these steps:

  • In a self-hosted engine environment, set the global HA maintenance mode by running this on one of the hosted-engine hosts:
# hosted-engine --set-maintenance --mode=global
  • Stop the ovirt-engine and ovirt-engine-dwhd services in the RHV-M machine:
# systemctl stop ovirt-engine ovirt-engine-dwhd
  • Configure the new password for the engine user in the following files:

    • /etc/ovirt-engine/engine.conf.d/10-setup-database.conf
    • /etc/ovirt-engine/aaa/internal.properties
    • /etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d/10-setup-database.conf
  • The DWH database uses the user ovirt_engine_history. Configure the new password in the following files:

    • /etc/ovirt-engine/engine.conf.d/10-setup-dwh-database.conf
    • /etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d/10-setup-database.conf
  • Update the passwords in the database:

# su - postgres -c "psql -c \"ALTER USER engine WITH PASSWORD 'NEW_ENGINE_PASSWORD';\""
# su - postgres -c "psql -c \"ALTER USER ovirt_engine_history WITH PASSWORD 'NEW_DWH_PASSWORD';\""
  • Start the ovirt-engine and ovirt-engine-dwhd services:
# systemctl start ovirt-engine ovirt-engine-dwhd
  • If needed, remove the global HA maintenance mode by running this on one of the hosted-engine hosts:
# hosted-engine --set-maintenance --mode=none
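
An automatable version of the steps above, added here as an example and not Red Hat's own script. It assumes the key names ENGINE_DB_PASSWORD and DWH_DB_PASSWORD in the KEY="value" files and config.datasource.jdbcpassword in internal.properties, and it hands the new passwords to the configuration files and to psql without placing them on a command line.

```bash
#!/bin/bash
# Rotate the RHV-M engine and DWH database passwords (added example, not a
# Red Hat script). Assumed key names: ENGINE_DB_PASSWORD / DWH_DB_PASSWORD
# in the KEY="value" files, config.datasource.jdbcpassword in internal.properties.
set -euo pipefail

# Replace the value of KEY in FILE in place, keeping the file's owner, mode and
# "KEY = value" spacing. Fails if KEY is absent, so a mistyped key name never
# leaves the old password silently in place.
set_conf_value() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  # The value travels through the environment: unlike awk -v or sed, no
  # backslash, '&' or '/' in a password gets a special meaning.
  NEWVAL="$value" awk -v key="$key" '
    substr($0, 1, length(key)) == key && substr($0, length(key) + 1) ~ /^[ \t]*=/ {
      eq = index($0, "=")
      ws = substr($0, eq + 1); sub(/[^ \t].*$/, "", ws)   # whitespace after "="
      $0 = substr($0, 1, eq) ws ENVIRON["NEWVAL"]
      found = 1
    }
    { print }
    END { if (!found) exit 1 }' "$file" > "$tmp" \
    || { rm -f "$tmp"; echo "$key not found in $file" >&2; return 1; }
  cat "$tmp" > "$file"   # rewrite the existing inode: permissions untouched
  rm -f "$tmp"
}

# The Resolution procedure, run as root on the RHV-M machine. On a self-hosted
# engine, set global maintenance on a host first and clear it afterwards.
rotate_db_passwords() {
  local engine_pw=$1 dwh_pw=$2 q="'"
  local eng=/etc/ovirt-engine/engine.conf.d
  local dwh=/etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d
  # Refuse characters the KEY="value" and .properties formats would re-interpret.
  if printf '%s' "$engine_pw$dwh_pw" | grep -q '["\\$]'; then
    echo 'unsupported character in password' >&2; return 1
  fi
  systemctl stop ovirt-engine ovirt-engine-dwhd
  set_conf_value "$eng/10-setup-database.conf" ENGINE_DB_PASSWORD "\"$engine_pw\""
  set_conf_value /etc/ovirt-engine/aaa/internal.properties config.datasource.jdbcpassword "$engine_pw"
  set_conf_value "$dwh/10-setup-database.conf" ENGINE_DB_PASSWORD "\"$engine_pw\""
  set_conf_value "$eng/10-setup-dwh-database.conf" DWH_DB_PASSWORD "\"$dwh_pw\""
  set_conf_value "$dwh/10-setup-database.conf" DWH_DB_PASSWORD "\"$dwh_pw\""
  # Single quotes are doubled (the SQL literal escape); the statements go over
  # stdin so the new passwords never appear in the process list.
  su - postgres -c "psql -v ON_ERROR_STOP=1 -f -" <<SQL
ALTER USER engine WITH PASSWORD '${engine_pw//$q/$q$q}';
ALTER USER ovirt_engine_history WITH PASSWORD '${dwh_pw//$q/$q$q}';
SQL
  systemctl start ovirt-engine ovirt-engine-dwhd
}

# Usage: ./rotate-rhvm-db-passwords.sh rotate NEW_ENGINE_PASSWORD NEW_DWH_PASSWORD
if [ "${1-}" = rotate ]; then rotate_db_passwords "$2" "$3"; fi
```

After the services restart, confirm the rotation the same way the article does, by logging into the Admin or user portal.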

The engine process and Data Warehouse should now use the new credentials to access the engine database. Test by logging into the RHV-M Admin or user portal. If the login succeeds, the engine and the database are communicating as expected.

Root Cause

  • Some audit policies insist on changing all passwords from defaults, even if generated automatically with random characters during installation and initial configuration, and even if the passwords are never exposed to users. In these situations, use the procedure outlined in this article.

  • Where audit policies disallow any passwords stored in clear text, auditors may flag the configuration file that holds the database credentials and force a policy exception. The exception can be justified as follows:

    • All user credentials and other RHV objects are described in the database and well protected.
    • The file /etc/ovirt-engine/engine.conf.d/10-setup-database.conf describes how RHV interacts with its own database.
    • These credentials could themselves be encrypted, but RHV would then need a private key to decrypt them. And that private key would itself be in clear text.
    • RHV could hard-code that private key, but since RHV is open source, anyone could find and use it, creating a security hole.
    • So the best design decision for RHV is to maintain this one file for RHV to interact with its own database and protect it with strict file system permissions.

Diagnostic Steps

The files /etc/ovirt-engine/engine.conf.d/10-setup-database.conf and /etc/ovirt-engine/engine.conf.d/10-setup-dwh-database.conf contain the information the RHV-M engine process needs to interact with the database. The default passwords are random strings of characters generated by engine-config during the setup process. The fields in these files are in clear text. The files are protected at the file system level such that only the ovirt and root users can access them:

-rw-r-----.  1 root  ovirt  354 Dec  5 11:41 10-setup-database.conf
-rw-------.  1 ovirt ovirt  369 Dec  5 11:43 10-setup-dwh-database.conf

JBoss auto-generates a few other files with copies of the database credentials at engine startup. Do not edit these other files by hand, because they are regenerated every time the engine starts up.

RHV-M also keeps a log with answers to setup questions. The default location is /var/lib/ovirt-engine/setup/answers/{DateTimeStamp}-setup.conf. This log is in clear text and kept for the convenience of the RHEV administrator. It can safely be removed.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.