This procedure changes the password used by the admn user on ServerTech PDUs. Either a single PDU can be updated to a new credential, or all ServerTech PDUs in the system can be updated to the same global credentials.
NOTES:
- This procedure does not update the default credentials that RTS uses for new ServerTech PDUs added to a system. To change the default credentials, see Update default ServerTech PDU Credentials used by the Redfish Translation Service.
- ServerTech PDUs running firmware version 8.0q or greater must have the password of the admn user changed before the JAWS REST API will function as expected.
- The default username and password for ServerTech PDUs are admn and admn.
- The Cray command line interface (CLI) is initialized and configured on the system. See Configure the Cray CLI.
- The PDU is accessible over the network. A PDU can be reachable by its component name (xname) hostname, but may not yet be discovered by HSM.
- PDUs are manufactured by ServerTech.

  (ncn-mw#) This can be verified with the following command:

      PDU=x3000m0
      curl -k -s --compressed https://${PDU} -i | grep Server:

  Expected output for a ServerTech PDU:

      Server: ServerTech-AWS/v8.0v

  NOTE: The firmware version is listed after the '/'. In this case, the firmware version is 8.0v.

- (ncn-mw#) List the ServerTech PDUs currently discovered in the system.

      cray hsm inventory redfishEndpoints list --type CabinetPDUController --format json | jq -r '.RedfishEndpoints[] | select(.FQDN | contains("rts")).ID'

  Example output:

      x3000m0

  If any of the PDUs are not discovered by HSM, then the component name (xname) for each of the ServerTech PDUs on the system must be obtained.

- (ncn-mw#) Set up Vault password variable and command alias.

      VAULT_PASSWD=$(kubectl -n vault get secrets cray-vault-unseal-keys -o json | jq -r '.data["vault-root"]' | base64 -d)
      alias vault='kubectl -n vault exec -i cray-vault-0 -c vault -- env VAULT_TOKEN=$VAULT_PASSWD VAULT_ADDR=http://127.0.0.1:8200 VAULT_FORMAT=json vault'

- (ncn-mw#) Look up the existing password for the admn user.

  - To extract the global credentials from Vault for the PDUs:

        vault kv get secret/pdu-creds/global/pdu

  - To extract the credentials from Vault for a single PDU:

        PDU=x3000m0
        vault kv get secret/pdu-creds/$PDU

- (ncn-mw#) Store the existing password for the admn user.

      read -r -s OLD_PDU_PASSWORD

- Specify the new desired password for the admn user. The new password must meet the following criteria:

  - Minimum of 8 characters
  - At least 1 uppercase letter
  - At least 1 lowercase letter
  - At least 1 number character

      read -r -s NEW_PDU_PASSWORD

- Change and update the password for ServerTech PDUs.

  Either change the credentials on a single PDU or change all ServerTech PDUs to the same global default value:

  - Update the password on a single ServerTech PDU.

    - (ncn-mw#) Set the PDU hostname to change the admn credentials:

          PDU=x3000m0

    - (ncn-mw#) Verify that the PDU is reachable:

          ping $PDU

    - (ncn-mw#) Change the password for the admn user on the ServerTech PDU.

          curl -i -k -u "admn:${OLD_PDU_PASSWORD}" -X PATCH https://${PDU}/jaws/config/users/local/admn \
              -d "$(jq --arg PASSWORD "${NEW_PDU_PASSWORD}" -nc '{password: $PASSWORD}')"

      Expected output upon a successful password change:

          HTTP/1.1 204 No Content
          Content-Type: text/html
          Transfer-Encoding: chunked
          Server: ServerTech-AWS/v8.0p
          Set-Cookie: C5=1883488164; path=/
          Connection: close
          Pragma: JAWS v1.01

    - (ncn-mw#) Update the PDU credentials stored in Vault.

          vault kv get secret/pdu-creds/$PDU |
              jq --arg PASSWORD "$NEW_PDU_PASSWORD" '.data | .Password=$PASSWORD' |
              vault kv put secret/pdu-creds/$PDU -

  - Update all ServerTech PDUs in the system to the same password.

    NOTE: In order to change the password on all PDUs, the PDUs must be successfully discovered by HSM.

    - (ncn-mw#) Change the password for the admn user on the ServerTech PDUs currently discovered in the system.

          for PDU in $(cray hsm inventory redfishEndpoints list --type CabinetPDUController --format json | jq -r '.RedfishEndpoints[] | select(.FQDN | contains("rts")).ID'); do
              echo "Updating password on ${PDU}"
              curl -i -k -u "admn:${OLD_PDU_PASSWORD}" -X PATCH https://${PDU}/jaws/config/users/local/admn \
                  -d "$(jq --arg PASSWORD "${NEW_PDU_PASSWORD}" -nc '{password: $PASSWORD}')"
          done

      Expected output upon a successful password change:

          Updating password on x3000m0
          HTTP/1.1 204 No Content
          Content-Type: text/html
          Transfer-Encoding: chunked
          Server: ServerTech-AWS/v8.0p
          Set-Cookie: C5=1883488164; path=/
          Connection: close
          Pragma: JAWS v1.01

          Updating password on x3001m0
          HTTP/1.1 204 No Content
          Content-Type: text/html
          Transfer-Encoding: chunked
          Server: ServerTech-AWS/v8.0p
          Set-Cookie: C5=1883488164; path=/
          Connection: close
          Pragma: JAWS v1.01

    - (ncn-mw#) Update Vault for all ServerTech PDUs in the system to the same password:

          for PDU in $(cray hsm inventory redfishEndpoints list --type CabinetPDUController --format json | jq -r '.RedfishEndpoints[] | select(.FQDN | contains("rts")).ID'); do
              echo "Updating password on ${PDU}"
              vault kv get secret/pdu-creds/${PDU} |
                  jq --arg PASSWORD "${NEW_PDU_PASSWORD}" '.data | .Password=$PASSWORD' |
                  vault kv put secret/pdu-creds/${PDU} -
          done

      NOTE: After five minutes, the previous credential should stop working as the existing sessions time out.

- (ncn-mw#) Restart the Redfish Translation Service (RTS) to pick up the new PDU credentials.

      kubectl -n services rollout restart deployment cray-hms-rts
      kubectl -n services rollout status deployment cray-hms-rts

- (ncn-mw#) Wait for RTS to initialize itself.

      sleep 3m

- (ncn-mw#) Verify that RTS was able to communicate with the PDUs with the updated credentials.

      kubectl -n services exec -it deployment/cray-hms-rts -c cray-hms-rts-redis -- redis-cli keys '*/redfish/v1/Managers'

  Expected output for a system with two PDUs:

      1) "x3000m0/redfish/v1/Managers"
      2) "x3001m0/redfish/v1/Managers"

- (ncn-mw#) After waiting 10 minutes, check that the PDU has been correctly discovered by HSM:

      cray hsm inventory redfishEndpoints describe x3000m0 --format json

  Example output:

      {
        "ID": "x3000m0",
        "Type": "CabinetPDUController",
        "Hostname": "x3000m0-rts:8083",
        "Domain": "",
        "FQDN": "x3000m0-rts:8083",
        "Enabled": true,
        "User": "root",
        "Password": "",
        "MACAddr": "000a9c6236a5",
        "RediscoverOnUpdate": true,
        "DiscoveryInfo": {
          "LastDiscoveryAttempt": "2022-11-30T22:11:30.712119Z",
          "LastDiscoveryStatus": "DiscoverOK",
          "RedfishVersion": "2019.1"
        }
      }

  (ncn-mw#) If the FQDN does not contain rts:8083, then a manual update to the HSM record is required:

      cray hsm inventory redfishEndpoints update x3000m0 --fqdn x3000m0-rts:8083 --id x3000m0 --hostname x3000m0-rts:8083

  Recheck cray hsm inventory redfishEndpoints to verify the FQDN was updated. Repeat this step for each ServerTech PDU.
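
In the "Change and update the password" step, the Vault write is only safe once the PDU has accepted the PATCH; otherwise Vault and the device disagree. The following is an added example, not part of the original procedure (function names are hypothetical): it checks the new password against the listed criteria and updates Vault only after the PDU returns 204. It assumes OLD_PDU_PASSWORD, NEW_PDU_PASSWORD and the vault alias are set as in the earlier steps.

```bash
# Added example: function names are hypothetical, not part of CSM or the PDU firmware.
# Assumes OLD_PDU_PASSWORD, NEW_PDU_PASSWORD and the vault alias from the earlier
# steps are already set in the shell where these functions are defined.

# Succeed only if $1 meets the criteria this procedure lists:
# 8+ characters, one uppercase letter, one lowercase letter, one number.
pdu_password_ok() {
    [ "${#1}" -ge 8 ] || return 1
    case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:digit:]]*) ;; *) return 1 ;; esac
}

# Print the status code from the first line of `curl -i` output read on stdin.
http_status() {
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Change the admn password on one PDU, then update Vault only after a 204.
# Returns 2 if the new password fails the criteria, 1 if the PATCH was not accepted.
rotate_pdu_password() {
    pdu=$1
    if ! pdu_password_ok "$NEW_PDU_PASSWORD"; then
        echo "${pdu}: new password does not meet the criteria" >&2
        return 2
    fi
    body=$(jq -nc --arg PASSWORD "$NEW_PDU_PASSWORD" '{password: $PASSWORD}')
    status=$(curl -i -k -s -u "admn:${OLD_PDU_PASSWORD}" -X PATCH \
        "https://${pdu}/jaws/config/users/local/admn" -d "$body" | http_status)
    if [ "$status" != "204" ]; then
        echo "${pdu}: PATCH returned '${status:-no response}'; Vault not updated" >&2
        return 1
    fi
    vault kv get "secret/pdu-creds/${pdu}" |
        jq --arg PASSWORD "$NEW_PDU_PASSWORD" '.data | .Password=$PASSWORD' |
        vault kv put "secret/pdu-creds/${pdu}" -
}
```

Define the functions in the interactive shell after the vault alias has been created so that bash expands the alias inside rotate_pdu_password, then call `rotate_pdu_password "$PDU"` for one PDU or from the HSM loop for all of them.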