Changing default server passwords

Resource Manager adds global configuration parameters that include passwords to the run-time environments (Docker containers) of every service. The default passwords for some servers are the same in all Resource Manager distributions. To avoid security issues, Zenoss recommends changing the default passwords of the servers.

Changes to global configuration parameters persist across upgrades.

The following list associates the affected servers, their Resource Manager services, and their account information.

The list includes both account names and passwords. Zenoss recommends changing the passwords of each account and strongly discourages changing the account names. Changes to either default usernames or passwords may require an update to configuration properties related to the RMMonitor ZenPack.

MariaDB server for the events database

  • Service: mariadb-events
  • Administrator account: global.conf.zep-admin-user
  • Administrator password: global.conf.zep-admin-password
  • User account: global.conf.zep-user
  • User password: global.conf.zep-password

MariaDB server for the model database

  • Service: mariadb-model
  • Administrator account: global.conf.zodb-admin-user
  • Administrator password: global.conf.zodb-admin-password
  • User account: global.conf.zodb-user
  • User password: global.conf.zodb-password

RabbitMQ server

  • Service: RabbitMQ
  • User account: global.conf.amqpuser
  • User password: global.conf.amqppassword

Zope authentication server

  • Service: Zauth
  • User account: global.conf.zauth-username
  • User password: global.conf.zauth-password

Changing MariaDB passwords

Use this procedure to change the passwords of the MariaDB databases for event and model data.

Change MariaDB passwords only after installing the MariaDB utilities.

To perform this procedure, the mariadb-events and mariadb-model services of Resource Manager must be running.

  1. Log in to the Control Center master host as root or as a user with superuser privileges.
  2. Change the passwords of the events database server.

    1. Log in to the Docker container of the mariadb-events service as zenoss.

      serviced service attach mariadb-events su - zenoss
      
    2. Start an interactive session.

      export TERM=dumb; mysql -u root
      
    3. Access the administration database.

      USE mysql
      
    4. Set the password of the root user.

      Replace New-Password with a new password:

      SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('New-Password');
      SET PASSWORD FOR 'root'@'localhost' = PASSWORD('New-Password');
      

      Record the password for use in a subsequent step.

    5. Update the password of the zenoss user.

      Replace New-Password with a new password:

      SET PASSWORD FOR 'zenoss'@'127.0.0.1' = PASSWORD('New-Password');
      SET PASSWORD FOR 'zenoss'@'%' = PASSWORD('New-Password');
      

      Record the password for use in a subsequent step.

    6. Exit the interactive session.

      QUIT
      

      The MariaDB server loads the grant tables into memory immediately when account management statements like SET PASSWORD are used, so the FLUSH PRIVILEGES statement is not necessary.

    7. Log out of the Docker container.

      exit
      
  3. Change the passwords of the model database server.

    1. Log in to the Docker container of the mariadb-model service as zenoss.

      serviced service attach mariadb-model su - zenoss
      
    2. Start an interactive session.

      export TERM=dumb; mysql -u root
      
    3. Access the administration database.

      USE mysql
      
    4. Set the password of the root user.

      Replace New-Password with a new password:

      SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('New-Password');
      SET PASSWORD FOR 'root'@'localhost' = PASSWORD('New-Password');
      

      Record the password for use in a subsequent step.

    5. Update the password of the zenoss user.

      Replace New-Password with a new password:

      SET PASSWORD FOR 'zenoss'@'127.0.0.1' = PASSWORD('New-Password');
      SET PASSWORD FOR 'zenoss'@'%' = PASSWORD('New-Password');
      

      Record the password for use in a subsequent step.

    6. Exit the interactive session.

      QUIT
      
    7. Log out of the Docker container.

      exit
      
  4. Log in to the Control Center browser interface.

  5. In the Applications table, click Zenoss.resmgr.
  6. In the application title line, click Edit Variables.

    Initially, the application title line appears immediately below the Control Center banner at the top of the page. When you scroll down the page, the application title line persists at the top of the page.

  7. Update the passwords of the events database server.

    1. In the Edit Variables dialog, locate the global.conf.zep-password variable.
    2. Replace its value with the password specified previously for the zenoss user of the events database server.
    3. Locate the global.conf.zep-admin-password variable.
    4. Replace its value with the password specified previously for the root user of the events database server.
  8. Update the passwords of the model database server.
    1. Locate the global.conf.zodb-password variable.
    2. Replace its value with the password specified previously for the zenoss user of the model database server.
    3. Locate the global.conf.zodb-admin-password variable.
    4. Replace its value with the password specified previously for the root user of the model database server.
    5. At the bottom of the Edit Variables dialog, click Save Changes.
  9. In the application title line, click Restart.
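
An added example, not part of the Zenoss documentation: shell helpers that generate a password needing no escaping and render the SET PASSWORD statements of steps 2 and 3 for all four account and host pairs. The function names, and the rule that the root and zenoss passwords differ, are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Zenoss tooling.

# Print a random hex password built from $1 bytes of /dev/urandom
# (default 16 bytes = 32 characters). Hex needs no escaping in a SQL
# literal, a shell argument, or the Edit Variables dialog.
gen_password() {
    nbytes="${1:-16}"
    head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print one SET PASSWORD statement per host for account $1, password $2.
# Refuses empty passwords and any character that could break quoting.
render_set_password() {
    account="$1"; password="$2"; shift 2
    case "$password" in
        ''|*[!A-Za-z0-9]*)
            echo "password is empty or needs escaping" >&2
            return 1 ;;
    esac
    for host in "$@"; do
        printf "SET PASSWORD FOR '%s'@'%s' = PASSWORD('%s');\n" \
            "$account" "$host" "$password"
    done
}

# Print the statements for one database server: root password $1,
# zenoss password $2, at the account/host pairs the procedure lists.
# Requiring the two passwords to differ is this example's assumption.
render_server_sql() {
    root_pw="$1"; zenoss_pw="$2"
    if [ "$root_pw" = "$zenoss_pw" ]; then
        echo "root and zenoss passwords must differ" >&2
        return 1
    fi
    echo "USE mysql;"
    render_set_password root "$root_pw" 127.0.0.1 localhost || return 1
    render_set_password zenoss "$zenoss_pw" 127.0.0.1 '%' || return 1
}

# Usage, once per server (mariadb-events, then mariadb-model):
#   render_server_sql "$(gen_password)" "$(gen_password)"
# Paste the output into the mysql session and record both passwords.
```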

Changing the RabbitMQ server password

Use this procedure to change the password of the RabbitMQ server.

Changing this password will require an update to the zRMMonRabbitUser and zRMMonRabbitPassword configuration properties for this Resource Manager instance if it is being monitored by the RMMonitor ZenPack.

To perform this procedure, the mariadb-model child services of Resource Manager must be running.

  1. Log in to the Control Center master host as root, or as a user with superuser privileges.
  2. Change the password of the zenoss user.

    1. Log in to the Docker container of the RabbitMQ service as root.

      serviced service attach rabbitmq
      
    2. Change the password.

      Replace New-Password with a new password:

      rabbitmqctl change_password zenoss New-Password
      

      Record the password for use in a subsequent step.

    3. Log out of the Docker container.

      exit
      
  3. Log in to the Control Center browser interface.

  4. In the Applications table, click Zenoss.
  5. In the application title line, click Edit Variables.

    Initially, the application title line appears immediately below the Control Center banner at the top of the page. When you scroll down the page, the application title line persists at the top of the page.

  6. Change the password of the RabbitMQ server.

    1. In the Edit Variables dialog, locate the global.conf.amqppassword variable.
    2. Replace its value with the new password specified previously.
    3. At the bottom of the Edit Variables dialog, click Save Changes.
  7. Restart the RabbitMQ service.
    1. Scroll down to the Services table, and then locate the RabbitMQ service.
    2. In the Actions column of the service, click the Restart control.

Changing the Zope authentication server password

Use this procedure to change the password of the Zope authentication server.

To perform this procedure, the Resource Manager application must be running. During the procedure, Resource Manager must be restarted.

  1. Log in to the Control Center browser interface.
  2. In the Applications table, click Zenoss.resmgr.
  3. Stop all metricshipper, metricconsumer, and centralquery services.
  4. Log in to the Resource Manager browser interface as zenoss_system.

    The default password is MY_PASSWORD.

  5. Click the ADVANCED tab, and then click Settings.

  6. From the left column, select Users.
  7. In the UserId table, click the zenoss_system link.
  8. In the USER SETTINGS area, enter a new password in the Set New Password field, and then enter it again in the Confirm New Password field.

    Record the password for use in a subsequent step.

  9. In the Current Password for zenoss_system field, enter the password you used to log in as zenoss_system.

  10. Click Save Settings, and then log out of the browser interface.
  11. In Control Center, go to the Applications tab and click Zenoss.resmgr.
  12. In the application title line, click Edit Variables.

  13. Update the password of the zenoss_system user account.

    1. In the Edit Variables dialog, locate the global.conf.zauth-password variable.

      This variable sets the password of the Zope authentication server.

    2. Replace its value with the password specified previously for the zenoss_system user account.

    3. At the bottom of the Edit Variables dialog, click Save Changes.
    4. In the application title line, click the Restart control.