Changing Administrator Passwords

This section describes how to change every administrator password used in SL1.

Appliances installed as an AWS EC2 instance have the "root" operating system account disabled by default. During the setup process, the user "ec2-user" is automatically added to the operating system configuration. The ec2-user account can be used to perform administrative tasks that require SSH command-line access. The ec2-user account is permitted to perform all operating system commands using the "sudo" command without a password.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Disabling phpMyAdmin

The phpMyAdmin interface provides a web interface for viewing and managing MySQL databases. By default, you can log in to the Database Server using the phpMyAdmin interface to view and manage the MySQL databases on all Database Servers, Data Collectors, and Message Collectors in the system.

To disable phpMyAdmin, you must disable the service and then disable the ports on which the service runs. To do this:

  1. Either go to the console of your Database Server or All-In-One Appliance, or use SSH to access the Database Server or All-In-One Appliance. Open a shell session on the server. Log in as an administrator.

  2. Edit the file /etc/siteconfig/firewalld-rich-rules.siteconfig:

    sudo vifirewalld

  3. Add the following lines:

    rule service name="phpmyadmin" reject
    rule port port="8008" protocol="tcp" reject

  4. Save your changes and exit the file (:wq).

Changing the Password for the Default User Interface Account

To change the password used by the em7admin user account to access the user interface:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. Click the wrench icon for the em7admin user. The Account Permissions page appears.
  3. Enter the new password in the Change Password field.
  4. Re-type the new password in the Confirm Password field.

    You can use the following special characters in the em7admin user account password:

    + _ ) ( * & ^ % $ # @ ! | } { " : ? > < = - \ ] [ ' ; / . ,

  5. Click the Save button. A pop-up window appears, asking you to confirm the change.
  6. Click OK. The message "Password Saved" is displayed.

Changing the Password for the Default Console User

To change the password for the default administrative user em7admin for console logins and SSH access:

  1. Either go to the console of the SL1 appliance or use SSH to access the server.

  2. Log in as user em7admin with the current password.

  3. At the shell prompt, type the following:

    passwd

  4. When prompted, type and re-type the new password.

    You can use the following special characters in the em7admin user account password:

    + _ ) ( * & ^ % $ # @ ! | } { " : ? > < = - \ ] [ ' ; / . ,

Changing the Password for the Web Configuration Utility

If you want to change the password for the Web Configuration Utility on all SL1 appliances, you must log in to the Web Configuration Utility on each node or appliance and perform the steps in this section.

You cannot change the username for the Web Configuration Utility. The username remains em7admin.

To change the password for the Web Configuration Utility:

  1. Log in to the Web Configuration Utility by navigating to https://<ip-address-of-appliance>:7700 and entering your credentials. The Configuration Utilities page appears.
  2. Click the Device Settings button. The Settings page appears.
  3. In the Settings page, type the following:

    • Web Config Password (change only). Type the new password.
    • Confirm Web Config Password. Type the new password again.

  4. Click Save.
  5. Perform steps 1-4 for each node or appliance for which you want to change the password for the Web Configuration Utility.

Changing Database Passwords

The following SL1 appliances include a database instance:

  • All-In-One Appliances
  • Database Servers
  • Data Collectors
  • Message Collectors

By default, SL1 appliances use the following user accounts to access appliance databases:

  • clientdbuser. This user is the default database user for MariaDB. This user has the same password as em7admin and root, and the password is set during the initial installation. The clientdbuser does not have super privileges.
  • ap_user. This user is configured in the Database Server and is used by any appliance with a user interface (Database Server, All-In-One Appliance, Administration Portal) to access the database on a Database Server or All-In-One Appliance. By default, this user account has the user name apuser.

Configuring a New MySQL Password on Database Appliances

Exercise caution when manipulating MySQL user accounts. Do not use the following procedures unless you are confident in MySQL and know how to undo any changes, should something go wrong. Otherwise, contact ScienceLogic Support for assistance.

If you are using a version of SL1 prior to 11.3.0, follow the steps in this Support knowledge base article to change the password for dbuser, which was used in older versions of SL1 instead of clientdbuser: https://support.sciencelogic.com/s/article/1471.

To change the password for the clientdbuser or ap_user account on the database appliance:

  1. Either go to the console of the Database Server or All-In-One Appliance, or use SSH to access the server and log in as em7admin with the appropriate password.

  2. If you have a high-availability (HA) cluster of database appliances, put the cluster into maintenance mode (coro_config). Otherwise, you can skip this step.

  3. Stop SL1 services by running the following command:

    sudo siloctl stop

  4. Launch the MySQL prompt:

    silo_mysql mysql

  5. From the MySQL prompt, change the root password by running one of the following SQL queries, depending on which account password you are changing:

    • For the clientdbuser account:

      SET password FOR 'clientdbuser' = PASSWORD('<NEW_PASSWORD>');

    • For the ap_user account:

      SET password FOR 'ap_user' = PASSWORD('<NEW_PASSWORD>');

    where <NEW_PASSWORD> is the password you want to configure for the account.

  6. To effect the change immediately, you can run the following SQL query:

    FLUSH PRIVILEGES;

  7. Ensure you can access the database with the new password. Exit the MySQL interface (exit) and test the new password by running one of the following commands, entering the new password when prompted:

    • For the clientdbuser account:

      mysql -u clientdbuser -p

    • For the ap_user account:

      mysql -u ap_user -p

  8. Restart SL1 services:

    sudo siloctl start

  9. Configure the new password in the Database Server by updating the /etc/silo.conf file. To edit this file, run the following command:

    visilo

  10. In the /etc/silo.conf file, update the following section or sections:

    • For the clientdbuser account:

      [LOCAL]

      dbpasswd = <NEW_PASSWORD>

      [CENTRAL]

      dbpasswd = <NEW_PASSWORD>

    • For the ap_user account:

      [CENTRAL]

      ap_user = apuser

      ap_pass = <NEW_PASSWORD>

  11. Save the file (:wq) and enter y to move the changes to the /etc/siteconfig/siloconf.siteconfig file automatically.

  12. Run the following command:

    systemctl restart nextui php-fpm nginx

  13. Repeat steps 9-12 on every Database Server or Administration Portal in your stack to update the passwords in the /etc/silo.conf file for those appliances as well.

  14. If you have a high-availability (HA) cluster of database appliances and you put the cluster into maintenance mode in step 2, you can use coro_config again to remove it from maintenance mode.
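
The script below is an added example, not part of the ScienceLogic documentation or SL1 tooling. It audits a silo.conf after steps 9-13, reporting a missing key, a leftover <NEW_PASSWORD> placeholder, or a [LOCAL]/[CENTRAL] dbpasswd mismatch, without printing any password. The function names and the sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a silo.conf after a database password change.
# Findings name the key only; password values are never printed.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }
        cur == sect {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)  # split on first "="
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_silo_conf FILE: print one finding per line, return the finding count.
audit_silo_conf() {
    file=$1; findings=0
    local_pw=$(ini_get "$file" LOCAL dbpasswd)
    central_pw=$(ini_get "$file" CENTRAL dbpasswd)
    ap_pw=$(ini_get "$file" CENTRAL ap_pass)
    for pair in "LOCAL.dbpasswd:$local_pw" "CENTRAL.dbpasswd:$central_pw" \
                "CENTRAL.ap_pass:$ap_pw"; do
        name=${pair%%:*}; val=${pair#*:}
        case "$val" in
            '')      echo "MISSING $name";     findings=$((findings + 1)) ;;
            '<'*'>') echo "PLACEHOLDER $name"; findings=$((findings + 1)) ;;
        esac
    done
    # Step 10 sets the same clientdbuser password in both sections.
    if [ -n "$local_pw" ] && [ -n "$central_pw" ] && [ "$local_pw" != "$central_pw" ]; then
        echo "MISMATCH LOCAL.dbpasswd CENTRAL.dbpasswd"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: [CENTRAL] was missed and ap_pass still holds the placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[LOCAL]
dbpasswd = N3w=Example:Pass
[CENTRAL]
dbpasswd = 0ldExamplePass
ap_user = apuser
ap_pass = <NEW_PASSWORD>
EOF
audit_silo_conf "$sample" || echo "$? finding(s) in $sample"
```

On an appliance, run audit_silo_conf /etc/silo.conf with sufficient privileges to read the file. The mismatch check assumes a Database Server or All-In-One Appliance, where step 10 sets both sections to the same value.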

Configuring a New MySQL Password on Collector Appliances

Perform the following steps to change the MySQL account password on an SL1 Collector:

  1. Either go to the console of the Database Server, All-In-One Appliance, Data Collector, or Message Collector, or use SSH to access the server and log in as em7admin with the appropriate password.

  2. Run the following command to launch the MySQL prompt:

    silo_mysql mysql

  3. From the MySQL prompt, change the root password by running the following SQL query:

    SET PASSWORD FOR CURRENT_USER()= PASSWORD('new password');

  4. To effect the change immediately, run the following SQL query:

    FLUSH PRIVILEGES;

  5. Ensure you can access the database with the new password. Exit the MySQL interface, and test by running the following command, entering the new password when prompted:

    mysql -u clientdbuser -p

  6. Configure the new password by updating the /etc/silo.conf file. To edit this file, run the following command:

    visilo

  7. In the /etc/silo.conf file, update the following section:

    [LOCAL]

    dbpasswd = <NEW_PASSWORD>

    where <NEW_PASSWORD> is the password you want to configure for the account.

  8. Save the file (:wq) and enter y to move the changes to the /etc/siteconfig/siloconf.siteconfig file automatically.

  9. From the SL1 user interface, go to the Appliance Manager page (System > Settings > Appliances), click the wrench icon on the Collector, and then update the DB User and DB Password fields to reflect the new values. When you are done, click Save.

  10. Go to the Collector Status page (System > Monitor > Collector Status) and confirm that the Collector has a Collector State of "Available".

Editing Silo.Conf

To edit the /etc/silo.conf file:

  1. Either go to the console of the SL1 appliance, or use SSH to access the SL1 appliance, and log in as em7admin with the appropriate password.

  2. Type the following at the command line:

    sudo visilo

  3. Edit the file as needed.

  4. Save and close the file (:wq).

Updating the master.system_settings_licenses Table

To update the master.system_settings_licenses table after you have changed the root password on a Data Collector or Message Collector:

  1. Go to the Appliance Manager page (System > Settings > Appliances).
  2. Locate the Data Collector or Message Collector in the list of appliances. Note the value in the ID column for the Data Collector or Message Collector.
  3. Go to the Database Tool page (System > Tools > DB Tool).

    The Database Tool page is available only in versions of SL1 prior to 12.2.1 and displays only for users that have sufficient permissions to access the page.

  4. Enter the following in the SQL Query field, replacing <new password> with the new password and <ID value of Collector> with the value you noted in step 2:

    UPDATE master.system_settings_licenses SET db_user='root', db_pass='<new password>' WHERE id=<ID value of Collector>;

    If you want to update all Data Collectors and Message Collectors with the same password, enter the following in the SQL Query field, replacing <new password> with the new password:

    UPDATE master.system_settings_licenses SET db_user='root', db_pass='<new password>' WHERE function in (5,6);

  5. Click the Go button.

Recovering the Root MySQL Password

To reset the root MySQL password if you become locked out:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.

  2. Log in as em7admin with the appropriate password.

  3. Stop the em7 and mariadb services:

    systemctl stop em7 mariadb

  4. Start the mariadb service with the "--skip-grant-tables" option:

    systemctl set-environment MYSQLD_OPTS="--skip-grant-tables"

    systemctl start mariadb

  5. Access the MySQL database:

    mysql -u root mysql

  6. Reset the root password from the MySQL prompt:

    UPDATE user SET password=PASSWORD('<new password>') WHERE User='root';

  7. Stop the mariadb service again, unset the environment variable, and restart the service, using the following sequence of commands:

    systemctl stop mariadb

    systemctl unset-environment MYSQLD_OPTS

    systemctl start mariadb

  8. Ensure that you can access the MySQL database with the new password:

    mysql -u root -p

  9. Restart the em7 service:

    systemctl start em7

  10. Ensure that the password you set is also updated in the /etc/silo.conf dbpasswd variable. For more information, see Configuring a New MySQL Password on Database Appliances.
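
The following check is an added example, not part of the ScienceLogic documentation. If step 7 is skipped, MYSQLD_OPTS stays in the systemd manager environment and mariadb keeps starting without authentication, so the script confirms the option is gone from both the environment and the running process. The function name bypass_state and the sample text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: confirm the --skip-grant-tables bypass from the recovery
# procedure is fully removed. Inputs are passed as text so the logic can be
# exercised offline; on an appliance, feed it live command output.

# bypass_state ENV_TEXT PS_TEXT
#   ENV_TEXT: output of `systemctl show-environment`
#   PS_TEXT:  output of `ps -eo args`
# Prints "clean", or the places where the bypass is still present.
bypass_state() {
    state=""
    # Still set in the systemd manager environment: the next start of
    # mariadb would again run without authentication.
    if printf '%s\n' "$1" | grep -Eq '^MYSQLD_OPTS=.*skip-grant-tables'; then
        state="env-set"
    fi
    # A running server process still carries the option.
    if printf '%s\n' "$2" | grep -Eq '(mysqld|mariadbd)( .*)? --skip-grant-tables'; then
        state="${state:+$state }running"
    fi
    echo "${state:-clean}"
}

# Constructed samples (not captured from a real appliance).
env_after_step4='LANG=en_US.UTF-8
MYSQLD_OPTS=--skip-grant-tables'
ps_after_step4='/usr/sbin/mysqld --skip-grant-tables
/usr/sbin/sshd -D'
env_after_step7='LANG=en_US.UTF-8'
ps_after_step7='/usr/sbin/mysqld
/usr/sbin/sshd -D'

echo "after step 4: $(bypass_state "$env_after_step4" "$ps_after_step4")"
echo "after step 7: $(bypass_state "$env_after_step7" "$ps_after_step7")"
# Live use: bypass_state "$(systemctl show-environment)" "$(ps -eo args)"
```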

Recovering the MySQL SNMP User Account on Data Collector

If you have removed the SNMP user account from the Data Collector's MySQL database in an attempt to harden your system, you must recover the account so that SL1 can insert incoming SNMP traps into the database for processing.

To restore the SNMP user account:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.

  2. Log in as em7admin with the appropriate password.

  3. Run the following command to restore the SNMP user account:

    /opt/em7/share/scripts/em7_firstboot.d/30_trap_listener-db_init.sh

Changing the MariaDB Password on SL1 Appliances

This procedure should be used only when you do not know the current password and the SL1 application cannot log in to the database.

Use the following instructions to change the MariaDB password in Database Servers, Data Collectors, Message Collectors, and All-In-One Appliances:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.

  2. Log in as em7admin with the appropriate password.

  3. Determine the username that SL1 uses for MariaDB access:

    sl1-config silo LOCAL dbuser

  4. Stop all SL1 services:

    sudo siloctl stop

  5. Access the MariaDB database with the super privileged account:

    sudo /bin/mysql -u root mysql

  6. Reset the password for the username that you identified in step 3 from the MariaDB prompt:

    SET PASSWORD FOR '<username from step 3>'@'%' = PASSWORD('<new password>');

    where:

    • <username from step 3> is the MariaDB username that you determined in step 3.
    • <new password> is the updated password you want to establish for that username.

  7. Exit the MariaDB database prompt:

    \q

  8. Edit the silo.conf file, as described in Editing Silo.Conf. Change the dbpasswd variable to the new password in both the [LOCAL] and [CENTRAL] sections.

    If you have clustered database appliances, be sure to update the silo.conf file for all cluster members.

    Upon saving, visilo will validate that the password works. If the password fails, ensure that you are typing it correctly, or that you set the password for the correct account from step 3.

  9. Restart all SL1 services:

    sudo siloctl start