Changing Passwords

Download this manual as a PDF file

This section describes how to change every administrator password used in SL1.

Appliances installed as an AWS EC2 instance have the "root" operating system account disabled by default. During the setup process, the user "ec2-user" is automatically added to the operating system configuration. The ec2-user account can be used to perform administrative tasks that require SSH command-line access. The ec2-user account is permitted to perform all operating system commands using the "sudo" command without a password.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all of the menu options, click the Advanced menu icon ().

Disabling phpMyAdmin

The phpMyAdmin interface provides a web interface for viewing and managing MySQL databases. By default, you can log in to the Database Server using the phpMyAdmin interface to view and manage the MySQL databases on all Database Servers, Data Collectors, and Message Collectors in the system.

To disable phpMyAdmin, you must disable the service and then disable the ports on which the service runs. To do this:

  1. If you are using a distributed system, either go to the console of the Database Server or use SSH to access the Database Server. Open a shell session on the server. Log in as an administrator.
  2. If you are using an All-In-One Appliance, either go to the console of the All-In-One Appliance or use SSH to access the All-In-One Appliance. Open a shell session on the server. Log in as an administrator.
  3. NOTE: For details on enabling and using SSH, see the manual System Administration. For details and warnings about root access and instructions on how to make root access secure, see the manual System Administration.

  4. Edit the file /etc/siteconfig/firewalld-rich-rules.siteconfig:

    sudo vifirewalld
  5. Add the following lines:

    rule service name="phpmyadmin" reject\
    rule port port="8008" protocol="tcp" reject
  6. Save your changes and exit the file (:wq).

Changing the Password for the Default User Interface Account

To change the password used by the em7admin user account to access the user interface:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. Click the wrench icon () for the em7admin user. The Account Permissions page appears.
  3. Enter the new password in the Change Password field.
  4. Re-type the new password in the Confirm Password field.

    You can use the following special characters in the em7admin user account password:

    + _ ) ( * & ^ % $ # @ ! | } { " : ? > < = - \ ] [ ' ; / . ,

  5. Click the Save button. A pop-up window appears, asking you to confirm the change.
  6. Click OK. The message "Password Saved" is displayed.

Changing the Password for the Default Console User

To change the password for the default administrative user em7admin for console logins and SSH access:

  1. Either go to the console of the SL1 appliance or use SSH to access the server.

  2. Log in as user em7admin with the current password.

  3. At the shell prompt, type the following:

    passwd

  4. When prompted, type and re-type the new password.

    You can use the following special characters in the em7admin user account password:

    + _ ) ( * & ^ % $ # @ ! | } { " : ? > < = - \ ] [ ' ; / . ,

Changing the Password for the Web Configuration Utility

If you want to change the password for the Web Configuration Utility on all SL1 appliances, you must log in to the Web Configuration Utility on each node or appliance and perform the steps in this section.

You cannot change the username for the Web Configuration Utility. The username remains em7admin.

To change the password for the Web Configuration Utility:

  1. Log in to the Web Configuration Utility by navigating to https://<ip-address-of-appliance>:7700 and entering your credentials. The Configuration Utilities page appears.
  2. Click the Device Settings button. The Settings page appears.
  3. In the Settings page, type the following:
  • Web Config Password (change only). Type the new password.
  • Confirm Web Config Password. Type the new password again.
  1. Click Save.
  2. Perform steps 1-4 for each node or appliance for which you want to change the password for the Web Configuration Utility.

Changing Database Passwords

The following SL1 appliances include a database instance:

  • All-In-One Appliances
  • Database Servers
  • Data Collectors
  • Message Collectors

By default, SL1 appliances use the following user accounts to access appliance databases:

  • ap_user. This user is used by the user interface to access the database on a Database Server or All-In-One Appliance. This user account is configured in the Database Server. Any appliance with a user interface (Database Server, All-In-One Appliance, Administration Portal) uses this user account to access the database on the Database Server. By default, this user account has the user name apuser.
  • clientdbuser. For SL1 version 11.3.0 and later, this user is the default database user for MariaDB. This user has the same password as em7admin and root, and the password is set during the initial installation. The clientdbuser does not have super privileges.
  • dbuser. For versions of SL1 before 11.3.0, this user is used by ScienceLogic platform processes to access the database instance on all appliances. By default, this user has the user name root.

To change the password for the ap_user account:

  1. Configure a new password in the Database Server by updating the /etc/silo.conf file:

    • Run the following command on the Database Server:

      visilo

    • Update the ap_pass in the [CENTRAL] section:

      [CENTRAL]

      ap_user = apuser

      ap_pass = <NEW_PASSWORD>

    • Save the change and enter y to move the changes to the /etc/siteconfig/siloconf.siteconfig file automatically.
  2. Use the Web Configuration Utility to configure the new password on every Administration Portal that you are using.

  3. Use visilo to configure the new password on every Database Server you are using.

  4. Run the following command on all of the appliances you updated in steps 1-3:

    systemctl restart nextui php-fpm nginx

To change the password for the clientdbuser or the dbuser account, you must:

  1. Configure a new password in the database instance.
  2. Configure SL1 to use the new password.

Exercise caution when manipulating MySQL user accounts. Do not use these procedures unless you are confident and know how to undo changes, should something go wrong.

Configuring a New Password on Collector Appliances

Perform the following steps to change the password for a user on a Collector:

  1. Either go to the console of the Database Server, All-In-One Appliance, Data Collector, or Message Collector or use SSH to access the server in CLI mode.

  2. Log in as em7admin with the appropriate password.

  3. Run the following command to launch the MySQL prompt:

    silo_mysql

  4. From the MySQL prompt, change the root password by running the following SQL query:

    SET PASSWORD FOR CURRENT_USER()= PASSWORD('new password');

  5. To effect the change immediately, run the following SQL query:

    MariaDB [(none)]> FLUSH PRIVILEGES;

  6. Ensure you can access the database with the new password. Exit the MySQL interface, and test by running the following command, entering the new password when prompted:

    mysql -u root -p

  7. Edit the /etc/silo.conf file and change the dbpasswd variable to the new password. See Editing Silo.Conf for assistance.

  8. From the SL1 interface, go to the Appliances page (System > Settings > Appliances) and click the wrench icon ( ) on the Collector. Then update the DB User and DB Password to the new values.

  9. Confirm in the Collector Status page (System > Monitor > Collector Status) that the Collector is available.

Editing Silo.Conf

  1. Either go to the console of the SL1 appliance or use SSH to access the SL1 appliance.

  2. Open a shell session on the server.

  3. Type the following at the command line:

    sudo visilo

  4. Edit the value assigned to clientdbuser or dbuser and to ap_user. Assign the value you defined in the section Configuring a New Password in the Database Instance.

  5. Save and close the file (:wq).

Updating the master.system_settings_licenses Table

To update the master.system_settings_licenses table after you have changed the root password on a Data Collector or Message Collector:

  1. Go to the Appliance Manager page (System > Settings > Appliances).
  2. Locate the Data Collector or Message Collector in the list of appliances. Note the value in the ID column for the Data Collector or Message Collector.
  3. Go to the Database Tool page (System > Tools > DB Tool).
  4. The Database Tool page is available only in versions of SL1 prior to 12.2.1 and displays only for users that have sufficient permissions to access the page.

  5. Enter the following in the SQL Query field, replacing <new password> with the new password and <ID value of Collector> with the value you noted in step 2:

    UPDATE master.system_settings_licenses SET db_user='root', db_pass=<new password> WHERE id=<ID value of Collector>;

    If you want to update all Data Collectors and Message Collectors with the same password, enter the following in the SQL Query field, replacing <new password> with the new password:

    UPDATE master.system_settings_licenses SET db_user='root', db_pass='<new password>' WHERE function in (5,6);

  6. Click the Go button.

Changing the MySQL Root Password on Database Appliances

To change the MySQL root password on database appliances:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.
  2. Log in as em7admin with the appropriate password.

    If your Database Appliances are part of an HA cluster, place your HA cluster in maintenance mode using the steps found in the section on Disaster Recovery with Two Appliances .

  3. Run the following command to launch the MySQL prompt:

    silo_mysql

  4. From the MySQL prompt, change the root password by running the following SQL query:

    MariaDB [(none)]> SET PASSWORD FOR 'root' = PASSWORD('new_password');

  5. To effect this change immediately, run the following SQL query. Enter the new password when prompted.

    MariaDB [(none)]> FLUSH PRIVILEGES;

  6. Ensure you can access the database with the new password. Exit the MySQL interface, and test by running the following command, entering the new password when prompted:

    mysql -u root -p

  7. Edit the silo.conf file, as described in Editing Silo.Conf. Change the dbpasswd variable to the new password in both the [LOCAL] and [CENTRAL] sections.

    If you have clustered database appliances, be sure to update the silo.conf file for all cluster members.

  8. If you have admin portals, update the dbpasswd variable in silo.conf on all admin portals.
  9. If the Data Collector's MySQL root user password is now different from the MySQL root user password on the Database Server, and the db_pass column in master.system_settings_licenses is "NULL", then the Database Server will attempt to use its own password to connect.
  10. Change the db_pass column for the collectors to their root MySQL user password using the instructions in Updating the master.system_settings_licenses Table.
  11. If you placed an HA cluster into maintenance mode to perform these steps, remember to return it to ready mode by setting coro_config to option 1. For more information, see the section on Disaster Recovery with Two Appliances .

Recovering the Root MySQL Password

To reset the root MySQL password if you become locked out:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.
  2. Log in as em7admin with the appropriate password.
  3. Stop the em7 and mariadb services:

    systemctl stop em7 mariadb

  4. Start the mariadb service with the "--skip-grant-tables' option:

    systemctl set-environment MYSQLD_OPTS="--skip-grant-tables" systemctl start mariadb

  5. Access the MySQL database:

    mysql -u root mysql

  6. Reset the root password from the MySQL prompt:

    UPDATE user SET password=PASSWORD('{new password}') WHERE User='root';

  7. Stop the mariadb service again, unset the environment variable, and restart the service, using the following sequence of commands:

    systemctl stop mariadb

    systemctl unset-environment MYSQLD_OPTS

    systemctl start mariadb

  8. Ensure that you can access the MySQL database with the new password:

    mysql -u root -p

  9. Restart the em7 service:

    systemctl start em7

  10. Ensure that the password you set is also updated in the /etc/silo.conf dbpasswd variable. For more information, see Changing the MySQL Root Password on Database Appliances

Recovering the MySQL SNMP User Account on Data Collector

If you have removed the SNMP user account from the Data Collector's MySQL database in an attempt to harden your system, you must recover the account so that SL1 can insert incoming SNMP traps into the database for processing.

To restore the SNMP user account:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.
  2. Log in as em7admin with the appropriate password.
  3. Run the following command to restore the SNMP user account:

    /opt/em7/share/scripts/em7_firstboot.d/30_trap_listener-db_init.sh

Changing the MariaDB Password on SL1 Appliances

The following sections describe how to change the MariaDB password on SL1 appliances. This procedure differs based on the version of SL1 that you are using.

This procedure should only be used when you do not know the current password and the SL1 application cannot login to the database.

Changing the MariaDB Password in SL1 11.3.0 and Above

On SL1 systems that were deployed from an 11.3.0 ISO or upgraded to 11.3.1 or above, use the following instructions to change the MariaDB password in Database Servers, Data Collectors, Message Collectors, and All-In-One Appliances:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.

  2. Log in as em7admin with the appropriate password.

  3. Determine the username that SL1 uses for MariaDB access:

    sl1-config silo LOCAL dbuser

  4. Stop all SL1 services:

    sudo siloctl stop

  5. Access the MariaDB database with the super privileged account:

    sudo /bin/mysql -u root mysql

  6. Reset the password for the username that you identified in step 3 from the MariaDB prompt:

    SET PASSWORD FOR '{username from step 3}'@'%' = PASSWORD('{new password}');

  7. Exit the MariaDB database prompt:

    \q

  8. Edit the silo.conf file, as described in Editing Silo.Conf. Change the dbpasswd variable to the new password in both the [LOCAL] and [CENTRAL] sections.

    If you have clustered database appliances, be sure to update the silo.conf file for all cluster members.

    Upon saving, visilo will validate that the password works. If the password fails, ensure that you are typing it correctly, or that you set the password for the correct account in step 3.

  9. Restart all SL1 services:

    siloctl start

Changing the MariaDB Password in SL1 Versions Prior to 11.3.0

On SL1 systems that were deployed from an 11.2.x or older ISO and not patched to version 11.3.1 or above, use the following instructions to change the MariaDB password in Database Servers, Data Collectors, Message Collectors, and All-In-One Appliances:

  1. Either go to the console of the Database Server or use SSH to access the server in CLI mode.
  2. Log in as em7admin with the appropriate password.

    If your Database Appliances are part of an HA cluster, place your HA cluster in maintenance mode using the steps found in the section on Disaster Recovery with Two Appliances.

  3. Stop all SL1 services:

    sudo siloctl stop

  4. Stop the MariaDB service:

    systemctl stop mariadb

  5. Start the MariaDB service with the "--skip-grant-tables" option:

    systemctl set-environment MYSQLD_OPTS="--skip-grant-tables"; systemctl start mariadb

  6. Access the MariaDB database:

    silo_mysql -u root mysql

  7. Reset the password from the MariaDB prompt:

    SET PASSWORD FOR 'root'@'%' = PASSWORD('{new password}');

  8. Exit the MariaDB database prompt:

    \q

  9. Stop the MariaDB service again, unset the environment variable, and restart the service:

    systemctl stop mariadb

    systemctl unset-environment MYSQLD_OPTS

    systemctl start mariadb

  10. Edit the silo.conf file, as described in Editing Silo.Conf. Change the dbpasswd variable to the new password in both the [LOCAL] and [CENTRAL] sections.

    If you have clustered database appliances, be sure to update the silo.conf file for all cluster members.

  11. Verify that the password works:

    silo_mysql

  12. Restart all SL1 services:

    sudo siloctl start

  13. If you placed an HA cluster into maintenance mode to perform these steps, remember to return it to ready mode by setting coro_config to option 1. For more information, see the section on Disaster Recovery with Two Appliances.