Kaspersky SD-WAN

Managing passwords

Passwords help ensure the security of deployed Kaspersky SD-WAN components. You can manually generate the passwords. If you do not manually generate the passwords, they are generated automatically when you deploy the solution.

Passwords are contained in the following files:

  • keystore.yml contains passwords of Kaspersky SD-WAN components and their SSL certificates.
  • vault_password.txt contains the master password.

We recommend storing password files in a protected directory because they can be used to gain access to the deployed solution.

After deployment, the generated passwords are automatically placed in the Docker containers of Kaspersky SD-WAN components. Solution components exchange passwords when interacting with each other.


Manually generating passwords

To manually generate the passwords:

  1. Create the /passwords directory on the administrator device. Specify the path to the created directory in the external section of the configuration file using the vault_password_dirname setting.
  2. Create a keystore.yml file and in that file, specify the passwords using the following settings:
    • ZABBIX_DB_SECRET is the root password of the Zabbix monitoring system database.
    • MONGO_ADMIN_SECRET is the administrator password of the MongoDB database.
    • MONGO_USER_SECRET is the user password of the MongoDB database. This password is used by the orchestrator.
    • CTL_CERT_SECRET is the password of the controller SSL certificate.
    • ORC_CERT_SECRET is the password of the orchestrator SSL certificate.
    • ORC_ENC_SECRET is the password for encrypting confidential data in the MongoDB database. Minimum length: 32 characters.
    • VNFM_CERT_SECRET is the password of the VNFM SSL certificate.

    For all passwords except ORC_ENC_SECRET, we recommend specifying at least 16 characters.

  3. Create the vault_password.txt file and in that file, specify the master password.
  4. Encrypt the keystore.yml file:
    • If you want to encrypt the keystore.yml file in attended mode:

      ansible-vault encrypt --ask-vault-pass keystore.yml

    • If you want to encrypt the keystore.yml file in unattended mode:

      ansible-vault encrypt --vault-password-file vault_password.txt keystore.yml

The passwords are generated and encrypted.
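The manual-generation steps above can be scripted so that the secrets are random and the files are never world-readable. This is an added example, not part of the product documentation. It assumes keystore.yml is a flat YAML map of NAME: "value" pairs (the page does not show the file layout), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: keystore.yml is a flat YAML
# map of NAME: "value" pairs; all function names here are hypothetical.

# Print one random alphanumeric secret of exactly $1 characters.
gen_secret() {
    s=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$1")
    [ "${#s}" -eq "$1" ] || return 1
    printf '%s\n' "$s"
}

# Create directory $1 (mode 700) holding keystore.yml and vault_password.txt
# (mode 600). Existing files in that directory are overwritten.
write_password_files() (
    umask 077
    mkdir -p "$1" || exit 1
    chmod 700 "$1" || exit 1
    : > "$1/keystore.yml"; : > "$1/vault_password.txt"
    chmod 600 "$1/keystore.yml" "$1/vault_password.txt" || exit 1
    for name in ZABBIX_DB_SECRET MONGO_ADMIN_SECRET MONGO_USER_SECRET \
                CTL_CERT_SECRET ORC_CERT_SECRET ORC_ENC_SECRET VNFM_CERT_SECRET
    do
        # ORC_ENC_SECRET needs at least 32 characters; 24 exceeds the
        # 16-character recommendation for the other settings.
        case $name in ORC_ENC_SECRET) len=32 ;; *) len=24 ;; esac
        secret=$(gen_secret "$len") || exit 1
        printf '%s: "%s"\n' "$name" "$secret" >> "$1/keystore.yml"
    done
    gen_secret 32 >> "$1/vault_password.txt"
)

# Succeed only if file $1 starts with the Ansible Vault header, that is,
# the file is no longer plaintext.
keystore_is_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Encrypt keystore.yml in directory $1 in unattended mode (the command from
# the procedure above), then confirm that the file on disk is encrypted.
encrypt_keystore() (
    cd "$1" || exit 1
    ansible-vault encrypt --vault-password-file vault_password.txt keystore.yml || exit 1
    keystore_is_encrypted keystore.yml
)

# Usage: write_password_files /passwords && encrypt_keystore /passwords
```

The keystore_is_encrypted check is also useful after changing passwords, to confirm that a decrypted keystore.yml was not left on disk.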

See also

About the attended, unattended, and partially attended action modes


Changing passwords

To change the passwords:

  1. Decrypt the keystore.yml file:
    • If you want to decrypt the keystore.yml file in attended mode:

      ansible-vault decrypt --ask-vault-pass keystore.yml

    • If you want to decrypt the keystore.yml file in unattended mode:

      ansible-vault decrypt --vault-password-file vault_password.txt keystore.yml

  2. Change the following passwords in the keystore.yml file:
    • ZABBIX_DB_SECRET is the root password of the Zabbix monitoring system database.
    • MONGO_ADMIN_SECRET is the administrator password of the MongoDB database.
    • MONGO_USER_SECRET is the user password of the MongoDB database. This password is used by the orchestrator.
    • CTL_CERT_SECRET is the password of the controller SSL certificate.
    • ORC_CERT_SECRET is the password of the orchestrator SSL certificate.
    • ORC_ENC_SECRET is the password for encrypting confidential data in the MongoDB database. Minimum length: 32 characters.
    • VNFM_CERT_SECRET is the password of the VNFM SSL certificate.

    For all passwords except ORC_ENC_SECRET, we recommend specifying at least 16 characters.

  3. Encrypt the keystore.yml file:
    • If you want to encrypt the keystore.yml file in attended mode:

      ansible-vault encrypt --ask-vault-pass keystore.yml

    • If you want to encrypt the keystore.yml file in unattended mode:

      ansible-vault encrypt --vault-password-file vault_password.txt keystore.yml

The passwords are changed and encrypted.
