UCMDB-Server-Master-key-rotation_688996428
UD/UCMDB stores the master key for app-level encryption in the vault. This master key should be rotated like the other keys used for storage encryption.
This section explains how to rotate the master key with a script that replaces the current UCMDB master key with a new one. The new master key can be either defined by you or randomly generated by the script.
To rotate the master key, follow these steps:
- On your local machine, create the rotate_masterkey.sh file with the following content:
#!/bin/bash
# Rotate the UCMDB master key stored in the Helm release values.
# Writes /tmp/values.old (current values) and /tmp/values.new (values with the new key).

usage() {
  echo "Usage: $0 -r <release> -n <namespace>"
  exit 1
}

while getopts ":r:n:" opt; do
  case $opt in
    r) RELEASE=$OPTARG ;;
    n) NAMESPACE=$OPTARG ;;
    *) usage ;;
  esac
done

if [ -z "$RELEASE" ] || [ -z "$NAMESPACE" ]; then
  usage
fi

# The key must be exactly 32 characters and contain at least one uppercase
# letter, one lowercase letter, one digit and one punctuation character.
validate_password() {
  local password="$1"
  if [ ${#password} -ne 32 ]; then
    echo "Error: The new master key must be exactly 32 characters long."
    return 1
  fi
  if [[ ! "$password" =~ [A-Z] ]]; then
    echo "Error: The new master key must contain at least one uppercase letter."
    return 1
  fi
  if [[ ! "$password" =~ [a-z] ]]; then
    echo "Error: The new master key must contain at least one lowercase letter."
    return 1
  fi
  if [[ ! "$password" =~ [0-9] ]]; then
    echo "Error: The new master key must contain at least one number."
    return 1
  fi
  if [[ ! "$password" =~ [[:punct:]] ]]; then
    echo "Error: The new master key must contain at least one punctuation character: +-./:[]_ "
    return 1
  fi
  return 0
}

while true; do
  read -r -p "Enter the new master key (32 characters) or leave empty to generate one: " NEW_KEY
  if [ -z "$NEW_KEY" ]; then
    # Draw one character from each required class plus 28 random alphanumerics,
    # then shuffle them. The hyphen is last in the tr set so that it is taken
    # literally rather than as a range.
    PUNCT_CHAR=$(< /dev/urandom tr -dc '+./:[]_-' | head -c 1)
    UPPER_CHAR=$(< /dev/urandom tr -dc 'A-Z' | head -c 1)
    LOWER_CHAR=$(< /dev/urandom tr -dc 'a-z' | head -c 1)
    DIGIT_CHAR=$(< /dev/urandom tr -dc '0-9' | head -c 1)
    ALPHA_NUM=$(< /dev/urandom tr -dc 'A-Za-z0-9' | head -c 28)
    NEW_KEY=$(echo "$PUNCT_CHAR$UPPER_CHAR$LOWER_CHAR$DIGIT_CHAR$ALPHA_NUM" | fold -w1 | shuf | tr -d '\n')
    echo "No key provided. Generated a random 32-character key."
    break
  elif validate_password "$NEW_KEY"; then
    break
  else
    echo "Please try again."
  fi
done

ENCODED_KEY=$(echo -n "$NEW_KEY" | base64)
echo "New Key: $NEW_KEY"

# Export the current release values as JSON.
if ! HELM_VALUES=$(helm get values "$RELEASE" -n "$NAMESPACE" -o json); then
  echo "Failed to get the Helm values."
  exit 1
fi
echo "$HELM_VALUES" > /tmp/values.tmp
echo "The Helm values file has been successfully saved"

jq '.acceptEula = true' /tmp/values.tmp > /tmp/values.old
rm /tmp/values.tmp
if jq . /tmp/values.old > /dev/null 2>&1; then
  echo "The JSON in /tmp/values.old is valid."
else
  echo "The JSON in /tmp/values.old is invalid. Please check the Helm values output."
  exit 1
fi

# Replace the stored master key with the new base64-encoded value.
TEMP_FILE=$(mktemp)
if jq --arg new_key "$ENCODED_KEY" '.secrets["ucmdb_master_key"] = $new_key' /tmp/values.old > "$TEMP_FILE"; then
  echo "The ucmdb_master_key has been successfully replaced with the new encoded value."
else
  echo "Failed to update the ucmdb_master_key."
  exit 1
fi
mv "$TEMP_FILE" /tmp/values.new
echo "The updated Helm values file has been saved to /tmp/values.new"
- Run the following command to get the release name for the helm deployment, and the information about the UCMDB chart used in the deployment:
helm list -n <NAMESPACE>
- Run the following command to rotate the master key:
./rotate_masterkey.sh -r <RELEASE_NAME> -n <NAMESPACE>
- Enter the new master key, or press Enter if you want the script to generate a random one.
The master key must contain exactly 32 characters and include at least one of each of the following four types of characters:
- Uppercase alphabetic characters
- Lowercase alphabetic characters
- Numeric characters
- Special characters: :/._+-[]
The script returns two files:
- /tmp/values.old - contains the information from the deployment with the old master key
- /tmp/values.new - contains the information from the deployment with the new master key
- Write down the value of the new master key, if you chose the key generated by the script.
- Access JMX Console, and locate the changeMasterKeyForCluster method. Enter and confirm the new master key, and then select Invoke.
- Run the following command to upgrade the helm deployment with the new master key value:
helm upgrade <RELEASE_NAME> <chart_file_location> --namespace <NAMESPACE> -f /tmp/values.new
- Run the following commands to restart the itom-ucmdb pods. First scale the statefulset down:
kubectl scale -n <NAMESPACE> --replicas=0 statefulset/itom-ucmdb
Wait for the itom-ucmdb pods to stop, and then run the following command:
kubectl scale -n <NAMESPACE> --replicas=2 statefulset/itom-ucmdb
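Before the helm upgrade step above, it is worth confirming that /tmp/values.new differs from /tmp/values.old only in the master key and that the new key satisfies the character policy listed earlier. The following Python check is an added example, not part of the product documentation or of rotate_masterkey.sh; it assumes the file layout the script writes (.secrets.ucmdb_master_key holding the base64-encoded key) and runs against constructed sample values with a placeholder hostname when no file paths are given.

```python
# Added check, not from the product docs; assumes the script's layout: .secrets.ucmdb_master_key = base64 key.
import base64
import json
import re
import sys

# Documented policy: 32 characters, at least one uppercase, lowercase, digit and one of :/._+-[]
ALLOWED = re.compile(r"^[A-Za-z0-9:/._+\-\[\]]{32}$")
CLASSES = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]", "digit": r"[0-9]",
           "special (:/._+-[])": r"[:/._+\-\[\]]"}

def flatten(node, prefix=""):
    """Map every leaf of a JSON document to its dotted path."""
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        return {k: v for key, val in items for k, v in flatten(val, f"{prefix}{key}.").items()}
    return {prefix.rstrip("."): node}

def changed_paths(old, new):
    """Dotted paths whose values differ between the old and new values files."""
    a, b = flatten(old), flatten(new)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

def key_policy_errors(values):
    """Decode the stored master key and list each policy rule it violates."""
    encoded = (values.get("secrets") or {}).get("ucmdb_master_key")
    try:
        key = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (TypeError, ValueError):
        return ["ucmdb_master_key is missing or is not valid base64"]
    errors = [] if ALLOWED.fullmatch(key) else ["key is not exactly 32 characters from A-Za-z0-9:/._+-[]"]
    errors += [f"key has no {name} character" for name, pat in CLASSES.items() if not re.search(pat, key)]
    return errors

def rotation_is_safe(old, new):
    """True only when the sole change is the master key and the new key meets policy."""
    return changed_paths(old, new) == ["secrets.ucmdb_master_key"] and not key_policy_errors(new)

def sample_values(key):  # constructed stand-in for a values file; the hostname is a placeholder
    return {"acceptEula": True, "global": {"externalAccessHost": "ucmdb.example.test"},
            "secrets": {"ucmdb_master_key": base64.b64encode(key.encode()).decode()}}

if __name__ == "__main__":  # usage: check_rotation.py /tmp/values.old /tmp/values.new
    if len(sys.argv) == 3:
        old, new = [json.load(open(p, encoding="utf-8")) for p in sys.argv[1:3]]
    else:  # no paths given: run against the constructed sample
        old, new = sample_values("Old-Master-Key-Value-0123456789A"), sample_values("New:Master.Key/Value_0123456789B")
    print("changed:", changed_paths(old, new), "| policy errors:", key_policy_errors(new) or "none")
    sys.exit(0 if rotation_is_safe(old, new) else 1)
```

Both values files hold the master key in reversible base64 form, so remove them once the upgrade has completed.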