nexus/knowledgebase/csd-wiki/ICSD/UCMDB-Server-Master-key-rotation_688996428.md
2026-04-18 17:09:43 +08:00


# UCMDB-Server-Master-key-rotation_688996428
UD/UCMDB stores the master key used for application-level encryption in the vault. Like the other keys used for storage encryption, this master key should be rotated periodically.
This section describes how to rotate the master key with a script that replaces the current UCMDB master key in the Helm release values with a new one. You can either supply the new master key yourself or let the script generate a random one.
To rotate the master key, follow these steps:
1. On your local machine, create the **rotate_masterkey.sh** file with the following content:
```
#!/bin/bash
# Rotates the UCMDB master key in the Helm release values: exports the current
# values, replaces .secrets.ucmdb_master_key with the base64 encoding of the new
# key, and writes /tmp/values.old (current) and /tmp/values.new (updated).

usage() {
    echo "Usage: $0 -r <release> -n <namespace>"
    exit 1
}

while getopts ":r:n:" opt; do
    case $opt in
        r) RELEASE=$OPTARG ;;
        n) NAMESPACE=$OPTARG ;;
        *) usage ;;
    esac
done

if [ -z "$RELEASE" ] || [ -z "$NAMESPACE" ]; then
    usage
fi

# The values files written below contain the old and the new master key:
# create them readable by the current user only.
umask 077

# The master key must be exactly 32 characters long and contain at least one
# uppercase letter, one lowercase letter, one number and one punctuation character.
validate_password() {
    local password="$1"
    if [ ${#password} -ne 32 ]; then
        echo "Error: The new master key must be exactly 32 characters long."
        return 1
    fi
    if [[ ! "$password" =~ [A-Z] ]]; then
        echo "Error: The new master key must contain at least one uppercase letter."
        return 1
    fi
    if [[ ! "$password" =~ [a-z] ]]; then
        echo "Error: The new master key must contain at least one lowercase letter."
        return 1
    fi
    if [[ ! "$password" =~ [0-9] ]]; then
        echo "Error: The new master key must contain at least one number."
        return 1
    fi
    if [[ ! "$password" =~ [[:punct:]] ]]; then
        echo "Error: The new master key must contain at least one punctuation character: +-./:[]_ "
        return 1
    fi
    return 0
}

while true; do
    read -r -p "Enter the new master key (32 characters) or leave empty to generate one: " NEW_KEY
    if [ -z "$NEW_KEY" ]; then
        # Generate one punctuation character from the allowed set plus 31 alphanumeric
        # characters and shuffle their order. In tr, '+-.' is a range that also matches
        # ',', which the second tr removes. Repeat until the result passes validation,
        # since a random draw can miss one of the required character types.
        until validate_password "$NEW_KEY" >/dev/null; do
            PUNCT_CHAR=$(</dev/urandom tr -dc '+-./:[]_' | tr -d ',[:alnum:]' | head -c 1)
            ALPHA_NUM=$(< /dev/urandom tr -dc 'A-Za-z0-9' | head -c 31)
            NEW_KEY=$(echo "$PUNCT_CHAR$ALPHA_NUM" | fold -w1 | shuf | tr -d '\n')
        done
        echo "No key provided. Generated a random 32-character key."
        break
    else
        if validate_password "$NEW_KEY"; then
            break
        else
            echo "Please try again."
        fi
    fi
done

# The Helm values hold the key base64-encoded on a single line.
ENCODED_KEY=$(echo -n "$NEW_KEY" | base64 | tr -d '\n')
# Printed once so that you can record it (step 5); it is also needed in the JMX step.
echo "New Key: $NEW_KEY"

# Export the user-supplied values of the current release as JSON.
if ! HELM_VALUES=$(helm get values "$RELEASE" -n "$NAMESPACE" -o json); then
    echo "Failed to get the Helm values."
    exit 1
fi
echo "$HELM_VALUES" > /tmp/values.tmp
echo "The Helm values file has been successfully saved"

jq '.acceptEula = true' /tmp/values.tmp > /tmp/values.old
rm /tmp/values.tmp

if jq . /tmp/values.old >/dev/null 2>&1; then
    echo "The JSON in /tmp/values.old is valid."
else
    echo "The JSON in /tmp/values.old is invalid. Please check the Helm values output."
    exit 1
fi

# Write a copy of the values with the new encoded key in .secrets.ucmdb_master_key.
TEMP_FILE=$(mktemp)
if jq --arg new_key "$ENCODED_KEY" '.secrets["ucmdb_master_key"] = $new_key' /tmp/values.old > "$TEMP_FILE"; then
    echo "The ucmdb_master_key has been successfully replaced with the new encoded value."
else
    echo "Failed to update the ucmdb_master_key."
    exit 1
fi

mv "$TEMP_FILE" /tmp/values.new
echo "The updated Helm values file has been saved to /tmp/values.new"
```
2. Run the following command to get the release name of the Helm deployment and the UCMDB chart it uses:
```
helm list -n <NAMESPACE>
```
3. Run the following command to rotate the master key:
```
./rotate_masterkey.sh -r <RELEASE_NAME> -n <NAMESPACE>
```
4. Enter the new master key, or press **Enter** if you want the script to generate a random one.
The master key must contain exactly 32 characters and include at least one of each of the following four types of characters:
- Uppercase alphabetic characters
- Lowercase alphabetic characters
- Numeric characters
- Special characters: `:/._+-[]`
The script writes two files:
- **/tmp/values.old** - the current release values, containing the old master key
- **/tmp/values.new** - the same values with the new master key
5. If you let the script generate the key, record the new master key somewhere safe, for example in your secrets vault; you need it in the next step.
6. Access the JMX Console and locate the **changeMasterKeyForCluster** method. Enter and confirm the new master key, and then select **Invoke**.
7. Run the following command to upgrade the helm deployment with the new master key value:
```
helm upgrade <RELEASE_NAME> <chart_file_location> --namespace <NAMESPACE> -f /tmp/values.new
```
8. Run the following commands to restart the itom-ucmdb pods:
```
kubectl scale -n <NAMESPACE> --replicas=0 statefulset/itom-ucmdb
```
Wait for the itom-ucmdb pods to stop, and then scale the StatefulSet back to the replica count it had before (2 in this example):
```
kubectl scale -n <NAMESPACE> --replicas=2 statefulset/itom-ucmdb
```
Once the pods are running again, delete /tmp/values.old and /tmp/values.new: both files contain a master key in base64.
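A pre-flight check between steps 3 and 7, confirming that the value written to /tmp/values.new decodes to a key that satisfies the policy in step 4 and actually differs from the old one, catches a mistyped or mis-encoded key before it reaches the cluster. The POSIX shell helpers below are an added example written for this page, not part of the vendor's script or of UCMDB: `validate_master_key` enforces the 32-character, four-class policy and additionally rejects any character outside `A-Z a-z 0-9 :/._+-[]` (this example's stricter reading of the policy), `generate_master_key` draws a compliant key from `/dev/urandom` by rejection sampling, `encode_for_values` produces the single-line base64 form the Helm values use, and `verify_rotation` compares the encoded old and new keys. The function names and the exact allowed alphabet are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not the vendor's script): policy checks for a UCMDB master key and a
# pre-flight comparison of the old/new encoded values before `helm upgrade`.
# Assumed policy: exactly 32 characters; at least one uppercase letter, one lowercase
# letter, one digit and one of :/._+-[]; no other characters (this example's reading).

export LC_ALL=C   # keep [A-Z]/[a-z] ASCII-only and byte-oriented regardless of the caller's locale

validate_master_key() {
    local key rest c has_upper has_lower has_digit has_special
    key=$1
    has_upper=0; has_lower=0; has_digit=0; has_special=0
    if [ ${#key} -ne 32 ]; then
        echo "length is ${#key}, must be exactly 32" >&2
        return 1
    fi
    # Walk the key one character at a time: classify it, reject anything outside the alphabet.
    rest=$key
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}
        case "$c" in
            [A-Z]) has_upper=1 ;;
            [a-z]) has_lower=1 ;;
            [0-9]) has_digit=1 ;;
            :|/|.|_|+|-|\[|\]) has_special=1 ;;
            *) echo "disallowed character '$c' (allowed: A-Z a-z 0-9 :/._+-[])" >&2; return 1 ;;
        esac
    done
    [ "$has_upper" -eq 1 ]   || { echo "missing uppercase letter" >&2; return 1; }
    [ "$has_lower" -eq 1 ]   || { echo "missing lowercase letter" >&2; return 1; }
    [ "$has_digit" -eq 1 ]   || { echo "missing digit" >&2; return 1; }
    [ "$has_special" -eq 1 ] || { echo "missing special character from :/._+-[]" >&2; return 1; }
    return 0
}

# Draws 32 characters from the allowed alphabet using /dev/urandom and keeps the first
# draw that passes validate_master_key (rejection sampling), so the result is uniform
# over policy-compliant keys. Bytes >= limit are discarded to avoid modulo bias.
generate_master_key() {
    local alphabet n limit candidate b
    alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789:/._+-[]'
    n=${#alphabet}
    limit=$(( 256 - 256 % n ))
    while :; do
        candidate=''
        while [ ${#candidate} -lt 32 ]; do
            for b in $(od -An -tu1 -N64 /dev/urandom); do
                [ "$b" -lt "$limit" ] || continue
                # append alphabet[b % n]; cut -c is 1-based
                candidate="$candidate$(printf '%s' "$alphabet" | cut -c $(( b % n + 1 )))"
                [ ${#candidate} -eq 32 ] && break
            done
        done
        if validate_master_key "$candidate" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# The Helm values store the key base64-encoded on a single line (no wrapping).
encode_for_values() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Pre-flight check before `helm upgrade`: arguments are the base64 values of
# .secrets.ucmdb_master_key from /tmp/values.old and /tmp/values.new. Fails if either
# does not decode, if the key did not actually change, or if the new key violates the policy.
verify_rotation() {
    local old_key new_key
    old_key=$(printf '%s' "$1" | base64 -d) || { echo "old value is not valid base64" >&2; return 1; }
    new_key=$(printf '%s' "$2" | base64 -d) || { echo "new value is not valid base64" >&2; return 1; }
    if [ "$old_key" = "$new_key" ]; then
        echo "the master key was not changed" >&2
        return 1
    fi
    validate_master_key "$new_key"
}

# Stand-alone demo (run with --demo): generate a key and print the value that would go
# into .secrets.ucmdb_master_key. Against the rotation script's output files, run:
#   verify_rotation "$(jq -r '.secrets.ucmdb_master_key' /tmp/values.old)" \
#                   "$(jq -r '.secrets.ucmdb_master_key' /tmp/values.new)"
if [ "${1:-}" = "--demo" ]; then
    demo_key=$(generate_master_key)
    printf 'key:    %s\nbase64: %s\n' "$demo_key" "$(encode_for_values "$demo_key")"
fi
```

Source the file in your shell and call `verify_rotation` with the two `jq -r '.secrets.ucmdb_master_key'` values as shown in the closing comment; a non-zero exit means the values file should not be applied with `helm upgrade`. When the rotation is automated rather than interactive, `generate_master_key` can replace the prompt in step 4.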