Changing the Initial Password
The username of the initial CipherTrust Manager user is "admin". This user becomes the initial Application Administrator. By default, the initial password is hardcoded to "admin" in lowercase. You can also auto-generate a password using cloud init. Regardless of whether the initial password is hardcoded or auto-generated, it must be changed before using the CipherTrust Manager.
Note
To better understand the different user groups within the CipherTrust Manager, refer to Groups.
To change the initial password
If using the GUI:
On initial log in, the Application Administrator is forced to change the password.
If using the CLI:
Enter the new password using this command:
ksctl changepw --url=https://<ip-or-host> --user admin --password <new password>
The default password policies are:
Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1
Retrieving an Auto-generated Initial password
If the initial user's password is auto-generated through cloud-init, it must be retrieved by the System Administrator "ksadmin" via SSH or via the CLI.
The initial password for the initial Application Administrator can be auto-generated using a cloud-init configuration file containing the following setting:
#cloud-config
keysecure:
initial-user:
generate-password: true
Full details of cloud-init deployment are available in Cloud Init Deployment.
To retrieve the initial password for the Application Administrator using SSH.
The initial password is written out to the file /var/keysecure/password/out. Retrieve it using SSH:
ssh ksadmin@{addr} cat /var/keysecure/password/out
If the ssh key used to launch the instance is not loaded in your ssh-agent, add the key file argument:
ssh -i {key file} ksadmin@{addr} cat /var/keysecure/password/out
Caution
After retrieving the initial password for the Application Administrator , the Application Administrator must log in and change it immediately. Failure to do so could allow an attacker to compromise the system.
To retrieve the initial password for the Application Administrator using the CLI:
On Linux-like systems that have the ssh
command line tool available, ksctl can be used to execute the ssh
command to retrieve the initial password.
If you installed the CLI, you can use it to acquire the initial password as well:
ksctl init getpw --url https://<ipaddr> --identityFile <private key> --user admin
Caution
After retrieving the initial password for the Application Administrator, the Application Administrator must log in and change it immediately. Failure to do so could allow an attacker to compromise the system.