CipherTrust Manager Deployment

Changing the Initial Password


The username of the initial CipherTrust Manager user is "admin". This user becomes the initial Application Administrator. By default, the initial password is hardcoded to "admin" in lowercase. You can also auto-generate a password using cloud-init. Regardless of whether the initial password is hardcoded or auto-generated, it must be changed before using the CipherTrust Manager.

To better understand the different user groups within the CipherTrust Manager, refer to Groups.

To change the initial password

If using the GUI:

At the first login, the Application Administrator is forced to change the password.

If using the CLI:

Enter the new password using this command:

ksctl changepw --url=https://<ip-or-host> --user admin --password <new password>

The default password policies are:

Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1
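The following is an added example, not part of the original documentation or of ksctl: it generates a random replacement for the initial password and checks any candidate against the default policy listed above before it is passed to ksctl changepw. The symbol set and the reading of "other characters" as any non-alphanumeric character are assumptions.

```python
import secrets
import string

# Default policy values as listed on this page.
POLICY = {"min_len": 8, "max_len": 30, "upper": 1, "lower": 1, "digit": 1, "other": 1}

# Assumption: symbols chosen because they need no shell quoting and cannot
# start an option; any non-alphanumeric character is counted as "other".
SAFE_SYMBOLS = "_.+@%:,"
ALPHABET = string.ascii_letters + string.digits + SAFE_SYMBOLS


def check_policy(password, policy=POLICY):
    """Return a list of policy violations; an empty list means compliant."""
    counts = {
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
        "digit": sum(c in string.digits for c in password),
    }
    counts["other"] = len(password) - sum(counts.values())
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    for cls, have in counts.items():
        if have < policy[cls]:
            problems.append(f"needs at least {policy[cls]} {cls} character(s)")
    return problems


def generate_password(length=24, policy=POLICY):
    """Draw uniformly from ALPHABET with a CSPRNG until the policy is met."""
    if not policy["min_len"] <= length <= policy["max_len"]:
        raise ValueError("length is outside the policy bounds")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, policy):
            return candidate


if __name__ == "__main__":
    print(check_policy("admin"))   # the hardcoded default fails the policy
    print(generate_password())
```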

Retrieving an Auto-generated Initial Password

If the initial user's password is auto-generated through cloud-init, it must be retrieved by the System Administrator "ksadmin" via SSH or via the CLI.

The initial password for the initial Application Administrator can be auto-generated using a cloud-init configuration file containing the following setting:

#cloud-config
keysecure:
  initial-user:
    generate-password: true

Full details of cloud-init deployment are available in Cloud Init Deployment.

To retrieve the initial password for the Application Administrator using SSH:

The initial password is written out to the file /var/keysecure/password/out. Retrieve it using SSH:

ssh ksadmin@{addr} cat /var/keysecure/password/out

If the SSH key used to launch the instance is not loaded in your ssh-agent, add the key file argument:

ssh -i {key file} ksadmin@{addr} cat /var/keysecure/password/out

After retrieving the initial password for the Application Administrator, the Application Administrator must log in and change it immediately. Failure to do so could allow an attacker to compromise the system.

To retrieve the initial password for the Application Administrator using the CLI:

On Linux-like systems that have the ssh command line tool available, ksctl can be used to execute the ssh command to retrieve the initial password.

If you installed the CLI, you can use it to acquire the initial password as well:

ksctl init getpw --url https://<ipaddr> --identityFile <private key> --user admin

After retrieving the initial password for the Application Administrator, the Application Administrator must log in and change it immediately. Failure to do so could allow an attacker to compromise the system.