Please follow the below Document for Analytics hardening and accounts credentials update.
TABLE OF CONTENTS
- Versa Director Default Accounts and Credentials
- Versa Analytics Default Accounts and Credentials
- Versa Device Default Accounts and Credentials
Versa Director Default Accounts and Credentials
The Versa Director has several built in user accounts, default UNIX passwords that should be changed, namely:
- admin (local management administrator account/last-resort fallback account)
- versa (service account used by the Versa daemons/processes/CLI)
- aaaadmin (local account built for AAA authentication)
- aaauser (local account built for AAA authentication)
How to Change?
admin
admin@director1:~$ passwd Changing password for admin. (current) UNIX password: New password: Retype new password: passwd: password updated successfully
versa
admin@director1:~$ sudo su versa versa@director1:/home/admin$ passwd Changing password for versa. (current) UNIX password: New password: Retype new password: passwd: password updated successfully versa@director1:/home/admin$ exit
aaaadmin
admin@director1:~$ sudo su aaaadmin [aaaadmin@director1 admin] # passwd Changing password for aaaadmin. (current) UNIX password: New password: Retype new password: passwd: password updated successfully
aaauser
admin@director1:~$ sudo su aaauser [aaauser@director1 admin] # passwd Changing password for aaauser. (current) UNIX password: New password: Retype new password: passwd: password updated successfully
Administrator
admin@director1:~$ sudo su Administrator [Administrator @director1 admin] # passwd Changing password for Administrator. (current) UNIX password: New password: Retype new password: passwd: password updated successfully
Change passwords in default.conf
PG Password:
Step 01:
vsh status is good check that.
sudo -u postgres psql -d vnms
ALTER USER vnms WITH PASSWORD 'SecurityIsAwesome!';
Step 02:
Change PG_PASSWORD in /var/versa/vnms/data/conf/default.conf
Step 03:
Change password in /var/versa/vnms/data/conf/application.properties
change this one spring.datasource.password
change this one netbox.datasource.password
Step 04:
vsh restart
ZTP and Encryption Password:
For ZTP/Encryption password, change it on the file.
[Administrator@versa-director-2: ~] $ cat /var/versa/vnms/data/conf/default.conf #Tue Aug 07 03:35:40 UTC 2018 PG_USERNAME=vnms PG_PASSWORD=Versa@123 PG_DATABASE=vnms BACKUP_ENCRYPT_KEY=pviQMdsp.c12viiGsMWC@ KEYSTORE_PASSWORD=versa123 PRIVATE_KEY_PASSWORD=versa123 auth_truststore_password=versa123 ZTP_URL_PASSWORD=versa123versa123 ENCRYPTION_UTIL_KEY=versa123versa123 CONFD_API_USER=restuser CONFD_API_PASSWORD=versa123 PG_IPAM_DB=netbox NETBOX_API_TOKEN=ae5140c21feaf81cfef386ff96b24041f48f995c NETBOX_SECRET_KEY=r8OwDznj!!dciP9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj [Administrator@versa-director-2: ~] $
ConfD passwd:
For confd password change it on the default.conf file and then on each VOS device run this:
[admin@sys10-vm22-cli: ~] $ vsh allow-cli
[admin@sys10-vm22-cli: ~] $cli
admin@sys10-vm22-cli>configure
admin@sys10-vm22-cli(config)% unhide debug
Password: ****** ß “secret”
[ok][2021-01-26 19:44:13]
set aaa authentication users user restuser password <>
commit
Then do a ‘synch from appliance’ from VD.
Versa Analytics Default Accounts and Credentials
Please follow document below for Analytics hardening
The Versa Analytics platform contains the following built in user accounts that will need the default passwords changed:
- versa (local shell management user)
- web UI “Administrator”
- web UI “admin”
- SSL datastore cache
You would basically just need to execute the AdminManager.sh script as below to change the default password
[versa@us-poc-analytics-1: van-security] $
[versa@us-poc-analytics-1: van-security] $ sudo /opt/versa/scripts/van-scripts/AdminManager.sh
Versa Analytics Admin Users Manager
Passwords for all local UI users need to be changed
Please enter password for user:admin
Password ?
Re-enter password ?
Please enter password for user:Administrator
Password ?
Re-enter password ?
Login credentials for all users have been changed
[versa@us-poc-analytics-1: van-security] $
<Below procedure was being used in 16.1, it's deprecated>
Note 1: All director commands will be in blue and are to be executed on the primary director only
Note 2: All analytics commands will be in purple and are to be ran on all analytics nodes unless otherwise noted
Note 3: This process will require a restart of Versa services on all Analytics Nodes
- On the Versa Analytics: Change to the /opt/versa/scripts/van-security directory
[versa@analytics1: ~] $ cd /opt/versa/scripts/van-security/
- On the Versa Analytics: Modify the Versa Analytics system passwords by issuing the -s command:
[versa@analytics1: van-security] $ sudo ./analytics_securemode.sh -s
Do you want to change the shell login system password (y/N) : y
Please enter username:versa
versa exists... changing password.
New password: <new password>
Retype new password: <new password>
passwd: password updated successfully
Password is successfully changed for user: versa
- On the Versa Analytics: Modify the Versa Analytics application passwords by issuing the analytics_securemode.sh -a command:
[versa@analytics1: van-security] $ sudo ./analytics_securemode.sh -a
Do you want to change the Analytics UI local authentication administration password (y/N): y
Versa Analytics Admin Users Manager
Username ? Administrator
Password ? <new password>
Re-enter password ? <new password>
Match found
Admin credentials successfully replaced
Password is successfully changed
Do you want to change the SSL and Tomcat Certificate passwords (y/N): y
Modifying Tomcat passwords ...
Change the Tomcat Password if your certificate passwords have changed
Please re-confirm (y/N): y
Enter NEW Password: <new password>
ReEnter NEW Password: <new password>
Modifying self-signed certificate passwords ...
Modifying Analytics-Director certificate passwords ...
This password should match the password in Director's vd-van-import-cert.sh file
Do you want to change the Analytics-Director certificate password (y/N): y
Enter NEW Password: <new password>
ReEnter NEW Password: <new password>
Please regenerate the certificates for this change to take effect
Regenerate certificate file using: van-import-cert.sh script
You will need to re-import certificates to Versa Director and re-register Director in Analytics
To ensure Analytics-Director communication certificates are changed with non-default passwords
Delete the TrustStore at: /opt/versa/var/van-app/certificates/versa_director_truststore.ts
Re-import by running: /opt/versa/scripts/van-scripts/van-vd-cert-install.sh
[versa@analytics1: van-security] $
Update second web UI “admin” account credentials:
[versa@analytics1: van-security] $ sudo ./analytics_securemode.sh -a
Do you want to change the Analytics UI local authentication administration password (y/N): y
Versa Analytics Admin Users Manager
Username ? admin
Password ? <new password>
Re-enter password ? <new password>
Match found
Admin credentials successfully replaced
Password is successfully changed
Do you want to change the SSL and Tomcat Certificate passwords (y/N): n
- On the Versa Analytics: Delete the versa_analytics trust store
[versa@analytics1: van-security] $ sudo rm /opt/versa/var/van-app/certificates/versa_analytics.jks
- On the Versa Analytics: Delete the versa_director trust store
[versa@analytics1: van-security] $ sudo rm /opt/versa/var/van-app/certificates/versa_director_truststore.ts
- On the Versa Analytics: Re-import the Versa Analytics Certificate
sudo /opt/versa/scripts/van-scripts/van-import-cert.sh \
--key <path to private key file> \
--cert <path to signed certificate file> \
--keypass <certificate password> \
--cafile <path to CA certificate file>
- On the Versa Director: Copy the director certificate to the Analytics Cluster
admin@director1:/opt/versa/vnms/scripts$ cd /var/versa/vnms/data/certs
admin@director1:/var/versa/vnms/data/certs$
scp versa_director_client.cer versa@<analytics node IP>:/opt/versa/var/van-app/certificate
- On the Versa Analytics: Re-import the Versa Director Certificate
[versa@analytics1: certs] $ cd /opt/versa/var/van-app/certificates/
[versa@analytics1: certificates] $ sudo /opt/versa/scripts/van-scripts/van-vd-cert-install.sh versa_director_client.cer <Director Hostname>
- Validation:
- Check Administrator’s Analytics tab to ensure it loads with no errors.
- Test web UI credentials by logging into https://ANALYTICS:8443 with both accounts.
- Run the following entering new password when prompted, should run with no errors:
[versa@analytics1: van-security] $ sudo /usr/lib/jvm/jre1.8.0_241/bin/keytool -list -keystore /opt/versa/var/van-app/certificates/versa_analytics.jks -v
[versa@analytics1: van-security] $ sudo /usr/lib/jvm/jre1.8.0_241/bin/keytool -list -keystore /opt/versa/var/van-app/certificates/versa_director_truststore.ts -v
- Repeat Steps 7-9 for every analytics node in the cluster
For Release 21.2.3
Change Solr and Cassandra passwords
On each search node
[versa@analytics1: van-security] $ sudo ./analytics_securemode.sh -b
On Analytics node, change the Cassandra password on application properties file (/opt/versa/var/van-app/properties/application.properties).
The password is db.search.password on this file.
For Cassandra do following on one Analytics node as root:
cqlsh -u cassandra -p cassandra --ssl
ALTER USER cassandra WITH PASSWORD ‘NEWPASSWORD’;
quit
change db.analytics.password on all nodes on file:
/opt/versa/var/van-app/properties/application.properties
Finally, ‘vsh restart’
For Release 22.1.4
Use director van_cluster_installer.py script to update the password.
Please refer the document: https://docs.versa-networks.com/Solutions/System_Hardening/Perform_Manual_Hardening_for_Versa_Analytics#Modify_Database_and_Service_Passwords
Change Tomcat password
vi /opt/versa/scripts/van-install/tomcat/server.xml
cp /opt/versa/var/van-app/certificates/versa_analytics.jks /opt/versa_van/apps/apache-tomcat/conf/versa_analytics.jks
(Initial prompt password would be ‘versa123’)
/usr/lib/jvm/jre1.8.0_271/bin/keytool -storepasswd -alias vanserver -keystore /opt/versa_van/apps/apache-tomcat-9.0.39/conf/versa_analytics.jks
/usr/lib/jvm/jre1.8.0_271/bin/keytool -keypasswd -alias vanserver -keystore /opt/versa_van/apps/apache-tomcat-9.0.39/conf/versa_analytics.jks
Finally ‘vsh restart’.
Versa Device Default Accounts and Credentials
The Versa Device has several built in user accounts that the default UNIX passwords should be change, namely:
- admin (local management administrator account/last-resort fallback account)
- versa (service account used by the Versa daemons/processes/CLI)
- aaaadmin (local account built for AAA authentication)
- aaauser (local account built for AAA authentication)
- deploy (You can delete this account)
- webuser (You can delete this account)
How to Change?
admin@controller1:~$ passwd
Changing password for admin.
(current) UNIX password:
New password:
Retype new password:
passwd: password updated successfully
admin@ controller1:~$ sudo su versa
versa@ controller1:/home/admin$ passwd
Changing password for versa.
(current) UNIX password:
New password:
Retype new password:
passwd: password updated successfully
versa@ controller1:/home/admin$ exit
admin@ controller1:~$ sudo su aaaadmin
[aaaadmin@ controller1admin] # passwd
Changing password for aaaadmin.
(current) UNIX password:
New password:
Retype new password:
passwd: password updated successfully
admin@ controller1:~$ sudo su aaauser
[aaauser@ controller1admin] # passwd
Changing password for aaauser.
(current) UNIX password:
New password:
Retype new password:
passwd: password updated successfully