Updating AAA Passwords in IAP
Updated on 15 Jan 2025
Like most information technology systems, IP should have periodic password updates for its integrations and adapters as part of routine maintenance. For example, the SANS Institute recommends that administrators update passwords at least every 90 days. While updating adapter and integration passwords in IP is relatively straightforward, doing so for the adapter responsible for AAA (LDAP/RADIUS/Azure) can cause a downtime incident if the steps are not performed in the correct order: once the password changes on the AAA system, no new login sessions can be created until the adapter holds the new credential, so the administrator must keep an existing session open to finish the change. IP administrators should review the following steps before conducting a password rotation procedure, especially for the adapter responsible for AAA.
Figure 1: Login Error
AAA Password Rotation Procedure
To rotate AAA Passwords in IP:
- Log in to IP at least one (1) hour (the default token expiration) before your scheduled password rotation. This ensures you hold an active session token in IP throughout the password update; if no active session is present, admins must fall back to direct MongoDB and IP shell access instead of the Admin Essentials views.
- Perform the password rotation on the AAA system (Active Directory, Azure, RADIUS, etc.). From this point on, new users cannot request new login sessions (tokens).
- Depending on your system configuration, update the new password in Vault and/or the IP adapter service config (via the Admin Essentials view), in that exact order (Vault first, then the adapter service config).
- If no adapter service config change was needed (or in HA/DR environments), navigate to the active profile within Admin Essentials and issue a manual adapter restart request so the adapter loads the new password from Vault. At this point, users should be able to establish new login sessions.
- In an HA/DR cluster, restart the adapter instance on each IP node so that all nodes are in sync with the new password.
- Verify login. While still logged in to IP in the existing browser, open a second, incognito browser window and log in to the same IP instance using standard credentials (i.e., username and password).
- IP is now using the rotated password for its AAA adapter, and users are able to create new login sessions.
Unable to Log In to IP
⚠ If for any reason a user is unable to log in to IP, or no longer has an active IP session, direct MongoDB and IP server shell access are required.
- Refer to the official MongoDB documentation to perform a manual document update via the mongosh command.
- Once the changes have been implemented in MongoDB, the AAA adapter must be bounced on each IP node in the cluster using either method below:
  - Issue the systemctl restart automation-platform command to restart the entire platform. This method is disruptive and must be performed on each node of the cluster.
  - Or, identify the PID of the running AAA adapter and use kill to bounce the adapter process.
    Figure 2: Running AAA Adapter PID
    Figure 3: Kill Command
- Proceed to the IP web interface and log in.
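The second, less disruptive method above (find the adapter's PID and bounce it) is easy to get wrong by hand: a stale PID, a pattern that also matches the operator's own shell, or a SIGKILL sent before the adapter has had a chance to exit cleanly. The script below is an added example written for this page, not Itential's own tooling, that finds a process by a substring of its command line, sends SIGTERM first, waits for the process to actually leave (a zombie still answers `kill -0`, so it checks the state in /proc), and only then escalates to SIGKILL. It assumes a Linux host with /proc; ADAPTER_PATTERN is a placeholder for whatever identifies the AAA adapter in the `ps` output shown in Figure 2.

```shell
#!/bin/sh
# Added example, not Itential's own tooling: bounce a running adapter process
# by command-line pattern instead of restarting the whole platform.
# Assumptions: Linux /proc is available; ADAPTER_PATTERN is a placeholder for
# the substring that identifies the AAA adapter in its command line.

ADAPTER_PATTERN="${ADAPTER_PATTERN:-PLACEHOLDER_AAA_ADAPTER_COMMAND}"

# Read a process's command line as one space-separated string (empty for a
# process that has already exited but has not been reaped yet).
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# Print the PIDs whose command line contains the pattern, skipping this shell
# and any subshell that shares its command line, so a pattern that happens to
# appear in the script's own arguments never targets the script itself.
find_adapter_pids() {
    pattern="$1"
    self=$(cmdline_of "$$")
    for d in /proc/[0-9]*; do
        pid="${d#/proc/}"
        cmd=$(cmdline_of "$pid")
        [ -n "$cmd" ] || continue
        [ "$cmd" = "$self" ] && continue
        case "$cmd" in
            *"$pattern"*) echo "$pid" ;;
        esac
    done
}

# True while the process exists and is not a zombie. `kill -0` alone is not
# enough: a child that has exited but has not been reaped still answers it.
is_running() {
    state=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1)
    [ -n "$state" ] && [ "$state" != "Z" ]
}

# Send SIGTERM to every matching process, wait up to $2 seconds for each to
# exit, and only then escalate to SIGKILL. Returns 0 when every process is gone.
bounce_adapter() {
    pattern="$1"
    timeout="${2:-30}"
    pids=$(find_adapter_pids "$pattern")
    [ -n "$pids" ] || { echo "no process matches '$pattern'" >&2; return 1; }
    for pid in $pids; do
        echo "sending SIGTERM to $pid ($(cmdline_of "$pid"))"
        kill -TERM "$pid" 2>/dev/null || true
    done
    rc=0
    for pid in $pids; do
        waited=0
        while is_running "$pid" && [ "$waited" -lt "$timeout" ]; do
            sleep 1
            waited=$((waited + 1))
        done
        if is_running "$pid"; then
            echo "pid $pid did not exit in ${timeout}s, sending SIGKILL" >&2
            kill -KILL "$pid" 2>/dev/null || true
            sleep 1
            is_running "$pid" && rc=1
        fi
    done
    return "$rc"
}

# Usage: ADAPTER_PATTERN='<adapter command substring>' sh bounce_adapter.sh --run
# The explicit --run flag keeps sourcing the file for its functions side-effect free.
if [ "${1:-}" = "--run" ]; then
    bounce_adapter "$ADAPTER_PATTERN" 30 &&
        echo "adapter bounced; confirm it has been restarted on this node before re-testing login"
fi
```

Run it once per node in the cluster, exactly as the procedure requires for the systemctl method, and confirm the adapter process is back (the platform is expected to respawn it) before opening the incognito window to test a fresh login.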