Updating AAA Passwords in IAP
  • 23 Feb 2024



Like most information technology systems, IAP needs the passwords used by its integrations and adapters rotated periodically as part of routine maintenance; the SANS Institute, for example, recommends that administrators update passwords at least every 90 days. Rotating adapter and integration passwords in IAP is relatively straightforward, but doing so for the adapter responsible for AAA (LDAP, RADIUS or Azure) can cause a downtime incident if the steps are not performed in the correct order: once the password changes on the AAA system, IAP cannot authenticate any new login until the adapter has loaded the new credential. IAP administrators should review the following steps before conducting a password rotation, especially for the AAA adapter.

Figure 1: Login Error

AAA Password Rotation Procedure

To rotate AAA Passwords in IAP:

  1. Log in to IAP at least one (1) hour (the default token expiration) before the scheduled rotation, so that you hold an active session token for the whole password update. Without an active session, administrators must fall back to direct MongoDB and IAP shell access (see "Unable to Login to IAP" below) instead of the Admin Essentials views.
  2. Rotate the password on the AAA system (Active Directory, Azure, RADIUS, etc.). From this point until the adapter is reloaded, users cannot request new login sessions (tokens); sessions that already hold a valid token keep working, which is why step 1 matters.
  3. Depending on your configuration, store the new password in Vault and/or in the IAP adapter service config (via the Admin Essentials view), in that order: Vault first, then the adapter service config.
  4. If no adapter service config change was needed (the adapter reads its secret from Vault), or in HA/DR environments, navigate to the active profile in Admin Essentials and issue a manual adapter restart so the adapter loads the new password from Vault. Users should now be able to establish new login sessions.
  5. In an HA/DR cluster, restart the adapter instance on every IAP node so that all nodes are using the new password.
  6. Verify login. While still logged in to IAP in the existing browser, open a second, incognito browser window and log in to the same IAP instance with standard credentials (username and password). Keep the original session open until this test login succeeds.
  7. IAP is now using the rotated password for its AAA adapter, and users can create new login sessions.

Unable to Login to IAP

If for any reason a user cannot log in to IAP, or no administrator still holds an active IAP session, direct MongoDB and IAP server shell access are required.

  1. Update the AAA adapter's service configuration document directly in MongoDB with the mongosh command; refer to the official MongoDB documentation for the manual document update syntax.

  2. Once the change is in MongoDB, the AAA adapter must be bounced on each IAP node in the cluster using either method below:

    • Run the systemctl restart automation-platform command to restart the entire platform. This method is disruptive to everything running on that node and must be performed on each node of the cluster.

    • Or, identify the PID of the running AAA adapter process and use kill to bounce only that adapter process, which avoids restarting the whole platform. Confirm that the adapter is running again on that node before moving to the next one.

      Figure 2: Running AAA Adapter PID

      Figure 3: Kill Command

  3. Return to the IAP web interface and log in.
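As an added example (not code from this page or from the IAP product), the shell functions below automate the second bounce method above on one node: find the adapter process by a pattern in its command line, send SIGTERM, wait for it to exit, and escalate to SIGKILL if it is still there. The pattern argument is an assumption: the page does not name the IAP adapter process, so pass whatever substring identifies the AAA adapter in ps -ef output on your node.

```bash
#!/usr/bin/env bash
# Added example: bounce one running adapter process by command-line pattern.
# Assumption: the AAA adapter can be identified by a substring of its command
# line (as seen in `ps -ef`); the real IAP process name is not given on the
# page, so the caller supplies the pattern.

# Print the PIDs whose full command line matches $1, excluding this script's
# own shell and the command-substitution subshell (their command line also
# contains the pattern when it was passed as an argument to the script).
find_adapter_pids() {
    pgrep -f "$1" | awk -v me="$$" -v child="${BASHPID:-0}" '$1 != me && $1 != child'
}

# Bounce the adapter: SIGTERM, wait up to $2 seconds (default 10) for it to
# exit, then SIGKILL anything still present. Returns 0 when no matching
# process remains, 2 when nothing matched in the first place.
bounce_adapter() {
    local pattern="$1" timeout="${2:-10}" pids i=0
    pids=$(find_adapter_pids "$pattern")
    if [ -z "$pids" ]; then
        echo "no process matches '$pattern'; nothing to bounce" >&2
        return 2
    fi
    echo "sending SIGTERM to: $pids"
    # shellcheck disable=SC2086  # intentional word splitting of the PID list
    kill -TERM $pids
    while [ "$i" -lt "$timeout" ]; do
        [ -z "$(find_adapter_pids "$pattern")" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "still running after ${timeout}s; sending SIGKILL" >&2
    # shellcheck disable=SC2046
    kill -KILL $(find_adapter_pids "$pattern") 2>/dev/null || true
    sleep 1
    [ -z "$(find_adapter_pids "$pattern")" ]
}

# Run once per node of the HA/DR cluster after the MongoDB update, e.g.:
#   ./bounce_adapter.sh 'aaa-adapter'   # 'aaa-adapter' is a placeholder pattern
if [ $# -gt 0 ]; then
    bounce_adapter "$1" "${2:-10}"
fi
```

After the adapter exits, check with the same pattern (or ps -ef) that the platform has started a fresh adapter process before moving on; the script only guarantees that the old process, holding the stale password, is gone.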

