Updating AAA Passwords in Itential Platform
  • 30 Jan 2025


As with most information technology systems, periodically updating passwords for Itential Platform integrations and adapters should be part of routine maintenance. For example, the SANS Institute recommends administrators update passwords at least every 90 days. While updating adapter and integration passwords in Itential Platform is relatively straightforward, doing so for the adapter responsible for AAA (LDAP/RADIUS/Azure) can lead to a downtime incident if the steps are not performed in the correct order. Itential Platform administrators should review the following steps before conducting a password rotation procedure, especially for the adapter responsible for AAA.

Figure 1: Login Error

AAA Password Rotation Procedure

To rotate AAA Passwords in Itential Platform:

  1. Log in to Itential Platform at least one (1) hour (default token expiration) prior to your password rotation schedule. This ensures you have an active session token within Itential Platform during the password update process. If no active session is present, admins will have to fall back to direct MongoDB and Itential Platform shell access instead of using Admin Essentials views.
  2. Perform the password rotation procedure on the AAA system (Active Directory, Azure, RADIUS, etc.). From this point on, new users will not be able to request new login sessions (tokens).
  3. Depending on your system configuration, update the new password in Vault and/or the Itential Platform adapter service config (via the Admin Essentials view), in that exact order.
  4. If no adapter service config change was needed (or in the case of HA/DR environments), navigate to the active profile within Admin Essentials and issue a manual adapter restart request to load the new password from Vault. At this point, users should be able to establish new login sessions.
  5. Restart the adapter instance on each Itential Platform node in the HA/DR cluster so that all nodes are in sync with the new password.
  6. Verify login. While still logged in to Itential Platform in the existing browser, open a second, incognito browser window and log in to the same Itential Platform instance using standard credentials (i.e., username and password).
  7. Itential Platform is now using the rotated password for its AAA adapter, and users are able to successfully create new login sessions.

Unable to Login to Itential Platform

If, for any reason, a user is unable to log in to Itential Platform or no longer has an active Itential Platform session, direct MongoDB and Itential Platform server shell access are required.

  1. Refer to the official MongoDB documentation to perform a manual document update using the mongosh command.

  2. Once changes have been implemented in MongoDB, the AAA adapter will have to be bounced on each Itential Platform node in the cluster using either method below:

    • Issue the systemctl restart automation-platform command to restart the entire platform. This method is disruptive, and should be performed on each node of the cluster.

    • Or, identify the PID for the running AAA adapter and use kill to bounce the adapter process.

      Figure 2: Running AAA Adapter PID

      Figure 3: Kill Command

  3. Proceed to the Itential Platform web interface and log in.
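
The PID lookup in the second restart method above, as an added example (not Itential tooling and not taken from the original figures): a shell helper that resolves the AAA adapter PID from a process listing and refuses to signal anything unless exactly one process matches. The process names in the sample listing are constructed and hypothetical; pass the string your own node's process list shows for its AAA adapter.

```shell
#!/usr/bin/env bash
# Added example. The adapter process name is an assumption: use the
# string that your node's process list shows for its AAA adapter.

# find_adapter_pid PATTERN
# Reads "PID COMMAND..." lines on stdin. Prints the PID and returns 0 only
# when exactly one line contains PATTERN (fixed string, not a regex).
find_adapter_pid() {
  local pids count
  [ -n "$1" ] || { echo "empty pattern" >&2; return 2; }
  # The pattern travels in the environment, so it never appears in the
  # argument list of a helper process and cannot match itself.
  pids="$(PAT="$1" awk 'index($0, ENVIRON["PAT"]) && $1 ~ /^[0-9]+$/ {print $1}')"
  count="$(printf '%s' "$pids" | grep -c . || true)"
  if [ "$count" -ne 1 ]; then
    echo "refusing to act: $count processes match '$1'" >&2
    return 1
  fi
  printf '%s\n' "$pids"
}

# bounce_adapter PATTERN
# Resolves the PID from the live process table, then sends the default
# kill signal (SIGTERM). Run it on each node in the cluster.
bounce_adapter() {
  local pid
  pid="$(ps -eo pid=,args= | find_adapter_pid "$1")" || return 1
  echo "sending SIGTERM to AAA adapter PID $pid"
  kill "$pid"
}

# Constructed process listing for a dry run (all names are hypothetical).
SAMPLE_PS='  812 /usr/sbin/sshd -D
 4312 node example-aaa-adapter
 4377 node example-other-adapter'

# Dry run against the constructed listing: prints 4312, signals nothing.
printf '%s\n' "$SAMPLE_PS" | find_adapter_pid 'example-aaa-adapter'
```

Check the dry-run output against the real listing on the node before calling bounce_adapter, since a pattern that is too broad is rejected but one that names the wrong adapter is not.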

