Monday, June 12, 2017

Integrating ZFS Storage Appliance with External Password Managers

By: Darren Moffat | Senior Principal Engineer

I've had a number of requests recently for information on how to integrate the Oracle ZFS Storage Appliance with external password vault/management solutions. Usually this is for the root account, but the solution I'll outline below works for any local (i.e. non-directory) user account on the ZFSSA. While the underlying core operating system of the ZFS Storage Appliance is Solaris, we cannot use the normal Solaris passwd(1) command; instead this needs to be done using the ZFSSA interactive shell over SSH or via REST.

It is highly recommended that the 'root' account is not used for administration of the ZFSSA on a regular basis. We also shouldn't encourage login as root over SSH or REST. So let's first create a new account that will only have the authorisation to change passwords and nothing else. We can then use that account over SSH or REST to issue password changes for other accounts, such as root.

zfssa:> configuration users
zfssa:configuration users> local pwvault
zfssa:configuration users pwvault (uncommitted)> set initial_password="replace with some suitably long password"
              initial_password = (set) (uncommitted)
zfssa:configuration users pwvault (uncommitted)> show
Properties:
                       logname = pwvault
                          type = local
                           uid = (unset)
                      fullname = (unset)
              initial_password = (set) (uncommitted)
            require_annotation = false

zfssa:configuration users pwvault (uncommitted)> set fullname="Password Vault Manager"
                      fullname = Password Vault Manager (uncommitted)
zfssa:configuration users pwvault (uncommitted)> commit
zfssa:configuration users> select pwvault 
zfssa:configuration users pwvault> exceptions 
zfssa:configuration users pwvault exceptions> create
zfssa:configuration users pwvault auth (uncommitted)> set scope=user 
                         scope = user
zfssa:configuration users pwvault auth (uncommitted)> set allow_changePassword=true
          allow_changePassword = true (uncommitted)
zfssa:configuration users pwvault auth (uncommitted)> commit
zfssa:configuration users pwvault exceptions> top

With our new user we can now update our password vault software to use REST calls, authenticating as the new 'pwvault' account to change the passwords for other accounts. Using the ZFSSA REST documentation we see that the REST call we need to make is a simple PUT on the object '/api/user/v1/users/root' with the JSON content of:

PUT /api/user/v1/users/root HTTP/1.1
Host: zfssa.example.com:215
Authorization: Basic abcefgMWE=
Accept: application/json
Content-Type: application/json

{"initial_password": "replace with new value of root password"}
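To show how that PUT is wired into a rotation tool, here is an added example (my own code, not Oracle's or the post's) that builds and sends the request as the pwvault account; the host name, the CA bundle path and the ZFSSA_REST_PORT constant name are assumptions of the example, and the request is built in a separate function so it can be checked without an appliance.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

ZFSSA_REST_PORT = 215  # BUI/REST port used in the post's example


def build_change_password_request(host, vault_user, vault_password,
                                  target_user, new_password,
                                  port=ZFSSA_REST_PORT):
    """Return (url, headers, body) for the password-change PUT.

    Building the request separately from sending it lets a vault plugin
    log or test the call without talking to an appliance."""
    if not target_user or "/" in target_user or "?" in target_user:
        raise ValueError("target user name must be a plain local account name")
    url = "https://%s:%d/api/user/v1/users/%s" % (host, port, target_user)
    creds = ("%s:%s" % (vault_user, vault_password)).encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    body = json.dumps({"initial_password": new_password}).encode("utf-8")
    return url, headers, body


def change_local_password(host, vault_user, vault_password, target_user,
                          new_password, ca_bundle, port=ZFSSA_REST_PORT):
    """Send the PUT and return the HTTP status code.

    ca_bundle (assumed path) is a PEM file holding the CA or self-signed cert
    that signed the appliance's certificate; pinning it means the Basic-auth
    credentials of the vault account only travel over a verified TLS session."""
    url, headers, body = build_change_password_request(
        host, vault_user, vault_password, target_user, new_password, port)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401 means the vault account's credentials were rejected; a 403 most
        # likely means the account lacks the allow_changePassword exception.
        # Return the status without logging the response body.
        return err.code
```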

The downside of this method using REST is that we have to use HTTP Basic Authentication and log in using the password of the pwvault account. An alternative would be to configure SSH public key access for the pwvault account and do the change over SSH as follows:


zfssa:> configuration users select pwvault preferences keys
zfssa:configuration users pwvault preferences keys> create
zfssa:configuration users pwvault preferences key (uncommitted)> set key="AAAAB3NzaC1yc2EAAAABIwAAAIEA10lzgR3FgXzCLFgEv9jFbw+UUAuQ8AtSoRmjmIEwaN3EAT7lC3FlpadaMR642yaGs8TTNBuh0sLF+Oder2uC5ZOYRuixUY4qbiVigYsN75WU7C3lXjoIVN1WrOojfa+VD8D7P2SCcmMKOntYOAI7r2sP1Mbd5KDAKr9QYEGLas0="
                           key = AAAAB3NzaC1yc2EAAAABIwAAAIEA10lzgR3FgXzCLFgEv9jFbw+UUAuQ8AtSoRmjmIEwaN3EAT7lC3FlpadaMR642yaGs8TTNBuh0sLF+Oder2uC5ZOYRuixUY4qbiVigYsN75WU7C3lXjoIVN1WrOojfa+VD8D7P2SCcmMKOntYOAI7r2sP1Mbd5KDAKr9QYEGLas0= (uncommitted)
zfssa:configuration users pwvault preferences key (uncommitted)> set type=RSA 
                          type = RSA (uncommitted)
zfssa:configuration users pwvault preferences key (uncommitted)> set comment="pwvaultuser"
                       comment = pwvaultuser (uncommitted)
zfssa:configuration users pwvault preferences key (uncommitted)> commit
zfssa:configuration users pwvault preferences keys> list
NAME     MODIFIED              TYPE   COMMENT                                  
key-000  2017-6-12 14:10:54    RSA    pwvaultuser                             
zfssa:configuration users pwvault preferences keys> top
zfssa:> 

Now that we have an SSH public key loaded for the "pwvault" user, we can do the password change for root over SSH like this:

$ ssh -t pwvault@ardoch-kz-1 <<_SCRIPT_
configuration users select root set initial_password="new value of root password"
_SCRIPT_
Last login: Mon Jun 12 14:17:39 2017 from 10.163.198.80
              initial_password = (set)

Hopefully the above gives some insight into how to go about connecting external password vault/management software to the Oracle ZFS Storage Appliance.
