News, tips, partners, and perspectives for the Oracle Solaris operating system

Integrating ZFS Storage Appliance with External Password Managers

Darren Moffat
Senior Software Architect

I've had a number of requests recently for information on how to integrate the Oracle ZFS Storage Appliance with external password vault/management solutions. Usually this is for the root account, but the solution I'll outline below works for any local (i.e. non-directory) user account on the ZFSSA. While the underlying core operating system of the ZFS Storage Appliance is Solaris, we cannot use the normal Solaris passwd(1) command; instead the change has to be made through the ZFSSA interactive shell over SSH or via REST.

It is highly recommended that the 'root' account is not used for administration of the ZFSSA on a regular basis. We also shouldn't encourage login as root over SSH or REST. So let's first create a new account whose only authorisation is to change passwords and nothing else. We can then use that account over SSH or REST to issue password changes for other accounts, such as root.

zfssa:> configuration users
zfssa:configuration users> local pwvault
zfssa:configuration users pwvault (uncommitted)> set initial_password="replace with some suitably long password"
              initial_password = (set) (uncommitted)
zfssa:configuration users pwvault (uncommitted)> show
                       logname = pwvault
                          type = local
                           uid = (unset)
                      fullname = (unset)
              initial_password = (set) (uncommitted)
            require_annotation = false

zfssa:configuration users pwvault (uncommitted)> set fullname="Password Vault Manager"
                      fullname = Password Vault Manager (uncommitted)
zfssa:configuration users pwvault (uncommitted)> commit
zfssa:configuration users> select pwvault 
zfssa:configuration users pwvault> exceptions 
zfssa:configuration users pwvault exceptions> create
zfssa:configuration users pwvault auth (uncommitted)> set scope=user 
                         scope = user
zfssa:configuration users pwvault auth (uncommitted)> set allow_changePassword=true
          allow_changePassword = true (uncommitted)
zfssa:configuration users pwvault auth (uncommitted)> commit
zfssa:configuration users pwvault exceptions> top

With our new user we can now update our password vault software to use REST calls, authenticating as the new 'pwvault' account, to change the passwords of other accounts. The ZFSSA REST documentation shows that the call we need to make is a simple PUT on the object '/api/user/v1/users/root' with the following JSON content:

PUT /api/user/v1/users/root HTTP/1.1
Host: zfssa.example.com:215
Authorization: Basic abcefgMWE=
Accept: application/json
Content-Type: application/json

{"initial_password": "replace with new value of root password"}

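The PUT above, written as a small standard-library Python client that a vault integration could call. This is an added example, not code from the original post or from Oracle: the host, port 215, the '/api/user/v1/users/<name>' path and the 'initial_password' field come from the post, while the function names, the environment variable names and the CA bundle path are assumptions for this example. Building the request is kept separate from sending it so the request can be inspected without a network.

```python
"""Change a local ZFSSA account's password over REST, authenticating as the
restricted 'pwvault' account.  Added example; only the standard library is
used.  Function names, environment variable names and the CA bundle path
are assumptions, not part of the ZFSSA product."""
import base64
import json
import os
import ssl
import urllib.request


def build_password_change(host, target_user, vault_user, vault_password,
                          new_password, port=215):
    """Return (url, headers, body) for the PUT described in the post.

    The Authorization value is only base64("user:password"), which is why
    the post prefers SSH keys: anyone who can read this header, e.g. from a
    TLS-terminating proxy log, recovers the pwvault password."""
    creds = "{}:{}".format(vault_user, vault_password).encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    # Port 215 is the ZFSSA management/REST port used in the post.
    url = "https://{}:{}/api/user/v1/users/{}".format(host, port, target_user)
    body = json.dumps({"initial_password": new_password}).encode("utf-8")
    return url, headers, body


def change_password(host, target_user, vault_user, vault_password,
                    new_password, ca_bundle, port=215, timeout=30):
    """Send the PUT over TLS and return the HTTP status code.

    The appliance certificate is verified against ca_bundle (assumed path to
    the CA that signed the ZFSSA's management certificate); without that, a
    man-in-the-middle could capture both the pwvault and the new root
    password.  Passwords travel only in the header and body, never on a
    command line or in the URL, so they do not appear in process listings."""
    url, headers, body = build_password_change(host, target_user, vault_user,
                                               vault_password, new_password,
                                               port)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Secrets come from the environment (assumed variable names) rather than
    # being hard-coded; a vault product would inject them the same way.
    status = change_password(
        host=os.environ["ZFSSA_HOST"],
        target_user="root",
        vault_user="pwvault",
        vault_password=os.environ["PWVAULT_PASSWORD"],
        new_password=os.environ["NEW_ROOT_PASSWORD"],
        ca_bundle=os.environ.get("ZFSSA_CA_BUNDLE", "/etc/ssl/zfssa-ca.pem"),
    )
    print("HTTP status:", status)
```

A status of 2xx from the appliance means the password was set; anything else should be treated by the vault as a failed rotation so the old credential is not marked retired.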
The downside of the REST method is that it uses HTTP Basic Authentication, so the vault has to log in with the password of the pwvault account. An alternative is to configure SSH public key access for the pwvault account and make the change over SSH, as follows:

zfssa:> configuration users select pwvault preferences keys
zfssa:configuration users pwvault preferences keys> create
zfssa:configuration users pwvault preferences key (uncommitted)> set key="AAAAB3NzaC1yc2EAAAABIwAAAIEA10lzgR3FgXzCLFgEv9jFbw+UUAuQ8AtSoRmjmIEwaN3EAT7lC3FlpadaMR642yaGs8TTNBuh0sLF+Oder2uC5ZOYRuixUY4qbiVigYsN75WU7C3lXjoIVN1WrOojfa+VD8D7P2SCcmMKOntYOAI7r2sP1Mbd5KDAKr9QYEGLas0="
                           key = AAAAB3NzaC1yc2EAAAABIwAAAIEA10lzgR3FgXzCLFgEv9jFbw+UUAuQ8AtSoRmjmIEwaN3EAT7lC3FlpadaMR642yaGs8TTNBuh0sLF+Oder2uC5ZOYRuixUY4qbiVigYsN75WU7C3lXjoIVN1WrOojfa+VD8D7P2SCcmMKOntYOAI7r2sP1Mbd5KDAKr9QYEGLas0= (uncommitted)
zfssa:configuration users pwvault preferences key (uncommitted)> set type=RSA 
                          type = RSA (uncommitted)
zfssa:configuration users pwvault preferences key (uncommitted)> set comment="pwvaultuser"
                       comment = pwvaultuser (uncommitted)
zfssa:configuration users pwvault preferences key (uncommitted)> commit
zfssa:configuration users pwvault preferences keys> list
NAME     MODIFIED              TYPE   COMMENT                                  
key-000  2017-6-12 14:10:54    RSA    pwvaultuser                             
zfssa:configuration users pwvault preferences keys> top
Now that we have an SSH public key loaded for the "pwvault" user we can do the password change for root over SSH like this:

$ ssh -t pwvault@ardoch-kz-1 <<_SCRIPT_
configuration users select root set initial_password="new value of root password"
_SCRIPT_
Last login: Mon Jun 12 14:17:39 2017 from
              initial_password = (set)

Hopefully the above gives some insight into how to go about connecting external password vault/management software to the Oracle ZFS Storage Appliance.
