Reset the System Platform (cdom) Password


This is a great bit of work from a good friend and colleague of mine on how to reset the System Platform (cdom) admin password. There is an issue with it in releases prior to 6.0.3.3.3, but the fix didn't work on this occasion, so we reset the password manually.
[root@company-dom0-2 ~]# grep ^rootdn /etc/openldap/slapd.conf
rootdn          "cn=Manager,dc=vsp"
 

[root@company-dom0-2 ~]# ldapsearch -D "cn=Manager, dc=vsp" -w root01 -b "uid=admin,ou=People,dc=vsp"
# extended LDIF
#
# LDAPv3
# base <uid=admin,ou=People,dc=vsp> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# admin, People, vsp
dn: uid=admin,ou=People,dc=vsp
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 501
gidNumber: 555
homeDirectory: /home/admin
userPassword:: e1NTSEF9YXIxRit4QnBaaGRYWmVRU1NOM0xmYTRobUdKS1xxx2c=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@company-dom0-22 ~]# ldappasswd -D "cn=Manager, dc=vsp" -w root01 -S "uid=admin,ou=People,dc=vsp"
New password:
Re-enter new password:
[root@company-dom0-2 ~]# ldapsearch -D "cn=Manager, dc=vsp" -w root01 -b "uid=admin,ou=People,dc=vsp"
# extended LDIF
#
# LDAPv3
# base <uid=admin,ou=People,dc=vsp> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# admin, People, vsp
dn: uid=admin,ou=People,dc=vsp
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 501
gidNumber: 555
homeDirectory: /home/admin
userPassword:: e1NTSEF9bUFjUk8wUTBEWjZvL1JGbDd2cU1UdkY2SENTxxxtQWc=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@company-dom0-2 ~]# ssh admin@cdom.vsp
Password:
Last login: Mon Dec  2 10:52:46 GMT 2013 from 127.0.0.1 on ssh
Last failed login: Thu Feb 27 16:38:36 GMT 2014 from 192.1.1.1 on ssh:notty
There were 23 failed login attempts since the last successful login.
[admin@company-dom0-2 ~]$ exit
logout
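
The userPassword values in the ldapsearch output above start with e1NTSEF9, which is base64 for {SSHA}, OpenLDAP's salted SHA-1 scheme. The following Python helper is an added example, not part of the original post: it decodes that attribute from saved ldapsearch output and checks a candidate password against it, so the reset can be confirmed without an SSH login. The sample LDIF, password and salt in it are constructed.

```python
import base64
import hashlib
import hmac
import re


def read_user_password(ldif_text):
    """Return the decoded userPassword value from ldapsearch LDIF output."""
    unfolded = ldif_text.replace("\n ", "")  # LDIF folds long lines with a leading space
    match = re.search(r"^userPassword::\s*(\S+)\s*$", unfolded, re.MULTILINE)
    if match is None:
        raise ValueError("no base64-encoded userPassword attribute found")
    return base64.b64decode(match.group(1))


def split_ssha(stored):
    """Split b'{SSHA}' + base64(sha1_digest + salt) into (digest, salt)."""
    if stored[:6].upper() != b"{SSHA}":
        raise ValueError("unexpected password scheme: %r" % stored[:8])
    raw = base64.b64decode(stored[6:])
    if len(raw) <= 20:
        raise ValueError("value too short to hold a SHA-1 digest and a salt")
    return raw[:20], raw[20:]


def check_password(ldif_text, candidate):
    """True if candidate hashes to the stored {SSHA} value."""
    digest, salt = split_ssha(read_user_password(ldif_text))
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_sample_ldif(password, salt):
    """Build a constructed LDIF entry shaped like the ldapsearch output above."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    inner = b"{SSHA}" + base64.b64encode(digest + salt)
    outer = base64.b64encode(inner).decode("ascii")
    return "dn: uid=admin,ou=People,dc=vsp\nuid: admin\nuserPassword:: %s\n" % outer


if __name__ == "__main__":
    # Constructed sample, not the values from the post
    after = make_sample_ldif("new-Constructed-2", b"\x20\x21\x22\x23")
    print(read_user_password(after)[:6], check_password(after, "new-Constructed-2"))
```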

System & Session Manager 6.1 Certificates


If your 6.1 System Manager has been running for nearly 2 years and you can no longer log in to System Manager, and after you log in you get a strange message which looks something like this: pages/Welcome.xhtml  @70/67 value="" …… or possibly all your SIP endpoints/trunks have died, then your certificates may have run out. They have to be renewed every two years, or are renewed automatically when you upgrade.

See the Avaya PSNs for full details; a summary of the steps is below.

SYSTEM MANAGER

In effect, you have to download CertificateRenewalUtility.bin from the Avaya support site and upload it to the /tmp directory on System Manager, using either WinSCP or sftp. Then cd /tmp and run sh CertificateRenewalUtility.bin. You should now find you can log in to System Manager correctly, although I found I had to restart JBoss on System Manager with "service jboss restart".

SESSION MANAGER

Now for Session Manager: log on via the command line; you need root access.

  • From the Session Manager command line, run su - sroot and provide the root password
  • Change directory to the following path: cd /opt/Avaya/SIPAS/current/ServiceDirector/tm/external/keystores
  • Type ls -ltr and hit enter; this will show two entries:

-rw------- 1 root root 1984 Feb 16 13:53 system_manager_external_keystore.jks

-rw------- 1 root root 1984 Feb 16 13:53 sd1_external_keystore.jks

  • Run the following command and hit enter: echo | keytool -list -v -keystore sd1_external_keystore.jks 2>&1 | grep -m 1 Valid
  • Check the validity of the certificate to make sure it has not expired. Take note of all the expiration dates for reference:

(Valid from: Thu Feb 16 13:43:17 MST 2012 until: Sat Feb 15 13:43:17 MST 2014)

  • Run the following command to check the second keystore and hit enter: echo | keytool -list -v -keystore system_manager_external_keystore.jks 2>&1 | grep -m 1 Valid
  • Now run the following command to check the JBoss certificate and hit enter: echo | keytool -list -keystore /opt/jboss/server/*/conf/tm/keystore/container_keystore.jks -v 2>&1 | grep -m 1 Valid
  • If all the certificates' expiration dates are in the future, no immediate action is required.
  • If any of the certificates are about to expire (but not yet expired) and Session Manager is release 6.0.x or 6.1.x, perform the following steps to renew these certificates:

The following procedure is service affecting and needs to be scheduled and executed within the change control guidelines specific to every customer. Approximate outage time required is between 10 and 30 minutes.

  • From the System Manager webpage under Home/Elements/Session Manager, select the Session Manager and change the service state to "Deny New Service"; wait until the active call count is close to zero
  • Remove the TMClientInv.xml file: rm -f /opt/Avaya/jboss-4.2.3.GA/server/s*/conf/tm/TMClientInv.xml
  • Run #initTM from the Session Manager command line, providing the enrollment password obtained from the System Manager webpage under: Home/Services/Security/Certificates/Enrollment Password
  • Place the Session Manager back in "Accept New Service" from the System Manager webpage

The process will then continue without further intervention and, once completed, all the certificates will be valid for a minimum of two years.
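
The validity checks above can be scripted once the output of each keytool ... | grep -m 1 Valid command has been captured. This Python helper is an added example, not from the original post or from Avaya; the 60-day warn_days threshold for "about to expire" is an assumption, and the time zone abbreviation is ignored, so results can be off by up to a day. The first sample line is the one shown above, the other two are constructed.

```python
import re
from datetime import datetime, timedelta

# Matches the line printed by: keytool -list -v ... | grep -m 1 Valid
VALID_RE = re.compile(r"Valid from:\s*(.+?)\s+until:\s*(.+?)\)?\s*$")


def parse_keytool_date(text):
    """Parse 'Sat Feb 15 13:43:17 MST 2014', ignoring the zone abbreviation."""
    fields = text.split()
    if len(fields) != 6:
        raise ValueError("unexpected keytool date: %r" % text)
    _dow, month, day, clock, _zone, year = fields
    return datetime.strptime(" ".join((month, day, clock, year)), "%b %d %H:%M:%S %Y")


def validity_status(valid_line, now, warn_days=60):
    """Return (status, days_left); warn_days is an assumed renewal window."""
    match = VALID_RE.search(valid_line)
    if match is None:
        raise ValueError("no 'Valid from ... until ...' text in %r" % valid_line)
    start, end = (parse_keytool_date(group) for group in match.groups())
    days_left = (end - now).days
    if now < start:
        return "not-yet-valid", days_left
    if now >= end:
        return "expired", days_left
    if end - now <= timedelta(days=warn_days):
        return "renew", days_left
    return "ok", days_left


def report(lines_by_keystore, now, warn_days=60):
    """Classify the captured 'Valid' line of every keystore."""
    return {name: validity_status(line, now, warn_days)
            for name, line in lines_by_keystore.items()}


SAMPLE = {
    "sd1_external_keystore.jks":  # line shown in the post
        "(Valid from: Thu Feb 16 13:43:17 MST 2012 until: Sat Feb 15 13:43:17 MST 2014)",
    "system_manager_external_keystore.jks":  # constructed
        "Valid from: Thu Feb 16 13:50:02 MST 2012 until: Sat Feb 15 13:50:02 MST 2014",
    "container_keystore.jks":  # constructed
        "Valid from: Mon Dec 02 10:00:00 GMT 2013 until: Wed Dec 02 10:00:00 GMT 2015",
}

if __name__ == "__main__":
    for name, (status, days) in sorted(report(SAMPLE, datetime(2014, 1, 20)).items()):
        print("%-40s %-14s %d days left" % (name, status, days))
```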

System Manager Resetting The Password


Log in via PuTTY to System Manager using admin/admin (default).

[admin@SMGR-01 account]# su - root

Enter the root password (default root/root01).

[root@SMGR-01 ~]# groupadd -g 600 securityadmin

[root@SMGR-01 ~]# groups admin

admin : admin

[root@SMGR-01 ~]# usermod -aG securityadmin admin

[root@SMGR-01 ~]# groups admin

admin : admin securityadmin

[root@SMGR-01 ~]#

In your web browser, enter the System Manager address 10.x.x.x/smgr

Log in with your admin password (default admin / admin). You will get a security message; ignore it and change the web address to https://10.x.x.x/passwordReset/

Change your password to something simple like admin01 as you will need to change it again.

Now close your browser, open it again and go to your System Manager web address 10.x.x.x/smgr

** SMGR 6.3 : It appears in System Manager 6.3 you may need to go to http://10.x.x.x/local-login instead of the procedure above**

Click the reset password link in the bottom right and change the password, making note of the password rules.

Log in to System Manager at 10.x.x.x/smgr with your new password and you should now be able to access it.

Finally, go back to the shell and clean up:

[root@SMGR-01 ~]# groupdel securityadmin

[root@SMGR-01 ~]# groups admin

admin : admin

All finished; you can now exit.