Working with the Master Password

Services Director v2.3 and later uses a master password to encrypt the passwords for Traffic Manager instances.

Storing the Master Password

It is essential that the master password (whether it is the default, one you chose yourself, or one generated automatically) is recorded and can be retrieved. Ivanti recommends that this password is recorded in a secure location that is separate from the Services Director.

However, you can also choose to store this password internally:

If you choose to store the master password internally, the password will be automatically used whenever the Services Director’s Virtual Machine restarts. However, you must enter the master password manually when you recover a Services Director from a backup file.

If you choose to not store the password internally, you must enter the master password manually whenever the Services Director’s Virtual Machine restarts, and whenever you recover a Services Director from a backup file.

You can change your decision as follows:

If your software is configured to store the master password, and you wish to change this, delete the file $SSCHOME/etc/master.

If your software is configured NOT to store the master password, and you wish to change this, run one of the following commands:

Ubuntu: Run $SSCHOME/bin/configure_ssc --liveconfigonly

RHEL/CentOS: Run $SSCHOME/bin/configure_ssc

In both cases, you are asked whether you wish to store the master password.
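
The following check is an added example, not Ivanti's code: it reports whether a software installation currently stores the master password, and flags an etc/master file that is accessible to anyone other than its owner. It assumes that the presence of $SSCHOME/etc/master means the password is stored (inferred from the instruction above to delete that file) and that owner-only access is the intended state.

```sh
#!/bin/sh
# Added example: report whether the master password is stored internally.
# Assumptions: the presence of $SSCHOME/etc/master means "stored" (inferred
# from the instruction to delete it), and only the file's owner needs access.

# Prints one of: not-stored | stored | stored-review
master_store_state() {
    file="$1/etc/master"

    # No file: the password must be entered manually at every restart.
    if [ ! -e "$file" ] && [ ! -L "$file" ]; then
        echo "not-stored"
        return 0
    fi

    # A symlink or non-regular file is unexpected here; this example's
    # choice is to flag it for review rather than follow it.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "stored-review"
        return 0
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    group_other=$(ls -ld "$file" | cut -c5-10)
    if [ "$group_other" = "------" ]; then
        echo "stored"
    else
        echo "stored-review"
    fi
}

# One-line report for an installation directory.
report_master_store() {
    case $(master_store_state "$1") in
        not-stored)    echo "$1: not stored; enter the master password at each restart" ;;
        stored)        echo "$1: stored; etc/master is restricted to its owner" ;;
        stored-review) echo "$1: stored; review type and permissions of etc/master" ;;
    esac
}

# Report on the live installation only when SSCHOME is set.
if [ -n "${SSCHOME:-}" ]; then
    report_master_store "$SSCHOME"
fi
```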

Changing the Master Password

If you want to reset the master password (that is, you do not know what the current master password is), see Resetting the Master Password.

You can change the master password in the following ways:

In the Services Director VA for the Active Services Director, from the Security Settings page. After you complete this task, you must re-enter the new master password on the Standby Services Director VA. See the Pulse Secure Services Director Getting Started Guide.

In the Command-Line Interface (CLI) on the Active Services Director VA, using the ssc settings master-password update command. See the Pulse Secure Services Director Command Reference.

You must do this on both Services Director nodes in an HA pair, starting with the Active node.

For a software-only installation, you must issue a PUT request to the Services Director. The body of the PUT request to the REST API has the following format:

{
    "current_password": "<current password>",
    "new_password": "<new password>"
}

Where you have additional Services Directors, run the following command on all other Services Directors:

Ubuntu: $SSCHOME/bin/configure_ssc -liveconfigonly

RHEL/CentOS: $SSCHOME/bin/configure_ssc

In both cases, enter the new master password and confirm it when prompted.

You do not need to stop and restart Services Directors when modifying the master password on multiple Services Directors.

Resetting the Master Password

If you wish to change the master password (that is, you know what the current master password is), see Changing the Master Password.

In the event that a master password is lost, as a final resort there are two ways to reset the master password:

From the Command-Line Interface (CLI) on each Services Director in an HA pair. See Resetting the Master Password from the Services Director VA CLI.

From a software-only installation on Ubuntu or RHEL/CentOS for each Services Director. See Resetting the Master Password on Ubuntu or RHEL/CentOS.

In both cases, the encrypted administration password for each Traffic Manager is lost. These administration passwords must be set manually after the master password is reset.

Resetting the Master Password from the Services Director VA CLI

From the Services Director VA CLI, you must use the ssc settings master-password reset password command on the Active Services Director in the HA pair (or standalone Services Director).

This procedure should only be used as a final resort to re-establish a master password. The encrypted administration password for each Traffic Manager known to the Services Director is lost. These individual administration passwords must be set manually after the master password is reset.

1. Start a terminal session on your Active Services Director (or standalone Services Director) using its Service Endpoint Address, and log in as the admin user.

2. In the Services Director terminal session, start a CLI session:

amnesiac > enable
amnesiac # configure terminal
amnesiac (config) #

3. Reset the master password for this Services Director:

gold-01 (config) # ssc settings master-password reset password New_pass_22 force true
Successfully reset master password
You must manually update all passwords for registered instances

If you do not include force true, the reset will fail, because the password cannot be reset on a Services Director with one or more registered/deployed Traffic Managers.

4. Repeat steps 1-3 for your Standby Services Director.

5. On your Active Services Director, reset the administration password for your first Traffic Manager instance. For example, for a Traffic Manager instance called Cobalt-01:

gold-01 (config) # ssc instance update instance-name cobalt-01 admin-password Admin_PW_01

The output of this command will show the full status of the Traffic Manager instance (not shown).

You can also perform this step by updating the details for the Traffic Manager from the Services Director VA. See the Pulse Secure Services Director Getting Started Guide.

6. Repeat step 5 for each of the Traffic Managers on the Active Services Director.

The process is complete.

You do not need to repeat the password reset process on the Standby Services Director.

Resetting the Master Password on Ubuntu or RHEL/CentOS

On a software form-factor installation on Ubuntu or RHEL/CentOS, you must use the reset_master_password command on the Services Director.

This procedure should only be used as a final resort to re-establish a master password. The encrypted administration password for each Traffic Manager known to the Services Director is lost. These individual administration passwords must be set manually after the master password is reset.

1. Log in to your Services Director.

2. Shut down the Services Director. For example:

$ sudo stop ssc

3. Reset the password on the Services Director:

$SSCHOME/bin/reset_master_password --force <new password>

4. Restart the Services Director. For example:

$ sudo start ssc

5. Set each vTM password by sending a PUT request to its instance resource through the REST API.

For Traffic Managers that were deployed by the Services Director, you must include a URL parameter of deploy=false to ensure a database-only update. This is not required for externally-deployed Traffic Managers.

6. Log out of the Services Director.

The process is complete.

If you have more than one Services Director configured, perform this procedure for each Services Director. However, do not restart any Services Directors until the master password has been reset on all Services Directors.