Managing user accounts and credentials
The credentials used in IBM® Business Automation Insights, such as password and certificates, are provided by default wherever they are needed. You can change them later after initial configuration.
About this task
The following services use credentials in the form of passwords and certificates.
- IBM Business Automation Insights administration service
- Apache Kafka
- Apache Flink
- The embedded installation of Elasticsearch and Kibana
Note: In IBM Event Streams, the Kafka
user name is token and you cannot change it. The associated password is a valid
API key used to communicate with IBM Event Streams.
Changing the administration service user name
Procedure
- Update the ConfigMap with the new user name.
- Restart the administration pods in the namespace where they are deployed.
Example
kubectl patch configmap <release-name>-bai-env -n <namespace> -p='{"data": {"admin-username": "<new username>"}}'
Changing the administration service password
Procedure
- Encode a new password in base64.
- Update the secret.
- Restart the administration pods in the namespace where they are deployed.
Example
echo "<new password>" | base64
kubectl patch secret <release_name>-bai-secrets -n <namespace> -p='{"data":{"admin-password": "<base64-encoded-password>"}}'
Changing the Kafka server certificate
Procedure
- Generate a new self-signed certificate in PEM format.
- Update the secret.
- Restart the Flink job manager and task manager pods in the namespace where they are deployed.
Example
kubectl patch secret <release_name>-bai-secrets -n <namespace> -p='{"data":{"kafka-server-cert": "<base64-encoded certificate>"}}'
Changing Elasticsearch credentials for an embedded installation
Procedure
Example
openssl req -newkey rsa:2048 -nodes -keyout key.pem -subj "/CN=*/O=IBM/C=FR" -x509 -days 3650 -out certificate.pem
base64 -- key.pem
base64 -- certificate.pem
kubectl patch secret <release_name>-bai-secrets -n <namespace> -p='{"data": {"elasticsearch-server-cert": "<base64-encoded certificate.pem>"}}'
kubectl patch secret <release_name>-ibm-dba-ek-elasticsearch-tls -n <namespace> -p='{"data": {"tls.key": "<base64-encoded certificate.pem>"}}'
kubectl patch secret <release_name>-ibm-dba-ek-elasticsearch-tls -n <namespace> -p='{"data": {"tls.crt": "<base64-encoded certificate.pem>"}}'
Changing Kibana settings
About this task
At initial configuration, you can define your own secret containing a key .htpassword and a custom NGINX .htpasswd file. Your user-defined secret is the value that lists the users and associated passwords that are allowed to authenticate.
You specify your secret in the usersSecret field of the ibm-dba-ek subchart.
You can change the definition of the users in the secret.
Note: If you do not define and specify a
secret, a default secret is created with two user-password pairs: admin/passw0rd and
demo/demo. Be aware, however, that you cannot change the default user definitions
later.
Procedure
- Follow the steps in Managing users.
- Restart the Elasticsearch and Kibana pods where they are deployed.