Managing user accounts and credentials

The credentials used in IBM® Business Automation Insights, such as passwords and certificates, are provided by default wherever they are needed. You can change them later after initial configuration.

About this task

The following services use credentials in the form of passwords and certificates.
  • IBM Business Automation Insights administration service
  • Apache Kafka
  • Apache Flink
  • The embedded installation of Elasticsearch and Kibana
Note: In IBM Event Streams, the Kafka user name is token and you cannot change it. The associated password is a valid API key used to communicate with IBM Event Streams.

Changing the administration service user name

Procedure

  1. Update the ConfigMap with the new user name.
  2. Restart the administration pods in the namespace where they are deployed.

Example

kubectl patch configmap <release-name>-bai-env -n <namespace> -p='{"data": {"admin-username": "<new username>"}}'

Changing the administration service password

Procedure

  1. Encode a new password in base64.
  2. Update the secret.
  3. Restart the administration pods in the namespace where they are deployed.

Example

# printf does not append a newline, so only the password itself is encoded
printf '%s' "<new password>" | base64
kubectl patch secret <release_name>-bai-secrets -n <namespace> -p='{"data":{"admin-password": "<base64-encoded-password>"}}'

Changing the Kafka server certificate

Procedure

  1. Generate a new self-signed certificate in PEM format.
  2. Update the secret.
  3. Restart the Flink job manager and task manager pods in the namespace where they are deployed.

Example

kubectl patch secret <release_name>-bai-secrets -n <namespace> -p='{"data":{"kafka-server-cert": "<base64-encoded certificate>"}}'

Changing Elasticsearch credentials for an embedded installation

Procedure

  1. Generate a new self-signed certificate.

    If you use IBM Event Streams as your Kafka provider, you can retrieve this certificate from the web user interface.

  2. Get the base64-encoded values of the key and certificate.
  3. Update the secret.
  4. Restart the Elasticsearch and Kibana pods in the namespace where they are deployed.

Example

openssl req -newkey rsa:2048 -nodes -keyout key.pem -subj "/CN=*/O=IBM/C=FR" -x509 -days 3650 -out certificate.pem

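# Strip the line wrapping that base64 adds so each value fits on one line in the JSON patch
base64 -- key.pem | tr -d '\n'
base64 -- certificate.pem | tr -d '\n'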

kubectl patch secret <release_name>-bai-secrets -n <namespace> -p='{"data": {"elasticsearch-server-cert": "<base64-encoded certificate.pem>"}}'
kubectl patch secret <release_name>-ibm-dba-ek-elasticsearch-tls -n <namespace> -p='{"data": {"tls.key": "<base64-encoded key.pem>"}}'
kubectl patch secret <release_name>-ibm-dba-ek-elasticsearch-tls -n <namespace> -p='{"data": {"tls.crt": "<base64-encoded certificate.pem>"}}'
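
The password and Elasticsearch procedures both depend on getting the encoded value exactly right: no newline or line wrapping inside it, and a tls.key that really belongs to the tls.crt. The following shell helpers are an added example, not part of the product documentation; the function names and the NEW_PASSWORD variable are hypothetical.

```shell
# Added example: helper functions for the password and Elasticsearch procedures.
# Function names are hypothetical; only base64, tr and openssl are required.

# Base64-encode stdin on one line. GNU base64 wraps at 76 columns, and a
# wrapped value is not valid inside the JSON patch.
b64_oneline() { base64 | tr -d '\n'; }

# Print the JSON patch body for one secret key; the raw value is read from stdin.
# usage: printf '%s' "$NEW_PASSWORD" | secret_patch admin-password
secret_patch() {
  printf '{"data":{"%s":"%s"}}\n' "$1" "$(b64_oneline)"
}

# Succeed only if the private key and the certificate hold the same public key.
# usage: key_matches_cert key.pem certificate.pem
key_matches_cert() (
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 2
  [ "$k" = "$c" ]
)

# Print one patch body that sets tls.key and tls.crt together, refusing to
# continue if the two files do not belong to each other.
# usage: es_tls_patch key.pem certificate.pem
es_tls_patch() {
  key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
  printf '{"data":{"tls.key":"%s","tls.crt":"%s"}}\n' \
    "$(b64_oneline < "$1")" "$(b64_oneline < "$2")"
}

# Applying the output (placeholders as in the commands above):
#   kubectl patch secret <release_name>-bai-secrets -n <namespace> \
#     -p "$(printf '%s' "$NEW_PASSWORD" | secret_patch admin-password)"
#   kubectl patch secret <release_name>-ibm-dba-ek-elasticsearch-tls -n <namespace> \
#     -p "$(es_tls_patch key.pem certificate.pem)"
```

Passing the patch through command substitution keeps the encoded password and private key out of the shell history.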

Changing Kibana settings

About this task

At initial configuration, you can define your own secret containing a key .htpassword and a custom NGINX .htpasswd file. Your user-defined secret is the value that lists the users and associated passwords that are allowed to authenticate.

You specify your secret in the usersSecret field of the ibm-dba-ek subchart. You can change the definition of the users in the secret.
Note: If you do not define and specify a secret, a default secret is created with two user-password pairs: admin/passw0rd and demo/demo. Be aware, however, that you cannot change the default user definitions later.

Procedure

  1. Follow the steps in Managing users.
  2. Restart the Elasticsearch and Kibana pods where they are deployed.