How To
Summary
By default, the Cognos Analytics service on IBM Cloud Pak for Data stores the credentials for the content store as a Tiller secret. This instance of Tiller is shared with other applications in the cluster namespace which poses a security risk: any application with access to Tiller can access the credentials. However, an administrator can use an OpenShift secret to mitigate this risk.
Objective
Steps
Prerequisites:
To successfully complete this task, ensure that the following statements are true:
- You installed and provisioned the Cognos Analytics service on IBM Cloud Pak for Data.
- You have access to a Mac OS or Linux machine that:
- Can connect to the cluster
- Has the oc command-line interface installed
-
You can log in to the OpenShift cluster as a cluster administrator.
-
You know the name of the OpenShift project where the Cognos Analytics service is installed.
In addition, you must decide what you want the new content store password to be.
Procedure:
- From your local client, login to OpenShift as a cluster administrator.
Tip: You can use the Copy Login Command option in the OpenShift Web Console to get the correct oc login command.
- Convert the new content store password to base64.
For example, if your new content store password is Cognos456! run the following command to convert the password:
echo 'Cognos456!' | base64
The command returns output similar to:
Q29nbm9zNDU2IQo=
- Identify the secret object that is used for the content store.
Run the following command to get the secrets in the OpenShift project where Cognos Analytics is deployed:
oc get secrets -n OpenShift_Project | grep cs-creds
Replace OpenShift_Project with the project where Cognos Analytics is deployed.
Look for a secret similar to:
ca1592234996446-cs-creds Opaque 2 25h
- Edit the secret that you identified in the previous step.
- Run the following command:
oc edit secret ca-cs-creds_Secret -n OpenShift_Project
Replace ca-cs-creds_Secret with the ID of the secret from the previous step.
Replace OpenShift_Project with the project where Cognos Analytics is deployed.
- In the secret object definition YAML file, update the content_store_password entry.
Paste the base64 encoded password that you generated in a preceding step. For example:
content_store_password: Q29nbm9zNDU2IQo=
- Run the following command:
- Run the following command to get the list of Cognos Analytics pods that need to be restarted:
oc get po -n OpenShift_Project | grep "ca.*cm\|ca.*cs\|ca.*biapp"
Replace OpenShift_Project with the project where Cognos Analytics is deployed.
The command returns a list of pods, similar to:
ca1592234996446-biapp-6c46787bc6-vhb9t 2/2 Running 0 24h
ca1592234996446-cm-0-6cfcf94b5c-vj9hh 2/2 Running 0 24h
ca1592234996446-cs-8c7879fcf-nmxtx 1/1 Running 0 24h
- Restart the pods by running the following command:
oc delete po biapp_Pod cm_Pod cs_Pod -n OpenShift_Project
Replace biapp_Pod, cm_Pod, cs_Pod with the ID of the pods from the previous step.
Replace OpenShift_Project with the project where Cognos Analytics is deployed.
- Wait until all of the containers are Running and the pods are in the Ready state.
Document Location
Worldwide
Product Synonym
CA;
Was this topic helpful?
Document Information
Modified date:
22 October 2020
UID
ibm16239512