Wednesday, 22 November 2017

Changing Default passwords of all Exadata components

Introduction

An Exadata Database Machine is made up of several component types (database servers, storage servers, InfiniBand switches, the Cisco management switch, PDUs and the KVM). All of them ship with well-known default passwords, and changing those passwords is one of the first recommended security steps after deployment. This article describes the procedure for changing the default passwords on each component.

Database Server

Each database server has both an operating system and an ILOM service processor, each with its own root account; both passwords must be changed.

Change operating system user passwords

Each database server has root, oracle and grid users with default passwords. The passwords can be changed on each server individually or on all servers at once with dcli; the dcli method is described below. dcli runs the command over SSH from the node where you launch it, so it keeps working after root's password changes as long as SSH key equivalence (dcli -k) is in place.

Configure the dbs_group file containing all database server hostnames:

      # cd /opt/oracle.SupportTools/onecommand
      # cat dbs_group    (example; make sure the file lists every database server hostname)
      abc02dbadm05
      abc02dbadm06
      abc02dbadm07
      abc02dbadm08

Set new passwords in environment variables

Put the new passwords in shell variables so the dcli commands can reference them. Be aware of where they end up: a plain assignment typed at the prompt is written to the shell history, and the expanded password becomes part of the command string dcli sends to every target, where it is visible in the process list for the moment passwd runs. Read the values with the shell's read -s builtin rather than typing them inline, unset the variables when you are done, and remove the history entries if you did type them.

        # ORAPASS=<oracle password>
        # ROOTPASS=<root password>
        # GRIDPASS=<grid password>

Execute the dcli commands to change the passwords (the quotes must be plain double quotes so the pipe runs on the remote host, not locally):

        # dcli -l root -g dbs_group "echo ${ROOTPASS} | passwd --stdin root"
        # dcli -l root -g dbs_group "echo ${ORAPASS} | passwd --stdin oracle"
        # dcli -l root -g dbs_group "echo ${GRIDPASS} | passwd --stdin grid"

Change ILOM root user password

dcli does not reach the service processors, so log in to each server's ILOM as root and change the password there. ILOM accepts passwords of 8 to 16 characters. Example:

        # ssh root@abc02dbadm05-ilom
        -> set /SP/users/root password
        Enter new password: ********
        Enter new password again: ********

Storage Server

Each storage server has root, celladmin and cellmonitor users with default passwords, and it is important to change all three.

Configure the cell_group file

Make sure cell_group lists every storage server hostname. The file lives in root's home directory.
        # cd /root
        # cat cell_group    (example)
        abc02celladm08
        abc02celladm09
        abc02celladm10
        abc02celladm11

Set new passwords in environment variables

Put the new passwords in shell variables so the dcli commands can reference them. The same caution as for the database servers applies: read them with read -s instead of typing them on the command line, and unset them afterwards.
        # ROOTPASS=<root password>
        # CELLADMPASS=<celladmin password>
        # CELLMONPASS=<cellmonitor password>

Execute the dcli commands to change the passwords (root last, so that a typo in the group file or a failed run is noticed before the account you administer from is touched):

        # dcli -l root -g /root/cell_group "echo ${CELLADMPASS} | passwd --stdin celladmin"
        # dcli -l root -g /root/cell_group "echo ${CELLMONPASS} | passwd --stdin cellmonitor"
        # dcli -l root -g /root/cell_group "echo ${ROOTPASS} | passwd --stdin root"

Change the CELLDIAG user password

The CELLDIAG account is managed through CellCLI rather than passwd, and it also ships with a default password that must be changed on every cell:

        # dcli -g /root/cell_group -l root "cellcli -e ALTER USER CELLDIAG password=\"NEW_PASSWORD\""

A valid CELLDIAG password is 12 to 40 alphanumeric characters and must contain at least one digit, one lowercase letter and one uppercase letter; an existing password cannot be reused. As with the OS passwords, the value is part of the dcli command string, so do not leave it in the shell history.
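As an added example that is not part of the original post, the following script wraps the dcli step used above for both the database-server accounts (root, oracle, grid) and the storage-server accounts (root, celladmin, cellmonitor), reads the new password without echo so it never reaches argv or the history file, and applies the CELLDIAG password rules to it before anything is sent to the targets. It assumes the same dcli flags the post uses (-l root -g <group file>); the script name change_pw.sh, the DCLI override variable (set it to echo for a dry run) and the choice to apply the CELLDIAG rules to the OS accounts are this example's own, not Oracle's.

```shell
#!/bin/sh
# Added example, not part of the original post: a wrapper around the dcli
# password change that (a) keeps the new password out of shell history and
# command-line arguments, and (b) checks it against the CELLDIAG rules
# before it is sent anywhere. DCLI can be overridden (e.g. DCLI=echo) for a
# dry run, which is how the example is exercised.

LC_ALL=C; export LC_ALL   # make the [A-Z] / [a-z] classes below ASCII-only

# Policy stated in the post for CELLDIAG: 12-40 alphanumeric characters with
# at least one digit, one lowercase and one uppercase letter. Applying the
# same rule to the OS accounts is this example's choice (assumption).
check_password_policy() {
    pw=$1
    len=${#pw}
    [ "$len" -ge 12 ] && [ "$len" -le 40 ] || return 1
    case $pw in *[!A-Za-z0-9]*) return 1 ;; esac   # alphanumeric only
    case $pw in *[0-9]*) ;; *) return 1 ;; esac     # at least one digit
    case $pw in *[a-z]*) ;; *) return 1 ;; esac     # at least one lowercase
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac     # at least one uppercase
    return 0
}

# Read a secret from the terminal with echo off. The value is returned on
# stdout for command substitution, so it exists only in this shell's memory
# and never in argv or the history file.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null
    read -r secret
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$secret"
}

# Change <user> on every host listed in <group file>, using the dcli flags
# from the post. Residual exposure: dcli ships the command string, password
# included, to each target, where it is visible in the process list for the
# instant passwd runs; that is inherent to this invocation, which is why the
# password is kept out of history and variables everywhere else. The policy
# check guarantees the password is alphanumeric, so the single quotes are
# enough to keep it away from the remote shell's expansion.
set_password_on_group() {
    group_file=$1
    user=$2
    pw=$3
    if ! check_password_policy "$pw"; then
        echo "new password for $user does not meet the policy" >&2
        return 1
    fi
    ${DCLI:-dcli} -l root -g "$group_file" "echo '$pw' | passwd --stdin $user"
}

# Interactive use, e.g.:  sh change_pw.sh --run /root/cell_group celladmin
if [ "${1:-}" = "--run" ]; then
    new_pw=$(read_secret "New password for $3 on hosts in $2")
    set_password_on_group "$2" "$3" "$new_pw"
    unset new_pw
fi
```

Run it once per account and group file; for the ILOM and CELLDIAG passwords the dcli line does not apply, but check_password_policy can still be used to vet the value before you type it into the ILOM or CellCLI prompt.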

ILOM root user

As for the database servers, log in to each storage server's ILOM as root and change the password (8 to 16 characters):
        # ssh root@abc02celladm08-ilom
        -> set /SP/users/root password
        Enter new password: ********
        Enter new password again: ********

InfiniBand Switches

A full rack Exadata has three InfiniBand switches (two leaf switches and one spine).

Get the hostnames of all InfiniBand switches

The InfiniBand switch details are in the Exadata deployment summary, for example:
        abc02sw6-ibs01
        abc02sw6-iba01
        abc02sw6-ibb01

Change passwords

Log in to each InfiniBand switch operating system as root and change the passwords. Back up the current shadow file first so the change can be rolled back, then change all four accounts: the ILOM accounts of the switch (ilom-admin, ilom-operator) are local accounts on the switch OS and are changed with passwd in the same way as nm2user and root.
            # ssh root@abc02sw6-ibs01
            # cd /conf
            # cp -p shadow shadow.backup
            # cd /etc
            # cp -p shadow /conf/shadow
            # passwd nm2user
            # passwd ilom-admin
            # passwd root
            # passwd ilom-operator

Cisco Switch

The Cisco management switch hostname is also listed in the Exadata deployment summary. Log in over SSH as the admin user, enter privileged EXEC mode with enable, and set the new credentials from configuration mode. Use enable secret, not enable password: the secret is stored as a salted hash, while enable password is kept in cleartext or the reversible type 7 encoding and is ignored whenever an enable secret exists. Do not set both to the same value; if you do, IOS answers "The enable secret you have chosen is the same as your enable password. This is not recommended. Re-enter the enable secret." because the weakly stored one would reveal the strong one. Changing the enable secret does not change the password of the admin login account, so set that as well.

Connect to the Cisco switch

Connect to the Cisco switch over SSH as the admin user and enter privileged EXEC mode:
        $ ssh admin@abc02sw6-admin01
        Password:
        abc02sw6-admin01> enable
        Password:
        abc02sw6-admin01#

Change password

        abc02sw6-admin01# configure terminal
        Enter configuration commands, one per line.  End with CNTL/Z.
        abc02sw6-admin01(config)# enable secret <new enable password>
        abc02sw6-admin01(config)# no enable password
        abc02sw6-admin01(config)# username admin secret <new admin password>
        abc02sw6-admin01(config)# end
        abc02sw6-admin01# write memory
        abc02sw6-admin01# exit

Verify with show running-config | include enable, which should list only the hashed enable secret line and no enable password line, and confirm by logging in again with the new admin password before closing the existing session.