Is there any way to change the storage password for an existing Rundeck installation? This is the password referred to in rundeck-config.properties as rundeck.storage.converter.1.config.password and rundeck.config.storage.converter.1.config.password.
I presume it would be a case of going through each stored item, decrypting with the old password, encrypting with the new password, and finally updating the config file, but I'm hoping there's already a tool/script to do this.
Thanks!
You must follow these steps for your projects:
Export projects (this script looks useful for doing that massively to a ZIP file).
Delete all projects. (if you like, via RD CLI or API).
Stop the Rundeck service.
Change the encryption passwords in the rundeck-config.properties file.
Start the Rundeck service.
And later import projects (if you like, via RD CLI or API).
Now your projects are encrypted with your new password. As for the keys, you need to recreate them.
Advice: test first in a non-prod environment.
Related
My current workflow includes typing the password. Log into a server, pull (or sometimes clone, checkout or even push), type in the creds and leave. I do not want to store my credentials on that machine and I do not always have the chance to access my own password manager on the same machine.
How are we supposed to do this after a password can no longer be used with GitHub on the command line? Should I actually carry a paper slip with an access token? Or am I obliged to configure an SSH deploy key for every project on every server? It seems to require logging into the GitHub website and it's not like I have a GUI on those machines.
Is there any sane way? How would you do it, if you sit down in front of a Linux bash and have to deploy a project on that machine, using that machine?
How you should handle this depends on what your needs are.
If you want to automate a deployment process for a machine, then using a deploy key for that machine is a good idea, since that's the exact purpose for which they're designed. Ideally your deployment processes are automated, and deploy keys are a good way to do that.
If your goal is to log into several machines via SSH and perform Git operations with a remote, you can use an SSH key. If you're logging in via SSH, then add your SSH key to your agent and forward your agent to the remote system with the -A option, which will let you perform the access as if you had that key on the remote system. This is the easiest and simplest solution if you can do so, and is even more convenient than typing your username and password.
If you need to log in to machines at the console, then generate an SSH key, add it to GitHub, and store it on a flash drive, at which point you can mount the flash drive and use the keys with Git by setting the environment variable GIT_SSH_COMMAND to ssh -oIdentitiesOnly=yes -i /mnt/path-to-key (substituting the path to the key).
I have a credential store temp.jceks in code repository with default application passwords for developers.
When a production build is generated, the store is added to the Windows installer.
During installation, I need to change the store password to something else?
I know the Java keystore password can be changed using keytool, so along similar lines, I was hoping the WildFly credential store password could also be changed, but I do not see any option to do so in the information below.
https://wildscribe.github.io/WildFly/11.0/subsystem/elytron/credential-store/index.html
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials#credential_store
Any other option to secure the credential store password will be helpful.
Thank you!
No, it does not allow it. So I had to read the old values, delete the keystore used for development, create a new one with a random password and store the values back. I had to use the same name since it's the one configured in standalone.xml and did want to construct standalone.xml dynamically.
I have a case where the Rundeck scripts need some credentials in order to run. Obviously we do not want to store these in the job definitions because these are visible and also stored in SCM.
While I was able to use the Key Storage vault to put these secrets in, I was not able to find a way to access them from the job itself.
Rundeck 2.6.2 (released 2015-12-02) allows you to specify key storage secrets as default values for secure job options. See Secure Options using Key Storage.
I'm trying to run PowerShell scripts in my TeamCity build steps.
The scripts use WebClient to connect to TeamCity's REST API; currently, I have to log in to TeamCity and hardcode a username and password as arguments in my PowerShell build step.
I'm wondering if anyone knows a way to pass the credentials I am currently using to authenticate to TeamCity in my PowerShell scripts without hardcoding any passwords.
If you only need read access in the REST API (i.e. you don't want to do POST/PUT/DELETE, only GET) then use the TeamCity-generated user name and password.
This username/password pair is generated for each build and is valid only during the build run. This is how you can access them in your PowerShell script:
Read the $env:TEAMCITY_BUILD_PROPERTIES_FILE environment variable, which holds the full path to the build properties file that is generated/valid for this build.
This file is a simple key=value Java properties file. You need to parse out the values for the teamcity.auth.userId and teamcity.auth.password properties. Or better yet, always parse all the props in your script init phase and put them into a hash table in your PowerShell script.
If you need write access to the REST API, you can't use this uid/pwd pair. For this I am using a keychain on OS X and a KeePass db on Windows. KeePass has a nice .NET API that you can access from PowerShell. Create a new KeePass db, make it unlockable with a key, not with a password, make sure the user running the build agent has access to this key and no one else, then use the KeePass API to unlock the db and read out your TeamCity admin account and password, which can do POST/PUT/DELETE in the REST API.
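The parsing step described in the answer above, as an added example that is not part of the original answer or TeamCity's own code. The function names and the sample file contents are constructed for illustration; only TEAMCITY_BUILD_PROPERTIES_FILE, teamcity.auth.userId and teamcity.auth.password come from the answer, and the file is assumed to be in the format java.util.Properties.store writes (one key=value per line, no line continuations).

```powershell
function Read-JavaProperties {
    param([Parameter(Mandatory)][string]$Path)
    # Turns \uXXXX, \t, \n, \r, \f and \<char> back into the literal character.
    $unescape = {
        param($m)
        $s = $m.Groups[1].Value
        if ($s.Length -eq 5) { return [string][char][Convert]::ToInt32($s.Substring(1), 16) }
        switch -CaseSensitive ($s) { 't' { "`t" } 'n' { "`n" } 'r' { "`r" } 'f' { "`f" } default { $s } }
    }
    $latin1 = [Text.Encoding]::GetEncoding('ISO-8859-1')   # encoding of .properties files
    $props = @{}
    foreach ($line in [IO.File]::ReadAllLines($Path, $latin1)) {
        $t = $line.TrimStart()
        if ($t -eq '' -or $t[0] -eq '#' -or $t[0] -eq '!') { continue }   # blank or comment
        # Key runs up to the first unescaped '=' or ':'; the rest is the value.
        if ($t -notmatch '^((?:\\.|[^=:\\\s])+)\s*[=:]\s*(.*)$') { continue }
        $key   = [regex]::Replace($Matches[1], '\\(u[0-9a-fA-F]{4}|.)', $unescape)
        $value = [regex]::Replace($Matches[2], '\\(u[0-9a-fA-F]{4}|.)', $unescape)
        $props[$key] = $value
    }
    return $props
}

function Get-TeamCityBuildAuthHeader {
    param([string]$PropertiesFile = $env:TEAMCITY_BUILD_PROPERTIES_FILE)
    $props = Read-JavaProperties -Path $PropertiesFile
    $user = $props['teamcity.auth.userId']
    $pass = $props['teamcity.auth.password']
    if (-not $user -or -not $pass) { throw "teamcity.auth.* missing from $PropertiesFile" }
    # Basic auth header for read-only (GET) REST calls; the password is never printed.
    $pair = [Text.Encoding]::UTF8.GetBytes("${user}:${pass}")
    return @{ Authorization = 'Basic ' + [Convert]::ToBase64String($pair) }
}

# Constructed sample so the script also runs outside a build; all values are made up.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample.build.properties'
Set-Content -Path $sample -Value @(
    '#constructed sample, not real TeamCity output',
    'teamcity.auth.userId=ExampleBuildUser\=1234',
    'teamcity.auth.password=example-not-a-real-secret',
    'teamcity.build.checkoutDir=C\:\\BuildAgent\\work\\abc'
)
$headers = Get-TeamCityBuildAuthHeader -PropertiesFile $sample
'Header built for: ' + (Read-JavaProperties -Path $sample)['teamcity.auth.userId']
Remove-Item $sample
```

Inside a real build step, call Get-TeamCityBuildAuthHeader with no arguments and pass the result to the -Headers parameter of Invoke-RestMethod.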
Thanks for the answer but we wound up providing the username and password as build parameters.
TeamCity's built-in password protection helped us out here.
In this way, we're using one account to run our PowerShell scripts but we can still see who kicked off the build from the credentials they used to log in to the web UI.
So we maintained traceable responsibility and stopped the constant entering of username and passwords.
More info: confluence.jetbrains.com/display/TCD7/Typed+Parameters
We are creating reports and trying to deliver them to a shared folder by adding a subscription for that, but when we created it, it asked for user credentials. We can add them for test purposes, but in the prod environment we cannot put the credentials on it, because IT uses Windows authentication for everything for security reasons.
Is there any way to set a Windows user to deliver the file to the shared folder without adding it when it is configured?
The parameters for the database and the database server can be set in the data source as an expression; however, you either need to define a "ReportAdmin" user to always publish the reports with. The publisher should know the credentials prior to deployment. Other than that, the data source will balk and inform you that it needs credentials to run the operations :(