Changing the password seed
As an administrator, you can change the password seed that you supplied when you installed the server software, to enhance the security of Rational® Test Automation Server.
Before you begin
You must have completed the following tasks:
- Installed Rational® Test Automation Server. See Installation of the server software.
- Installed the JSON command-line tool jq and ensured that jq is in your PATH. For information about jq, refer to the jq documentation.
- Installed the curl command-line tool. For more information, refer to the curl documentation.
About this task
When you install Rational® Test Automation Server, you supply a password seed when you run the helm install command. This password seed is used to generate several Kubernetes Secrets. These Secrets can contain the following information:
- The authentication credentials for the micro-services.
- An encryption key for the user-created secrets collection or other secrets.
When you change the password seed for Rational® Test Automation Server, you must consider the following scenarios:
- Rational® Test Automation Server cannot communicate until you reconcile the passwords that are stored in Kubernetes Secrets by using both the old and the new password seed.
- Users cannot read the secrets collection or other secrets that they created in Rational® Test Automation Server until you re-encrypt them by using the new password seed.
Important: To re-encrypt user secrets, you must provide an offline token and the old password seed that you used during the installation of the server software.
Procedure
- Run the following command to change the password seed for Rational® Test Automation Server:

  helm upgrade {my-rtas} ./ibm-rtas-prod -n test-system \
    --reuse-values \
    --set global.ibmRtasPasswordAutoGenSeed={my-new-super-secret}

  Notes: You must substitute the following variables in the command with their actual values:
  - {my-rtas}: the release name that you used during the installation of the server software.
  - {my-new-super-secret}: a new value of your choice as the password seed.
  You must run the helm upgrade command from the same directory where the helm install command was run during the installation of the server software, because the upgrade depends on the Helm charts and the .yaml values that were used when the helm install command was run.
- Run the following script to generate new server secrets from the updated password seed and to save them to the persistent storage:

  ./ibm-rtas-prod/files/reconcile-secrets.sh -n test-system {my-rtas}
- Run the following command to restart all the pods:

  kubectl delete pods -n test-system \
    -lapp.kubernetes.io/instance={my-rtas} \
    -lapp.kubernetes.io/managed-by=Helm
- Run the following commands to re-encrypt the user-created secrets collection or other secrets by providing the old password seed:

  export ACCESS_TOKEN=$(curl -k -X POST {SERVER_URL}/rest/tokens/ \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "accept: application/json" \
    -d "refresh_token={OFFLINE_TOKEN}" | jq -r '.access_token')

  curl -k -X POST {SERVER_URL}/rest/secrets/re-encrypt/ \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"type\":\"helm\",\"password_auto_gen_seed\":\"{OLD_SEED}\"}"

  Note: You must substitute the following variables in the commands with their actual values:
  - {SERVER_URL}: the URL of your Rational® Test Automation Server UI.
  - {OFFLINE_TOKEN}: the offline token that belongs to a user with the administrator role.
  - {OLD_SEED}: the previous password seed that you used during the installation of the server software.
- Run the following command to display the log file of the gateway pod:

  kubectl logs {my-rtas}-gateway-abcdefghij-abcde -n test-system

  Note: You must substitute the following variables in the command with their actual values:
  - {my-rtas}: the release name that you used during the installation of the server software.
  - abcdefghij-abcde: the identifier that is assigned to the name of the gateway pod. You can run the kubectl get pods -n test-system command to obtain the identifier that is assigned to the gateway pod.

  The following message is displayed when re-encryption is completed:

  reEncrypt complete. StringyReEncryptor [total=100, fixed=100, broken=0, noop=0]
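The re-encryption and log-check steps above, as an added example that is not IBM's own script, with two checks a practitioner would want: the request body is built with the seed escaped, so an old seed that contains a double quote or a backslash cannot corrupt the JSON that the inline -d string would produce, and the gateway log message is parsed so that the run fails if any secret is reported as broken. SERVER_URL, OFFLINE_TOKEN and OLD_SEED are the placeholders from the procedure and are assumed to be exported by the operator; the gateway pod is assumed to be found by the "-gateway-" part of its name, and the log lines used for checking are constructed.

```shell
#!/bin/sh
# Added example helpers for the re-encryption step; not part of the product.
# Assumes SERVER_URL, OFFLINE_TOKEN and OLD_SEED are exported by the operator.

# Build the JSON body for /rest/secrets/re-encrypt/ with the seed escaped, so a
# seed that contains '"' or '\' cannot break the JSON (seeds are single-line).
reencrypt_body() {
  seed=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"type":"helm","password_auto_gen_seed":"%s"}' "$seed"
}

# Return 0 only if the gateway log contains the completion message with
# broken=0 and every secret accounted for (fixed + noop == total).
verify_reencrypt_log() {
  line=$(printf '%s\n' "$1" | grep 'reEncrypt complete' | tail -n 1)
  if [ -z "$line" ]; then
    echo "re-encryption has not completed yet" >&2; return 1
  fi
  total=$(printf '%s' "$line" | sed -n 's/.*total=\([0-9]*\).*/\1/p')
  fixed=$(printf '%s' "$line" | sed -n 's/.*fixed=\([0-9]*\).*/\1/p')
  broken=$(printf '%s' "$line" | sed -n 's/.*broken=\([0-9]*\).*/\1/p')
  noop=$(printf '%s' "$line" | sed -n 's/.*noop=\([0-9]*\).*/\1/p')
  # Missing counters are treated as a failure, never as success.
  total=${total:-0}; fixed=${fixed:-0}; noop=${noop:-0}; broken=${broken:-1}
  if [ "$broken" -ne 0 ] || [ $((fixed + noop)) -ne "$total" ]; then
    echo "re-encryption left secrets unreadable: $line" >&2; return 1
  fi
  return 0
}

# The two API calls from the procedure, then the log check. Only runs when
# called explicitly, so the helpers can be sourced without cluster access.
reencrypt_secrets() {
  ACCESS_TOKEN=$(curl -k -sS -X POST "$SERVER_URL/rest/tokens/" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "accept: application/json" \
    --data-urlencode "refresh_token=$OFFLINE_TOKEN" | jq -r '.access_token')
  [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ] || return 1
  curl -k -sS -X POST "$SERVER_URL/rest/secrets/re-encrypt/" \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$(reencrypt_body "$OLD_SEED")" || return 1
  # Assumption: the gateway pod is the one whose name contains "-gateway-".
  pod=$(kubectl get pods -n test-system -o name | grep -- '-gateway-' | head -n 1)
  verify_reencrypt_log "$(kubectl logs "$pod" -n test-system)"
}
```

Call reencrypt_secrets after the variables are exported; a non-zero exit means either the token request failed or the gateway log did not report a clean completion.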