Change Service Account Passwords
The process for changing the passwords for the service accounts used by the Keyfactor Universal Orchestrator varies for the two different service accounts (see Create Service Accounts for the Universal Orchestrator) and depends on the type of authentication used for the service account that connects to Keyfactor Command.
The password for the service account that's used to run the Universal Orchestrator service on the orchestrator server can be changed through standard operating system methods.
On a Linux server, this would be, for example, the passwd command run from the command line for the service account that runs the orchestrator service (keyfactor-orchestrator by default). So, on a Linux server, the command might be:
On a Windows server, if you've opted to run the Universal Orchestrator service as a custom service account rather than Network Service, the password would need to be changed in Active Directory and in the Services MMC.
Figure 536: Change Service Account Password in Services MMC
For both Windows and Linux servers, the password change for the service account that's used to make the connection to Keyfactor Command follows this process:
- Change the password for the service account in Active Directory.
- On the Windows or Linux server, open a command window. For Windows, this should be a PowerShell window opened using the "Run as Administrator" option. Change to the directory in which the orchestrator is installed and locate the change_secrets script. By default, this is:
  Windows: C:\Program Files\Keyfactor\Keyfactor Orchestrator\change_secrets.ps1
  Linux: /opt/keyfactor/orchestrator/change_secrets.sh
- For Linux only, use the chmod command to make the change_secrets.sh script file executable. The file ships in a non-executable state to avoid accidental execution. For example:
  sudo chmod +x change_secrets.sh
- For Windows only, in the PowerShell window, run the following command to populate a variable with the password for the service account:
  $credKeyfactor = Get-Credential
  Enter the appropriate username and password when prompted (the service account that the orchestrator uses to connect to Keyfactor Command). Usernames should be given in DOMAIN\username format.
  Or, to avoid being prompted for credentials:
  $keyfactorUser = "DOMAIN\mykeyfactorconnectusername"
  $keyfactorPassword = "MySecurePassword"
  $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
  $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
- Run the password change script on the Universal Orchestrator server using the following parameters:
  -WebCredential (Windows)
  This is the credential object of the service account that the orchestrator uses to communicate with Keyfactor Command, created as per Create Service Accounts for the Universal Orchestrator. It is provided as a PSCredential object.
  For password change operations, this parameter is required.
  --username (Linux)
  The service account that the orchestrator uses to communicate with Keyfactor Command, created as per Create Service Accounts for the Universal Orchestrator. It may be entered either as username@domain (e.g. svc_kyforch@keyexample.com) or DOMAIN\\username (e.g. KEYEXAMPLE\\svc_kyforch).
  For password change operations, this parameter is required.
  --password (Linux)
  The password for the service account that the orchestrator uses to communicate with Keyfactor Command, as specified with the username parameter.
  Warning: The password for the service account the orchestrator uses to communicate with Keyfactor Command is stored in clear text in the orchestratorsecrets.json file in the configuration directory under the installation directory for the orchestrator. By default, this file is granted read/write permissions for the orchestrator service account running the service on the Linux machine (keyfactor-orchestrator by default) and no permissions for any other users. Access to this file should be strictly controlled.
  This parameter is required if the username parameter is specified.
  Tip: If you prefer to avoid providing the password at the command line (and storing it in command history), use an input file instead as follows:
  - Create a file that contains just your password. For example:
    vi my_password_file
  - When using the password parameter, reference the file. For example:
    --password $(cat my_password_file)
  - Delete the password file after the password change is complete. For example:
    rm my_password_file
  -SecretsPath (Windows) or --secrets-path (Linux)
  The full path and file name of the orchestratorsecrets.json file that stores the secret information. This file is found in the configuration directory under the installation directory for the Universal Orchestrator, which is by default:
  Windows: C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration\orchestratorsecrets.json
  Linux: /opt/keyfactor/orchestrator/configuration/orchestratorsecrets.json
  The location and file name for this file cannot be changed from the default. The parameter is provided to allow for installations in non-standard locations or multiple locations on the same server.
  This parameter is required.
Windows example using basic authentication:
$keyfactorUser = "KEYXAMPLE\svc_kyforch"
$keyfactorPassword = "MySecurePassword123!"
$secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
$credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
.\change_secrets.ps1 -WebCredential $credKeyfactor -SecretsPath "C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration\orchestratorsecrets.json"
Saved secrets to 'C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration\orchestratorsecrets.json'
Restarting service KeyfactorOrchestrator-Default
Linux example using basic authentication:
vi password_file_new
sudo ./change_secrets.sh --username svc_kyforch@keyexample.com --password $(cat password_file_new) --secrets-path /opt/keyfactor/orchestrator/configuration/orchestratorsecrets.json
Saving secrets to '/opt/keyfactor/orchestrator/configuration/orchestratorsecrets.json'
Restarting service keyfactor-orchestrator-default
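As an added example (not part of Keyfactor's documentation or of the change_secrets scripts), the following POSIX shell helpers cover the two cautions in the Linux procedure above: the warning that orchestratorsecrets.json holds the Keyfactor Command password in clear text and should be readable only by the orchestrator service account, and the tip about keeping the password in a temporary input file rather than typing it on the command line. The function names, the use of ls -ld to read the mode and owner, and the constructed temporary file used for the demonstration are this example's own assumptions; the secrets file path and the keyfactor-orchestrator account name are the defaults stated on the page.

```shell
#!/bin/sh
# Added example, not Keyfactor's own code. Helper checks around the Linux
# password-change procedure:
#   check_secrets_perms FILE OWNER  - 0 if FILE is owned by OWNER and grants
#                                     nothing to group/other (e.g. mode 0600)
#   make_password_file FILE         - write stdin to FILE, created with mode 0600
# Assumes POSIX sh with ls(1); the function names are this example's own.

# Return 0 only when FILE exists, is owned by OWNER, and has no group or other
# permission bits. Intended to audit orchestratorsecrets.json, which stores the
# Keyfactor Command service account password in clear text.
check_secrets_perms() {
    file=$1
    owner=$2
    [ -f "$file" ] || return 1
    # ls -ld prints: "-rw------- 1 owner group size date name"
    set -- $(ls -ld "$file")
    mode=$1
    file_owner=$3
    [ "$file_owner" = "$owner" ] || return 1
    # Drop the type character and the three user bits; what remains is the
    # group+other bits, possibly followed by an ACL "+" or SELinux "." marker.
    rest=${mode#????}
    case $rest in
        ------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create FILE with mode 0600 (umask 077 is applied only inside the subshell)
# and fill it from stdin, so a password used via --password $(cat FILE) is
# never world-readable on disk. Returns 1 if the file did not end up 0600.
make_password_file() {
    file=$1
    rm -f "$file"
    (umask 077 && : > "$file") || return 1
    cat > "$file" || return 1
    set -- $(ls -ld "$file")
    case $1 in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a constructed temporary file (not the real secrets file).
# On an orchestrator server the audit call would be:
#   check_secrets_perms /opt/keyfactor/orchestrator/configuration/orchestratorsecrets.json keyfactor-orchestrator
demo=$(mktemp)
printf '%s' 'NotARealPassword' | make_password_file "$demo"
if check_secrets_perms "$demo" "$(id -un)"; then
    echo "ok: $demo is readable only by $(id -un)"
fi
chmod 644 "$demo"   # simulate a misconfigured secrets file
if ! check_secrets_perms "$demo" "$(id -un)"; then
    echo "WARNING: $demo is readable by other users; restrict it with chmod 600"
fi
rm -f "$demo"       # as the tip says: remove the password file when done
```

Run the audit after every password change (and from a periodic job) against the real secrets file path with keyfactor-orchestrator as the expected owner; a non-zero return means the clear-text password is exposed to other local accounts and the mode or ownership should be corrected before the service is left running.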