Secret Agent Operator

The open source Secret Agent operator randomly generates all secrets for AM, IDM, and DS services running in the CDK and the CDM. The Secret Agent operator runs as a Kubernetes deployment that must be available before AM, IDM, and DS are deployed. In addition to generating secrets, the operator integrates with Google Cloud Secret Manager, AWS Secrets Manager, and Azure Key Vault to manage secrets, providing cloud backup and retrieval for secrets.

Secret Generation

By default, the operator examines your namespace to determine whether it contains all the secrets required for ForgeRock Identity Platform deployment. If any of the required secrets are not present, the operator generates them.

See the Secret Agent project README for information about:

Cloud Secret Management

Configuring the Secret Agent operator to integrate with a cloud secret manager, such as Google Cloud Secret Manager, AWS Secrets Manager, or Azure Key Vault, changes the operator’s behavior:

  • First, the operator examines your namespace to determine whether it contains all the secrets required for ForgeRock Identity Platform deployment.

  • If any of the required secrets are not in your namespace, the operator checks to see if the missing secrets are available in the cloud secret manager:

    • If any of the secrets missing from your namespace are available in the cloud secret manager, the operator gets them from the cloud secret manager and adds them to your namespace.

    • If missing secrets are not available in the cloud secret manager, the Secret Agent operator generates them.

See the Secret Agent project README for information about how to integrate the Secret Agent operator with these cloud secret managers:

Before deploying the ForgeRock Identity Platform in production, you must configure the Secret Agent operator to support cloud secret management. If you do not do so, you run the risk of not being able to access your directory data. Because directory data is encrypted by secrets that have been generated by the operator, loss of your secrets will result in data loss.
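The three rules above (keep what the namespace has, otherwise restore the cloud copy, otherwise generate) decide whether deleting a Kubernetes secret actually rotates a password or merely restores the old one. The following model of that decision is an added example, not the operator's code: the two stores are plain dicts, the required-secret map is constructed here rather than read from a SecretAgentConfiguration, and backing a freshly generated value up to the cloud store is assumed from the "cloud backup" wording.

```python
import secrets

# Constructed required-secret map for this example; the real operator takes
# the list from its configuration, which this model does not read.
REQUIRED = {
    "am-env-secrets": ["AM_PASSWORDS_AMADMIN_CLEAR"],
    "ds-env-secrets": ["AM_STORES_CTS_PASSWORD", "AM_STORES_USER_PASSWORD"],
}


def reconcile(namespace, cloud, required, generate=lambda: secrets.token_urlsafe(24)):
    """One pass of the rules over two stores, each {secret_name: {key: value}}.
    Returns one (secret, key, action) tuple per required key."""
    actions = []
    for name, keys in required.items():
        ns = namespace.setdefault(name, {})
        backup = cloud.setdefault(name, {})
        for key in keys:
            if key in ns:
                action = "present"                 # rule 1: namespace wins
            elif key in backup:
                ns[key] = backup[key]              # rule 2: restore cloud copy
                action = "restored-from-cloud"
            else:
                ns[key] = backup[key] = generate() # rule 3: generate (and back up: assumption)
                action = "generated"
            actions.append((name, key, action))
    return actions


def rotate(namespace, cloud, name, key, delete_cloud_copy=True):
    """Mirror the rotation procedure for one key: remove it from the cloud
    manager and from the Kubernetes secret, then let the operator reconcile.
    Returns (old_value, new_value) so the caller can verify the change."""
    old = namespace[name].pop(key)
    if delete_cloud_copy:
        cloud[name].pop(key, None)
    reconcile(namespace, cloud, {name: [key]})
    return old, namespace[name][key]


def demo():
    namespace, cloud = {}, {}
    reconcile(namespace, cloud, REQUIRED)  # first deployment: everything generated
    # Skipping the cloud deletion: the operator silently restores the old value.
    old, same = rotate(namespace, cloud, "am-env-secrets", "AM_PASSWORDS_AMADMIN_CLEAR",
                       delete_cloud_copy=False)
    # Full procedure: a new value is generated and backed up.
    old2, new = rotate(namespace, cloud, "am-env-secrets", "AM_PASSWORDS_AMADMIN_CLEAR")
    return old == same, old2 != new
```

`demo()` returns `(True, True)`: the half-done rotation leaves the password unchanged, which is why every sequence below deletes the cloud entry before the Kubernetes secret.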

Administration Password Changes

The CDM uses six administration passwords:

  • The AM and IDM administration user, amadmin

  • The AM CTS service account, uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens

  • The shared identity repository service account, uid=am-identity-bind-account,ou=admins,ou=identities

  • The DS root user, uid=admin

  • RCS Agent passwords:

    • The password that RCS server instances use to connect to the RCS Agent

    • The password that IDM instances use to connect to the RCS Agent

Some organizations have a requirement to change administration passwords from time to time. Follow these steps if you need to change the CDM administration passwords:

  1. Ensure that you have configured Cloud Secret Management in your deployment.

    Cloud secret management is required when deploying the platform in production on Google Cloud, AWS, or Azure.

  2. Change the amadmin user’s password:

    1. Run the print-secrets command from the bin directory in your forgeops repository clone. Note the current password for the amadmin user.

    2. Delete the entry that contains the amadmin user’s password from the cloud secret manager:

      Google Cloud

      List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AM-PASSWORDS-AMADMIN-CLEAR password, and delete it. For example:

      $ gcloud secrets list --uri
      $ gcloud secrets delete \
       https://secretmanager.googleapis.com/. . ./prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR

      AWS

      List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AM-PASSWORDS-AMADMIN-CLEAR password, and delete it. For example:

      $ aws secretsmanager list-secrets --region=my-region
      $ aws secretsmanager delete-secret --region=my-region \
       --force-delete-without-recovery \
       --secret-id arn:aws:secretsmanager:. . .:prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR-c3KfsL

      Azure

      Soft delete the secret that contains the AM-PASSWORDS-AMADMIN-CLEAR password from Azure Key Vault. For example:

      $ az keyvault secret delete --vault-name my-key-vault --name prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR

      Purge the soft deleted secret from Azure Key Vault. For example:

      $ az keyvault secret purge --vault-name my-key-vault --name prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR

    3. Delete the Kubernetes secret that contains the amadmin user’s password from the prod namespace:

      $ kubens prod
      $ kubectl patch secrets am-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AM_PASSWORDS_AMADMIN_CLEAR"}]'

    4. Restart AM by deleting all active AM pods: list all the pods in the prod namespace, and then delete all the pods running AM.

    5. After AM comes up, run the print-secrets command again to get the current administration passwords.

      Verify that the amadmin user’s password has changed by comparing its previous value to its current value.

    6. Verify that you can log in to the platform UI using the new password.

  3. Change the CTS service account’s password:

    1. Change to the bin directory in your forgeops repository clone.

    2. Run the print-secrets command. Note the current password for the identity repository service account.

    3. Delete the entry that contains this account’s password from the cloud secret manager:

      Google Cloud

      List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AM_STORES_CTS_PASSWORD password, and delete it. For example:

      $ gcloud secrets list --uri
      $ gcloud secrets delete \
       https://secretmanager.googleapis.com/. . ./prod-ds-env-secrets-AM_STORES_CTS_PASSWORD

      AWS

      List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AM_STORES_CTS_PASSWORD password, and delete it. For example:

      $ aws secretsmanager list-secrets --region=my-region
      $ aws secretsmanager delete-secret --region=my-region \
       --force-delete-without-recovery \
       --secret-id arn:aws:secretsmanager:. . .:prod-ds-env-secrets-AM_STORES_CTS_PASSWORD-1d4432

      Azure

      Soft delete the secret that contains the AM_STORES_CTS_PASSWORD password from Azure Key Vault. For example:

      $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_CTS_PASSWORD

      Purge the deleted secret from Azure Key Vault. For example:

      $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_CTS_PASSWORD

    4. Delete the Kubernetes secret that contains the service account’s password from the prod namespace:

      $ kubens prod
      $ kubectl patch secrets ds-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AM_STORES_CTS_PASSWORD"}]'

    5. Redeploy the platform:

      $ cd /path/to/forgeops
      $ skaffold delete --profile small; skaffold run --profile small

    6. After the platform comes up, run the print-secrets command again to get the current administration passwords.

      Verify that the CTS service account’s password has changed by comparing its previous value to its current value.

  4. Change the identity repository service account’s password:

    1. Change to the bin directory in your forgeops repository clone.

    2. Run the print-secrets command. Note the current password for the identity repository service account.

    3. Delete the entry that contains this account’s password from the cloud secret manager:

      Google Cloud

      List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AM_STORES_USER_PASSWORD password, and delete it. For example:

      $ gcloud secrets list --uri
      $ gcloud secrets delete \
       https://secretmanager.googleapis.com/. . ./prod-ds-env-secrets-AM_STORES_USER_PASSWORD

      AWS

      List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AM_STORES_USER_PASSWORD password, and delete it. For example:

      $ aws secretsmanager list-secrets --region=my-region
      $ aws secretsmanager delete-secret --region=my-region \
       --force-delete-without-recovery \
       --secret-id arn:aws:secretsmanager:. . .:prod-ds-env-secrets-AM_STORES_USER_PASSWORD-1d4432

      Azure

      Soft delete the secret that contains the AM_STORES_USER_PASSWORD password from Azure Key Vault. For example:

      $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_USER_PASSWORD

      Purge the deleted secret from Azure Key Vault. For example:

      $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_USER_PASSWORD

    4. Delete the Kubernetes secret that contains the service account’s password from the prod namespace:

      $ kubens prod
      $ kubectl patch secrets ds-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AM_STORES_USER_PASSWORD"}]'

    5. Redeploy the platform:

      $ cd /path/to/forgeops
      $ skaffold delete --profile small; skaffold run --profile small

    6. After the platform comes up, run the print-secrets command again to get the current administration passwords.

      Verify that the identity repository service account’s password has changed by comparing its previous value to its current value.

  5. Change the DS root user’s password:

    1. Change to the bin directory in your forgeops repository clone.

    2. Run the print-secrets command. Note the current password for the uid=admin account.

    3. Delete the entry that contains this account’s password from the cloud secret manager:

      Google Cloud

      List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the dirmanager-pw password, and delete it. For example:

      $ gcloud secrets list --uri
      $ gcloud secrets delete \
       https://secretmanager.googleapis.com/. . ./prod-ds-passwords-dirmanager-pw

      AWS

      List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the dirmanager-pw password, and delete it. For example:

      $ aws secretsmanager list-secrets --region=my-region
      $ aws secretsmanager delete-secret --region=my-region \
       --force-delete-without-recovery \
       --secret-id arn:aws:secretsmanager:. . .:prod-ds-passwords-dirmanager-pw-2eeaa0

      Azure

      Soft delete the secret that contains the dirmanager-pw password from Azure Key Vault. For example:

      $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-passwords-dirmanager-pw

      Purge the deleted secret from Azure Key Vault. For example:

      $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-passwords-dirmanager-pw

    4. Delete the Kubernetes secret that contains the service account’s password from the prod namespace:

      $ kubens prod
      $ kubectl patch secrets ds-passwords --type=json \
       --patch='[{"op":"remove", "path": "/data/dirmanager.pw"}]'

    5. Redeploy the platform:

      $ cd /path/to/forgeops
      $ skaffold delete --profile small; skaffold run --profile small

    6. After the platform comes up, run the print-secrets command again to get the current administration passwords.

      Verify that the password for the uid=admin account has changed by comparing its previous value to its current value.

  6. Change the RCS Agent password:

    1. Change to the bin directory in your forgeops repository clone.

    2. Run the print-secrets command. Note the current password that’s listed as the rcs-agent RCS secret.

    3. Delete the entry that contains this password from the cloud secret manager:

      Google Cloud

      List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AGENT_RCS_SECRET password, and delete it. For example:

      $ gcloud secrets list --uri
      $ gcloud secrets delete \
       https://secretmanager.googleapis.com/. . ./prod-rcs-agent-env-secrets-AGENT_RCS_SECRET

      AWS

      List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AGENT_RCS_SECRET password, and delete it. For example:

      $ aws secretsmanager list-secrets --region=my-region
      $ aws secretsmanager delete-secret --region=my-region \
       --force-delete-without-recovery \
       --secret-id arn:aws:secretsmanager:. . .:prod-rcs-agent-env-secrets-AGENT_RCS_SECRET-440800

      Azure

      Soft delete the secret that contains the AGENT_RCS_SECRET password from Azure Key Vault. For example:

      $ az keyvault secret delete --vault-name my-key-vault --name prod-rcs-agent-env-secrets-AGENT_RCS_SECRET

      Purge the deleted secret from Azure Key Vault. For example:

      $ az keyvault secret purge --vault-name my-key-vault --name prod-rcs-agent-env-secrets-AGENT_RCS_SECRET

    4. Delete the Kubernetes secret that contains the service account’s password from the prod namespace:

      $ kubens prod
      $ kubectl patch secrets rcs-agent-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AGENT_RCS_SECRET"}]'

    5. Restart the RCS Agent by deleting the RCS Agent pod.

    6. After the RCS Agent comes up, run the print-secrets command again to get the current administration passwords.

      Verify that the RCS Agent’s password has changed by comparing its previous value to its current value.

    7. Configure all of your connectors that communicate to IDM through the agent to use the new password.

  7. Change the password that the RCS Agent uses to connect to IDM:

    1. Change to the bin directory in your forgeops repository clone.

    2. Run the print-secrets command. Note the current password that’s listed as the rcs-agent IDM secret.

    3. Delete the entry that contains this password from the cloud secret manager:

      Google Cloud

      List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AGENT_IDM_SECRET password, and delete it. For example:

      $ gcloud secrets list --uri
      $ gcloud secrets delete \
       https://secretmanager.googleapis.com/. . ./prod-rcs-agent-env-secrets-AGENT_IDM_SECRET

      AWS

      List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AGENT_IDM_SECRET password, and delete it. For example:

      $ aws secretsmanager list-secrets --region=my-region
      $ aws secretsmanager delete-secret --region=my-region \
       --force-delete-without-recovery \
       --secret-id arn:aws:secretsmanager:. . .:prod-rcs-agent-env-secrets-AGENT_IDM_SECRET-a501c0

      Azure

      Soft delete the secret that contains the AGENT_IDM_SECRET password from Azure Key Vault. For example:

      $ az keyvault secret delete --vault-name my-key-vault --name prod-rcs-agent-env-secrets-AGENT_IDM_SECRET

      Purge the deleted secret from Azure Key Vault. For example:

      $ az keyvault secret purge --vault-name my-key-vault --name prod-rcs-agent-env-secrets-AGENT_IDM_SECRET

    4. Delete the Kubernetes secret that contains the service account’s password from the prod namespace:

      $ kubens prod
      $ kubectl patch secrets rcs-agent-env-secrets --type=json \
       --patch='[{"op":"remove", "path": "/data/AGENT_IDM_SECRET"}]'

    5. Restart IDM by deleting all active IDM pods: list all the pods in the prod namespace, and then delete all the pods running IDM.

    6. Restart the RCS Agent by deleting the RCS Agent pod.

    7. After IDM and the RCS Agent come up, run the print-secrets command again to get the current administration passwords.

      Verify that the password that IDM uses to connect to the RCS Agent has changed by comparing its previous value to its current value.
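The six sequences above differ only in the cloud secret identifier, the Kubernetes secret name and the key. The helper below is an added example, not part of the forgeops repository: it performs the two deletion steps (cloud manager entry, then Kubernetes key) for one password, driven by parameters, and leaves the service restart or redeploy to the caller because that step differs per service. It assumes the prod namespace, the REGION and VAULT environment variables for AWS and Azure, and a DRY_RUN=1 switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added helper (hypothetical, not forgeops code). Usage:
#   rotate_platform_secret PROVIDER K8S_SECRET KEY CLOUD_SECRET_ID
#   e.g. rotate_platform_secret aws am-env-secrets AM_PASSWORDS_AMADMIN_CLEAR arn:aws:secretsmanager:...
set -eu

# Execute a command, or only print it when DRY_RUN=1 (lets you review before acting).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Delete the cloud copy first; otherwise the operator restores the old value
# from the cloud manager instead of generating a new one.
delete_cloud_secret() {  # $1 provider, $2 secret URI (gcp), ARN (aws) or Key Vault name (azure)
  case "$1" in
    gcp)   run gcloud secrets delete --quiet "$2" ;;
    aws)   run aws secretsmanager delete-secret --region="${REGION:?set REGION}" \
             --force-delete-without-recovery --secret-id "$2" ;;
    azure) run az keyvault secret delete --vault-name "${VAULT:?set VAULT}" --name "$2"
           run az keyvault secret purge  --vault-name "${VAULT:?set VAULT}" --name "$2" ;;
    *)     echo "unknown provider: $1 (expected gcp, aws or azure)" >&2; return 2 ;;
  esac
}

# Remove one key from the Kubernetes secret with a JSON patch, as the page does.
# -n prod is used instead of kubens so the caller's current context is untouched.
remove_k8s_key() {  # $1 Kubernetes secret name, $2 key under /data
  run kubectl -n prod patch secret "$1" --type=json \
    --patch="[{\"op\":\"remove\",\"path\":\"/data/$2\"}]"
}

rotate_platform_secret() {  # $1 provider, $2 k8s secret, $3 key, $4 cloud secret id
  delete_cloud_secret "$1" "$4" || return $?
  remove_k8s_key "$2" "$3"
}
```

After the helper returns, restart or redeploy the consuming service as the relevant step above describes, then compare the print-secrets output before and after.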