Secret Agent Operator
The open source Secret Agent operator randomly generates all secrets for AM, IDM, and DS services running in the CDK and the CDM. The Secret Agent operator runs as a Kubernetes deployment that must be available before AM, IDM, and DS are deployed. In addition to generating secrets, the operator integrates with Google Cloud Secret Manager, AWS Secrets Manager, and Azure Key Vault to manage secrets, providing cloud backup and retrieval for secrets.
Secret Generation
By default, the operator examines your namespace to determine whether it contains all the secrets required for ForgeRock Identity Platform deployment. If any of the required secrets are not present, the operator generates them.
See the Secret Agent project README for details of which secrets are generated and how.
Cloud Secret Management
Configuring the Secret Agent operator to integrate with a cloud secret manager, such as Google Cloud Secret Manager, AWS Secrets Manager, or Azure Key Vault, changes the operator’s behavior:
- First, the operator examines your namespace to determine whether it contains all the secrets required for ForgeRock Identity Platform deployment.
- If any of the required secrets are not in your namespace, the operator checks whether the missing secrets are available in the cloud secret manager:
  - If any of the secrets missing from your namespace are available in the cloud secret manager, the operator retrieves them from the cloud secret manager and adds them to your namespace.
  - If missing secrets are not available in the cloud secret manager, the Secret Agent operator generates them.
See the Secret Agent project README for information about how to integrate the Secret Agent operator with these cloud secret managers.
Before deploying the ForgeRock Identity Platform in production, you must configure the Secret Agent operator to support cloud secret management. If you do not, you run the risk of not being able to access your directory data: directory data is encrypted with secrets that the operator generated, so if those secrets are lost (for example, with the namespace or the cluster) the operator generates new ones and the existing data is unreadable.
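The precedence above means a secret that exists only in the namespace is regenerated, not recovered, if the namespace is lost. The script below is an added example and is not part of the forgeops project or the Secret Agent operator: it checks that every password key held in the Kubernetes secrets has a counterpart in the cloud secret manager before you go to production. It assumes the naming pattern <namespace>-<secret>-<key> seen in the examples on this page (with `_` and `.` in the key sometimes written as `-`), and both inputs are constructed samples; in a real run, feed it the output of kubectl and of your provider's list command.

```shell
#!/bin/sh
# Added example (not forgeops or Secret Agent code): report Kubernetes secret keys
# that have no copy in the cloud secret manager, so a lost namespace can be
# recovered rather than regenerated.
#
# Assumption drawn from the secret names on this page: the cloud copy of key K in
# Kubernetes secret S in namespace N is named N-S-K, with '_' and '.' in K possibly
# written as '-'.  The comparison folds those characters and case; tighten it if
# your secret-agent configuration uses other names.

# Constructed sample of "<secret>/<key>" lines.  In a real run build this with:
#   kubectl -n prod get secret am-env-secrets ds-env-secrets ds-passwords -o json \
#     | jq -r '.items[] | .metadata.name as $s | .data | keys[] | "\($s)/\(.)"'
SAMPLE_K8S_KEYS='am-env-secrets/AM_PASSWORDS_AMADMIN_CLEAR
ds-env-secrets/AM_STORES_CTS_PASSWORD
ds-env-secrets/AM_STORES_USER_PASSWORD
ds-passwords/dirmanager.pw'

# Constructed sample of cloud secret names (or gcloud URIs), the kind of list you
# get from "gcloud secrets list --uri", "aws secretsmanager list-secrets" or
# "az keyvault secret list".  The dirmanager-pw entry is deliberately missing.
SAMPLE_CLOUD_NAMES='https://secretmanager.googleapis.com/v1/projects/example/secrets/prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR
prod-ds-env-secrets-AM_STORES_CTS_PASSWORD
prod-ds-env-secrets-AM_STORES_USER_PASSWORD'

# normalize_name NAME: keep the last path component (bare name from a URI), map
# '_' and '.' to '-', and lowercase, so the two naming styles compare equal.
normalize_name() {
  printf '%s' "${1##*/}" | sed 's/[_.]/-/g' | tr '[:upper:]' '[:lower:]'
}

# find_unbacked NAMESPACE K8S_KEYS CLOUD_NAMES
# Prints each "<secret>/<key>" that has no matching cloud secret; prints nothing
# when every key is backed.
find_unbacked() {
  fu_ns=$1
  fu_cloud=$(printf '%s\n' "$3" | while IFS= read -r n; do
    [ -n "$n" ] && normalize_name "$n"
    echo
  done)
  printf '%s\n' "$2" | while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    fu_secret=${entry%%/*}
    fu_key=${entry#*/}
    fu_want=$(normalize_name "${fu_ns}-${fu_secret}-${fu_key}")
    printf '%s\n' "$fu_cloud" | grep -qxF -- "$fu_want" || printf '%s\n' "$entry"
  done
}

# Preview on the constructed sample: exactly one key is reported as unbacked.
missing=$(find_unbacked prod "$SAMPLE_K8S_KEYS" "$SAMPLE_CLOUD_NAMES")
if [ -n "$missing" ]; then
  printf 'Not backed by the cloud secret manager (fix before going to production):\n%s\n' "$missing"
else
  echo "every Kubernetes secret key is backed by the cloud secret manager"
fi
```

Run it against the real lists once the operator has been pointed at your cloud secret manager; an empty report is the state you want before the first production deployment, and again after any secret rotation.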
Administration Password Changes
The CDM uses four administration passwords:
- The AM and IDM administration user, amadmin
- The AM CTS service account, uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens
- The shared identity repository service account, uid=am-identity-bind-account,ou=admins,ou=identities
- The DS root user, uid=admin
Some organizations have a requirement to change administration passwords from time to time. Follow these steps if you need to change the CDM administration passwords:
- Ensure that you have configured cloud secret management in your deployment. Cloud secret management is required when deploying the platform in production on Google Cloud, AWS, or Azure.
- Change the amadmin user’s password:
  - Run the print-secrets command from the bin directory in your forgeops repository clone. Note the current password for the amadmin user.
  - Delete the entry that contains the amadmin user’s password from the cloud secret manager:
    Google Cloud
    List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AM-PASSWORDS-AMADMIN-CLEAR password, and delete it. For example:
    $ gcloud secrets list --uri
    $ gcloud secrets delete \
        https://secretmanager.googleapis.com/. . ./prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR
    AWS
    List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AM-PASSWORDS-AMADMIN-CLEAR password, and delete it. For example:
    $ aws secretsmanager list-secrets --region=my-region
    $ aws secretsmanager delete-secret --region=my-region \
        --force-delete-without-recovery \
        --secret-id arn:aws:secretsmanager:. . .:prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR-c3KfsL
    Azure
    Soft delete the secret that contains the AM-PASSWORDS-AMADMIN-CLEAR password from Azure Key Vault. For example:
    $ az keyvault secret delete --vault-name my-key-vault --name prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR
    Purge the soft-deleted secret from Azure Key Vault. For example:
    $ az keyvault secret purge --vault-name my-key-vault --name prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR
  - Remove the key that contains the amadmin user’s password from the am-env-secrets Kubernetes secret in the prod namespace (the secret itself stays; the operator regenerates the missing key):
    $ kubens prod
    $ kubectl patch secrets am-env-secrets --type=json \
        --patch='[{"op":"remove", "path": "/data/AM_PASSWORDS_AMADMIN_CLEAR"}]'
  - Restart AM by deleting all active AM pods: list all the pods in the prod namespace, and then delete all the pods running AM.
  - After AM comes up, run the print-secrets command again to get the current administration passwords. Verify that the amadmin user’s password has changed by comparing its previous value to its current value.
  - Verify that you can log in to the platform UI using the new password.
- Change the CTS service account’s password:
  - Change to the bin directory in your forgeops repository clone.
  - Run the print-secrets command. Note the current password for the CTS service account.
  - Delete the entry that contains this account’s password from the cloud secret manager:
    Google Cloud
    List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AM_STORES_CTS_PASSWORD password, and delete it. For example:
    $ gcloud secrets list --uri
    $ gcloud secrets delete \
        https://secretmanager.googleapis.com/. . ./prod-ds-env-secrets-AM_STORES_CTS_PASSWORD
    AWS
    List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AM_STORES_CTS_PASSWORD password, and delete it. For example:
    $ aws secretsmanager list-secrets --region=my-region
    $ aws secretsmanager delete-secret --region=my-region \
        --force-delete-without-recovery \
        --secret-id arn:aws:secretsmanager:. . .:prod-ds-env-secrets-AM_STORES_CTS_PASSWORD-1d4432
    Azure
    Soft delete the secret that contains the AM_STORES_CTS_PASSWORD password from Azure Key Vault. For example:
    $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_CTS_PASSWORD
    Purge the soft-deleted secret from Azure Key Vault. For example:
    $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_CTS_PASSWORD
  - Remove the key that contains the CTS service account’s password from the ds-env-secrets Kubernetes secret in the prod namespace:
    $ kubens prod
    $ kubectl patch secrets ds-env-secrets --type=json \
        --patch='[{"op":"remove", "path": "/data/AM_STORES_CTS_PASSWORD"}]'
  - Redeploy the platform:
    $ cd /path/to/forgeops
    $ skaffold delete --profile small; skaffold run --profile small
  - After the platform comes up, run the print-secrets command again to get the current administration passwords. Verify that the CTS service account’s password has changed by comparing its previous value to its current value.
- Change the identity repository service account’s password:
  - Change to the bin directory in your forgeops repository clone.
  - Run the print-secrets command. Note the current password for the identity repository service account.
  - Delete the entry that contains this account’s password from the cloud secret manager:
    Google Cloud
    List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the AM_STORES_USER_PASSWORD password, and delete it. For example:
    $ gcloud secrets list --uri
    $ gcloud secrets delete \
        https://secretmanager.googleapis.com/. . ./prod-ds-env-secrets-AM_STORES_USER_PASSWORD
    AWS
    List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the AM_STORES_USER_PASSWORD password, and delete it. For example:
    $ aws secretsmanager list-secrets --region=my-region
    $ aws secretsmanager delete-secret --region=my-region \
        --force-delete-without-recovery \
        --secret-id arn:aws:secretsmanager:. . .:prod-ds-env-secrets-AM_STORES_USER_PASSWORD-1d4432
    Azure
    Soft delete the secret that contains the AM_STORES_USER_PASSWORD password from Azure Key Vault. For example:
    $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_USER_PASSWORD
    Purge the soft-deleted secret from Azure Key Vault. For example:
    $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-env-secrets-AM_STORES_USER_PASSWORD
  - Remove the key that contains the identity repository service account’s password from the ds-env-secrets Kubernetes secret in the prod namespace:
    $ kubens prod
    $ kubectl patch secrets ds-env-secrets --type=json \
        --patch='[{"op":"remove", "path": "/data/AM_STORES_USER_PASSWORD"}]'
  - Redeploy the platform:
    $ cd /path/to/forgeops
    $ skaffold delete --profile small; skaffold run --profile small
  - After the platform comes up, run the print-secrets command again to get the current administration passwords. Verify that the identity repository service account’s password has changed by comparing its previous value to its current value.
- Change the DS root user’s password:
  - Change to the bin directory in your forgeops repository clone.
  - Run the print-secrets command. Note the current password for the uid=admin account.
  - Delete the entry that contains this account’s password from the cloud secret manager:
    Google Cloud
    List the secrets managed by the cloud secret manager, locate the URI for the secret that contains the dirmanager-pw password, and delete it. For example:
    $ gcloud secrets list --uri
    $ gcloud secrets delete \
        https://secretmanager.googleapis.com/. . ./prod-ds-passwords-dirmanager-pw
    AWS
    List the secrets managed by the cloud secret manager, locate the ARN for the secret that contains the dirmanager-pw password, and delete it. For example:
    $ aws secretsmanager list-secrets --region=my-region
    $ aws secretsmanager delete-secret --region=my-region \
        --force-delete-without-recovery \
        --secret-id arn:aws:secretsmanager:. . .:prod-ds-passwords-dirmanager-pw-2eeaa0
    Azure
    Soft delete the secret that contains the dirmanager-pw password from Azure Key Vault. For example:
    $ az keyvault secret delete --vault-name my-key-vault --name prod-ds-passwords-dirmanager-pw
    Purge the soft-deleted secret from Azure Key Vault. For example:
    $ az keyvault secret purge --vault-name my-key-vault --name prod-ds-passwords-dirmanager-pw
  - Remove the key that contains the DS root user’s password from the ds-passwords Kubernetes secret in the prod namespace:
    $ kubens prod
    $ kubectl patch secrets ds-passwords --type=json \
        --patch='[{"op":"remove", "path": "/data/dirmanager.pw"}]'
  - Redeploy the platform:
    $ cd /path/to/forgeops
    $ skaffold delete --profile small; skaffold run --profile small
  - After the platform comes up, run the print-secrets command again to get the current administration passwords. Verify that the password for the uid=admin account has changed by comparing its previous value to its current value.
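The four procedures above differ only in the cloud secret name, the Kubernetes secret and key, and the provider's delete commands. The shell helper below is an added example, not part of the forgeops project: it performs the two deletion steps for any of the three providers and, unless DRY_RUN=0, prints the commands instead of running them so a rotation can be reviewed offline. The defaults prod, my-region and my-key-vault are the placeholders used on this page; the go-template read in current_password is my own way of reading a password from the cluster, not forgeops tooling. The order is deliberate and follows from the operator's behaviour described earlier: delete the cloud copy before the Kubernetes key, because if the cloud copy still exists when the key disappears, the operator restores the old value from the cloud secret manager instead of generating a new one.

```shell
#!/bin/sh
# Added example (not forgeops code): one rotation helper for all four CDM
# administration passwords and all three cloud secret managers.
# Assumed values; override through the environment to match your deployment.
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands only, 0 = execute them
NAMESPACE=${NAMESPACE:-prod}
REGION=${REGION:-my-region}     # AWS only
VAULT=${VAULT:-my-key-vault}    # Azure only

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# cloud_delete PROVIDER SECRET_ID: delete the cloud copy first.  PROVIDER is gcp,
# aws or azure; SECRET_ID is the secret name (gcloud also accepts the URI and
# aws the ARN, as in the examples on this page).
cloud_delete() {
  case $1 in
    gcp)
      run gcloud secrets delete "$2" --quiet ;;
    aws)
      run aws secretsmanager delete-secret --region="$REGION" \
        --force-delete-without-recovery --secret-id "$2" ;;
    azure)
      # Key Vault soft-deletes first; if the purge is rejected because the soft
      # delete has not completed yet, rerun the purge.
      run az keyvault secret delete --vault-name "$VAULT" --name "$2"
      run az keyvault secret purge --vault-name "$VAULT" --name "$2" ;;
    *)
      echo "cloud_delete: unknown provider '$1' (use gcp, aws or azure)" >&2
      return 1 ;;
  esac
}

# rotate_admin_password PROVIDER CLOUD_SECRET_ID K8S_SECRET K8S_KEY
# Deletes the cloud copy, then removes the key from the Kubernetes secret so the
# Secret Agent operator generates a fresh value.  Restart AM or redeploy the
# platform afterwards, as the procedure for each password describes.
rotate_admin_password() {
  cloud_delete "$1" "$2" || return 1
  run kubectl -n "$NAMESPACE" patch secret "$3" --type=json \
    --patch="[{\"op\":\"remove\",\"path\":\"/data/$4\"}]"
}

# current_password K8S_SECRET K8S_KEY: read one password from the cluster (what
# print-secrets shows).  The go-template index handles keys such as dirmanager.pw
# that contain a dot.  Older macOS base64 needs -D instead of -d.
current_password() {
  kubectl -n "$NAMESPACE" get secret "$1" -o go-template="{{index .data \"$2\"}}" | base64 -d
}

# assert_rotated OLD NEW: the check each procedure ends with, as an exit status;
# fails if the new value is empty (key not regenerated) or unchanged.
assert_rotated() {
  [ -n "$2" ] && [ "$1" != "$2" ]
}

# Preview of one rotation; nothing is executed while DRY_RUN=1.
if [ "$DRY_RUN" = 1 ]; then
  rotate_admin_password gcp prod-am-env-secrets-AM-PASSWORDS-AMADMIN-CLEAR \
    am-env-secrets AM_PASSWORDS_AMADMIN_CLEAR
fi
```

A real rotation of the DS root password on Azure, with the before/after check, reads: `old=$(current_password ds-passwords dirmanager.pw)`, then `DRY_RUN=0 rotate_admin_password azure prod-ds-passwords-dirmanager-pw ds-passwords dirmanager.pw`, then redeploy with skaffold as above, then `assert_rotated "$old" "$(current_password ds-passwords dirmanager.pw)"`. Both print-secrets and current_password write passwords to your terminal, so run them in a session whose history and scrollback are not logged.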