Subscribe

Scripted password change

We have 20+ cmode clusters spread across the Enterprise.  Has anyone came up with a way to change admin passwords using some form of scripting.  On 7mode we used to used DFM to coordiate the password change across the globe.  However with Cmode we have not come up with a way to change the passwords easily without connecting to each machine.  

 

Our requirements are:

 

Must be auditable, we must provide proof of password change success (We use command log)

we are talking the cluster admin, not vserver admin

We do the change every 30 days.

We run it on 20+ clusters.

 

The entire environment is Cmode Ontap 8.3.

 

Throwing this out here so I dont have to recreate the wheel.

Re: Scripted password change

Since we don't have that many clusters, we still do ours by hand, so, in that sense, I have nothing to help you with here (You're welcome!) other than to say I'd probably write something in `expect` to do it.

 

Though, for the paranoia level of 'every 30 days' demonstrates, there's probably a lot of changes you'd want to do.

* change admin's password

* audit the allowed keys against an external key repo

* change diag's password

* change DFM/oncommand's password

* change VSC's password (if applicable)

* change the cluster switch passwords

Re: Scripted password change

Via powershell or WFA ...

 

every 30 days is kind of crazy...I assume you only mean the admin account