
FusionStorage V100R006C20 Object Storage Service Security Maintenance 03


Account Details

This section describes information about all accounts used in the Object Storage Service.

Operating System Account root

Default password: Root@storage

Description: Log in to the operating system as user root for system maintenance.

Password change method:

  • Log in to DeviceManager as super administrator, choose Settings > Cluster Settings > Cluster Node Settings, select the nodes whose passwords you want to change, and click Change Password of User Root.
  • CLI command method:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u admin to log in to the CLI.
    3. Run change system root_password and set the password as prompted.

Password rule:

A password must be 8 to 16 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards.

NOTE:
Modifying the file /etc/pam.d/common-password may disable the password complexity policy. This operation poses security risks, so you are advised not to perform it.

How to delete/deactivate:

This account is an administrator account and cannot be deleted.

Lock account policy:

The account is locked after the wrong password is entered three times. It is unlocked automatically after five minutes.

Manually unlock the account as follows:

  1. Locally log in to the node as root. Use the KVM to log in to the storage node.
  2. Run pam_tally2 --user root --reset

Operating System Account omuser

Default password: Omuser@storage

Description: Use SSH to remotely log in to the system as user omuser for routine maintenance.

Password change method:

  • Log in to DeviceManager as user admin.
    1. Choose Settings > Permission Settings > User Management, select omuser, and click Modify.
    2. Click Initialize password, input the super administrator password, new password, and confirm password.
  • Log in to DeviceManager as user omuser.
    1. Choose Settings > Permission Settings > User Management, select omuser, and click Modify.
    2. Input the old password and set the new password.
  • Log in to CLI with admin:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u admin to log in to the CLI.
    3. Run show system user general to query the ID of user omuser.
    4. Run change system user initial_password id. Enter the password of the super administrator and a new password, and enter the new password again.

      id is the ID of user omuser.

  • Log in to CLI with omuser:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u omuser to log in to the CLI.
    3. Run change system user password and enter the old password and new password as prompted.
NOTE:

If the Toolkit is used, each time you change the password you must log in to the Toolkit and update the password of the added device.

When you change the password of operating system account omuser, the password of DeviceManager and CLI account omuser changes automatically.
  • When the password of operating system account omuser has expired, several methods can be used to change it. You are advised to change the password using DeviceManager or the CLI rather than SSH. Otherwise, the changed password will not be synchronized to account omuser of DeviceManager and the CLI.
  • If you have changed the password using SSH, change the password again using DeviceManager or the CLI so that the changed password is synchronized to the other accounts.

The validity period of the password of omuser is 90 days. Change the password periodically.

Password rule:

By default, a password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any of the last five passwords used. No character may occur more than three times consecutively in a password.
NOTE:
To set the minimum length, maximum length, character type, the maximum number of times that a character can occur consecutively in a password, and the number of historical passwords, choose Settings > Permission Settings > Security Policies.
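
The default rule above can be checked before a new password is typed into DeviceManager or the CLI. The following Python code is an added example, not Huawei code; the profile names, the function names and the definition of "special character" (space or ASCII punctuation) are assumptions, and the user name comparison is assumed to be case-sensitive.

```python
import string

# Assumption: "special characters" means space or any ASCII punctuation. The page
# gives an explicit character list only for the iBMC account.
SPECIAL = set(string.punctuation) | {" "}

# Limits per account group, taken from the password rules on this page.
# The profile names are labels made up for this example.
PROFILES = {
    # omuser, obsbilling, admin (after deployment), securityAdmin
    "default": {"max_len": 32, "max_run": 3, "history_depth": 5},
    "os_root": {"max_len": 16, "max_run": None, "history_depth": 0},
    "omsftp": {"max_len": 32, "max_run": None, "history_depth": 0},
    "ibmc_root": {"max_len": 20, "max_run": None, "history_depth": 0},
}


def longest_run(text):
    """Length of the longest run of one repeated character (case-sensitive)."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(user, candidate, profile="default", history=()):
    """Return the list of violated rules; an empty list means the candidate passes.

    history holds earlier passwords, oldest first, and is only consulted for
    profiles with a non-zero history depth.
    """
    rules = PROFILES[profile]
    problems = []
    if not 8 <= len(candidate) <= rules["max_len"]:
        problems.append("length")
    if not any(ch in SPECIAL for ch in candidate):
        problems.append("special")
    classes = sum((
        any(ch in string.ascii_lowercase for ch in candidate),
        any(ch in string.ascii_uppercase for ch in candidate),
        any(ch in string.digits for ch in candidate),
    ))
    if classes < 2:
        problems.append("character types")
    if candidate in (user, user[::-1]):
        problems.append("user name")
    if rules["max_run"] is not None and longest_run(candidate) > rules["max_run"]:
        problems.append("repeated character")
    depth = rules["history_depth"]
    if depth and candidate in list(history)[-depth:]:
        problems.append("history")
    return problems
```

The default passwords listed on this page all satisfy these rules, so a passing result does not show that a default has been changed.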

How to delete/deactivate:

NOTE:
If the account is deleted, you cannot log in to the system using SSH or inspect the system correctly. Do not perform this operation.

You can log in to the Linux operating system and run the userdel command to delete the account.

Lock account policy:

The account is locked after the wrong password is entered three times. It is unlocked automatically after five minutes.

Manually unlock the account as follows:

  1. Locally log in to the node as root. Use the KVM to log in to the storage node.
  2. Run pam_tally2 --user omuser --reset

Operating System Account obsbilling

Default password: OBSCharging8800!

Description: Billing account of the object storage service, used to communicate with the billing center.

Password change method:
NOTE:

The password can be modified through DeviceManager only when the object storage service (Amazon S3 interface compatible) is deployed, but it can be modified through the CLI when the distributed file system service, the object storage service (Amazon S3 interface compatible) and the object storage service (compatible with the OpenStack Swift interface) are deployed.

  • Log in to DeviceManager as user admin.
    1. Choose Settings > Storage Settings > Object Storage Service > Billing Service Settings.
    2. Click Initialize Password to enter the new password and confirm password.
  • Log in to DeviceManager as an administrator or resource administrator.
    1. Choose Settings > Storage Settings > Object Storage Service > Billing Service Settings.
    2. Click Modify to enter the old password, new password and confirm password.
  • CLI method:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser, administrator or resource administrator.
    2. Run cli_start -u admin to log in to the CLI.
    3. Run a command to change the password:
      • Run change object_storage_compatible_s3_billing initial_password, and enter the super administrator's password, new password and confirm password.
      • Run change object_storage_compatible_s3_billing password, and enter the old password, new password and confirm password.
NOTE:
  • The validity period of the password of obsbilling is 30 days. Change the password periodically.
  • If you forget the password of obsbilling account, you can reset it by using the DeviceManager super administrator account.

Password rule:

By default, a password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any of the last five passwords used. No character may occur more than three times consecutively in a password.
NOTE:
To set the minimum length, maximum length, character type, the maximum number of times that a character can occur consecutively in a password, and the number of historical passwords, choose Settings > Permission Settings > Security Policies.

How to delete/deactivate:

NOTE:
If the account is deleted, you cannot connect to the account server. Do not perform this operation.

You can log in to the Linux operating system and run the userdel command to delete the account.

Lock account policy:

The account is locked after the wrong password is entered more than three times. It is unlocked automatically after five minutes.

Manually unlock the account as follows:

  1. Locally log in to the node as root. Use the KVM to log in to the storage node.
  2. Run pam_tally2 --user obsbilling --reset

SFTP Account omsftp

Default password: Omsftp@Storage

Description: SFTP is used to:
  • Export event and quota information from the DeviceManager.
  • Import a license file using a CLI command.

Password change method:

  1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
  2. Run cli_start -u admin to log in to the CLI.
  3. Run change sftpuser information ro omsftp and enter a password as prompted.
NOTE:
The validity period of the password of omsftp is 365 days. Change the password periodically.

Password rule:

A password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards.

NOTE:
To configure the minimum password length, log in to DeviceManager and choose Settings > Permission Settings > Security Policies.

How to delete/deactivate:

NOTE:
If the account is deleted, SFTP-related functions will not work correctly. Do not perform this operation.

You can log in to the Linux operating system and run the userdel command to delete the account.

Lock account policy:

The account is locked after the wrong password is entered three times. It is unlocked automatically after five minutes.

Manually unlock the account as follows:

  1. Locally log in to the node as root. Use the KVM to log in to the storage node.
  2. Run pam_tally2 --user omsftp --reset

Operation & Maintenance Tool Account admin

Default password: Admin@storage

Description: Use the default account to log in to the system and implement deployment. After the deployment is complete, log in to the system as the super administrator to expand and upgrade the system.

NOTE:

After the deployment is complete, this account is the same as DeviceManager and CLI account admin. After changing the password, you need to log in to Operation & Maintenance Tool, DeviceManager, and CLI with the new password.

After the deployment is complete, the Operation & Maintenance Tool service is closed.

Password change method:

After logging in to the system, click Change Password in the upper right corner of the main window.

NOTE:

This method is applicable to the deployment phase only. After the deployment is complete, the method of changing the password is the same as that on the DeviceManager and CLI.

A password changed by this method takes effect only during the deployment phase. After the deployment is complete, the password is reset to Admin@storage.

Password rule:

  • Before the deployment is complete: A password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards. It cannot be the same as the current password.
  • After the deployment is complete: A password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any of the last five passwords used. No character may occur more than three times consecutively in a password.
    NOTE:
    To set the minimum length, maximum length, character type, the maximum number of times that a character can occur consecutively in a password, and the number of historical passwords, choose Settings > Permission Settings > Security Policies.

How to delete/deactivate:

This account is a default account and cannot be deleted.

Lock account policy:

  • Before the deployment is complete: the account is locked after the wrong password is entered three times. It is unlocked automatically after 30 minutes. The account cannot be unlocked manually.
  • After the deployment is complete: by default, the account is locked after the wrong password is entered more than three times. It is unlocked automatically after 15 minutes. The account cannot be unlocked manually.

    To configure the number of wrong password attempts and the automatic unlock time, log in to DeviceManager and choose Settings > Permission Settings > Security Policies.

DeviceManager and CLI Account admin

Default password: Admin@storage

Description: Log in to DeviceManager or CLI using the admin account to manage Storage Cluster.

NOTE:
DeviceManager and the CLI share the same admin account. After changing the password, you need to log in to DeviceManager and the CLI with the new password.

Password change method:

  • After logging in to DeviceManager, choose Settings > Permission Settings > User Management, select admin, and click Modify.
  • CLI command method:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u admin to log in to the CLI.
    3. Run change system user password and enter the old password and new password as prompted.

Password rule:

By default, a password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any of the last five passwords used. No character may occur more than three times consecutively in a password.
NOTE:
To set the minimum length, maximum length, character type, the maximum number of times that a character can occur consecutively in a password, and the number of historical passwords, choose Settings > Permission Settings > Security Policies.

How to delete/deactivate:

This account is an administrator account and cannot be deleted.

Lock account policy:

By default, the account is locked after the wrong password is entered more than three times. It is unlocked automatically after 15 minutes. The account cannot be unlocked manually.

To configure the number of wrong password attempts and the automatic unlock time, log in to DeviceManager and choose Settings > Permission Settings > Security Policies.

DeviceManager and CLI Account omuser

Default password: Omuser@storage

Description: Log in to DeviceManager or CLI using the omuser account to manage Storage Cluster.

NOTE:

DeviceManager and the CLI share the same omuser account. Changing the password of omuser through DeviceManager or the CLI automatically changes the password of operating system account omuser.

Password change method:

  • Log in to DeviceManager as user admin.
    1. Choose Settings > Permission Settings > User Management, select omuser, and click Modify.
    2. Click Initialize password, input the super administrator password, new password, and confirm password.
  • Log in to DeviceManager as user omuser.
    1. Choose Settings > Permission Settings > User Management, select omuser, and click Modify.
    2. Input the old password and set the new password.
  • Log in to CLI with admin:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u admin to log in to the CLI.
    3. Run show system user general to query the ID of user omuser.
    4. Run change system user initial_password id. Enter the password of the super administrator and a new password, and enter the new password again.

      id is the ID of user omuser.

  • Log in to CLI with omuser:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u omuser to log in to the CLI.
    3. Run change system user password and enter the old password and new password as prompted.
NOTE:

Each time you change the password, you must log in to the Toolkit and update the password of the added device.

Password rule:

By default, a password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any of the last five passwords used. No character may occur more than three times consecutively in a password.
NOTE:
To set the minimum length, maximum length, character type, the maximum number of times that a character can occur consecutively in a password, and the number of historical passwords, choose Settings > Permission Settings > Security Policies.

How to delete/deactivate:

This account is a default account and cannot be deleted.

Lock account policy:

By default, the account is locked after the wrong password is entered more than three times. It is unlocked automatically after 15 minutes.

To configure the number of wrong password attempts and the automatic unlock time, log in to DeviceManager and choose Settings > Permission Settings > Security Policies.

To unlock the account manually, log in to DeviceManager or the CLI as user admin.

DeviceManager and CLI Account securityAdmin

NOTE:
This account exists only when data encryption is enabled during system deployment.

Default password: securityAdmin@storage

Description: Data encryption administrator that can manage key files, including regenerating, backing up, and recovering key files.

Password change method:

  • Log in to DeviceManager with securityAdmin, choose Settings > Permission Settings > User Management, select securityAdmin, and click Modify.
  • CLI command method:
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u securityAdmin to log in to the CLI.
    3. Run change system user password and enter a password as prompted.

Password rule:

By default, a password must be 8 to 32 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any of the last five passwords used. No character may occur more than three times consecutively in a password.
NOTE:
To set the minimum length, maximum length, character type, the maximum number of times that a character can occur consecutively in a password, and the number of historical passwords, choose Settings > Permission Settings > Security Policies.

How to delete/deactivate:

This account is a default account and cannot be deleted.

Lock account policy:

The account is locked after the wrong password is entered more than three times. It is unlocked automatically after 15 minutes. The account cannot be unlocked manually.

To configure the number of wrong password attempts, log in to DeviceManager and choose Settings > Permission Settings > Security Policies.

iBMC Account root

Default password: Huawei12#$

Description: Manage and maintain the node device.

Password change method:

  • On the CLI, use the specific command to change the password of the iBMC user for all nodes.
    1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
    2. Run cli_start -u admin to log in to the CLI.
    3. Run change system ipmi_password root to set the password as prompted.
    NOTE:

    When you use the CLI command to set the password of the iBMC user, the "-" symbol cannot be used as the first character of the new password.

  • Enter the BIOS and change the password of the iBMC user for a single node.
    1. Press Delete to go to the BIOS interface when the system is starting up.
    2. Enter the BIOS password as prompted.
    3. On the Advanced screen, choose IPMI iBMC Configuration > iBMC Configuration > Reset iBMC User Password.

Password rule:

  • Must contain 8 to 20 characters.
  • Must contain at least one space or one of the following special characters:

    `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

  • Must contain at least two types of the following characters:
    • Letters: a to z
    • Letters: A to Z
    • Digits: 0 to 9
  • Must not be the user name or the user name in reverse order.

How to delete/deactivate:

You can log in to the Linux operating system and run the ipmitool user set name 2 '' command to delete the account.

Lock account policy:

The account is locked after the wrong password is entered more than five times. It is unlocked automatically after five minutes. The account cannot be unlocked manually.

To configure the number of wrong password attempts, log in to the iBMC webUI and choose Config > Security Enhance.

BIOS Account

Default password: Huawei12#$

Description: Basic input/output system on the node device that provides hardware setting and control functions.

Password change method:

  • Do not use F9 to restore the BIOS default settings.
  • Do not enable the NUMA function in the BIOS.
  1. Press ESC to go to the BIOS interface when the system is starting up.
  2. Choose SCU and enter the current password.
  3. On the Security screen, choose Set Supervisor password.

Password rule:

A password must be 8 to 16 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits.

How to delete/deactivate:

Cannot be deleted.

Lock account policy:

The BIOS is locked after the wrong password is entered three times. Restart the system to reset the lock.

GRUB Account

Default password: Huawei@123#

Description: A manager for starting multiple operating systems.

Password change method:

  1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
  2. Run su - root and enter the password of user root to switch to user root.
  3. Run grub-crypt, enter a new password, and then enter the new password again.

    After the new password is set, a check value of the password is generated.

  4. Record the check value.
  5. Run vi /boot/grub/menu.lst.
  6. Press I to go to the editing mode.
  7. Locate the password --encrypted option and replace the check value of the original password with the recorded one.
  8. Press Esc and enter :wq!.
NOTE:
The new password will take effect at the next startup.
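
Steps 5 to 8 can also be carried out without hand-editing in vi. The following Python code is an added example, not part of the product documentation; it assumes the check value printed by grub-crypt is a crypt(3)-style string ($id$salt$digest), and the function names and the sample file content are constructed for illustration.

```python
import re

# Assumption: a check value is a crypt(3)-style string, $id$salt$digest, with
# id 1 (MD5), 5 (SHA-256) or 6 (SHA-512).
CHECK_VALUE = re.compile(r"^\$(?:1|5|6)\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]+$")
# Captures the text before the value, the value itself, and anything after it.
ENCRYPTED_LINE = re.compile(r"^(\s*password\s+--encrypted\s+)(\S+)(.*)$")


def check_values(menu_text):
    """Return the check values found on 'password --encrypted' lines."""
    found = []
    for line in menu_text.splitlines():
        match = ENCRYPTED_LINE.match(line)
        if match:
            found.append(match.group(2))
    return found


def replace_check_value(menu_text, new_value):
    """Replace the value on every 'password --encrypted' line.

    Returns (new_text, number_of_lines_changed). Raises ValueError instead of
    returning a modified file when the new value looks truncated or when the
    file has no 'password --encrypted' line to update.
    """
    if not CHECK_VALUE.match(new_value):
        raise ValueError("new value is not a complete crypt-style check value")
    lines, changed = [], 0
    for line in menu_text.splitlines():
        match = ENCRYPTED_LINE.match(line)
        if match:
            line = match.group(1) + new_value + match.group(3)
            changed += 1
        lines.append(line)
    if changed == 0:
        raise ValueError("no 'password --encrypted' line found")
    return "\n".join(lines) + "\n", changed


# Constructed sample content, not taken from a real node.
OLD_VALUE = "$6$oldsalt$" + "x" * 86
SAMPLE_MENU = (
    "default 0\n"
    "timeout 8\n"
    "password --encrypted " + OLD_VALUE + "\n"
    "title Linux\n"
    "    root (hd0,0)\n"
)

if __name__ == "__main__":
    new_value = "$6$newsaltvalue$" + "A" * 86  # constructed, not a real hash
    updated, count = replace_check_value(SAMPLE_MENU, new_value)
    print(count, check_values(updated) == [new_value])
```

On a node, read /boot/grub/menu.lst into a string as root, keep a backup copy, and write the returned text back only when no exception was raised.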

Password rule:

The system does not verify password complexity. For security purposes, however, you are advised to set a complex password that follows this rule: a password should be at least 8 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits.

How to delete/deactivate:

Cannot be deleted.

Lock account policy:

Cannot be locked.

Cloud_upf Database Account gaussdba

Default password: gauss@1234

Description: Man-machine account of the database. The database stores information about accounts and users of the object storage service.

Password change method:

  1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
  2. Run cli_start -u admin to log in to the CLI.
  3. Run change system gaussdb_password poe_gaussdba and enter a password as prompted.

Password rule:

A password must be 8 to 16 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any password used during the last 60 days.

How to delete/deactivate:

This account is a default account and cannot be deleted.

Lock account policy:

Locking the account is not available.

Cloud_mdc Database Account gaussdba

Default password: gauss@1234

Description: Man-machine account of the database. The database stores information about accounts and users of the object storage service.

Password change method:

  1. Use SSH to log in remotely to the management storage node (marked with Storage Cluster management IP address) as user omuser.
  2. Run cli_start -u admin to log in to the CLI.
  3. Run change system gaussdb_password mdc_gaussdba and enter a password as prompted.

Password rule:

A password must be 8 to 16 characters long and contain special characters and at least two of the following character types: lowercase letters, uppercase letters, and digits. It cannot be the same as the user name or the user name typed backwards, and cannot be the same as any password used during the last 60 days.

How to delete/deactivate:

This account is a default account and cannot be deleted.

Lock account policy:

Locking the account is not available.

Updated: 2019-02-01

Document ID: EDOC1100016657
