Managing the Gateway appliance privileged (root) account
search cancel

Managing the Gateway appliance privileged (root) account

book

Article ID: 42867

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

The root user (ssgconfig) account for the CA API Gateway is used to provide complete administrative access to the host operating system (OS) of the CA API Gateway appliance. As such, access to this account should be limited and regulated, and the password maintained securely outside of the CA API Gateway appliance. This article is targeted for the most current version of the CA API Gateway. The process may differ from older revisions of the CA API Gateway appliance.

Environment

API Gateway versions 9.x, 10.x, 11.x

Cause

This is a Knowledge article describing how to change as well to reset the root account password.

Resolution

Changing the root user password if the password is known

If the root password is known but needs to be changed for administrative purposes then the following process can be executed:

  1. Connect to the CA API Gateway via a serial cable or direct console access
  2. Log in as root at the login prompt
  3. Change the password: passwd
  4. Provide the password to the prompt
  5. Confirm the password to the prompt

The password will have been changed to the confirmed credentials.

Resetting the root user password if the password is unknown 9.x

If the password is unknown then it will need to be reset in an emergency maintenance mode that bypasses the standard boot process. This requires direct console access. The process to reset the password is as follows:

  1. Connect to the CA API Gateway via a serial cable or direct console access
  2. Restart the CA API Gateway appliance
  3. Access the GRUB menu by pressing space-bar when the following prompt is visible:   (NOTE make sure the control is in the terminal screen before hitting space (click in screen)) 
    Press any key to enter the menu. Booting Layer 7 SSG
  4. Press P to provide a GRUB password. The default is 7layer.
  5. Press E to edit the boot parameters and select the kernel line
  6. Press E to edit the kernel parameters.
  7. Press left row key to display the specific parameter to look for 
  8. Depending on what you see on the screen, replace:
    LANG=en_US.UTF-8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 init=/bin/bash

    --OR--

    Replace:
    LANG=en_US.UTF-8 rhgb quiet console=tty0 console=ttyS0,9600n8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 init=/bin/bash
     
  9. Press Enter to save the changes
  10. Press B to boot the system with the specified parameters
  11. Mount the root file system with the following command: mount -o remount,rw /
  12. Change the root user password with the following command and follow the prompts: passwd
  13. Re-mount the root file system with the following command: mount -o remount,ro /
  14. Save the changes and restart the appliance: sync; reboot -f

The password for the root account will now be set to the value specified in step 12 above. Subsequent authentication attempts will require this new password after the system is restarted.

Resetting the root user password if the password is unknown 10.x 

1. Connect to the CA API Gateway via a serial cable or direct console access

2. Restart the CA API Gateway appliance

3. Access the GRUB  by pressing 'e'  when the following screen is visible:

CentOS Linux (3.10.0-1062.12.1.el7.x86_64) 7 (Core)

Use the  up and down arrow keys to change the selection.

Press ‘e’ to edit the selected item, or ‘c’ for a command prompt

4. Position the cursor at the Kernel Line

The line which starts with :  linux16 /vmlinuz-3.10.. 

with the right arrow key move until the end of this line to replace the following : LANG=en_US.UTF-8

5. Depending on what you see on the screen, replace:
LANG=en_US.UTF-8 audit=1
with:
LANG=en_US.UTF-8 audit=1 init=/bin/bash

--OR--

Replace:
LANG=en_US.UTF-8 rhgb quiet console=tty0 console=ttyS0,9600n8 audit=1
with:
LANG=en_US.UTF-8 audit=1 init=/bin/bash

6. Press Ctrl-x to Start and save the changes , it will be showed a “bash-4.2#” prompt to continue the procedure

7. Mount the root file system with the following command: mount -o remount,rw /

8. Change the root user password with the following command and follow the prompts: passwd

9. Re-mount the root file system with the following command: mount -o remount,ro /

10. Save the changes and restart the appliance: sync;

11. type exit and the server will start to reboot in 10 seconds

The password for the root account will now be set to the value specified in step 8 above. Subsequent authentication attempts will require this new password after the system is restarted.

Resetting the root user password if the password is unknown 11.x 

1. Connect to the CA API Gateway via a serial cable or direct console access

2. Restart the CA API Gateway appliance

3. Access the GRUB  by pressing 'e'  when the following screen is visible:

Debian GNU/Linux with linux 5.10.0-20-amd64

Use the  up and down arrow keys to change the selection.

Press ‘e’ to edit the selected item, or ‘c’ for a command prompt

4. Position the cursor at the Kernel Line

The line which starts with :  linux /vmlinuz-5.10.. 

with the right arrow key move until the end of this line:

5. Depending on what you see on the screen, replace:
/vmlinuz-5.10.0-20-amd64 root=dev/mapper/vg01-lvroot ro quiet
with:
/vmlinuz-5.10.0-20-amd64 root=dev/mapper/vg01-lvroot ro quiet init=/bin/bash

6. Press Ctrl-x to Start and save the changes , it will be showed a “bash-4.2#” prompt to continue the procedure

7. Mount the root file system with the following command: mount -o remount,rw /

8. Change the root user password with the following command and follow the prompts: passwd

9. Re-mount the root file system with the following command: mount -o remount,ro /

10. Save the changes and restart the appliance: reboot -f

The password for the root account will now be set to the value specified in step 8 above. Subsequent authentication attempts will require this new password after the system is restarted.

 

Unlocking the account

If the root password is unknown and the account is locked due to too many failed authentication attempts then the following error message may appear: Account locked due to 5 failed logins. If this error occurs then the root account will need to be unlocked. By default, the root account will unlock after 20 minutes of inactivity. The simplest method of unlocking the root account is to not attempt to access it for a period of 20 minutes.

If it is necessary to immediately unlock the root account then the following procedure can be executed:

  1. Connect to the CA API Gateway via a serial cable or direct console access
  2. Restart the CA API Gateway appliance
  3. Access the GRUB menu by pressing space-bar when the following prompt is visible:
    Press any key to enter the menu. Booting Layer 7 SSG
  4. Press P to provide a GRUB password. The default is 7layer.
  5. Press E to edit the boot parameters and select the kernel line
  6. Press E to edit the kernel parameters.
  7. Depending on what you see on the screen, replace:
    LANG=en_US.UTF-8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 single

    --OR--

    Replace:
    LANG=en_US.UTF-8 rhgb quiet console=tty0 console=ttyS0,9600n8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 single
     
  8. Press Enter to save the changes
  9. Press B to boot the system with the specified parameters  ( Make sure to logon with the root account password during the boot,  do not use ctrl-d to skip this otherwise the unlock does not work )
  10. Reset the root user tally counters: /sbin/pam_tally2 --reset --user root
  11. If above command does not work as expected , to flush or clear the unsuccessful login attempts, can be used the command :  faillock --user root --reset
  12. Restart the appliance: reboot

The root user will be immediately available as long as a valid root user password is provided.

Additional Information

The CA API Gateway product documentation has additional troubleshooting steps for other default user accounts such as ssgconfig and the MySQL root user account (which is different from the OS-level root user account).