34 Posts
0
20387
Avamar Default passwords 7.5.1
Hi,
I am on Avamar 7.5.1 and my security team found a default password on the dtlt and I thought they had all be changed by my predecessors as this system is 5 years old.
However, they found a default password for Root. I was confused as I know that the password for Root has been changed as I came across a document stating that the default password is changeme and that is not what I use. I have since learned that there is another root account on the system and I need to get it changed, but the Admin guide makes me more confused on how to make this change that it does clearing the issue up.
What are the 2 root accounts defined as and how do I change the one and not the other account password?
After changing the password in Avamar, where else does that password need to be changed and how do I do that? (such as in DataDomain or the Proxies?)
Thank you for helping me with this "inherited" system.
-Mike
ionthegeek
2K Posts
0
July 24th, 2018 11:00
The two root passwords on an Avamar system are the OS root password (default: changeme) and what's called the DPN root password (default: 8RttoTriz) which is the application's superuser password.
To change either of these passwords, use the change-passwords utility on the utility node. You will be prompted about which passwords you wish to change.
Assuming the system has been configured according to best practice, you shouldn't need to make further changes following the password change.
PastorMike1
34 Posts
0
July 24th, 2018 12:00
Hi Ian,
I have "inherited" this system, so I start by assuming that it is NOT configured to best practice as I have found that since my company has SO many security checks and restrictions it was set up to work in this environment and not an ideal world. I have also learned that when it was set up there were tasks that were supposed to be done by my predecessors but instead of completing them they said good enough and left them to be discovered later.
With that said, what other changes should I anticipate needing to make once the password has been changed on the utility node for the DPN root account? I found an old Avamar 6 discussion that said the proxies would need to be updated, is that still true? If so, how
as I found several ways to do it, but did not know if that would still work in Avamar 7.5.1.
Thank you,
-Mike
ionthegeek
2K Posts
1
July 25th, 2018 08:00
The only thing that might break that I can think of off the top of my head would be replication. In very, very old Avamar releases (5.x and older), the root account was used for replication but this hasn't been the case for a long time.
The VMware Image proxy implementation has changed dramatically since 6.x. We no longer store credentials locally on the proxies.
PastorMike1
34 Posts
0
July 25th, 2018 13:00
One more question I hope is quick...
In the logs I see Root with Product of MCS and Root with Product of SCC, which is which? Which one is OS and which is DPN?
Thank you,
-Mike
PastorMike1
34 Posts
0
July 25th, 2018 14:00
Speaking of Replication, do I need to change the password on each system, or changing it on one does that replicate to the other system?
Thank you,
-Mike
ionthegeek
2K Posts
1
July 26th, 2018 10:00
In which logs, sorry? If the product is "MCS", that's going to be the DPN root password but I'd need more context to tell you what SCC might mean.
You will have to change the password on each system independently. Replication does not replicate password changes*.
* Except if these systems are configured for root-to-root replication which they are almost certainly not. If you can log into the GUI on the replication target, you are not doing root-to-root.
PastorMike1
34 Posts
0
July 26th, 2018 10:00
Hi Ian,
I am looking in the Audit Logs, that is where I am seeing root as the user and the product is either MCS or SCC.
The SCC product is usually in conjunction with Operation = Edit, Summary = Client was Updated and domain is /clients/proxy. I am taking a wild guess this is a VM backup where the snapshot is attached to the proxy for the backup?
Thank you!
-Mike