Managing the Gateway appliance privileged (root) account

Document ID : KB000042867
Last Modified Date : 18/10/2018
Introduction:

The root user account for the CA API Gateway is used to provide complete administrative access to the host operating system (OS) of the CA API Gateway appliance. As such, access to this account should be limited and regulated, and the password maintained securely outside of the CA API Gateway appliance. 

Environment:

This article is targeted for the most current version of the CA API Gateway. The process may differ from older revisions of the CA API Gateway appliance.

Instructions:

Changing the root user password if the password is known

If the root password is known but needs to be changed for administrative purposes, use the following process:

  1. Connect to the CA API Gateway via a serial cable or direct console access
  2. Log in as root at the login prompt
  3. Change the password: passwd
  4. Provide the password to the prompt
  5. Confirm the password to the prompt

The password will have been changed to the confirmed credentials.

Resetting the root user password if the password is unknown

If the password is unknown then it will need to be reset in an emergency maintenance mode that bypasses the standard boot process. This requires direct console access. The process to reset the password is as follows:

  1. Connect to the CA API Gateway via a serial cable or direct console access
  2. Restart the CA API Gateway appliance
  3. Access the GRUB menu by pressing space-bar when the following prompt is visible:
    Press any key to enter the menu. Booting Layer 7 SSG
  4. Press P to provide a GRUB password. The default is 7layer.
  5. Press E to edit the boot parameters and select the kernel line
  6. Press E to edit the kernel parameters.
  7. Depending on what you see on the screen, replace:
    LANG=en_US.UTF-8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 init=/bin/bash

    --OR--

    Replace:
    LANG=en_US.UTF-8 rhgb quiet console=tty0 console=ttyS0,9600n8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 init=/bin/bash
     
  8. Press Enter to save the changes
  9. Press B to boot the system with the specified parameters
  10. Mount the root file system with the following command: mount -o remount,rw /
  11. Change the root user password with the following command and follow the prompts: passwd
  12. Re-mount the root file system with the following command: mount -o remount,ro /
  13. Save the changes and restart the appliance: sync; reboot -f

The password for the root account will now be set to the value specified in step 11 above. Subsequent authentication attempts will require this new password after the system is restarted.

Unlocking the account

If the root password is unknown and the account is locked due to too many failed authentication attempts, the following error message may appear: "Account locked due to 5 failed logins". If this error occurs, the root account will need to be unlocked. By default, the root account will unlock after 20 minutes of inactivity. The simplest method of unlocking the root account is to not attempt to access it for a period of 20 minutes.

If it is necessary to immediately unlock the root account then the following procedure can be executed:

  1. Connect to the CA API Gateway via a serial cable or direct console access
  2. Restart the CA API Gateway appliance
  3. Access the GRUB menu by pressing space-bar when the following prompt is visible:
    Press any key to enter the menu. Booting Layer 7 SSG
  4. Press P to provide a GRUB password. The default is 7layer.
  5. Press E to edit the boot parameters and select the kernel line
  6. Press E to edit the kernel parameters.
  7. Depending on what you see on the screen, replace:
    LANG=en_US.UTF-8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 single

    --OR--

    Replace:
    LANG=en_US.UTF-8 rhgb quiet console=tty0 console=ttyS0,9600n8 audit=1
    with:
    LANG=en_US.UTF-8 audit=1 single
     
  8. Press Enter to save the changes
  9. Press B to boot the system with the specified parameters
  10. Reset the root user tally counters: /sbin/pam_tally2 --reset --user root
  11. Restart the appliance: reboot

The root user will be immediately available as long as a valid root user password is provided.
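The reset in step 10 clears the failure counter along with the time and origin of the last failed login, so it is worth recording them first. The following is an added example, not part of the original article or the product: a hypothetical helper, `lockout_status`, that reads the output of `/sbin/pam_tally2 --user root` and applies the thresholds stated above (5 failures, 20 minutes). It assumes GNU `date`, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: interpret `pam_tally2 --user root` output against the
# thresholds this article states. Assumes GNU date, which can parse the
# "MM/DD/YY HH:MM:SS" timestamp that pam_tally2 prints in local time.

DENY=5            # failed logins that lock the account (from the article)
UNLOCK_SECS=1200  # automatic unlock after 20 minutes (from the article)

# lockout_status NOW_EPOCH   (pam_tally2 output is read from stdin)
# Prints one of:
#   "<user> unlocked"                 counter is below the lock threshold
#   "<user> locked <secs_left> <from>" still inside the 20-minute window
#   "<user> expired"                  counter >= DENY but the window has passed
lockout_status() {
    now=$1
    # Skip the header line and take the first data row.
    row=$(awk 'NR > 1 && NF >= 2 { print; exit }')
    [ -n "$row" ] || { echo "no-data"; return 0; }
    # Row layout: login, failures, date, time, origin.
    set -- $row
    user=$1; fails=$2; day=${3:-}; clock=${4:-}; from=${5:-unknown}

    if [ "$fails" -lt "$DENY" ]; then
        echo "$user unlocked"
        return 0
    fi
    last=$(date -d "$day $clock" +%s) || return 1
    remaining=$(( last + UNLOCK_SECS - now ))
    if [ "$remaining" -gt 0 ]; then
        echo "$user locked $remaining $from"
    else
        echo "$user expired"
    fi
}

# Constructed sample of pam_tally2 output (not captured from a real appliance).
SAMPLE='Login           Failures Latest failure     From
root                5    10/18/18 12:00:00  tty1'

# Five minutes after the last failure, 900 seconds of lockout remain.
printf '%s\n' "$SAMPLE" | lockout_status "$(date -d '10/18/18 12:05:00' +%s)"
```

On the appliance, the equivalent call is `/sbin/pam_tally2 --user root | lockout_status "$(date +%s)"`; keep the printed line with the change record before running the `--reset` command.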

Additional Information:

The CA API Gateway product documentation has additional troubleshooting steps for other default user accounts such as ssgconfig and the MySQL root user account (which is different from the OS-level root user account).
