What happens if your administrator secrets are automatically rotated (or somehow lost) and you are no longer able to access /appliance or /login with admin credentials?
Just to be clear, I am not currently in this situation.
Solved
Lost Admin Credentials
Best answer by PhillC
mjhall wrote:
Got it. So potentially not the end of the world since support can get things reset.
I do not have anything set for autorotation, but computers are computers and people are people so I’m just preparing for the worst-case scenario if for some reason the software storing our account does rotate it (either via “automation” or a security admin’s unintentionally doing it).
Under /appliance > Security > Appliance Administration there is a “Reset Admin Account” button. Does this reset the default /login account? Or do we need to contact support whether we lose admin access to either /login or /appliance?
Hello Mjhall - the /appliance reset is to allow you to reset the local /login ‘admin’ account. At the very least, we would strongly suggest you to keep the /appliance admin account out of any password rotating systems.
Please note, if you are Azure hosting your appliance, the loss of both interface passwords will require an appliance rebuild as the Support password reset system requires the use of the Appliance CLI, on the appliance itself. Azure does not currently allow for interactive use of this interface.
That is one of those not to do situations. I don’t think even BT can help in that situation, it kind of defeats the purpose of it.
I would suggest employing “break the glass” local administrator accounts for your systems. Their username can be whatever, but their password should be a long randomly generated string of acceptable characters. Put those credential in an actual safe, or in a password management tool (e.g. bitwarden), and only shared in documented cases.
The admin accounts are stored in a separate vault that only specific individuals have access to and are long randomly generated passwords. The concern is that this vault automatically rotates the password, and I am SOL.
We do state to contact us if you manage to completely lock yourself out of the appliance, however the note about auto-rotated btadmin for /appliance falls under the “no, nonono, please no” category of account management. Having it in a physical safe with restricted access is a disaster recovery solutoin.
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021131
Got it. So potentially not the end of the world since support can get things reset.
I do not have anything set for autorotation, but computers are computers and people are people so I’m just preparing for the worst-case scenario if for some reason the software storing our account does rotate it (either via “automation” or a security admin’s unintentionally doing it).
Under /appliance > Security > Appliance Administration there is a “Reset Admin Account” button. Does this reset the default /login account? Or do we need to contact support whether we lose admin access to either /login or /appliance?
mjhall wrote:
Got it. So potentially not the end of the world since support can get things reset.
I do not have anything set for autorotation, but computers are computers and people are people so I’m just preparing for the worst-case scenario if for some reason the software storing our account does rotate it (either via “automation” or a security admin’s unintentionally doing it).
Under /appliance > Security > Appliance Administration there is a “Reset Admin Account” button. Does this reset the default /login account? Or do we need to contact support whether we lose admin access to either /login or /appliance?
Hello Mjhall - the /appliance reset is to allow you to reset the local /login ‘admin’ account. At the very least, we would strongly suggest you to keep the /appliance admin account out of any password rotating systems.
Please note, if you are Azure hosting your appliance, the loss of both interface passwords will require an appliance rebuild as the Support password reset system requires the use of the Appliance CLI, on the appliance itself. Azure does not currently allow for interactive use of this interface.
mjhall wrote:
Got it. So potentially not the end of the world since support can get things reset.
I do not have anything set for autorotation, but computers are computers and people are people so I’m just preparing for the worst-case scenario if for some reason the software storing our account does rotate it (either via “automation” or a security admin’s unintentionally doing it).
Under /appliance > Security > Appliance Administration there is a “Reset Admin Account” button. Does this reset the default /login account? Or do we need to contact support whether we lose admin access to either /login or /appliance?
As PhillC mentioned, there’s some options, but you won’t be having a good day if those creds are lost. Contacting us is about us helping you find a plan to get back up and running that’s unique to the environment.
Reply
Most helpful members this week
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.