Rotating FreeIPA secrets

To strengthen the security of your deployments, you can rotate sensitive secrets, such as database passwords or admin credentials, for the FreeIPA cluster. These secrets are created and managed by either Cloudera or users.

Secret rotation can be performed using the Cloudera Management Console or CLI commands. By rotating secrets, you reduce the risk of unauthorized access and enhance the overall security of your environment. A single secret rotation typically takes no longer than five minutes, minimizing downtime and disruption.

The following table summarizes the secrets that can be rotated for FreeIPA. Each entry gives the secret name with its CLI enum, a description, and the downtime to expect during rotation:

Cloudbreak user root SSH public key (USER_KEYPAIR)
    Description: Public SSH key specified during the environment creation. Before rotating the SSH public key, you need to change the keys on the Environment summary page, then rotate the secret for FreeIPA.
    Downtime: No

Databus access key (DBUS_UMS_ACCESS_KEY)
    Description: Machine user service credential used for communicating with Cloudera Control Plane through the DBUS interface by services such as the metering agent, diagnostic bundle collection and telemetry publisher.
    Downtime: Minimal, due to TelemetryAgent restart.

FreeIPA admin password (FREEIPA_ADMIN_PASSWORD)
    Description: Root credential used for managing all FreeIPA services on the FreeIPA nodes.
    Downtime: No

FreeIPA user sync related user's password (FREEIPA_USERSYNC_USER_PASSWORD)
    Description: FreeIPA uses this password to synchronize the user mapping context from the Cloudera Control Plane to the FreeIPA LDAP.
    Downtime: Minimal, usersync might fail during rotation.

Cluster Connectivity Manager Agent access key (CCMV2_JUMPGATE_AGENT_ACCESS_KEY)
    Description: The Jumpgate agent uses this key to build a secure channel between the cluster and Cloudera Control Plane for communication with the cluster. The key is only stored on the FreeIPA node.
    Downtime: No

Salt boot secrets (SALT_BOOT_SECRETS)
    Description: Used for bootstrapping new virtual machines into the cluster during cluster creation, upscale operations, OS upgrade and repair.
    Downtime: No

Salt sign key pair (SALT_SIGN_KEY_PAIR)
    Description: Used to sign and verify files or data distributed to Salt minions. Ensures the integrity and authenticity of data managed by the Salt system.
    Downtime: No

Salt master key pair (SALT_MASTER_KEY_PAIR)
    Description: Used to establish secure communication between the Salt master and minions. The public key is shared with the minions to verify the identity of the master.
    Downtime: No

Salt password (SALT_PASSWORD)
    Description: Salt user's password used to communicate with the Salt cluster.
    Downtime: No

Nginx server side private key (NGINX_CLUSTER_SSL_CERT_PRIVATE_KEY)
    Description: Private key of the server-side NGINX SSL certificate used for communication with internal services such as salt-bootstrap.
    Downtime: Minimal, the NGINX restart can cause a short outage, which is covered by retries.

Compute monitoring credentials (COMPUTE_MONITORING_CREDENTIALS)
    Description: Credentials used by compute monitoring components (prometheus, request-signer, etc.).
    Downtime: Minimal
The available secrets vary by deployment. Use the following CLI command to list all secrets that are available for rotation:
cdp environments list-freeipa-secret-types --environment {envCrn}

You can rotate the FreeIPA secrets either with the following steps in Cloudera Management Console or with the CLI command that follows them:

  1. Navigate to your environment in Cloudera Management Console.
  2. Click FreeIPA on the environment details page.
  3. Select the Security tab on the FreeIPA details page.
    Under Secret Management, the list of secrets that can be rotated is displayed.
  4. Select the secrets that you want to rotate.
  5. Click Rotate Secrets.
Use the following command to rotate the specific secret types:
cdp environments rotate-freeipa-secrets --environment {environmentCrn} --secret-types {SECRETENUM1,SECRETENUM2}
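As an added example (not part of this page or of the cdp CLI), the following shell functions drive the two commands above to rotate a requested set of secret types in two phases: the types the table lists with no downtime first, then the ones whose rotation restarts a service. The DRY_RUN and KEYS_CHANGED variables, and the extraction of upper-case enum tokens from the list command's output, are this script's own assumptions, not documented behaviour.

```shell
#!/usr/bin/env bash
set -u

# Downtime classification copied from the table on this page.
NO_DOWNTIME="USER_KEYPAIR FREEIPA_ADMIN_PASSWORD CCMV2_JUMPGATE_AGENT_ACCESS_KEY SALT_BOOT_SECRETS SALT_SIGN_KEY_PAIR SALT_MASTER_KEY_PAIR SALT_PASSWORD"
MINIMAL_DOWNTIME="DBUS_UMS_ACCESS_KEY FREEIPA_USERSYNC_USER_PASSWORD NGINX_CLUSTER_SSL_CERT_PRIVATE_KEY COMPUTE_MONITORING_CREDENTIALS"

# contains "LIST" WORD: succeed if WORD is one of the space-separated LIST items.
contains() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# intersect "A" "B": items of A that also appear in B, comma-separated as
# --secret-types expects. The order of A is kept, so phase order is kept.
intersect() {
  local out="" t
  for t in $1; do
    if contains "$2" "$t"; then out="${out:+$out,}$t"; fi
  done
  printf '%s' "$out"
}

# available_types ENV_CRN: secret types the environment offers, space-separated.
# Assumption: enum tokens are pulled out of the command output by pattern rather
# than by relying on its exact output format.
available_types() {
  cdp environments list-freeipa-secret-types --environment "$1" |
    grep -oE '[A-Z][A-Z0-9_]{3,}' | sort -u | tr '\n' ' '
}

# rotate_in_phases ENV_CRN "REQUESTED" "AVAILABLE": rotate the requested types
# the environment offers, zero-downtime ones first. DRY_RUN=1 prints instead.
rotate_in_phases() {
  local env_crn="$1" requested="$2" available="$3" phase types
  # Page precondition: USER_KEYPAIR must first be changed on the Environment
  # summary page; KEYS_CHANGED=1 is how the operator confirms that here.
  if contains "$requested" USER_KEYPAIR && [ "${KEYS_CHANGED:-0}" != 1 ]; then
    echo "refusing USER_KEYPAIR: change the key on the Environment summary page first" >&2
    return 2
  fi
  for phase in "$NO_DOWNTIME" "$MINIMAL_DOWNTIME"; do
    types=$(intersect "$(intersect "$phase" "$requested" | tr , ' ')" "$available")
    [ -n "$types" ] || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "cdp environments rotate-freeipa-secrets --environment $env_crn --secret-types $types"
    else
      cdp environments rotate-freeipa-secrets --environment "$env_crn" --secret-types "$types"
    fi
  done
}
```

A typical run is `KEYS_CHANGED=1 rotate_in_phases "$ENV_CRN" "USER_KEYPAIR SALT_PASSWORD NGINX_CLUSTER_SSL_CERT_PRIVATE_KEY" "$(available_types "$ENV_CRN")"`, which issues one rotate call for the two zero-downtime types and a second one for the NGINX key.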