Setting the workload password

To access non-SSO interfaces, each user and machine user must set a workload password (also known as "FreeIPA password"). An administrator can set other users' workload passwords.

Required roles: All users can manage their workload passwords from the account management page. All users can manage their workload password from CDP CLI, but this action requires an API access key, which can only be generated by users with the IAMUser role. As a CDP administrator or PowerUser, you can manage the workload password for all user accounts.

Workload password requirements

Your CDP administrator may set a custom workload password policy for your organization. If your CDP administrator did not set a custom workload password policy default, CDP has the following workload password requirements:

  • A minimum password length of 8 characters

  • Must include at least 1 upper case character, lowercase character, number and special character. Supported special characters are: "#", "&", "*", "$", "%", "@", "^", ".", "_", and "!".

  • All previous passwords can be reused

  • The password can be changed at any time

  • The password never expires

Set your own workload password

As a CDP user, you can see on your profile page if you have previously set your workload password and if the password is about to expire. There are two cases when you may want to set your workload password:
  1. When you first start using CDP.
  2. When your password expires. This may or may not happen depending on your company's policies. If your password does expire, you will see a banner notification on the CDP web interface 10 days before the expiry date. You can also see on your user’s profile page the state of your workload password (if it expires soon or cannot yet be changed).

Steps

  1. Sign in to the CDP web interface.
  2. Click on your user name in the bottom left corner and then select Profile.
  3. Click Set Workload Password:
  4. In the dialog box that appears, enter the new workload password twice.
  5. In the Environments text box, All is pre-selected so that the workload password is synced to all environments by default.
  6. Click Set Workload Password. A message appears saying that the password is set successfully.
  7. Click Close.

Use the following command to set workload password:

cdp iam set-workload-password --password <value>

Set workload password for another user or machine user (admin only)

There are two cases when you may want to set workload password for a machine user:
  1. When you are first onboarding the machine user to CDP.
  2. When the machine user's password expires. This may or may not happen depending on your company's policies. A CDP administrator or PowerUser is able to navigate to the list of all users to see for which machine user passwords are about to expire. In the "Password expiring" column, any password that is about to expire in 10 days or less is flagged as "Expires in X days". Only machine users (and not human users) are flagged in this manner. A CDP administrator or PowerUser can then reset the password for each machine user whose password is about to expire.

Steps

  1. Sign in to the CDP web interface.
  2. From the CDP home page, click Management Console.
  3. On the side navigation panel, click User Management.
  4. On the Users page, enter your name in the search bar and then click on your user name:
  5. Click Set Workload Password:
  6. In the dialog box that appears, enter the new workload password twice.
  7. Click Set Workload Password. A message appears saying that the password is set successfully.
  8. Click Close.

Use the following command to set workload password for other users:

cdp iam set-workload-password  --actor-crn <value> --password <value>

The CRN can be obtained from CDP web interface from the user profile.

What to do next

Each time you reset your workload password, you must regenerate your keytab. See Retrieve keytab.