Many system services require login credentials to gain access to them. The information below is a comprehensive list of system passwords and how to change them.
Contact HPE Cray service in order to obtain the default usernames and passwords for any of these components or services.
Default Keycloak admin user login credentials:
Username: admin
The password can be obtained with the following command:
ncn-mw# kubectl get secret -n services keycloak-master-admin-auth --template={{.data.password}} | base64 --decode
To update the default password for the admin account, refer to Change the Keycloak Admin Password.
To create new accounts, refer to Create Internal User Accounts in the Keycloak Shasta Realm.
The default Gitea/VCS administrative user name is crayvcs.
The password is randomly generated at install time and can be found in the vcs-user-credentials secret.
ncn-mw# kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_password}} | base64 --decode
For more information on Gitea/VCS, including how to change the password, see Version Control Service (VCS).
The default username is admin.
NOTE: Contact HPE Cray service in order to obtain the default password for Grafana and Kiali.
Each rack type includes a different set of passwords. During different stages of installation, these passwords are subject to change.
NOTE: Contact HPE Cray service in order to obtain the default passwords.
The tables below include the default login credentials for each rack type. These passwords can be changed by going into the console on a given switch and changing it. However, if the user gets locked out attempting to change the password or the configuration gets corrupted for an individual switch, it can wipe out the entire network configuration for the system.
| Name | Role | Switch | IP Address | Login |
|---|---|---|---|---|
sw-smn01 |
Leaf/Mgmt |
Dell S3048-ON |
10.254.0.2 |
admin |
sw-smn02 |
Spine-001 |
Mellanox SN2100 |
10.254.0.1 |
admin |
sw-smn03 |
Spine-002 |
Mellanox SN2100 |
10.254.0.3 |
admin |
| Name | Role | Switch | IP Address | Login |
|---|---|---|---|---|
mtnsw01 |
Leaf/Mgmt |
Dell S3048-ON |
10.254.0.2 | admin |
| Name | Role | Switch | IP Address | Login |
|---|---|---|---|---|
cdu-s1 |
CDU | Dell S4048T-ON |
10.254.0.2 | admin |
| Name | Role | Switch | IP Address | Login |
|---|---|---|---|---|
| Arista | DCS-7060CX-32S |
172.16.249.10 | admin |
|
| Sonexion | Entry point to Arista | CS-L300 |
172.30.49.178 | admin |
| E1000 | CS-E1000 |
admin |
Redfish accounts are only valid with the Redfish API. They do not allow system logins using ssh or serial console.
Three accounts are created by default:
| Username | Authority | Role |
|---|---|---|
root |
Root |
Administrative account |
operator |
Operator |
Power components on/off, read values, and configure accounts |
guest |
ReadOnly |
Log in, configure self, and read values |
NOTE: Contact HPE Cray service in order to obtain the default passwords.
The System Configuration Service (SCSD) is used to set the credentials for Redfish BMCs. Refer to Set BMC Credentials for more information.
The account database is automatically saved to the non-volatile settings partition
(/nvram/redfish/redfish-accounts) any time an account or account policy is modified.
The file is stored as a Redis command dump and is replayed (if it exists) any time the core Redfish
schema is loaded by the init script. If default accounts must be restored,
then delete the Redis command dump and reboot the controller.
Use the following API path to list all accounts: GET /redfish/v1/AccountService/Accounts
{
"@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection",
"@odata.etag": "W/\"1559675674\"",
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
"Description": "Collection for Manager Accounts",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/Accounts/1"
},
{
"@odata.id": "/redfish/v1/AccountService/Accounts/2"
}
],
"Members@odata.count": 2,
"Name": "Accounts Collection"
}
Use the following API path to list a single account: GET /redfish/v1/AccountService/Accounts/1
{
"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount(*)",
"@odata.etag": "W/"1559675272"",
"@odata.id": "/redfish/v1/AccountService/Accounts/1",
"@odata.type": "#ManagerAccount.v1_1_1.ManagerAccount",
"Description": "Default Account",
"Enabled": true,
"Id": "1",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": false,
"Name": "Default Account",
"RoleId": "Administrator",
"UserName": "root"
}
If an account is successfully created, then the account information data structure will be returned. The most important bit returned is the Id because it is part of the URL used for any further manipulation of the account.
Use the following API path to add accounts: POST /redfish/v1/AccountService/Accounts
Include a request body like the following:
{
"Name": "Test Account",
"RoleId": "Administrator",
"UserName": "test",
"Password": "test123",
"Locked": false,
"Enabled": true
}
Example response:
{
"@odata.context": "/redfish/v1/$metadataAccountService/Members/Accounts",
"@odata.etag": "W/"1559679136"",
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccount.v1_1_1.ManagerAccount",
"Description": "Collection of Account Details",
"Id": "5", **<<-- Note this value**
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Enabled": true,
"Locked": false,
"Name": "Test",
"RoleId": "Administrator",
"UserName": "test"
}
Be sure to note the Id value in the response (5 in the above example).
Use the following API path to delete an account: DELETE /redfish/v1/AccountService/Accounts/ACCOUNT_ID
For example:
curl -u root:xxx -X DELETE https://x0c0s0b0/redfish/v1/AccountService/Accounts/5
Use the following API path to update the password for an account: PATCH /redfish/v1/AccountService/Accounts/ACCOUNT_ID
WARNING: Changing Redfish credentials outside of Cray System Management (CSM) services may cause the Redfish device to be no longer manageable under CSM. If the credentials for other devices need to be changed, refer to the following device-specific credential changing procedures:
- To change liquid-cooled BMC credentials, refer to Change Cray EX Liquid-Cooled Cabinet Global Default Password.
- To change air-cooled node BMC credentials, refer to Change Air-Cooled Node BMC Credentials.
- To change Slingshot switch BMC credentials, refer to “Change Rosetta Login and Redfish API Credentials” in the Slingshot Operations Guide (> 1.6.0).
For example:
curl -u root:xxx -X PATCH -H 'Content-Type: application/json' \
-d '{"Name": "Test"}' \
https://x0c0s0b0/redfish/v1/AccountService/Accounts/5
For SSH access, the system controllers have the following default credentials:
| Controller | Username |
|---|---|
| Node controller (nC) | root |
| Chassis controller (cC) | root |
| Switch controller (sC) | root |
| sC minimal recovery firmware image (rec) | root |
NOTE: Contact HPE Cray service in order to obtain the default passwords.
Passwords for nC, cC, and sC controllers are all managed with the following process.
The cfgsh tool is a configuration shell that can be used interactively or scripted. Interactively, it may be used as follows after logging in as root using SSH:
x0c1# config
x0c1(conf)# CURRENT_PASSWORD root NEW_PASSWORD
x0c1(conf)# exit
x0c1# copy running-config startup-config
x0c1# exit
It may be used non-interactively as well. This is useful for separating out several of the commands used for the initial setup. The shell utility returns non-zero on error.
# cfgsh --config CURRENT_PASSWORD root NEW_PASSWORD
# cfgsh copy running-config startup-config
In both cases, a running-config must be saved out to non-volatile storage in a startup configuration file.
If it is not, then the password will revert to default on the next boot. This is the same behavior as standard managed Ethernet switches.
To adjust the SNMP credentials, perform the following tasks:
Update the default credentials specified in the customizations.yaml file.
Update the credentials actively being used for existing leaf switches.
Change the global default credential on HPE Cray EX liquid-cooled cabinet embedded controllers (BMCs).
The chassis management module (CMM) controller (cC), node controller (nC), and Slingshot switch controller (sC) are generically referred to as “BMCs” in these procedures.
See Change Cray EX Liquid-Cooled Cabinet Global Default Password
Provision a glibc compatible SHA-512 administrative password hash to a cabinet environmental controller (CEC).
This password becomes the Redfish default global credential to access the CMM controllers and node controllers (BMCs).
See Provisioning a Liquid-Cooled EX Cabinet CEC with Default Credentials
Change the credential for HPE Cray EX liquid-cooled cabinet chassis controllers and node controller (BMCs) used by CSM services after the CECs have been set to a new global default credential.
See Updating the Liquid-Cooled EX Cabinet CEC with Default Credentials after a CEC Password Change
The default username is admin.
NOTE: Contact HPE Cray service in order to obtain the default password for Gigabyte.
To update the root password for compute nodes, refer to “Set Root Password for Compute Nodes” in the Cray Operating System (COS) product stream documentation for more information.
To update the root password on UANs, refer to “Create UAN Boot Images” in the UAN product stream documentation for the steps required.
The uan_shadow header in the “UAN Ansible Roles” section includes more context on setting the root password on UANS.