‎2012-02-03
04:22 PM
EnVision System Password Change Process Documentation
Hello, I am looking for the documented process of changing all the system passwords (i.e. master, administrator, nic_system, nic_sshd, nic_sftp, dba) on enVision version 4.1 Patch 3. I know from image/installation that one has to make sure to change the passwords on the NAS too, but I have yet to come across documentation on the entire process and how often RSA recommends this be done (i.e. every 60-90 days). Can anyone with experience point me in the right direction? Thanks!
8 Replies
‎2012-02-05
11:22 AM
I know that Professional Services has created a PowerShell script for this. Not sure if it can be released here or not. I'll ask.
As for how often? That is up to the customer. Usually companies have a policy, so I would think you would adhere to that, specifically for generic/service accounts.
‎2012-02-06
08:14 AM
Thanks for the reply... Is that something that I can find on SCO? We will be doing at least every 90 days possibly less, as the SIEM should be meeting or exceeding the precedent that everyone else has been mandated to follow...
‎2012-02-06
09:42 AM
Ok, so I got approval from the PS person who created the script. Keep in mind that there is no support for this script.
Requirements (not documented):
- This script must be run as an account that is configured as an administrator (and Domain Admin) on all systems, including the NAS. This normally means the Administrator account (which is pre-created on the NAS). Contact support to obtain the password for this account on the NAS if you do not know it. This is the only administrator on the NAS by default, I believe. I have manually created an administrator account on all servers and given it admin rights and the same password (like the other accounts require).
- This script requires PowerShell to be installed on an enVision server. I run this from the D-srv normally. Not sure if that is a requirement or not.
- The winSSHD functionality does not work by default with this script. You are welcome to tweak the code as you need.
I will post my customized version next.
Scott
‎2012-02-06
12:44 PM
I appreciate the information. I am curious now that I have had literally no replies other than you with something that is a known/used process, but is not supported or documented, if this is something that is just not done on a regular basis? I have had experience with attempting things that are not supported before, and unfortunately they have not gone well, so I will probably pass even though your script and coding is most likely perfectly fine. I am not a server admin type and the team that I would have to ask to implement this would not do it most likely just because of the possibility of "Murphy's law" & no support. I am now interested what response I will get by putting in a support ticket since I have gone this route, searched on SCO, and asked a couple of other support specialists about this process and received no reply. Thank you!
‎2012-02-06
01:24 PM
I understand your concern. If this is your environment to manage, then I would not fear this script. There are worse things that can happen. Trust me.
enVision is just a set of Windows servers. If you use the script, it should work just fine. That said - you should already have all the passwords known (documented somewhere) so you can undo any issues.
It's not going to fail catastrophically to a point where only a system restore will fix it - you just have to correct the passwords and restart the services.
But if your server admins are scared of server changes, then I probably can't help you.

‎2012-02-07
10:12 AM
This looks like a good option to use as there seems to be no "official" process to do this. We have some RSA consulting time coming up within a week, so I will look to get this implemented. I appreciate your candor. Due to staffing, we are sharing a lot of the admin functions between patching/backup/archive/AV etc. with a few different teams... I am responsible for the appliances overall and delegating responsibilities by setting up domain admin access and permissions. Looks like this needs to be kicked up the chain as a "feature request/enhancement" unless I am one of the few out there that includes enVision in a password change policy...
Thanks again!

‎2012-03-23
04:00 PM
I've asked this same question before, but the response was usually that I should leave the passwords alone. Because I work in a compliance context, I cannot do this. I have an LS and I use the PowerShell script that PS developed. It makes things quicker, but you'll still have to open WinSSHD and set the NIC_sshd and NIC_sftp passwords manually. It doesn't reset the enVision passwords either. And, it won't work for the NAS. You'll have to reset the CIFS and Celerra passwords manually. I've done this so many times that I can do it almost without thinking about it.
‎2012-03-27
07:27 PM
You can follow the steps in the RSA enVision Hardware Setup and Maintenance Guide (page 69).
You need to make the change on all appliances (D-Srv, A-Srv, LCn, RCn) and update the nic_sftp and nic_sshd cache password in the WinSSHD control panel.
Regards
