
US-12621288-B2 - Agentless password rotation for baremetal servers


Abstract

An orchestrator manages password rotation for bare metal servers that lack an agent for performing password rotation. A user configures parameters for performing password rotation, such as the frequency (e.g., a cron command) and password rules, for a bare metal server. Parameters may be associated with a theme that can be applied to one or multiple bare metal servers. When indicated by the frequency, the orchestrator runs a workflow with respect to one or more bare metal servers in order to change the passwords and update a vault store recording the passwords.

Inventors

  • Pragash Vijayaragavan
  • Sree Nandan Atur

Assignees

  • RAKUTEN SYMPHONY, INC.

Dates

Publication Date
20260505
Application Date
20221117

Claims (20)

  1. A method comprising: selecting, by a first computer system, one or more parameters defining performing password rotation with respect to a remote server connected to the first computer system by a network, the first computer system selecting the one or more parameters according to both of (a) a location of the server in a telecommunication system and (b) a frequency of unsuccessful login attempts detected for the server, the one or more parameters including a frequency of password changes and password requirements; detecting, by the first computer system, that password rotation is due for the server according to the one or more parameters; and executing, by the first computer system, a workflow to perform password rotation on the server over the network, the workflow including making application programming interface (API) calls, by the workflow, to an API of an operating system executing on the server to perform the password rotation.
  2. The method of claim 1, wherein the one or more parameters include one or more rules for generating passwords for the server.
  3. The method of claim 1, wherein the one or more parameters include a cron command.
  4. The method of claim 1, wherein the one or more parameters are associated with a theme to which the server is assigned.
  5. The method of claim 4, wherein the theme corresponds to the location of the server in the telecommunication network.
  6. The method of claim 1, wherein invoking execution of the workflow comprises selecting a worker from a worker pool and instructing the worker to execute the workflow.
  7. The method of claim 1, wherein execution of the workflow includes storing passwords in a password vault store.
  8. The method of claim 1, wherein execution of the workflow includes establishing a secure command line interface to the server and transmitting instructions through the secure command line interface.
  9. The method of claim 8, wherein the secure command line interface includes a secure shell (SSH) connection to the server.
  10. The method of claim 1, further comprising modifying the one or more parameters to increase a frequency of performance of password rotation in response to unsuccessful login attempts on the server.
  11. A system comprising: a computing device including one or more processing devices and one or more memory devices operably coupled to the one or more processing devices, the one or more memory devices storing executable code that, when executed by the one or more processing devices, causes the one or more processing devices to: select one or more parameters defining performing password rotation with respect to a remote bare metal server connected to the computing device by a network, the one or more parameters selected according to both of (a) a location of the bare metal server in a telecommunication system and (b) a frequency of unsuccessful login attempts detected for the bare metal server, the one or more parameters including a frequency of password changes and password requirements; detect that password rotation is due for the bare metal server according to the one or more parameters; and executing a workflow to perform password rotation on the bare metal server over the network, the workflow including making application programming interface (API) calls, by the workflow, to an API of an operating system executing on the bare metal server to perform the password rotation.
  12. The system of claim 11, wherein the one or more parameters include one or more rules for generating passwords for the bare metal server.
  13. The system of claim 11, wherein the one or more parameters include a cron command.
  14. The system of claim 11, wherein the one or more parameters are associated with a theme to which the bare metal server is assigned.
  15. The system of claim 11, wherein the executable code, when executed by the one or more processing devices, further causes the one or more processing devices to invoke execution of the workflow by selecting a worker from a worker pool and instructing the worker to execute the workflow.
  16. The system of claim 15, wherein the executable code, when executed by the one or more processing devices, further causes the one or more processing devices to invoke execution of the workflow by retrieving the workflow from a repository.
  17. The system of claim 11, wherein execution of the workflow includes storing passwords from a password vault store.
  18. The system of claim 11, further comprising the bare metal server, the bare metal server being an edge server coupled to an antenna of a telecommunication network.
  19. A non-transitory computer-readable medium storing executable code that, when executed by one or more processing devices, causes the one or more processing devices to: select one or more parameters defining performing password rotation with respect to a remote bare metal server connected to a computing device by a network according to both of (a) a location of the bare metal server in a telecommunication system and (b) a frequency of unsuccessful login attempts detected for the bare metal server, the one or more parameters including a frequency of password changes and password requirements; detect that password rotation is due for the bare metal server according to the one or more parameters; and invoke execution of a workflow to perform password rotation on the bare metal server over the network, the workflow being executed by the computing device and including making calls, by the workflow, to application programming interface (API) of an operating system executing on the bare metal server.
  20. The non-transitory computer-readable medium of claim 19, wherein the one or more parameters include one or more rules for generating passwords for the bare metal server and a cron command.
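As an added illustration, not code from the patent or its assignee, the following Python sketch models the claimed method end to end: a theme chosen by server location, a rotation schedule tightened when unsuccessful logins spike (claim 10), password generation under the theme's rules, and an agentless workflow that runs the operating system's own `chpasswd` over an SSH session (claims 8 and 9) and records the result in a vault store. The theme names, the failed-login threshold and the `run_ssh` callable are assumptions, and the cron schedule of claim 3 is simplified to a rotation interval in days.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed example, not the patent's own code. A theme bundles the rotation
# parameters for one class of servers; here themes are keyed by server location.
@dataclass(frozen=True)
class Theme:
    rotation_days: int      # simplified stand-in for the cron schedule in the claims
    min_length: int
    require_symbol: bool

SYMBOLS = "!@#$%^&*"
THEMES = {  # hypothetical location themes
    "core-dc": Theme(rotation_days=30, min_length=16, require_symbol=True),
    "edge-site": Theme(rotation_days=14, min_length=20, require_symbol=True),
}

def select_parameters(location: str, failed_logins_per_day: float, threshold: float = 50.0) -> Theme:
    """Pick the theme by location, then halve the rotation interval when the server
    is seeing many unsuccessful login attempts (the adaptation in claim 10)."""
    theme = THEMES[location]
    if failed_logins_per_day > threshold:
        return Theme(max(1, theme.rotation_days // 2), theme.min_length, theme.require_symbol)
    return theme

def rotation_due(days_since_last: float, params: Theme) -> bool:
    """The orchestrator's due check: true once the rotation interval has elapsed."""
    return days_since_last >= params.rotation_days

def generate_password(params: Theme) -> str:
    """Generate a password that satisfies the theme's rules (mixed case, digit, symbol)."""
    alphabet = string.ascii_letters + string.digits + (SYMBOLS if params.require_symbol else "")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(params.min_length))
        ok = any(c.islower() for c in pw) and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)
        if ok and (not params.require_symbol or any(c in SYMBOLS for c in pw)):
            return pw

def run_workflow(server: str, user: str, params: Theme, run_ssh, vault: dict) -> bool:
    """Agentless workflow: open a session to the server (run_ssh stands in for an SSH
    client and returns the remote exit status), call the OS's own chpasswd tool,
    and record the new credential in the vault only after the server confirms it."""
    new_pw = generate_password(params)
    # chpasswd reads "user:password" on stdin, so the secret never sits on a command line.
    rc = run_ssh(server, ["chpasswd"], stdin=f"{user}:{new_pw}\n")
    if rc != 0:
        return False        # vault untouched: the previously stored password is still valid
    vault[(server, user)] = {"password": new_pw, "rotation_days": params.rotation_days}
    return True
```

Writing the vault only after a zero exit status keeps the stored credential consistent with the server even when the SSH step fails part way.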

Description

FIELD OF THE INVENTION

This invention relates to implementing password rotation on servers without the use of an agent executing on the servers.

BACKGROUND OF THE INVENTION

The modern data center or other computing facility is enormously complex and may be distributed over a wide geographic area. Performing administrative tasks manually is simply not practical. One such task is providing passwords used by servers when accessing services in the same facility or a third-party provider. The HashiCorp Vault is one tool that is used to provide automated management of passwords. This tool uses a vault agent executing on each server that interacts with a management server. Although the use of a vault agent is suitable for some applications, it requires prior installation and consumes computing resources that may be scarce in some applications. It would be an advancement in the art to perform the automated management of passwords in complex computing facilities.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the advantages of the invention will be readily understood, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered limiting of its scope, the invention will be described and explained with additional specificity and detail through use of the accompanying drawings, in which:

  • FIG. 1 is a schematic block diagram of a network environment in which agentless password rotation may be implemented in accordance with an embodiment of the present invention;
  • FIG. 2 is a process flow diagram of a method for setting up agentless password rotation in accordance with an embodiment of the present invention;
  • FIG. 3 is a process flow diagram of a method for performing password rotation in accordance with an embodiment of the present invention;
  • FIG. 4 is a process flow diagram of a method for performing password rotation using a command line interface on an operating system of a server in accordance with an embodiment of the present invention;
  • FIG. 5 is a schematic block diagram of a network environment in which agentless user session management may be implemented in accordance with an embodiment of the present invention;
  • FIG. 6 is a process flow diagram of a method for extracting user session information in accordance with an embodiment of the present invention;
  • FIG. 7 is a process flow diagram of a method for extracting a new login from session information in accordance with an embodiment of the present invention;
  • FIG. 8 is a process flow diagram of a method for extracting a logout from session information in accordance with an embodiment of the present invention;
  • FIG. 9 is a process flow diagram of a method for recording session data in the event of a server restart in accordance with an embodiment of the present invention;
  • FIG. 10 is a process flow diagram of a method for performing user session management in accordance with an embodiment of the present invention;
  • FIG. 11 is a process flow diagram of a method for implementing a session management action in accordance with an embodiment of the present invention; and
  • FIG. 12 is a schematic block diagram of an example computing device suitable for implementing methods in accordance with embodiments of the invention.

DETAILED DESCRIPTION

FIG. 1 illustrates an example network environment 100 in which the systems and methods disclosed herein may be used. The components of the network environment 100 may be connected to one another by a network such as a local area network (LAN), wide area network (WAN), the Internet, a backplane of a chassis, or other type of network. The components of the network environment 100 may be connected by wired or wireless network connections.

The network environment 100 includes a plurality of bare metal servers 102. Each of the bare metal servers 102 may include one or more computing devices, such as a computing device having some or all of the attributes of the computing device 1200 of FIG. 12. As used herein, “bare metal” refers to a server computer in an uninitiated state, e.g., having no operating system, kernel, or other software installed thereon other than firmware stored in non-volatile RAM on the device. A bare metal server 102 therefore lacks any agent for coordinating the performance of management tasks. The systems and methods described herein enable password rotation to be performed with respect to a bare metal server 102. However, other servers of any type may also benefit from the systems and methods disclosed herein. Likewise, a cluster of servers, such as a cluster of servers coupled to a common control plane, may be processed in the same manner as a single server as described herein.

As used herein, “password rotation” refers to the scheduled changing of passwords to enhance security. As used herein, “passwords”