> Commvault SaaS > User Administration and Security > Rotating Passwords

Steps By Account Type for Rotating Password

This section explains how to rotate passwords for different account types, including cloud, databases, Linux, NDMP, storage arrays, and Windows. The instructions are grouped by account type. For most workloads, the password update process is similar, so the steps are written in a generic format. For workloads that require a different process, detailed and specific steps are provided.

Access Token

Access Token Account Type

GitHub

  1. Sign in to Github account.

  2. Navigate to Settings > Developer settings.

  3. Create a new PAT.

  4. Do not delete the old credential yet. Keep a rollback window until validation completes.

  5. Log on to Commvault SaaS.

  6. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  7. Run a test connection and then perform a test backup.

  8. After validation, remove the old credential in the GitHub website.

GitLab

  1. Sign in to Gitlab account.

  2. Navigate to Edit Profile > Access token.

  3. Create a new PAT.

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Perform a test backup to validate the connection.

  7. After validation, remove the old credential in the GitLab website.

Azure DevOps

  1. Sign in to Azure DevOps account.

  2. Navigate to User settings > Personal access token.

  3. Create a new PAT.

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Perform a test backup to validate the connection.

  7. After validation, remove the old credential in the Azure DevOps website.

Big Data Apps Database Account

Big Data Apps Database Account Type

Couchbase

  1. Sign in to the Couchbase admin portal.

  2. In the upper-right corner of the portal, click the username, and then click Change Password.

  3. Enter the current password and the new password.

  4. Save the details.

  5. Log on to Commvault SaaS.

  6. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  7. Run a small test backup to validate the connection.

  8. After validation, remove the old credential in the vendor console.

MongoDB

  1. Log on to Ops Manager UI.

  2. Navigate to the Deployment tab.

  3. Select the MongoDB cluster that has the user.

  4. Go to Security > Users.

  5. Locate the user whose password you want to change.

  6. Beside the user, click Edit.

  7. Enter the new password and confirm it.

  8. Save changes and deploy the updated configuration.

    Ops Manager will automatically push the updated user credentials to the cluster using its automation agents.

    Note

    If the cluster is not managed by Ops Manager, connect to the cluster using mongoShell and update the user credentials with the appropriate database commands.

  9. Log on to Commvault SaaS.

  10. Change the MongoDB authentication credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  11. Run Discover from Nodes tab of your MongoDB Instance or trigger a small test backup to validate connection.

  12. Change the SSL/TLS credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  13. Run Discover from Nodes tab of your MongoDB instance or trigger a small test backup to validate connection

Cloud Account

Cloud Account Type

  1. Sign in to the portal (for example, Microsoft Azure, AWS, Google Cloud, and OCI).

  2. Navigate to the security or identity area (such as IAM, Entra ID, SSO, or database user management).

  3. Create a new secret (password, key, app secret, certificate) following your policy (length, rotation interval, or MFA).

  4. Do not delete the old credential yet. Keep a rollback window until validation completes.

  5. Log on to Commvault SaaS.

  6. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  7. If the workload uses a cloud account, go to Protect > Virtual machines > Hypervisors , select the cloud account, and then update the keys/secret.

  8. Test the connection and then perform a test backup.

  9. After validation, remove the old credential in the vendor console.

Azure DevOps

  1. Sign in to the Azure portal.

  2. Navigate to App registration > Oauth App > Certificates and secret.

    Tip

    Go to App registrations, search for and select the multi-tenant app in use, and then navigate to Certificates & secrets for that app

  3. Create a new secret (password, key, app secret, certificate) following your policy (length, rotation interval, or MFA).

  4. Do not delete the old credential yet. Keep a rollback window until validation completes.

  5. Log on to Commvault SaaS.

  6. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  7. Test the connection and then perform a test backup.

  8. After validation, remove the old credential in the vendor console.

Google Workspace

Gmail and GDrive

You must change your Key for your service account in your Google Workspace Marketplace every 90 days as a best practice.

  1. Log on to the Google Cloud Resource Manager portal (https://console.cloud.google.com/cloud-resource-manager) using your super administrator account.

  2. From the navigation pane, go to APIs & Services > Enabled APIs & services.

    The APIs & Services page appears.

    Note

    Verify that you have selected the correct project in the upper-right corner of the APIs and Services page.

  3. From the list, select Google Workspace Marketplace SDK.

  4. Select the Credentials tab.

    The Credentials compatible with this API page appears

  5. Go to your service account and go to the KEYS tab.

  6. Click Delete to delete the existing key.

  7. Click Add Key > Create new key.

    A dialog box appears with the key type options.

  8. Under Key type, select JSON, and then click Create.

    A confirmation dialog box appears.

  9. Click Close.

  10. Import the new JSON file into Commvault SaaS.

    1. Log on to Commvault SaaS.

    2. From the Command Center navigation pane, go to Manage > Security.

    3. Click the Credential vault tile.

    4. In the Actions column for the service account credential entity that you want to update, click the action button Updating a Credential Vault (1), and then select Edit.

    5. In the JSON file path area, click Upload, and then upload the newly generated service account JSON file.

    6. Click Save.

Database Account

Database Account Type

Oracle (on-prem) and Oracle RAC (on-prem)

  1. Sign in to the Oracle Database host (as Oracle OS user or with SQL*Plus access).

  2. Connect to the database as SYSDBA:

    sqlplus username/password@service_name as sysdba

  3. Change the password for the Commvault backup user:

    ALTER USER $[username] IDENTIFIED BY $[new_password];

  4. Validate the connection with new password.

  5. Log on to Commvault SaaS.

  6. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  7. Perform a test backup.

PostgreSQL

  1. Sign in to the PostgreSQL server as super user: 

    psql -U postgres -d database_name

    Replace postgres with your superuser account if it is different.

  2. Change the password for the Commvault backup user:

    ALTER USER username WITH PASSWORD 'new_password';

  3. Verify the new password by connecting to PostgreSQL:

    psql -U username -d database_name -h host

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Perform a test backup.

MySQL

  1. Connect to MySQL as a privileged user (for example, root).

    mysql -u root -p

  2. Change the password for the Commvault backup user:  

    ALTER USER 'username'@'%' IDENTIFIED BY 'new_password'; 
FLUSH PRIVILEGES;

    Replace % with a specific host if the user is restricted to one host.

  3. Verify the new password by connecting to MySQL:  

    mysql -u username -p -h host database_name

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Perform a test backup.

SAP Oracle

  1. Go to Commvault SaaS, and update the SAP Oracle credential in credential vault.

  2. Perform a test backup.

SAP HANA

  1. Go to Commvault SaaS, and update the SAP HANA credential in credential vault.

  2. Perform a test backup.

RDS SQL

  1. In the AWS Management Console, go to the RDS service.

  2. Select the RDS instance for which you want to change the master user password.

  3. Click Modify.

  4. In the Master password field, enter the new password.

  5. Re-enter the new password in the confirmation field.

  6. Apply the changes.

  7. Log on to Commvault SaaS.

  8. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  9. Perform a test backup.

Azure SQL and Managed SQL

  1. Follow these steps based on the type of user account.

    • Azure SQL Server Admin

      1. Sign in to the Azure Portal.

      2. Navigate to your Azure SQL Server resource.

      3. Click Reset password.

      4. Enter the new server admin password.

      5. Save the changes.

    • Contained User

      1. Open SQL Server Management Studio (SSMS).

      2. Connect to the Azure SQL Server.

      3. At the server level or database level (where the contained user was created), run the following command: 

      ALTER USER user_name 
 WITH PASSWORD = 'new_strong_password_here' 
OLD_PASSWORD = 'old_strong_password_here';

  2. Log on to Commvault SaaS.

  3. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  4. Perform a test backup.

Kubernetes Service Account

Kubernetes Service Account Type

  1. Sign in to the Cluster Management Interface:

    • Vanilla Kubernetes: Use kubeconfig access or connect to the API server.

    • EKS: AWS Console > EKS > Cluster.

    • AKS: Azure Portal > Kubernetes services.

    • GKE: Google Cloud Console > Kubernetes Engine.

    • OpenShift: Web Console (Administrator view).

  2. Identify the ServiceAccount

    Find the ServiceAccount (SA) used by Commvault:

    • Check in Commvault configuration.

    • Review Kubernetes manifests for the SA name.

  3. Create a new credential for the ServiceAccount

    • Create a new ServiceAccount

      Assign the same cluster access level as the old one (for example cluster-admin or equivalent ClusterRole).

    • Reuse the existing ServiceAccount

      Generate a new secret token (kubernetes.io/service-account-token).

  4. Retrieve and Store the New Token

    • Extract the token from the new secret.

    • Store it securely in your organization’s password manager or secret store.

  5. Keep the Old Credential for Rollback

    Do not delete the old ServiceAccount or token until the new one is validated and working.

  6. Log on to Commvault SaaS.

  7. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  8. If the Kubernetes cluster runs in a public cloud (EKS, AKS, GKE, OCP on cloud), go to Protect > Kubernetes > Clusters, and then update the key or secret.

    For more information, see Updating a Kubernetes Cluster

  9. Perform a test backup.

  10. Once the validation is complete, remove the old secret token and ServiceAccount from the Kubernetes cluster.

NDMP Account

NDMP Account Type

NDMP

For files using NDMP, password generated by NetApp for a user in vserver context is stored under the NDMP account type.

  1. Login to the NetApp ONTAP system via SSH as an admin user

  2. Generate NDMP password for a user using the following command:

    vserver services ndmp generate-password -user user_name -vserver SVM_name

    Where, SVM_name is the storage virtual machine and user_name is the NDMP user account name.

  3. When the system generates the NDMP password, copy and store it securely.

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. From the Command Center navigation pane, go to File server > NDMP > Configuration, edit the NDMP properties, and then verify if the preview works correctly. Alternatively, run an NDMP backup to verify that the credentials are working correctly.

Storage Array Account

Storage Array Account Type

NetApp

NetApp agent use the ONTAP credentials from the storage array account to connect to the NetApp array.

  1. Go to the cluster.

  2. Run the following command: 

    security login password -vserver svm_name -username user_name

    For more information, go to the Change an ONTAP administrator password page in the NetApp documentation website.

  3. Follow the prompts that appear to enter the current password and set a new password.

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Perform a test backup.

HPE Nimble Storage

HPE Nimble Storage connections require Nimble Storage Array account credentials.

  1. Sign in to the HPE Nimble Storage portal.

  2. Navigate to the Administration tab, from the list, select Security.

  3. To edit an existing user's password, click the user name. Under More Actions, select Change Password. Enter existing password, a new Password, confirm the new password, and click Change.

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Perform a test backup.

Pure Storage FlashArray

Pure Storage FlashArray connections require Pure Storage Array account credentials.

  1. Sign in to the Pure Storage FlashArray.

  2. Navigate to Settings, and then click the Access tab.

  3. To edit an existing user's password, click the actions button. In the Edit dialog box, enter Current Password, New Password, Confirm Password, Public Key, and then click Save.

  4. For the same user, click the actions button, select Recreate API Token. In the Recreate API Token dialog box, click Recreate button to confirm recreation of API token, and then click Recreate.

  5. In the API Token dialog box, copy the token.

  6. Log on to Commvault SaaS.

  7. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  8. Perform a test backup.

User Account

User Account Type

IBMi

  1. Sign in to the IBMi client using a user profile with SECADM special authority.

  2. Change the password for the user profile:

    CHGUSRPRF USRPRF($[User_Profile_Name]) PASSWORD($[new_password])

  3. Validate the connection with new password.

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Perform a test backup.

Windows Account

Windows Account Type

Microsoft Hyper-V

  1. Log on to the physical computer or VM computer.

  2. Press Ctrl + Alt + End on your keyboard (or Ctrl + Alt + Delete) to open the security options.

  3. Select Change a password, and then follow the prompts to set a new password.

  4. To verify if the password has been changed successfully, log out of the machine and log back in using the new password.

  5. Log on to Commvault SaaS.

  6. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  7. Perform a test backup.

  8. After validation, remove the old credential in the vendor console.

CIFS

For files using NetApp CIFS, password generated by NetApp ONTAP for a user in vserver context is stored under the Windows account type.

  1. Login to the NetApp ONTAP system using SSH as an admin user.

  2. Run the following to reset the CIFS domain password:

    vserver cifs domain password reset -vserver SVM_name

    Where, SVM_name is the storage virtual machine.

  3. Log on to Commvault SaaS.

  4. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  5. Run a CIFS backup to verify that the credentials are working correctly.

VMware vCenter, Xen

  1. Sign in to the vendor console.

  2. Navigate to the user settings area that has an option to change the password.

  3. Modify the user's password.

  4. Log on to Commvault SaaS.

  5. Update credentials by following the steps in the Updating a Credential in a Built-in Credential Vault Commvault documentation page.

  6. Test the connection and then perform a test backup.

  7. After validation, remove the old credential in the console.

×

Loading...