Having a quick look I can see that host information can be found in the table host_details, and this includes a password value which is an encryped version of the password. I cannot tell how the password has been encrypted before being added to the database

I am not seeing a password field in that table either:

mysql> select * from cloud.host_details where id=1;
----+---------+-----------------+-------
| id | host_id | name | value |
----+---------+-----------------+-------
| 1 | 1 | product_version | 6.0.2 |
----+---------+-----------------+-------
1 row in set (0.00 sec)

I did change the password on the host first, as the directions in the admin guide directs you to do. Either way, I suppose this means the procedure has changed for 3.0.5? Thanks for the help.

Hi, Peter. I checked the CloudStack 3.0.5 admin guide and the instructions under Changing Host Password are not valid. If you're certain the host id is 1, use the following to view the current password:
> select * from `cloud`.`host_details` where name = 'password' and host_id = 1;
Unless you have a large number of hosts, the following should be fine and will help with understanding what this table contains:
> select * from `cloud`.`host_details`;

The password is likely encrypted so you must update it with a password encrypted with the database key. By default it's set to "password". It's set with cloud-setup-databases+ or +cloud-setup-encryption+ so get the key from your notes, or you may be able to find it in the +bash+ history. If you can't find it, get the ciphertext for the password in +/etc/cloud/management/db.properties (the db.cloud.encrypt.secret setting) and decrypt it with:
> java -classpath /usr/share/java/cloud-jasypt-1.8.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI encrypt.sh input="database_key_ciphertext" password="management_server_key" verbose=false
If you don't know the management server key (default is also password) you can get it from:
> cat /etc/cloud/management/key

Once you have the database key, the following steps can be used to encrypt the new password and update the database accordingly.

1. Encrypt the new password and make a note of the resulting ciphertext (use the correct database key):
> java -classpath /usr/share/java/cloud-jasypt-1.8.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI encrypt.sh input="newpassword123" password="database_key" verbose=false
2. *Back up the database*:
> mysqldump -u root -p cloud | bzip2 > cloud_backup.sql.bz2
3. Update the password in the host_details table (make sure use the id for the correct row, i.e. the one with the password):
> update `cloud`.`host_details` set value = 'ciphertext_from_step_1' where id = 1234;

Do the above for all hosts in the cluster.

If it's a vSphere cluster you also need to update the password in the cluster_details (this cluster password seems to only be used occasionally, such as when adding a new host to a cluster).

1. Get the cluster id:
> select * from `cloud`.`cluster`;
2. Find the id of the row to update in the cluster_details table (i.e. the row with the password for the cluster with the id from step 1):
> select * from `cloud`.`cluster_details` where cluster_id = 1234;
3. And update that row:
> update `cloud`.`cluster_details` set value = 'ciphertext_from_step_1' where id = 1234;

Best regards,

{color:#555555}Kirk Kosinski{color} !http://www.linkedin.com/favicon.ico!
{color:#999999}MCITP: EA / VA / EDA7, VCP 4 / 5, CCA{color}

Thank you very much for the write up Kirk!

I see know why I didn't see the password in host_details: I was selecting where 'id=1' instead of where 'host_id=1'.

Kirk, I believe there is one thing to revise in your instructions: the mysql command in step 3 should be

update `cloud`.`host_details` set value = 'ciphertext_from_step_1' where host_id = 1234 and name = 'password';

Notice using host_id instead of id. Also, if I'm thinking correctly, you need "name = 'password'" or else every row value for that host will be replaced by the password.

Also, I had some trouble using the '$' symbol in my password, because the encryption command seems to interpret it as a special character even when it's in quotes, so I just avoided the dollar signs.

Thank you!