It is expected security practice to change passwords when a developer leaves. These check-lists and notes are from the last time this was done--circa Apr 23, 2018. Changes in bold require downtime. All other changes may be made without impact to production operations.

https://trello.com/c/EET4GJZP

Nota bene. Password changes are not readily reversible in Oracle given our current configuration of password profiles, account auditing, and limitations of DBA scope.

Credential changes SHORE

HQ production environment

• HQ password safe password reset.
• LIMSHQ modify tasweb credential on all Tomcat servers.
• BuildHQ dev password reset.
• NEXUS HQ change credential for upload, server management.
• Oracle LIMSHQ schema passwords to be changed: LIMS, OPS, DESCINFO2, SPLAT, PUBLISH, PITALOG, TRANSFER--30 character random passwords are supplied from the Password Safe credential generation policy.
• LIMSHQ Tomcat instances: remove manager app, tomcat-users.xml, edit logging.properties to match, remove tomcat-users reference from server.xml
  Will only need to be done again on release of new distributions of Tomcat.

• Generate credential hashes for webapp usage for WRITER, SDRMREAD via

  /reference/EncryptString-eg?s=credential-to-obfuscate

  
  

• LIMSHQ modify context.xml hashes for new oracle passwords.
• Oracle LIMSHQ schema passwords to be changed: SDRM.
  Requires Tomcat host shutdown, application rebuild, deployment, and test.
  SDRMREAD requires an associated change in Tomcat context.xml.

• Oracle LIMSHQ schema passwords to be changed: WRITER, SDRMREAD.
  Requires Tomcat host shutdown, then Oracle password change and verification, then context.xml modification, then restart Tomcat, then spot check applications.

• Oracle LIMSHQ schema passwords to be changed: ConfluenceOwner.
  Requires Confluence shutdown, then Oracle password change and credential change in Confluence configuration--c:\srv\Confluence\confluence.cfg.xml--look for hibernate properties for username and password. Then Confluence may be restarted.

HQ test environment

• SHORT modify tasweb credential on all Tomcat servers.
• Oracle SHORT schema passwords to be changed: LIMS, OPS, DESCINFO2, SPLAT, PUBLISH, PITALOG, TRANSFER.
• Generate credential hashes for webapp usage for WRITER, SDRMREAD (same service as above).
• SHORT Tomcat instances: remove manager app, tomcat-users.xml, edit logging.properties to match, remove tomcat-users reference from server.xml
  Will only need to be done again on release of new distributions of Tomcat.
• SHORT modify context.xml hashes for new oracle passwords.
• Oracle SHORT schema passwords to be changed: SDRM.
  There is no live SaDR host in this environment--just change the database credentials.
• Oracle SHORT schema passwords to be changed: WRITER, SDRMREAD.
  Requires Tomcat host shutdown, then Oracle password change and verification, then context.xml modification, then restart Tomcat, then spot check applications.
• Oracle SHORT schema passwords to be changed: ConfluenceOwner.
  Requires Confluence shutdown, then Oracle password change and credential change in Confluence configuration--c:\srv\Confluence\confluence.cfg.xml--look for hibernate properties for username and password. Then Confluence may be restarted.

Account removals

• Shared Mac RF52890 -- A232b.
• VPN access to ship -- managed by the MCS.
• Build HQ
• Build JR
• Subversion account
• Confluence account disabled and removed from any group
• Authorizations removed from Trello
• Authorizations removed from Google ocean-drilling.org sites
• Exchange lists: programmers, developer
• Exchange lists: jr_programmers, jr_developer

Credential changes SHIP

LIMSJR production environment

• JR password safe password reset.
• LIMSJR modify tasweb credential on all Tomcat servers.
• BuildJR dev password reset.
• NEXUS JR change credential for upload, server management.
• Oracle LIMSJR schema passwords to be changed: LIMS, OPS, DESCINFO2, SPLAT, PUBLISH, PITALOG, TRANSFER.
• LIMSJR Tomcat instances: remove manager app, tomcat-users.xml, edit logging.properties to match, remove tomcat-users reference from server.xml
• Generate credential hashes for webapp usage.
  
• LIMSJR modify context.xml hashes for new oracle passwords.
• There is no SDRM account in the shipboard environment.
• There is no SDRMREAD in the shipboard environment, but the SPLAT application will reach out to shore--i.e. when the shore credential changes, so must the shipboard references to it.
• Oracle LIMSJR schema passwords to be changed: WRITER.

LIMSJR test environment

• SHIPT modify tasweb credential on all Tomcat servers.
• Oracle SHIPT schema passwords to be changed: LIMS, OPS, DESCINFO2, SPLAT, PUBLISH, PITALOG, TRANSFER
• Generate credential hashes for webapp usage.
• SHIPT Tomcat instances: remove manager app, tomcat-users.xml, edit logging.properties to match, remove tomcat-users reference from server.xml
• SHIPT modify context.xml hashes for new oracle passwords.
• Oracle SHIPT schema passwords to be changed: SDRM. Requires app rebuild.
• Oracle SHIPT schema passwords to be changed: WRITER.
• The resteasy-drillreport.war should be unzipped. Modify WEB-INF/rest.xml to reflect the change in OPS credential. Repackage and distribute.

Nota bene. Regarding the WRITER credential. Generating a 30 char password from Password Safe with all possible symbols is problematic. Specifying which characters must be URL encoded for the encrypt/decrypt service to produce a functional result is challenging.

So opted to used a 30 char password only based on hexadecimal digits. Applied in SHORT.