Synopsis

This article describes how to

  • change the maglev user password

  • create a new SSH key to replace one that's been lost, and

  • recover the maglev user password after losing an SSH key.

Challenges in Catalyst Center on AWS

Catalyst Center on AWS instances cannot be booted from an ISO image, as is possible in an on-premises Catalyst Center environment.

Make system changes

Complete the steps described in this topic to make system changes in Catalyst Center on AWS.

The AWS EC2 serial console does not provide the color terminal profile that the maglev-config update command needs. You must export a color terminal type (such as xterm), but the export command is not in the allowed commands list, so you'll need to contact the Cisco TAC for assistance getting full shell access.


Step 1

Select your Catalyst Center instance in the Connect to Instance (AWS > EC2) page, then click Connect.

Step 2

After the page updates, click the EC2 serial console tab, then click Connect.

Step 3

Log in as the maglev user, using the password set during initial deployment either through Cisco Global Launchpad, AWS CloudFormation, or AWS Marketplace.

Step 4

Contact the Cisco TAC and obtain the consent token you need to provide in order to get full shell access.

Step 5

Run the _shell -v consent-token command.

Step 6

Get a color terminal by running the export TERM=xterm command.

Step 7

Run the sudo maglev-config update command and make the necessary changes (such as the maglev user's password).


Create a new SSH key

An SSH key is the primary method for authenticating a remote SSH session with Catalyst Center. If you lose an SSH key, there are two ways to create a new one.

Option 1: Using the ssh-keygen utility

You can pick the key type (for example, rsa or ed25519). Refer to this sample output.

 Note

You can skip the passphrase by pressing Enter twice without typing anything.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/faimehmo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/faimehmo/.ssh/id_rsa
Your public key has been saved in /Users/faimehmo/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Xd5G4nB6fR+BqMeSpXqEZeFikk0niz6lbkvb91vk/hX faimehmo@FAIMEHMO-M-Y6V6
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|                 |
|     X X  .      |
|    = = .o  . .  |
|   + * +Z ++.E . |
|  . = =  *Z=  . .|
|   = . ..=+=+... |
|  o.+ ..o.=. ....|
|  .+...Y.Y....  .|
+----[SHA256]-----+

You will have a key pair saved, as shown in the output. Note that the output has been modified to make it invalid.

Option 2: Using an AWS key pair

Open the AWS > EC2 > Network & Security > Key Pairs page to create a new key pair. After the key file is downloaded to your machine, extract the public key from it before pushing it to a Catalyst Center instance.

$ ssh-keygen -y -f aws.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCr2P+1/2AB68ThH0KFE06MtzwvrXOb5QEc0PVr100000000000xza
TBT9pAnRgoOefJVrU470saq8dcQcaEVHcdz2Tw/71sUK8HhyGcFH4SuR/vLBoZ/IHGA8k9SYuNd8hqS0+Wnb4A8cODlU
Ay26lZlh6UzxEi5c1BjRYDRU+aEyLDExZG5C5dolAKlyLEUwSu57kgBjDeppKSz0l94hzN2o7srWLhPnLzkt3t+c3uOxq
Scd3cqDSlv1gWLZIsuTXQKoSmC46uAEXBnw0oAqT/UAKYzP3lYADW4hnmdEu/QQ6e9vEl7Rw04jt14t5NZi85SUBD+sfRRuDs+9Ivzd1

Note that the output has been modified to make it invalid.

Transfer the SSH key to a Catalyst Center on AWS instance

After you have created the new SSH key, complete these steps to transfer the key to your Catalyst Center on AWS instance.


Step 1

Copy the content from one of these sources:

  • The public key (id_rsa.pub)

  • The output of the ssh-keygen -y -f aws.pem command (as described in the "Option 2: Using an AWS key pair" section in Create a new SSH key).

Step 2

Paste this content as a new line in your Catalyst Center on AWS instance's /home/maglev/.ssh/authorized_keys file.
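
One way to carry out Step 2 from a shell on the instance, as an added example that is not part of the original procedure or Cisco's code: the hypothetical add_authorized_key function rejects anything that is not a single-line public key (such as the private aws.pem file itself), skips a key that is already present, and sets the permissions that sshd's StrictModes check expects. The function name, return codes, and the caller-supplied target path are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco's code. add_authorized_key is a hypothetical helper.
# Usage: add_authorized_key <public-key-file> <authorized_keys-path>
# Returns 0 = added, 2 = not a single-line public key, 3 = already present.
add_authorized_key() {
    pub=$1
    auth=$2

    # Private key files such as aws.pem are multi-line PEM/OpenSSH blocks and
    # must never be pasted into authorized_keys.
    if grep -q -e '-----BEGIN' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 2
    fi
    # A public key file holds exactly one non-empty line.
    [ "$(grep -c . "$pub")" -eq 1 ] || return 2

    # Fields: <type> <base64-blob> [comment]
    read -r ktype blob comment < "$pub" || true
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) return 2 ;;
    esac
    # The blob is base64 and starts with "AAAA" (the leading zero bytes of
    # the key-type length field); anything else is a damaged paste.
    case $blob in
        AAAA*) ;;
        *) return 2 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) return 2 ;;
    esac

    # sshd's StrictModes check expects these permissions.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Match the blob as a whole field so a different comment, or options in
    # front of an existing entry, do not produce a duplicate line.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
            END { exit !f }' "$auth"; then
        return 3
    fi
    printf '%s\n' "$ktype $blob${comment:+ $comment}" >> "$auth"
}
```

On the instance, the call would be add_authorized_key id_rsa.pub /home/maglev/.ssh/authorized_keys, run as the maglev user so that file ownership stays correct.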


Recover the maglev user password after losing an SSH key

Complete this procedure to mount the Catalyst Center disk to another Amazon Elastic Compute Cloud (EC2) instance so you can recover the maglev user password.


Step 1

Set up a recovery EC2 instance:

  1. Access the Catalyst Center volume by opening another EC2 instance of type r5a.8xlarge in the same region where Catalyst Center was deployed.

  2. Name this new instance recovery.

  3. Since you lost the SSH key, select Create new key pair in the Key pair (login) section and save the key securely.

  4. Launch the recovery instance.

  5. Once this instance enters the Running state, stop it.

Step 2

Recover the maglev user password:

  1. Make note of Catalyst Center's EBS volume by selecting its instance and pointing to the Storage section in the EC2 instance detail view.

    The volume name resembles vol-094f89431461f79ef.

  2. Shut down the Catalyst Center EC2 instance.

    This will allow you to attach its volume to the recovery EC2 instance you created earlier.

  3. Choose Elastic Block Store > Volumes.

  4. Detach from the Catalyst Center instance by selecting the Catalyst Center EBS volume and then clicking Detach Volume from the Actions menu.

    This will allow you to attach it to the recovery instance. The EBS volume's status changes to Available.

  5. Select the Catalyst Center volume, then select Attach Volume from the Actions menu.

  6. In the next screen, select the recovery instance from the Instance drop-down list.

  7. Specify an available Device name (for example, /dev/sdx), then click Attach Volume.

  8. Start the recovery EC2 instance. After it enters the Running state and a status check indicates that all checks have passed, connect to it using the Console option.

  9. Get root level access by running the sudo -i command.

  10. Check the disks by running the lsblk -fm command.

    In this example, nvme1n1 is the Catalyst Center disk and the root disk is of size 62G.

  11. Mount the Catalyst Center root disk by running these commands:

    • mkdir tmp

    • mount /dev/nvme1n1p2 tmp/

  12. Change the maglev user password by running these commands:

    • chroot tmp/

    • passwd maglev

  13. After the password change, exit the chroot environment and shut down the recovery instance.

Step 3

Restore the Catalyst Center instance.

  1. After the recovery EC2 instance has been stopped, browse to Volumes and detach the Catalyst Center volume from the recovery instance.

  2. Attach the Catalyst Center volume back to the Catalyst Center EC2 instance.

  3. Start the Catalyst Center instance.

  4. After this instance enters the Running state and a status check indicates that all checks have passed, connect to the instance using the Console option.

Step 4

Update the maglev user password.

 Note

The maglev user password was updated on the OS level, but it is not synced with the platform database etcd. You must sync the password by running the maglev-config update command.

  1. Contact the Cisco TAC and obtain the consent token you need to provide in order to get full shell access.

  2. Run the _shell -v consent-token command.

  3. Get a color terminal by running the export TERM=xterm command.

  4. Run the sudo maglev-config update command to change the maglev user's password (along with any other system settings you want to change).

Step 5

Create a new SSH key.