Renewing configuration secrets in openHAB 3

Tutorials & Examples
,
1

Hi all,

wanted to share my simple recipe for revoking/renewing secrets of an openHAB installation. This is useful for security purposes, for example if you want to regenerate the openhabcloud credentials, or you believe your secrets have been compromised.

Please make sure to backup your whole openHAB installation since this is touching internal configuration files of openHAB, and might make your system inaccessible.

This guide is not exhaustive – if you find something missing from the list, please let me know.

For guidance on folders, please see the manual openHAB on Linux | openHAB . The guidance below refers to default folder names of a linux “repository installation” (i.e. installation via apt).

  1. Stop openHAB
  2. Rename jsondb backup so that openHAB does not revert to the backup but instead regenerates the secret:
mv /var/lib/openhab/jsondb/backup /var/lib/openhab/jsondb/backup.old.$(date +%Y-%m-%d.%H.%M.%S)
  1. /var/lib/openhab/etc/keystore: replace with fresh file from openhab-x.y.z.zip distibution zip. Distribution zip contains an empty keystore which makes openHAB re-generate the contents (private key for https) on startup
  2. /var/lib/openhab/etc/key.properties: no action needed, does not contain anything too secret
  3. /var/lib/openhab/etc/users.properties. Contains karaf console password. Replace {CRYPT}oldpasswordhash{CRYPT} with plaintext password
  4. /var/lib/openhab/jsondb/users.json. Controls admin password to admin of Main UI . Delete the file
  5. /var/lib/openhab/openhabcloud/secret . Delete the file. Used in authentication to myopenhabcloud.org
  6. /var/lib/openhab/uuid. Delete the file. Used in authentication to myopenhabcloud.org
  7. /var/lib/openhab/etc/host.key. Private key for encryption (karaf console ssh host key?). Delete the file
  8. /var/lib/openhab/etc/host.key.pub. Public key corresponding to etc/host.key
  9. /var/lib/openhab/secrets/rsa_json_web_key.json. Main UI API explorer token. Remove the file
  10. Check /etc/openhab for any secrets, e.g. in thing files, rules, or services/
  11. Check /var/lib/openhab/userdata/config folder (e.g. persistence configuration via UI might very well contain database passwords)

Finally start openHAB, login to Main UI admin pages (you will be prompted to create new admin password).

Test out that you can login to karaf console via ssh (ssh openhab@127.0.0.1 -p8101)

Reconfigure new uuid and secret in myopenhab.org. Consider changing your password to myopenhab.org.

6 Likes
2

Thanks for creating the tutorial on the steps to do this. Wanted to add that you should change your myopenhab login password as well. If someone has those login details perhaps from you entering them when connected to a dodgy free public wifi point, this will stop them from simply logging in and grabbing the newly changed secrets again.

3

Thanks! I added that to first post as well.

4

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.