Brad Poulton 3 years ago
parent
commit
1b2eb3aba1

+ 9 - 1
Okta Notes.md

@@ -7,10 +7,18 @@ Okta -> Admin -> input username -> assign applications
 ## OKTA API Tokens
 Don't use the GUI for Okta tokens. Chris can generate a new Okta token with the correct user and access. Also, better to look in the bash history for Okta tokens
 
+## How to Reset ldap.read OKTA user
+
+`ldap.read@defpoint.com` is the Okta user that has the API token that Splunk uses to auth to Okta and pull logs. If the ldap.read account is suspended, the API token is suspended as well. The `ldap.read` account's password expires after 60 days. To see when the password will expire, go to [Reports -> Okta Password Health](https://mdr-multipass-admin.okta.com/reports). Don't open with EXCEL! Add 60 days to the date in the last column.  
+
+- Be on prod VPN.
+- Log into OKTA in an Incognito window using the `ldap.read` username and the current password from Vault (`engineering/root`). Three failed logins will lock the user. MFA is disabled for the account. 
+- Once the password has been updated, update Vault in this location, `engineering/root` with a key of `ldap.read@defpoint.com`. You will have to create a new version of engineering/root to save the password. 
+- Set reminder in your calendar to reset the password in less than 60 days or OKTA logs will stop flowing.
 
 ## Password expiration report
 OKTA -> Reports -> Okta Password Health
-Open with Brackets Not excel
+Open with Text editor Not excel
 
 [Okta Reports](https://mdr-multipass-admin.okta.com/reports)
 
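Review bot: the new step list jumps from logging in as `ldap.read` straight to "Once the password has been updated" without a bullet saying where and how the password is actually changed; add that step between the login bullet and the Vault bullet so the procedure is complete for someone who has never done it. Also, the section itself notes that a suspended `ldap.read` account suspends the Splunk API token and stops Okta logs flowing, so a personal calendar reminder is a thin control for a 60-day expiry; pair it with a check in Splunk that alerts when Okta log ingestion stops, so an expired or locked account is caught regardless of who holds the reminder.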

+ 0 - 13
OpenVPN Notes.md

@@ -16,19 +16,6 @@ Helpful... [OpenVPN - Managing settings for the web services from the command li
 
 There is a strict dependency that OpenVPN be started after `firewalld`.
 
-
-## How to Reset ldap.read 
-
-`ldap.read@defpoint.com` is the Okta user that OpenVPN uses to auth to Okta. The `ldap.read` account's password expires after 60 days. To see when the password will expire, go to [Reports -> Okta Password Health](https://mdr-multipass-admin.okta.com/reports). Don't open with EXCEL! Add 60 days to the date in the last column.  
-
-- Be on prod VPN.
-- Log into OKTA in an Incognito window using the `ldap.read` username and the current password from Vault (`engineering/root`). Three failed logins will lock the user. Brad's phone is currently setup with the Push notification for the account. The MFA is required for the account. To change the password without Brad, remove MFA with your account in OKTA and set it up on your own phone. 
-- Once the password has been updated, update Vault in this location, `engineering/root` with a key of `ldap.read@defpoint.com`. You will have to create a new version of engineering/root to save the password. 
-- Store the new password and the creds for openvpn and drop off the VPN. Log into the [OpenVPN web GUI](https://openvpn.xdr.accenturefederalcyber.com/admin/) as the openvpn user (password in Vault) and update the credentials for `ldap.read`. Authentication -> ldap -> update password -> Save Settings. Then update running server. Repeat this for the [Dev Environment](https://openvpn.xdrtest.accenturefederalcyber.com/admin/) 
-- Verify that you are able to login to the VPN. 
-- Set reminder in your calendar to reset the password in less than 60 days. 
-
-
 ------------
 when okta push is slow, get the 6 digits from your okta app
 and put into Viscosity your password as  `password,123456`
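Review bot: removing this section drops two OpenVPN-specific steps that the new section in Okta Notes.md does not carry over: updating the `ldap.read` credentials in the OpenVPN web GUI (Authentication -> ldap -> update password -> Save Settings, then update running server) for both prod and the dev environment, and verifying a VPN login afterwards. If the reset procedure now lives only in Okta Notes.md, either keep those two bullets here or add a pointer from Okta Notes.md back to them, otherwise the next rotation will update Okta and Vault but leave OpenVPN authenticating with the old password. The deleted text also says MFA is required for `ldap.read` (push to Brad's phone) while the added Okta Notes text says MFA is disabled; the commit should state which is current.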

+ 2 - 63
Portal Notes.md

@@ -14,69 +14,6 @@ salt 'customer-portal*' cmd.run 'docker restart portal nginx'
 
 Verify Vault service is running. Logs are sent to Splunk. See Splunk search below in this document. 
 
-## Deploy Process
-
-For PROD: Stop docker containers on both servers, but upgrade the containers one server at a time. This way you can quickly get the site back up on the previous server. 
-
-One at a time to reduce risk.
-```
-#Stop both
-salt 'customer-portal*' test.ping
-salt 'customer-portal*' cmd.run 'docker container ls'
-salt 'customer-portal*' cmd.run 'docker stop portal nginx'
-
-#Update First Portal Server
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' test.ping
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' cmd.run 'docker rm portal nginx'
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' cmd.run 'docker images'
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' cmd.run 'docker rmi <image-ids>'
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' state.sls docker.portal --output-diff
-
-#Update Second Portal Server
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' test.ping
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' cmd.run 'docker rm portal nginx'
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' cmd.run 'docker images'
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' cmd.run 'docker rmi <image-ids>'
-salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' state.sls docker.portal --output-diff
-```
-
-For TEST: Both at the same time
-```
-salt 'customer-portal*' test.ping
-salt 'customer-portal*' cmd.run 'docker container ls'
-salt 'customer-portal*' cmd.run 'docker stop portal nginx'
-salt 'customer-portal*' cmd.run 'docker rm portal nginx'
-salt 'customer-portal*' cmd.run 'docker images'
-salt 'customer-portal*' cmd.run 'docker rmi <image-ids>'
-salt 'customer-portal*' state.sls docker.portal --output-diff
-```
-
-To verify the version, login to Portal and go to the Staff Tools. 
-
-From the [XDR Wiki page](https://github.xdr.accenturefederalcyber.com/MDR-Content/mdr-content/wiki/Customer-Portal)
-Last time we tried the `ec2_tags` grain targeting did not work.
-
-```
-salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker images" – You will need to grab the docker image ID for the container that needs to be updated
-salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker stop portal"
-salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker rm portal"
-salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker rmi ${image id from above}
-salt -G 'ec2_tags:Name:customer-portal' state.sls docker
-salt -G 'ec2_tags:Name:customer-portal' state.sls docker.portal
-```
-
-### Deploy specific tag to nginx and/or portal
-
-```
-#login to ECR using the docker salt state
-salt 'customer-portal*' state.sls docker.portal --output-diff test=true
-
-#create a new branch and modify the file to the needed tags then push it up.  
-salt 'customer-portal*' state.sls docker.portal-revert saltenv=feature/bp_na_salt_portal_tag
-
-#once you are done delete the branch
-```
-
 ## Command line access
 ```
 docker exec -ti nginx bash
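Review bot: the Deploy Process is removed here without leaving a pointer to where it now lives; add a one-line reference to Portal Upgrade Notes.md near the `## Command line access` heading, since someone reading Portal Notes.md for the `docker restart portal nginx` command in the hunk header will otherwise not find the full upgrade procedure.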
@@ -162,6 +99,8 @@ User.objects.filter(email="richard.t.page@accenturefederal.com").delete()
 User.objects.filter(email="wesley.a.leonard@accenturefederal.com").delete()
 
 
+
+
 ## Troubleshooting the docker image
 
 
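Review bot: this hunk only adds two more blank lines between the `User.objects...delete()` lines and `## Troubleshooting the docker image`, leaving four consecutive blank lines; drop the whitespace-only change.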

+ 75 - 0
Portal Upgrade Notes.md

@@ -0,0 +1,75 @@
+# Portal Upgrade Notes
+
+## Upgrade/Deploy Process
+
+For PROD: Stop docker containers on both servers, but upgrade the containers one server at a time. This way you can quickly get the site back up on the previous server. 
+
+One at a time to reduce risk.
+```
+#Stop both
+salt 'customer-portal*' test.ping
+salt 'customer-portal*' cmd.run 'docker container ls'
+salt 'customer-portal*' cmd.run 'docker stop portal nginx'
+
+#Update First Portal Server
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' test.ping
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' cmd.run 'docker rm portal nginx'
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' cmd.run 'docker images'
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' cmd.run 'docker rmi <image-ids>'
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1a' state.sls docker.portal --output-diff
+
+#Update Second Portal Server
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' test.ping
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' cmd.run 'docker rm portal nginx'
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' cmd.run 'docker images'
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' cmd.run 'docker rmi <image-ids>'
+salt -C 'customer* and G@ec2:availability_zone:us-gov-east-1b' state.sls docker.portal --output-diff
+```
+
+For TEST: Both at the same time
+```
+salt 'customer-portal*' test.ping
+salt 'customer-portal*' cmd.run 'docker container ls'
+salt 'customer-portal*' cmd.run 'docker stop portal nginx'
+salt 'customer-portal*' cmd.run 'docker rm portal nginx'
+salt 'customer-portal*' cmd.run 'docker images'
+salt 'customer-portal*' cmd.run 'docker rmi <image-ids>'
+salt 'customer-portal*' state.sls docker.portal --output-diff
+```
+
+To verify the version, login to Portal and go to the Staff Tools. 
+
+From the [XDR Wiki page](https://github.xdr.accenturefederalcyber.com/MDR-Content/mdr-content/wiki/Customer-Portal)
+Last time we tried the `ec2_tags` grain targeting did not work.
+
+```
+salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker images" – You will need to grab the docker image ID for the container that needs to be updated
+salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker stop portal"
+salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker rm portal"
+salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker rmi ${image id from above}
+salt -G 'ec2_tags:Name:customer-portal' state.sls docker
+salt -G 'ec2_tags:Name:customer-portal' state.sls docker.portal
+```
+
+### Deploy specific tag to nginx and/or portal
+
+```
+#login to ECR using the docker salt state
+salt 'customer-portal*' state.sls docker.portal --output-diff test=true
+
+#create a new branch and modify the file to the needed tags then push it up.  
+salt 'customer-portal*' state.sls docker.portal-revert saltenv=feature/bp_na_salt_portal_tag
+
+#once you are done delete the branch
+```
+
+## Database Upgrade
+
+Portal's PostgreSQL DB is stored in AWS RDS. 
+
+Steps:
+- Stop Portal
+- Upgrade DB
+- Start Portal
+- Update TF code
+- Apply TF code to ensure no issues
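Review bot: the moved content carries its defects with it. In the `ec2_tags` block the `docker rmi "${image id from above}` line is missing its closing double quote, and the `– You will need to grab the docker image ID...` remark on the `docker images` line sits outside the quoted command, so salt would receive it as extra arguments; move it to its own `#` comment line. The PROD intro says upgrading one server at a time lets you quickly get the site back up on the previous server, but the first block stops `portal nginx` on both servers before either is upgraded, so nothing is serving during the upgrade; either stop only the server being upgraded or reword the rationale. In the "Deploy specific tag" block the comment says the first command logs in to ECR, but the command shown runs `docker.portal` with `test=true`, which is a dry run; say what it actually does. Finally, the Database Upgrade steps go straight from "Stop Portal" to "Upgrade DB" with no snapshot or backup step; add taking an RDS snapshot before the upgrade so there is something to roll back to.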