-
Notifications
You must be signed in to change notification settings - Fork 140
/
credentials.html.md.erb
121 lines (82 loc) · 6.78 KB
/
credentials.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
---
title: Retrieving Credentials from Your Deployment
owner: Ops Manager
---
This topic describes how the credentials for your <%= vars.platform_name %> deployment are stored and how you can access them.
* **What credentials does <%= vars.platform_name %> store?**
* Many <%= vars.platform_name %> components use credentials to authenticate connections, and <%= vars.platform_name %> installations often have hundreds of active credentials. This includes certificates, virtual machine (VM) credentials, and credentials for jobs running on the VMs.
* **Where does <%= vars.platform_name %> store these credentials?**
* <%= vars.platform_name %> stores credentials in either the Ops Manager database
or [BOSH CredHub](../credhub/index.html#bosh).
* **When do I need to access these credentials?**
* You may need to access credentials for Ops Manager, <%= vars.app_runtime_abbr %>, and service tiles as part of regular administrative tasks in <%= vars.platform_name %>, including troubleshooting. Many procedures in this documentation require you to retrieve credentials.
* **How can I retrieve credentials?**
* The workflow for retrieving credentials depends on where they are stored. See the procedures below.
## <a id="credhub"></a> Retrieve Credentials Stored in BOSH CredHub
To retrieve credentials from CredHub using the Ops Manager API, do the following:
1. Perform the procedures in the [Using the Ops Manager API](./ops-man-api.html) topic to authenticate and access the Ops Manager API.
1. Use the Ops Manager API to retrieve a list of deployed products:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `UAA-ACCESS-TOKEN` with the access token recorded in the previous step.
1. In the response to the above request, locate the `guid` for the product from which you want to retrieve credentials. For example, if you want to retrieve <%= vars.app_runtime_abbr %> credentials, find the `installation_name` starting with `cf-` and copy its `guid`.
1. Run the following `curl` command to list the names of the credentials stored in CredHub for the product you selected. If you already know the name of the credential, you can skip this step.
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `PRODUCT-GUID` with the value of `guid` from the previous step.
1. Run the following `curl` command to view the credential:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables?name=VARIABLE-NAME" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `VARIABLE-NAME` with the name of the credential you want to retrieve.
## <a id="opsman"></a> Retrieve Credentials Stored in the Ops Manager Database
To retrieve credentials stored in the Ops Manager database and not CredHub, use the Ops Manager UI or API as outlined in the procedures below.
### <a id="ui"></a> Retrieve Credentials Using the Ops Manager UI
1. From Ops Manager, select the product tile for which you want to retrieve credentials.
1. Click the **Credentials** tab.
1. Locate the credential that you need and click **Link to Credential**.
### <a id="api"></a> Retrieve Credentials Using the Ops Manager API
1. Perform the procedures in the [Using the Ops Manager API](./ops-man-api.html) topic to authenticate and access the Ops Manager API.
1. Use the Ops Manager API to retrieve a list of deployed products:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `UAA-ACCESS-TOKEN` with the access token recorded in the previous step.
1. In the response to the above request, locate the `guid` for the product from which you want to retrieve credentials. For example, if you want to retrieve <%= vars.app_runtime_abbr %> credentials, find the `installation_name` starting with `cf-` and copy its `guid`.
1. Run the following `curl` command to list references for the credentials stored in Ops Manager for the product you selected. If you already know the reference for the credential, you can skip this step.
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `PRODUCT-GUID` with the value of `guid` from the previous step.
1. Run the following `curl` command to view the credential:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials/CREDENTIAL-REFERENCE" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `CREDENTIAL-REFERENCE` with the name of the credential you want to retrieve.
## <a id="rotate"></a> Changing Ops Manager Credentials
### <a id="om-password"></a> Ops Manager Password
1. Log in to Ops Manager and navigate to **My Account**. You can access this at `https://OPS-MAN-FQDN/uaa/profile`.
<%= image_tag("ops-mgr-my-account.png") %>
2. Navigate to **Change Password**. You can access this at `https://OPS-MAN-FQDN/uaa/change_password`.
3. Enter your current password and a new password.
<%= image_tag("opsman-change-password.png") %>
### <a id="om-passphrase"></a> Ops Manager Decryption Passphrase
You must have the existing passphrase to update the decryption passphrase.
1. Log in to Ops Manager, and navigate to **Settings**. You can access this at `https://OPS-MAN-FQDN/encryption_passphrase/edit`.
<%= image_tag("ops-mgr-settings.png") %>
1. In the `Decryption Passphrase` panel, enter your current decryption passphrase and the new decryption passphrase, then click **Save**.
<%= image_tag("ops-mgr-decryption-passphrase.png") %>
### <a id="blobstore"></a> S3 Compatible Blobstore Credentials
If you use an S3 compatible blobstore, you can rotate your blobstore credentials from the **Director Config** panel of the BOSH Director tile.
After entering new credentials and clicking **Review Pending Changes**, then **Apply Changes**, BOSH recreates the VMs in your deployment to apply the new credentials.
1. From a browser, navigate to `https://OPS-MAN-FQDN/` and log in to Ops Manager.
1. From the Installation Dashboard, click the BOSH Director tile.
1. From the **Director Config** panel, select the **Recreate VMs deployed by the BOSH Director** checkbox.
<%= image_tag("bosh-recreate.png") %>
1. For **Access Key**, enter a new access key.
<%= image_tag("blobstore.png") %>
1. For **Secret Key**, enter a new secret key.
1. Click **Review Pending Changes**, then **Apply Changes**.
1. Clear the **Recreate VMs deployed by the BOSH Director** checkbox.