Pivotal Knowledge Base


How to Regenerate Static Passwords in Pivotal Cloud Foundry

Environment

 Product                        Version
 Pivotal Cloud Foundry® (PCF)   All Versions

Purpose

You may need to regenerate the static passwords in Pivotal Cloud Foundry for a variety of reasons, including but not limited to:

  • One or more passwords have been compromised.
  • Your policy requires periodic password rotation.

Follow the instructions below to regenerate passwords that Ops Manager generates and installs. All commands are run from a terminal on the Ops Manager VM:

1. SSH to the Ops Manager VM.

2. Target the Ops Manager UAA with UAAC (--skip-ssl-validation is only needed when the Ops Manager certificate is not trusted by the VM; omit it where the certificate is trusted):

$ uaac target https://<opsman-url>/uaa --skip-ssl-validation

3. Obtain a token so that UAAC can call the Ops Manager API:

$ uaac token owner get
Client ID:  opsman
Client secret: <leave blank>
User name:  <username used to log in to Ops Manager>
Password: *************************
Successfully fetched token via owner password grant.
Target: https://<opsman-url>/uaa
Context: admin, from client opsman

4. Download the Ops Manager installation settings (the Ops Manager "database") as JSON and save them to a file named installsettings.json. Either of the following works. The uaac curl form reuses the token obtained in step 3, but prints the request line and response headers along with the body, so copy only the JSON body into the file. The plain curl form writes pretty-printed JSON straight to the file, but needs the access token and the Ops Manager URL in the environment first (step 7 shows how to extract the token from the UAAC context):

$ uaac curl https://<opsman-url>/api/installation_settings -k

$ export OPSURL=https://<opsman-url>
$ export TOKEN='<access token from uaac context>'
$ curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN" ${OPSURL}/api/installation_settings | python -m json.tool > installsettings.json

5. Make a backup copy of installsettings.json before editing it:

$ cp installsettings.json installsettings.json.original

6. Find and delete the JSON block that represents each credential you want to rotate. When the modified file is uploaded back to Ops Manager and "Apply Changes" is run (step 8), Ops Manager generates new values for every credential that is missing from the file. Delete the entire block, including its braces and the trailing comma where one follows it, so that the file remains valid JSON; after editing, confirm the file still parses (for example by running it through python -m json.tool, which the download step already uses), because an invalid upload is rejected and nothing is rotated. Here are some example scenarios:

I). Within the "director" job of the "p-bosh" product:

    • To rotate the credentials of the BOSH "director" user, locate and delete the block with "identifier": "director_credentials", such as:
           {
              "deployed": false,
              "identifier": "director_credentials",
              "value": {
                "identity": "director",
                "password": "Ubx9bzDP73oZzQkgBYo-eR8UwXb27Eq7"
              }
           },
    • To rotate the BOSH UAA admin user, delete the "uaa_admin_user_credentials" block:
            "uaa_admin_user_credentials": {
              "identity": "admin",
              "password": "lAuSbwu2qM_Yt2i0xoWc6fusiCI3O9IK"
            },
    • To rotate the BOSH UAA admin client secret, delete the "uaa_admin_client_credentials" block, which has the same shape but carries the client's own secret:
            "uaa_admin_client_credentials": {
              "identity": "admin",
              "password": "<client secret>"
            },

  II). For credentials under the Elastic Runtime tile, such as the UAA admin credentials, which live in the UAADB job of the "cf" product:

    • To rotate the credentials of the UAA "admin" user, locate and delete the block with "identifier": "admin_credentials", such as:
       {
           "deployed": true,
           "identifier": "admin_credentials",
           "value": {
             "identity": "admin",
             "password": "jgGuCppRYOUcgVDsc6lDyOp7g4i-BciI"
           }
       },

  III). To rotate the "vcap" user password for all BOSH VMs across all products:

    • Delete every block with the key "vm_credentials", such as:
            "vm_credentials": {
              "identity": "vcap",
              "salt": "2a717f911bad21c5",
              "password": "p6NL_oHurqzjwS23hdjsz4nzRFiLpqDwp"
            }

7. Upload the modified JSON to Ops Manager.

Note: uaac curl cannot be used for this operation, because it cannot send a multipart request body read from a file; use curl with the access token instead.

  • Get the access token from the UAAC context and put it in the environment variable TOKEN using export TOKEN='...'. The token is a bearer credential with opsman.admin scope that stays valid for expires_in seconds (about 12 hours in the example below); anyone holding it can read and change the installation settings until it expires, so do not leave it in scripts or shared shell histories.
     $ uaac context

     [1]*[https://<opsman-url>/uaa]
       skip_ssl_validation: true

       [0]*[admin]
           user_id: 36f914af-0376-49cb-9072-af114330efb1
           client_id: opsman
           access_token: <long JWT: three base64url segments separated by dots>
           token_type: bearer
           refresh_token: 9e77368f7ef44060ad69c9483047673f-r
           expires_in: 43199
           scope: opsman.admin scim.me opsman.user uaa.admin clients.admin
           jti: dcb40ad3696c4371957f18dfb64bb342

     $ export TOKEN='<paste the access_token value here>'
     $ export OPSURL=https://<opsman-url>
  • Using curl, upload the modified JSON file to Ops Manager. Do not set a Content-Type header by hand: with -F, curl generates "multipart/form-data" together with the required boundary parameter, and a manually supplied header without the boundary makes the upload unparseable on the server side. -k skips TLS verification in the same way --skip-ssl-validation did for UAAC.
     $ curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Authorization: bearer $TOKEN" -X POST -F "installation[file]=@installsettings.json" ${OPSURL}/api/installation_settings

8. Return to the Ops Manager web UI and click "Apply Changes". Ops Manager generates a new value for every credential block that was removed and deploys it. Verify the rotation on the "Credentials" tab of each affected tile: the displayed password should differ from the one recorded in installsettings.json.original. Anything outside the platform that still uses an old password (scripts, CI jobs, monitoring) will fail until it is updated. Finally, delete installsettings.json and installsettings.json.original from the Ops Manager VM, since both contain the deployment's credentials in plaintext, and unset TOKEN.
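Deleting credential blocks by hand in a text editor is error-prone: a stray brace breaks the JSON, a half-deleted block leaves the old password in place, and a credential that appears in several jobs (vm_credentials) is easy to miss. The script below is an added example written for this article, not Pivotal's or Ops Manager's own code; it automates steps 5 and 6 for the three scenarios above. It assumes only the JSON shapes quoted in the article: a top-level "products" list whose entries carry an "identifier", credential blocks that are list elements with their own "identifier" (director_credentials, admin_credentials), and credentials stored under a named key (uaa_admin_user_credentials, uaa_admin_client_credentials, vm_credentials). The exact position of those blocks inside a job is an assumption, and the embedded sample document and its DUMMY-n secrets are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Strip credential blocks from an Ops Manager installation_settings export.

Added example, not Pivotal's code; it automates steps 5 and 6 above. Only the
JSON shapes quoted in the article are assumed: a top-level "products" list
whose entries carry an "identifier", credential blocks that are list elements
with their own "identifier", and credentials stored under a named key.
"""
import copy
import json
import shutil
import sys

# (product identifier or None for all products, list-element identifiers to
#  drop, named credential keys to drop) for the article's three scenarios
PLAN = [
    ("p-bosh", {"director_credentials"},
     {"uaa_admin_user_credentials", "uaa_admin_client_credentials"}),
    ("cf", {"admin_credentials"}, set()),
    (None, set(), {"vm_credentials"}),  # vcap password of every VM
]


def _strip(node, identifiers, keys, path, removed):
    """Walk a subtree, deleting matching credential blocks in place."""
    if isinstance(node, dict):
        for key in list(node):
            if key in keys:
                removed.append(f"{path}.{key}")
                del node[key]
            else:
                _strip(node[key], identifiers, keys, f"{path}.{key}", removed)
    elif isinstance(node, list):
        kept = []
        for i, item in enumerate(node):
            ident = item.get("identifier") if isinstance(item, dict) else None
            # products and jobs carry identifiers too; only credential
            # identifiers are in the set, so they are never dropped here
            if isinstance(ident, str) and ident in identifiers:
                removed.append(f"{path}[{i}] identifier={ident}")
            else:
                _strip(item, identifiers, keys, f"{path}[{i}]", removed)
                kept.append(item)
        node[:] = kept


def rotate(settings, plan=PLAN):
    """Apply the plan to a parsed document; return the removed JSON paths."""
    removed = []
    for product, identifiers, keys in plan:
        targets = [p for p in settings.get("products", [])
                   if product is None or p.get("identifier") == product]
        if product is not None and not targets:
            # a typo in the plan must not silently rotate nothing
            raise KeyError(f"product {product!r} not in installation_settings")
        for p in targets:
            _strip(p, identifiers, keys, f"products[{p.get('identifier')}]", removed)
    return removed


def rotate_file(path, plan=PLAN):
    """Steps 5 and 6 together: back up, strip, write valid JSON back."""
    shutil.copyfile(path, path + ".original")
    with open(path) as fh:
        settings = json.load(fh)
    removed = rotate(settings, plan)
    with open(path, "w") as fh:
        json.dump(settings, fh, indent=2)
    return removed


# Constructed sample shaped like the article's excerpts; secrets are dummies.
SAMPLE = {"products": [
    {"identifier": "p-bosh", "jobs": [{
        "identifier": "director",
        "properties": [
            {"deployed": False, "identifier": "director_credentials",
             "value": {"identity": "director", "password": "DUMMY-1"}},
            {"identifier": "ntp_servers", "value": ["0.pool.ntp.org"]}],
        "uaa_admin_user_credentials": {"identity": "admin", "password": "DUMMY-2"},
        "uaa_admin_client_credentials": {"identity": "admin", "password": "DUMMY-3"},
        "vm_credentials": {"identity": "vcap", "salt": "00", "password": "DUMMY-4"}}]},
    {"identifier": "cf", "jobs": [
        {"identifier": "uaa",
         "properties": [{"deployed": True, "identifier": "admin_credentials",
                         "value": {"identity": "admin", "password": "DUMMY-5"}}],
         "vm_credentials": {"identity": "vcap", "salt": "00", "password": "DUMMY-6"}},
        {"identifier": "router", "properties": [],
         "vm_credentials": {"identity": "vcap", "salt": "00", "password": "DUMMY-7"}}]}]}


def demo():
    """Rotate a copy of SAMPLE; return (removed paths, leaked secrets, result)."""
    settings = copy.deepcopy(SAMPLE)
    removed = rotate(settings)
    text = json.dumps(settings)
    leaked = [f"DUMMY-{n}" for n in range(1, 8) if f"DUMMY-{n}" in text]
    return removed, leaked, settings


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: rotate_creds.py installsettings.json
        removed = rotate_file(sys.argv[1])
    else:
        removed, _, _ = demo()
    print("\n".join(removed) or "nothing removed")
```

Run it against the file downloaded in step 4 (it creates the .original backup itself); the printed paths are the audit trail of what will be regenerated, and json.dump guarantees the upload in step 7 is well-formed. Trim PLAN to the credentials you actually intend to rotate: with no arguments the script only exercises the embedded sample. Because the file and its backup contain every plaintext credential, remove both once step 8 has been verified.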
