Pivotal Knowledge Base


Where can I Locate the Credentials when the Initial Install Fails?


Pivotal Cloud Foundry® versions 1.3.x, 1.4.x, 1.5.x, and 1.6.x


You are trying to perform the initial installation of Pivotal Cloud Foundry® (PCF), but it's failing for some reason. To troubleshoot further, you need to locate the virtual machine (VM) or the service credentials for one of the system components.


Normally, you could locate the credentials in Ops Manager under the product tile that contains the component you need to troubleshoot. However, until the first installation completes, the credentials tab in Ops Manager is disabled. This is the intended behavior of Ops Manager.


The following steps show how to locate the VM passwords.  These are encrypted and stored on the Ops Manager VM.

  1. SSH to the Ops Manager VM.
  2. Run git clone https://github.com/pivotal-cf/encrypt-decrypt-scripts
  3. Run cp /var/tempest/workspaces/default/*installation.yml encrypt-decrypt-scripts/
  4. Run cd encrypt-decrypt-scripts
  5. Run bash decrypt.sh <ops-manager-password>

The steps above will pull down a script that is capable of decrypting the encrypted file, make a copy of your installation config, decrypt the copy and place it in the folder encrypt-decrypt-scripts/decrypted.

From there you can use any text editor to view the configuration and search for the credentials for particular components. Here's an example of what this would look like in the file.

  - guid: nats-0463aca02452d767a6f4
    installation_name: nats
    - value:
        identity: vcap
        salt: e6cc39c8f345f82a
        password: 615c81aab82c80d7
      identifier: vm_credentials

This shows the VM credentials for the NATS job, where identity is the username and password is the password. From here, you can use those to log in via your IaaS console or directly with SSH.


Ops Manager encrypts this file because it contains a large amount of sensitive information. With the file, an attacker could gain access to virtually any part of your PCF system. Do not leave this file lying around unprotected. Once you have extracted the information you need, delete the unencrypted versions of your config by removing the encrypt-decrypt-scripts/decrypted directory.
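
As an added example (not part of the original article or of the pivotal-cf scripts), the shell functions below print only the VM credentials for one job from the decrypted file, instead of opening the whole file in an editor, and then delete the plaintext directory. They assume the decrypted file keeps the line layout of the excerpt above; the function names, the sample values and the file name installation.yml are constructed for illustration.

```shell
# Added example, not part of the pivotal-cf scripts; assumes the excerpt's layout.
# vm_creds FILE [JOB]: print "job identity password" per VM credential.
vm_creds() {
  awk -v want="${2:-}" '
    $1 == "installation_name:"  { job = $2 }
    $1 == "-" && $2 == "value:" { id = ""; pw = "" }  # a new property starts
    $1 == "identity:"           { id = $2 }
    $1 == "password:"           { pw = $2 }
    $1 == "identifier:" && $2 == "vm_credentials" {
      if (id != "" && (want == "" || want == job)) print job, id, pw
      id = ""; pw = ""
    }
  ' "$1"
}

# remove_decrypted DIR: delete the plaintext copies once you are done.
remove_decrypted() {
  [ -d "$1" ] || return 0
  rm -rf -- "$1"
}

# demo: runs both functions on constructed sample data in a temp directory.
demo() (
  dir=$(mktemp -d) || exit 1
  mkdir -m 700 "$dir/decrypted"
  cat > "$dir/decrypted/installation.yml" <<'EOF'
  - guid: nats-EXAMPLE
    installation_name: nats
    - value:
        identity: vcap
        password: constructed-nats-pw
      identifier: vm_credentials
    - value:
        identity: nats
        password: constructed-service-pw
      identifier: credentials
  - guid: router-EXAMPLE
    installation_name: router
    - value:
        identity: vcap
        password: constructed-router-pw
      identifier: vm_credentials
EOF
  vm_creds "$dir/decrypted/installation.yml" nats
  remove_decrypted "$dir/decrypted"
  rm -rf -- "$dir"
)

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Step 5 passes the Ops Manager password as a command-line argument, so it may also be recorded in the shell history on the Ops Manager VM; remove that entry as part of the same cleanup.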

Additional Information

The encrypt and decrypt scripts are open source and hosted on GitHub. You can review the full code of the project at https://github.com/pivotal-cf/encrypt-decrypt-scripts.

