Pivotal Knowledge Base


Where can I locate credentials when the initial install fails?


Pivotal Cloud Foundry® 1.3.x, 1.4.x, 1.5.x, 1.6.x


You are trying to perform the initial installation of Pivotal Cloud Foundry® (PCF), but it's failing for some reason. To troubleshoot further, you need to locate the VM or service credentials for one of the system components.


Normally you could locate the credentials in Ops Manager under the product tile that contains the component you need to troubleshoot, however prior to completing the first installation the credentials tab in Ops Manager is disabled. This is the intended behavior of Ops Manager.


The following steps show how to locate the VM passwords.  These are encrypted and stored on the Ops Manager VM.

  1. SSH to the Ops Manager VM.
  2. Run git clone https://github.com/pivotal-cf/encrypt-decrypt-scripts
  3. Run cp /var/tempest/workspaces/default/*installation.yml encrypt-decrypt-scripts/
  4. Run cd encrypt-decrypt-scripts
  5. Run bash decrypt.sh <ops-manager-password>

The steps above will pull down a script that is capable of decrypting the encrypted file, make a copy of your installation config, decrypt the copy and place it in the folder encrypt-decrypt-scripts/decrypted.

From there you can use any text editor to view the configuration and search for the credentials for particular components. Here's an example of what this would look like in the file.

  - guid: nats-0463aca02452d767a6f4
    installation_name: nats
    - value:
        identity: vcap
        salt: e6cc39c8f345f82a
        password: 615c81aab82c80d7
      identifier: vm_credentials

This shows the VM credentials for the NATS job, where identity is the user name and password is obviously the password.  From here, you could use those to login via your IaaS Console or directly with SSH.

Impact / Risks

Ops Manager encrypts this file because it contains a large amount of sensitive information. With the file an attacker could gain access to virtually any part of your PCF system.  Do not leave this file laying around unprotected.  Once you have extracted the information you need, delete the unencrypted versions of your config by removing the encrypt-decrypt-scripts/decrypted directory.

Additional Information

The encrypt and decrypt scripts are open source and hosted on Github.  You can review the full code of the project at this link.


Powered by Zendesk