Pivotal Knowledge Base

How to Change the "Admin" Password for UAA

Environment

Pivotal Cloud Foundry® (PCF) 1.7.x to 1.12.x

Purpose

In some cases, for example, if the password was leaked or when you change administrators, you may need to change the password for the admin user in UAA. This is the user that can be used to log on to Apps Manager and to manage other users with the cf cli.

Procedure

To make this change, connect via SSH into the Ops Manager virtual machine (VM) and follow these steps:

1. Decrypt the installation.yml file. Run:

   sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/installation.yml /tmp/installation.yml

   When prompted, enter the decryption passphrase for Ops Manager.

2. Edit /tmp/installation.yml. Search for the existing password and change it to your new password, or leave it blank. If you leave the password blank, Ops Manager will generate a new password for you when you apply changes. Save the file.

3. Make a backup of the original installation.yml file. Run:

   cp /var/tempest/workspaces/default/installation.yml ~/installation-orig.yml

4. Encrypt the modified installation.yml and overwrite the original. Run:

   sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/encrypt /tmp/installation.yml /var/tempest/workspaces/default/installation.yml

   When prompted, enter the decryption passphrase for Ops Manager.

5. Restart Ops Manager's Web UI. Run:

   sudo service tempest-web stop && sudo service tempest-web start

6. Refresh your browser, enter the decryption passphrase and wait for UAA to start. Log on and Apply Changes. This will push out the new password to the UAA.

7. Once Apply Changes has succeeded, in Ops Manager, navigate to the Elastic Runtime tile's credentials screen. Go to the admin user and click "Show Credentials". You should see the new admin credential listed (for 1.12, you will still see the old password).

8. Take the new admin credentials and attempt to log on to Apps Manager or with the cf CLI. This should succeed. Attempting to log on with the old password should fail.

Impact

PCF does not officially support changing the UAA admin user's password.  The instructions above are not officially tested as a part of the Ops Manager test suite, so use them at your own risk.

Please also be careful when editing installation.yml. YAML files use white space as a delimiter, so a stray indentation change can make the file unloadable. Also, make sure you use spaces instead of tabs.
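The whitespace caution above can be checked mechanically after the edit in step 2 and before step 4 overwrites the original. The shell function below is an added example, not part of the original article or of Ops Manager; its name, its return codes and the file-permission check are assumptions of this example (the decrypted copy in /tmp holds the password edited in step 2).

```shell
#!/bin/sh
# Added example: sanity-check the decrypted, edited file before re-encrypting.
# Return codes (chosen for this example, not an Ops Manager convention):
#   0 ok, 1 missing or empty, 2 accessible by group/other, 3 tab in indentation
check_edited_yaml() {
    f=$1
    tab=$(printf '\t')

    # An empty file would be encrypted over the real installation.yml.
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    # The file holds plaintext credentials, so all six should be unset.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other can access $f ($perms); restrict it to mode 600" >&2
        return 2
    fi

    # YAML indentation must be spaces. Report line numbers only, never the
    # line content, because the lines may contain passwords.
    bad=$(grep -n "^[[:space:]]*$tab" "$f" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "tab in indentation on line(s): $bad" >&2
        return 3
    fi
    return 0
}

# Usage on the Ops Manager VM, between steps 2 and 4:
#   check_edited_yaml /tmp/installation.yml && echo "ok to encrypt"
```

The check does not parse the YAML; it only catches the tab and permission problems named here, so the backup from step 3 is still needed.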

If Ops Manager is unable to load your edited installation.yml file, you can revert to the backup with the following steps:

1. Run:

   cp ~/installation-orig.yml /var/tempest/workspaces/default/installation.yml

2. Run:

   sudo service tempest-web stop && sudo service tempest-web start

3. Refresh your browser, enter the decryption passphrase and wait for UAA to start.

Please contact support with questions, concerns, or if you require assistance with the above procedure.

Additional Information

It may be tempting to change the admin user's password with the uaac utility. Unfortunately, this is not sufficient because it will only update the admin user's password in UAA. This leaves Ops Manager out of sync and can cause jobs and errands to fail.
