Pivotal Knowledge Base


How to change the "admin" password for UAA


Product Version
Pivotal Cloud Foundry® (PCF) 1.7.x


In some cases, for example, if the password was leaked or when you change administrators, you may need to change the password for the admin user in UAA. This is the user that can be used to log on to Apps Manager and to manage other users with the cf cli.


To make this change, connect via SSH into the Ops Manager VM and follow these steps.

1. Decrypt the installation.yml file. Run sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt <passphrase> /var/tempest/workspaces/default/installation.yml /tmp/installation.yml.

2. Edit /tmp/installation.yml. Search for the existing password, change it to your new password or leave it blank.  If you leave the password blank then Ops Manager will generate a new password for you when you apply changes.  Save the file.

3. Make a backup of the original installation.yml file. Run cp /var/tempest/workspaces/default/installation.yml ~/installation-orig.yml.

4. Encrypt the modified installation.yml and overwrite the original. sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/encrypt <passphrase> /tmp/installation.yml /var/tempest/workspaces/default/installation.yml

5. Restart Ops Manager's Web UI. Run sudo service tempest-web stop && sudo service tempest-web start.

6. Refresh your browser, enter the decryption passphrase and wait for UAA to start. Log on and Apply Changes. This will push out the new password to the UAA.

7. Once Apply Changes has succeeded, in Ops Manager, navigate to the Elastic Runtime tile's credentials screen. Go to the admin user and click "Show Credentials". You should see the new admin credential listed.

8. Take the new admin credentials and attempt to log on to Ops Manager. This should succeed. Attempting to log on with the old password should fail. 


PCF does not officially support changing the UAA admin user's password.  The instructions above are not officially tested as a part of the Ops Manager test suite, so use them at your own risk.  

Please also be careful when editing installation.yml. YAML files make use of white space as a delimiter, so be careful when making changes. Also, make sure you use spaces instead of tabs.  

If Ops Manager is unable to load your edited installation.yml file, you can revert to the backup with these steps.

1. Run cp ~/installation-orig.yml /var/tempest/workspaces/default/installation.yml.

2. Run sudo service tempest-web stop && sudo service tempest-web start.

3. Refresh your browser, enter the decryption passphrase and wait for UAA to start.

Please contact support with questions, concerns, or if you require assistance with the above procedure.

Additional Information

  • It may be tempting to change the admin user's password with the uaac utility. Unfortunately, this is not sufficient because it will only update the admin user's password in UAA. This leaves Ops Manager out of sync and can cause jobs and errands to fail.
  • If you want to change the admin user for Ops Manager, see this KB article.


Powered by Zendesk