Pivotal Knowledge Base


How to put Ops Manager into Rescue Mode


Pivotal Cloud Foundry® (PCF) versions 1.7.x, 1.8.x, 1.9.x, 1.10.x, 1.11.x, and 1.12.x
Ops Manager


If you are using an external user store (for example, SAML) and become locked out of Ops Manager, you can enable "rescue mode" to troubleshoot and reconfigure your SAML configuration. When in rescue mode, the Ops Manager will allow you to access it without authentication.


To enable rescue mode, connect via SSH to the Ops Manager VM. Run the command, sudo touch /var/tempest/workspaces/default/rescue_mode. Rescue mode will be enabled immediately. Prior to accessing Ops Manager in your browser after enabling rescue mode, you'll be required to enter the decryption passphrase.

To disable rescue mode, simply delete the rescue_mode file. Run sudo rm /var/tempest/worspaces/default/rescue_mode.

Note-  A restart of Operations Manager is required after disabling or enabling rescue mode.

service tempest-web restart


This is a very risky operation! While Ops Manager is running in rescue mode, it will not require anyone to authenticate and it will allow an unauthenticated user to Apply Changes. As such, you should minimize the amount of time where rescue mode is enabled or even limit access to Ops Manager while rescue mode is enabled (perhaps with a firewall or IP restriction).

Despite the limitation above, Ops Manager does still prevent users from changing passwords (if an internal user store is being used) and the decryption key. This happens because it requires the current password/passkey before making these changes.

Additional Information

While rescue mode is enabled, Ops Manager will display the username in the upper right corner as "rescue mode."



Powered by Zendesk