Pivotal Knowledge Base

How to put Ops Manager into Rescue Mode

Environment

Product: Pivotal Cloud Foundry® (PCF)
Version: 1.7.x

Purpose

If you are using an external user store (for example, SAML) and become locked out of Ops Manager, you can enable "rescue mode" to troubleshoot and reconfigure your SAML configuration. When in rescue mode, the Ops Manager will allow you to access it without authentication.

Procedure

To enable rescue mode, connect via SSH to the Ops Manager VM and run:

sudo touch /var/tempest/workspaces/default/rescue_mode

Rescue mode will be enabled immediately. After enabling rescue mode, you will be required to enter the decryption passphrase before you can access Ops Manager in your browser.

To disable rescue mode, delete the rescue_mode file:

sudo rm /var/tempest/workspaces/default/rescue_mode

Note: A restart of Operations Manager is required after disabling or enabling rescue mode.

service tempest-web restart

Impact/Risks

This is a very risky operation! While Ops Manager is running in rescue mode, it does not require anyone to authenticate, and it allows an unauthenticated user to Apply Changes. You should therefore minimize the amount of time that rescue mode is enabled, or even limit access to Ops Manager while rescue mode is enabled (perhaps with a firewall or IP restriction).

Despite the risk described above, Ops Manager still prevents users from changing passwords (if an internal user store is being used) and the decryption key, because it requires the current password/passkey before making these changes.
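
To help keep the rescue-mode window short, the following check reports whether the rescue_mode flag file is present and whether it has been there longer than an allowed time. It is an added example, not part of the original article or of Ops Manager; the function name, the exit codes and the 30-minute default are assumptions, and only the file path comes from the procedure above.

```shell
#!/bin/sh
# Added example: audit the Ops Manager rescue-mode flag file.
# The path is the one given in this article; everything else is illustrative.
RESCUE_FLAG=/var/tempest/workspaces/default/rescue_mode

# rescue_mode_status FLAG_PATH MAX_MINUTES
#   returns 0: flag file absent
#   returns 1: flag file present, created/touched within MAX_MINUTES
#   returns 2: flag file present for longer than MAX_MINUTES
rescue_mode_status() {
    rms_flag=$1
    rms_max=$2

    if [ ! -e "$rms_flag" ]; then
        echo "OK: rescue mode flag not present ($rms_flag)"
        return 0
    fi

    # find prints the path only when its mtime is more than MAX_MINUTES old.
    rms_stale=$(find "$rms_flag" -maxdepth 0 -mmin "+$rms_max" 2>/dev/null)
    if [ -n "$rms_stale" ]; then
        echo "CRITICAL: rescue mode flag older than $rms_max min ($rms_flag)"
        return 2
    fi

    echo "WARNING: rescue mode flag present ($rms_flag)"
    return 1
}

# Run the check only when invoked as: script --check [FLAG_PATH] [MAX_MINUTES]
# so the exit code can drive cron mail or a monitoring agent.
if [ "${1:-}" = "--check" ]; then
    rescue_mode_status "${2:-$RESCUE_FLAG}" "${3:-30}"
    exit $?
fi
```

The check looks only at the flag file, so a WARNING or CRITICAL result means the file should be removed and Ops Manager restarted as described in the procedure.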

Additional Information

While rescue mode is enabled, Ops Manager will display the user name in the upper right corner as "rescue mode."

 
