Pivotal Knowledge Base

How to change the "MySQL" password for Pivotal Cloud Foundry® (p-mysql)

Environment

Product Version
Pivotal Cloud Foundry® (PCF) 1.6.x, 1.7.x

Purpose

In some cases, for example, if the password was leaked or when you change administrators, you may need to rotate credentials for MySQL for PCF. If you are also using Elastic Runtime MySQL, this procedure will rotate credentials for that installation as well.

Procedure 

To make this change, follow these steps.

1. Retrieve the root CA certificate of your deployment and save it to a certificate file. Run the following command:
$ curl "https://YOUR-OPSMAN-IP-ADDRESS/api/v0/security/root_ca_certificate" -X GET > YOUR-ROOT-CA.crt

2. Retrieve the p-mysql root password: navigate to the Ops Manager Installation Dashboard, select the MySQL tile, and then go to Credentials > Mysql Server > Mysql Admin Password. Click the Link to Credential link. This p-mysql root password is called Mysql Admin Password.

3. Retrieve the Elastic Runtime MySQL root password: navigate to the Ops Manager Installation Dashboard, select the Pivotal Elastic Runtime tile, and then go to Credentials > Mysql Server > Mysql Admin Credentials. Click the Link to Credential link. This Elastic Runtime MySQL root password is called Mysql Admin Credentials.

4. Refer to the steps here for retrieving the UAAC access token.

5. Create a file called uaac-token that contains only the LONG_ACCESS_TOKEN_STRING from the output of step 4.

6. Use curl to make a request to the Ops Manager API. Authenticate with the contents of the uaac-token file and redirect the response into installation_settings_current.json:

$ curl -skH "Authorization: Bearer $(cat uaac-token)" https://YOUR-OPSMAN-FQDN/api/installation_settings > installation_settings_current.json

7. Check to see that both the p-mysql and Elastic Runtime MySQL root passwords are in the current installation settings file:

$ grep -c YOUR-P-MYSQL-ROOT-PASSWORD installation_settings_current.json
$ grep -c YOUR-ERT-MYSQL-ROOT-PASSWORD installation_settings_current.json

8. Remove both passwords from the installation settings file.

$ sed -e 's/"value":{"identity":"root","password":"[^"]*"},\("identifier":"mysql_admin\)/\1/g' installation_settings_current.json > installation_settings_updated.json

9. Validate that both passwords have been removed from the installation_settings_updated.json file:

$ grep -c YOUR-P-MYSQL-ROOT-PASSWORD installation_settings_updated.json
0
$ grep -c YOUR-ERT-MYSQL-ROOT-PASSWORD installation_settings_updated.json
0

10. Upload the updated installation settings.

$ curl -skX POST -H "Authorization: Bearer $(cat uaac-token)" "https://YOUR-OPSMAN-FQDN/uaa/api/installation_settings" -F 'installation[file]=@installation_settings_updated.json'
{}

11. Navigate to the Ops Manager Installation Dashboard and click Apply Changes. This will push out the new password to the UAA.

12. Once the installation has completed, validate that the p-mysql root password has been changed. Retrieve the new password from MySQL > Credentials. Use the IP address for the MySQL Proxy located in the Status tab.

$ mysql -uroot -p -h 198.39.100.2
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.

13. Validate that the Elastic Runtime MySQL password has been changed, using the new password in Elastic Runtime > Credentials. Use the IP address for the MySQL Proxy, located in the Status tab.

$ mysql -uroot -p -h 10.83.32.22
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
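
The check, strip and re-check steps above as one guarded script; this is an added example, not part of the original article. It applies the article's sed expression and discards the output if either password is still present, reading the passwords from a file so they stay out of the command line and shell history. The function names, the secrets file and the sample JSON (including the identifier values mysql_admin_password and mysql_admin_credentials) are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# File names are the article's; function names, the secrets-file convention
# and the sample JSON are assumptions made for this example.

# Count lines of FILE that contain any password listed (one per line) in SECRETS.
# Reading patterns with -f keeps the passwords out of argv and shell history.
count_secret_lines() {            # usage: count_secret_lines SECRETS FILE
  grep -c -F -f "$1" -- "$2" || true
}

# Apply the article's sed expression, then refuse to keep an output file that
# still contains a listed password (for example when the JSON key order differs).
strip_mysql_admin() {             # usage: strip_mysql_admin SECRETS IN OUT
  ( umask 077                     # output still holds other credentials: owner-only
    sed -e 's/"value":{"identity":"root","password":"[^"]*"},\("identifier":"mysql_admin\)/\1/g' \
      "$2" > "$3" ) || return 1
  if [ "$(count_secret_lines "$1" "$3")" -ne 0 ]; then
    echo "password still present in $3; not safe to upload" >&2
    rm -f -- "$3"
    return 1
  fi
}

# Constructed sample: two mysql_admin entries (p-mysql and Elastic Runtime)
# plus an unrelated credential that must survive untouched.
make_sample() {                   # usage: make_sample DIR
  printf '%s\n' 'constructed-pmysql-pw' 'constructed-ert-pw' > "$1/secrets"
  printf '%s\n' '{"products":[{"properties":[{"value":{"identity":"root","password":"constructed-pmysql-pw"},"identifier":"mysql_admin_password"},{"value":{"identity":"admin","password":"constructed-other-pw"},"identifier":"other_credentials"}]},{"properties":[{"value":{"identity":"root","password":"constructed-ert-pw"},"identifier":"mysql_admin_credentials"}]}]}' \
    > "$1/installation_settings_current.json"
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_sample "$d"
  echo "before: $(count_secret_lines "$d/secrets" "$d/installation_settings_current.json")"
  strip_mysql_admin "$d/secrets" "$d/installation_settings_current.json" \
    "$d/installation_settings_updated.json" &&
    echo "after:  $(count_secret_lines "$d/secrets" "$d/installation_settings_updated.json")"
  rm -rf -- "$d"
}
demo
```

The sed expression only matches compact JSON in which the value object immediately precedes the identifier key, which is why the re-check matters before uploading.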

Impact/Risk

Be careful when running the curl and sed commands. Do not edit installation_settings_current.json manually; use the sed command given in the steps. If you face any issues, you can revert to the original settings by running the following command and then clicking Apply Changes in Ops Manager.

$ curl -skX POST -H "Authorization: Bearer $(cat uaac-token)" "https://YOUR-OPSMAN-FQDN/uaa/api/installation_settings" -F 'installation[file]=@installation_settings_current.json'
