forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
credentials.html.md.erb
97 lines (70 loc) · 6.17 KB
/
credentials.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
---
title: Retrieving Credentials from Your Deployment
owner: Ops Manager
---
This topic describes how the credentials for your Pivotal Cloud Foundry (PCF) deployment are stored and how you can access them.
* **What credentials does PCF store?**
* Many PCF components use credentials to authenticate connections, and PCF installations often have hundreds of active credentials. This includes certificates, VM credentials, and credentials for jobs running on the VMs.
* **Where does PCF store credentials?**
* PCF stores credentials in either the Ops Manager database or CredHub. In PCF v1.11 and later, the Ops Manager Director VM includes a co-located [CredHub](https://docs.cloudfoundry.org/credhub/index.html) instance. Ops Manager, PAS, and service tiles running on PCF can use this CredHub instance to store their credentials. For example, in PCF v1.12, PAS began migrating its credentials to CredHub. See the [PAS Release Notes](../pcf-release-notes/runtime-rn.html) for a full list.
* **When do I need to access these credentials?**:
* You may need to access credentials for Ops Manager, PAS, and service tiles as part of regular administrative tasks in PCF, including troubleshooting. Many procedures in this documentation require you to retrieve credentials.
* **How can I retrieve credentials?**
* The workflow for retrieving credentials depends on where they are stored. See the procedures below.
## <a id="credhub"></a> Retrieve Credentials Stored in CredHub
To retrieve credentials from CredHub using the Ops Manager API, do the following:
<p class="note"><strong>Note</strong>: You can also retrieve credentials using the CredHub CLI from Ops Manager Director VM. For more information, see the <a href="https://github.com/cloudfoundry-incubator/credhub-cli">CredHub CLI Readme</a>.</p>
1. Perform the procedures in the [Using the Ops Manager API](./ops-man-api.html) topic to authenticate and access the Ops Manager API.
1. Use the Ops Manager API to retrieve a list of deployed products:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `UAA-ACCESS-TOKEN` with the access token recorded in the previous step.
1. In the response to the above request, locate the `guid` for the product from which you want to retrieve credentials. For example, if you want to retrieve PAS credentials, find the `installation_name` starting with `cf-` and copy its `guid`.
1. Run the following `curl` command to list the names of the credentials stored in CredHub for the product you selected. If you already know the name of the credential, you can skip this step.
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `PRODUCT-GUID` with the value of `guid` from the previous step.
1. Run the following `curl` command to view the credential:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables?name=VARIABLE-NAME" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `VARIABLE-NAME` with the name of the credential you want to retrieve.
## <a id="opsman"></a> Retrieve Credentials Stored in the Ops Manager Database
To retrieve credentials stored in the Ops Manager database and not CredHub, use the Ops Manager UI or API as outlined in the procedures below.
### <a id="ui"></a> Retrieve Credentials Using the Ops Manager UI
1. From Ops Manager, select the product tile for which you want to retrieve credentials.
1. Click the **Credentials** tab.
1. Locate the credential that you need and click **Link to Credential**.
### <a id="api"></a> Retrieve Credentials Using the Ops Manager API
1. Perform the procedures in the [Using the Ops Manager API](./ops-man-api.html) topic to authenticate and access the Ops Manager API.
1. Use the Ops Manager API to retrieve a list of deployed products:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `UAA-ACCESS-TOKEN` with the access token recorded in the previous step.
1. In the response to the above request, locate the `guid` for the product from which you want to retrieve credentials. For example, if you want to retrieve PAS credentials, find the `installation_name` starting with `cf-` and copy its `guid`.
1. Run the following `curl` command to list references for the credentials stored in Ops Manager for the product you selected. If you already know the reference for the credential, you can skip this step.
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `PRODUCT-GUID` with the value of `guid` from the previous step.
1. Run the following `curl` command to view the credential:
<pre class="terminal">$ curl "http<span>s:</span>//OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials/CREDENTIAL-REFERENCE" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"</pre>
Replace `CREDENTIAL-REFERENCE` with the name of the credential you want to retrieve.
## <a id="rotate"></a> Changing Ops Manager Credentials
### Ops Manager Password
1. Log in to Ops Manager and navigate to `My Account`. You can access this at `https://OPS-MAN-FQDN/uaa/profile`.
<%= image_tag("ops-mgr-my-account.png") %>
2. Navigate to `Change Password`. You can access this at `https://OPS-MAN-FQDN/uaa/change_password`.
3. Enter your current password and a new password.
<%= image_tag("opsman-change-password.png") %>
### Ops Manager Decryption Passphrase
You must have the existing passphrase to update the decryption passphrase.
1. Log in to Ops Manager, and navigate to `Settings`. You can access this at `https://OPS-MAN-FQDN/encryption_passphrase/edit`.
<%= image_tag("ops-mgr-settings.png") %>
1. In the `Decryption Passphrase` panel, enter your current decryption passphrase and the new decryption passphrase, then click **Save**.
<%= image_tag("ops-mgr-decryption-passphrase.png") %>