In some cases, for example if the password was leaked or when you change administrators, you need to rotate the credentials for MySQL for PCF. If you are also using Elastic Runtime MySQL, the same procedure rotates the credentials for that installation as well.
In order to make this change, follow these steps:
1. Retrieve the root CA certificate of your deployment and pipe it into a certificate file. Run the following command:
$ curl "https://YOUR-OPSMAN-IP-ADDRESS/api/v0/security/root_ca_certificate" -X GET > YOUR-ROOT-CA.crt
2. Retrieve the p-mysql root password. Navigate to the Ops Manager Installation Dashboard, select the MySQL tile, and then select Credentials > Mysql Server > Mysql Admin Password. Click on the Link to Credential. This p-mysql root password is called Mysql Admin Password.
3. Retrieve the Elastic Runtime MySQL root password. Navigate to the Ops Manager Installation Dashboard, select the Pivotal Elastic Runtime tile, and then select Credentials > Mysql Server > Mysql Admin Credentials. Click on the Link to Credential. This Elastic Runtime MySQL root password is called Mysql Admin credentials.
4. Refer to the steps here for retrieving the UAAC access token.
5. Create a file called uaac-token that contains only the LONG_ACCESS_TOKEN_STRING from the output of step 4.
6. Use curl to make a request to the Ops Manager API. Authenticate with the contents of the uaac-token file and redirect the response into installation_settings_current.json:
$ curl -skH "Authorization: Bearer $(cat uaac-token)" https://YOUR-OPSMAN-FQDN/api/installation_settings > installation_settings_current.json
7. Check to see that both the p-mysql and Elastic Runtime MySQL root passwords are in the current installation settings file:
$ grep -c YOUR-P-MYSQL-ROOT-PASSWORD installation_settings_current.json
$ grep -c YOUR-ERT-MYSQL-ROOT-PASSWORD installation_settings_current.json
8. Remove both passwords from the installation settings file.
$ sed -e's/"value":{"identity":"root","password":"[^"]*"},\("identifier":"mysql_admin\)/\1/g' installation_settings_current.json > installation_settings_updated.json
Then validate that both passwords have been removed from the installation_settings_updated.json file:
$ grep -c YOUR-P-MYSQL-ROOT-PASSWORD installation_settings_updated.json
0
$ grep -c YOUR-ERT-MYSQL-ROOT-PASSWORD installation_settings_updated.json
0
9. Upload the updated installation settings.
$ curl -skX POST -H "Authorization: Bearer $(cat uaac-token)" "https://YOUR-OPSMAN-FQDN/uaa/api/installation_settings" -F 'installation[file]=@installation_settings_updated.json'
{}
10. Navigate to the Ops Manager Installation Dashboard and click Apply Changes. This will push out the new password to the UAA.
11. Once the installation has been completed, validate that the p-mysql root password has been changed. Retrieve the new password from MySQL > Credentials. Use the IP address for the MySQL Proxy located in the Status tab.
$ mysql -uroot -p -h 198.39.100.2
Enter password:
Welcome to the ###DB monitor. Commands end with ; or \g.
12. Validate that the Elastic Runtime MySQL password has been changed using the new password in Elastic Runtime > Credentials. Use the IP address for the MySQL Proxy, located in the Status tab.
$ mysql -uroot -p -h 10.83.32.22
Enter password:
Welcome to the ###DB monitor. Commands end with ; or \g.
Be careful when running the curl and sed commands. Avoid making changes to installation_settings_current.json manually; use the sed command as given in the steps. If you face any issues, you can go back to the original settings by running the following command and then applying changes in Ops Manager.
$ curl -skX POST -H "Authorization: Bearer $(cat uaac-token)" "https://YOUR-OPSMAN-FQDN/uaa/api/installation_settings" -F 'installation[file]=@installation_settings_current.json'
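An added example (not part of the original article or of Ops Manager): steps 7 and 8 run against a constructed settings file, with each root password read from an owner-only file instead of being typed as a grep argument, where it would land in shell history and the process list. The function names, the .pw file names, and the identifiers and passwords in the sample are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). Sample data is constructed.
umask 077  # every file written here holds secrets: owner-only permissions

# Count lines of file $1 containing the literal string read from stdin.
# -F: password metacharacters are not treated as a regex; -f /dev/stdin keeps
# the password off the command line (shell history, process list).
count_secret() {
    grep -cF -f /dev/stdin -- "$1" || [ "$?" -eq 1 ]  # status 1 = zero matches
}

# The sed expression from step 8, unchanged.
strip_mysql_admin() {
    sed -e 's/"value":{"identity":"root","password":"[^"]*"},\("identifier":"mysql_admin\)/\1/g' "$1"
}

# verify_removed CURRENT UPDATED PWFILE...: succeed only if every password is
# present in CURRENT (step 7) and absent from UPDATED (validation in step 8).
verify_removed() {
    current=$1; updated=$2; shift 2
    for pwfile in "$@"; do
        [ "$(count_secret "$current" < "$pwfile")" -gt 0 ] ||
            { echo "$pwfile: not found in $current" >&2; return 1; }
        [ "$(count_secret "$updated" < "$pwfile")" -eq 0 ] ||
            { echo "$pwfile: still present in $updated" >&2; return 1; }
    done
}

# Constructed sample: one-line JSON carrying only the fields the sed pattern
# names; identifiers and passwords are made up for this demo.
make_sample() {
    printf '%s\n' 'CONSTRUCTED-PMYSQL-PW' > "$1/pmysql.pw"
    printf '%s\n' 'CONSTRUCTED-ERT-PW.*' > "$1/ert.pw"
    printf '%s\n' '{"properties":[{"value":{"identity":"root","password":"CONSTRUCTED-PMYSQL-PW"},"identifier":"mysql_admin_password"},{"value":{"identity":"root","password":"CONSTRUCTED-ERT-PW.*"},"identifier":"mysql_admin_credentials"}]}' > "$1/installation_settings_current.json"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir"
    strip_mysql_admin "$dir/installation_settings_current.json" \
        > "$dir/installation_settings_updated.json"
    verify_removed "$dir/installation_settings_current.json" \
        "$dir/installation_settings_updated.json" "$dir/pmysql.pw" "$dir/ert.pw"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo && echo "both root passwords removed"
```

Delete the password files, the uaac-token file and both installation settings files once the rotation has been validated, since each of them holds live or former credentials.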