How to put Ops Manager into Rescue Mode
search cancel

How to put Ops Manager into Rescue Mode

book

Article ID: 293468

calendar_today

Updated On:

Products

Operations Manager

Issue/Introduction

If you are using an external user store (for example, SAML or LDAP) and become locked out of Operations Manager, you can enable rescue mode to troubleshoot and reconfigure your SAML or LDAP configuration. When in rescue mode, the Operations Manager will allow you to access it without authentication.

Please note that this feature is currently broken in Ops Manager versions 2.0 (all), 2.1.0-2.1.15, 2.2.0-2.2.6 and 2.3.0. It is fixed in Ops Manager 2.1.16+, 2.2.7+, 2.3.1+.

If you are experiencing an issue on a version of Ops Manager where rescue mode is broken, please see the following article or contact Pivotal Support.

How to troubleshoot and fix Operations Manager authentication issues with SAML IDP

Resolution

In order to enable rescue mode:

    1. Connect via SSH to the Operations Manager VM.
    2. Run the command, sudo touch /var/tempest/workspaces/default/rescue_mode.
    3. Rescue mode will be enabled immediately.
    4. Prior to accessing Operations Manager in your browser after enabling rescue mode, you'll be required to enter the decryption passphrase.

 

To disable rescue mode:

  1. Simply delete the rescue_mode file.
  2. Run sudo rm /var/tempest/workspaces/default/rescue_mode.

 

Note:  A restart of Operations Manager is required after disabling or enabling rescue mode.

service tempest-web restart

 

Impact

This is a very risky operation! While Operations Manager is running in rescue mode, it will not require anyone to authenticate and it will allow an unauthenticated user to Apply Changes. As such, you should minimize the amount of time where rescue mode is enabled or even limit access to Operations Manager while rescue mode is enabled (perhaps with a firewall or IP restriction).

Despite the limitation above, Operations Manager does still prevent users from changing passwords (if an internal user store is being used) and the decryption key. This happens because it requires the current password/passkey before making these changes.

 

Additional Information

While rescue mode is enabled, Operations Manager will display the username in the upper right corner as "rescue mode."

 

 

 


Powered by Wolken Software