How to rotate the telemetry-ca-cert in Operations Manager

Article ID: 293734

Products

Operations Manager

Issue/Introduction

 

For Telemetry tile v1.2.1 and earlier, the tile's certificates did not rotate under the main API. If you are on a version later than v1.2.1, use the main API rotation procedure instead:

https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/advanced-certificate-rotation.html

 

 

This article provides instructions on how to rotate the /telemetry-ca-cert in Operations Manager (Ops Manager).

The instructions in this article use the CredHub maestro advanced rotation to rotate this specific certificate in an Ops Manager 2.10 environment.

For instructions on getting started with maestro, refer to Getting Started with CredHub Maestro.

For a walk-through of how advanced certificate rotation works with maestro, refer to Advanced Certificate Rotation with CredHub Maestro.

 


Environment

Product Version: 2.10

Resolution



 

These steps follow the documentation topic Rotate a Single CA and Its Leaf Certificates and cover how to rotate the /telemetry-ca-cert in Ops Manager:
 

Note: If you are running Ops Manager v2.8 or v2.9, you may need to run the additional command maestro update-transitional latest --name "/telemetry-ca-cert" during this step. In the maestro version packaged with Ops Manager 2.10, this is done automatically.


1. Run the command: maestro regenerate ca --name "/telemetry-ca-cert"

2. Run Apply Changes on the entire foundation.

Note: Be sure that each service tile has the Upgrade all service instances errand enabled.

3. Run the command: maestro update-transitional signing --name "/telemetry-ca-cert"

4. Run the command: maestro regenerate leaf --signed-by "/telemetry-ca-cert"



5. Run Apply Changes on the entire foundation.

Note: Be sure that each service tile has the Upgrade all service instances errand enabled.

6. Run the command: maestro update-transitional remove --name "/telemetry-ca-cert"

7. Run Apply Changes on the entire foundation.

Note: Confirm each service tile has the Upgrade all service instances errand enabled.

If you encounter issues with the above method, please contact Tanzu Support.
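
Why the procedure alternates maestro commands with Apply Changes, shown as an added example that is not part of the original article: it rebuilds the trust bundle of each phase with throwaway openssl certificates and checks which leaf certificates verify. The names ca-v1, ca-v2, leaf-old, leaf-new and the helper functions are constructed, and the mapping of steps to bundles assumes that a transitional CA version is deployed concatenated with the signing CA version.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway keys in a temp dir, no CredHub or Ops Manager access.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {    # make_ca <name>: self-signed CA (stands in for one CA version)
  openssl req -x509 -config "$W/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

make_leaf() {  # make_leaf <name> <ca>: leaf certificate signed by <ca>
  openssl req -new -config "$W/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
    -CAcreateserial -days 2 -out "$W/$1.crt" 2>/dev/null
}

trusts() {     # trusts <leaf> <ca>...: prints yes/no for a bundle of the given CAs
  leaf=$1; shift
  : > "$W/bundle.pem"
  for ca in "$@"; do cat "$W/$ca.crt" >> "$W/bundle.pem"; done
  if openssl verify -CAfile "$W/bundle.pem" "$W/$leaf.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

make_ca ca-v1;  make_ca ca-v2            # old signing CA, regenerated CA
make_leaf leaf-old ca-v1                 # leaf issued before the rotation
make_leaf leaf-new ca-v2                 # leaf issued by step 4

echo "steps 1-2 (bundle v1+v2), old leaf:  $(trusts leaf-old ca-v1 ca-v2)"
echo "steps 3-5 (bundle v1+v2), new leaf:  $(trusts leaf-new ca-v1 ca-v2)"
echo "steps 6-7 (bundle v2),    new leaf:  $(trusts leaf-new ca-v2)"
echo "steps 6-7 (bundle v2),    old leaf:  $(trusts leaf-old ca-v2)"
echo "step 4 without steps 1-2, new leaf:  $(trusts leaf-new ca-v1)"
```

The last line is the failure the ordering prevents: a leaf signed by the new CA presented to a component whose bundle still holds only the old CA.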