How to regenerate static passwords in VMware Tanzu Application Service for VMs

Article ID: 297395

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Note: Pivotal Application Service (PAS) is now VMware Tanzu Application Service (TAS) for VMs.

This article applies to all versions of TAS and explains how to regenerate the static passwords that Ops Manager generated for the BOSH Director and for the TAS tile, and when you might need to do so.

Resolution

You may need to regenerate the static passwords in TAS for a variety of reasons, including but not limited to:

  • Your password(s) have been compromised.
  • You need to rotate passwords periodically.

Follow the instructions below to regenerate passwords that Ops Manager generated and stores on behalf of its tiles. Run every command from a terminal session on the Ops Manager VM:

1. SSH to the Ops Manager VM.

2. Target the Ops Manager UAA using uaac target:

$ uaac target https://<opsman-url>/uaa --skip-ssl-validation

Note: --skip-ssl-validation disables certificate checking for this uaac session. If you have the CA that signed the Ops Manager certificate on disk, pass --ca-cert <ca-file> instead, so that the administrator password and token are only ever sent to a verified endpoint.

3. Generate a token so that it can be used by UAAC. Log in with an Ops Manager administrator account; the opsman client takes no secret:

$ uaac token owner get
Client ID:  opsman
Client secret: <leave blank>
User name:  <username used to log in to Ops Manager>
Password:  *************************
Successfully fetched token via owner password grant.
Target: https://<opsman-url>/uaa
Context: admin, from client opsman

Get the access token from uaac context and put it in the environment variable TOKEN using export TOKEN='...'. The access token is a JWT several hundred characters long; it is shortened in the output below.

 $ uaac context

[1]*[https://<opsman-url>/uaa]
  skip_ssl_validation: true

  [0]*[admin]
      user_id: 36f914af-0376-49cb-9072-af114330efb1
      client_id: opsman
      access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0....
      token_type: bearer
      refresh_token: 9e77368f7ef44060ad69c9483047673f-r
      expires_in: 43199
      scope: opsman.admin scim.me opsman.user uaa.admin clients.admin
      jti: dcb40ad3696c4371957f18dfb64bb342

$ export TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0....'

Treat this token as a credential: it carries the opsman.admin scope, is valid for expires_in seconds (about 12 hours here), and pasting it on the command line records it in the shell history. Reading the access_token line of the uaac context output into the variable with a command substitution avoids the history entry.

4. Download the Ops Manager installation settings as a JSON file. This export contains every credential that Ops Manager manages, in plain text, so keep it on the Ops Manager VM and delete it once the rotation is complete (see step 8):

$ export OPSURL=https://opsman.fqdn   # replace this with your Ops Manager URL.
$ curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN" ${OPSURL}/api/installation_settings | python -m json.tool > installsettings.json

Piping through python -m json.tool pretty-prints the file and fails if the response is not valid JSON (for example, an error page returned for an expired token), so check that installsettings.json is not empty before continuing. As in step 2, -k disables certificate checking; use --cacert <ca-file> where you have the CA. Alternatively, uaac curl can fetch the same document, but its output includes the request and response headers, which must be stripped before the file is edited:

$ uaac curl https://<opsman-url>/api/installation_settings -k

5. Make a backup copy of "installsettings.json". You will need it to restore the settings if the upload in step 7 goes wrong; because it holds the current passwords, delete it (or store it encrypted) once the rotation has been verified in step 8:

cp installsettings.json installsettings.json.original

6. Find and delete the JSON blocks that represent the credentials you want to rotate. When the edited file is uploaded back to Ops Manager and "Apply Changes" is run (see step 8 below), Ops Manager generates a new value for every credential that is missing. When removing a credential, delete the entire block that represents it, including any trailing comma, so that the file remains valid JSON.

If you are using vi, the cleanest way to delete a JSON block is to enable line numbers (:se nu), note the first and last line numbers of the block you wish to remove, then type :<first_line_number>,<last_line_number>d. If you have followed this procedure but the passwords are not being updated, you may have accidentally introduced non-printing characters into the JSON file or left it syntactically invalid. For this reason, be careful as you edit the file: before uploading it, re-parse it with python -m json.tool (as in step 4) and compare it with installsettings.json.original using diff; the only differences should be the blocks you removed.

Here are some example scenarios:

a. Within the "director" job of the "p-bosh" product:

  • To rotate credentials for the "director" user for BOSH, locate the block with "identifier": "director_credentials", such as:
{
  "deployed": false,
  "identifier": "director_credentials",
  "value": {
    "identity": "director",
    "password": "####################"
  }
},
  • To rotate the BOSH UAA admin user and the BOSH UAA admin client, locate the blocks keyed "uaa_admin_user_credentials" and "uaa_admin_client_credentials", such as:
"uaa_admin_user_credentials": {
  "identity": "admin",
  "password": "#####################"
},
"uaa_admin_client_credentials": {
  "identity": "admin",
  "password": "#####################"
},

b. For credentials under the TAS tile, such as the UAA admin credentials, look within the UAADB job of the "cf" product:

  • To rotate credentials for the "admin" user for UAA, locate the block with "identifier": "admin_credentials", such as:
{
  "deployed": true,
  "identifier": "admin_credentials",
  "value": {
    "identity": "admin",
    "password": "####################"
  }
},

c. To rotate the "vcap" user password on all BOSH-deployed VMs within all products:

  • Remove every block keyed "vm_credentials", such as:
"vm_credentials": {
  "identity": "vcap",
  "salt": "2a717f911bad21c5",
  "password": "####################"
}

Removing vm_credentials changes the password on every VM of that job, so expect BOSH to update or recreate those VMs while Apply Changes runs (see the note under step 8).

7. Upload the modified JSON to Ops Manager.

Note: "uaac curl" cannot be used for this operation because the request body has to be read from a file, so use curl with the TOKEN exported in step 3. The token expires after expires_in seconds (about 12 hours in the example above); if it has expired, repeat step 3 and export TOKEN again.

  • Using the "curl" command, upload the modified JSON file to Ops Manager as the multipart form field installation[file]:
curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Authorization: bearer $TOKEN" ${OPSURL}/api/installation_settings -X POST -F "installation[file]=@installsettings.json"

Do not add a Content-Type header by hand here: -F makes curl send multipart/form-data with the correct boundary, and a hand-written multipart/form-data header without the boundary leaves the server unable to parse the body. Check the HTTP status and the response body; an error response means the file was rejected (usually because the edit in step 6 left invalid JSON) and nothing has changed.

8. Go to the Ops Manager web UI and click "Apply Changes." This regenerates every password that was removed in step 6. Verify that a password has changed by opening the "Credentials" tab of the tile for which it was rotated. Then update anything that stored the old value, such as scripts or CI pipelines that log in to the BOSH Director or to UAA as admin, and delete installsettings.json and installsettings.json.original from the Ops Manager VM.

Note: After changing a password, some VMs might be recreated while Apply Changes is running. Therefore, make sure High Availability in TAS (https://docs.pivotal.io/platform/application-service/2-8/concepts/high-availability.html#instance-counts) best practices are followed.
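The hand editing in step 6 is where this procedure usually goes wrong (an unbalanced brace, a stray control character), so here is an added example, not part of the original article and not Ops Manager code, that removes the credential blocks programmatically and checks the result before it is uploaded with the curl command from step 7. The layout it assumes for the exported file (a products list, each product with jobs, each job with a properties list plus credential keys such as vm_credentials) and the SAMPLE document are constructed to match the fragments shown above and are assumptions, not the documented schema. The script matches the identifier and key sets wherever they occur, so narrow them to rotate only what you intend.

```python
#!/usr/bin/env python3
"""Remove selected credential blocks from an exported Ops Manager
installation_settings file so that "Apply Changes" regenerates them.
Added example for this article, not VMware/Broadcom code. The document
layout (products -> jobs -> properties, plus credential keys on a job) and
SAMPLE are constructed to mirror the fragments the article shows."""
import json
import sys

# Blocks addressed by "identifier" (scenarios a, b) and by key name (a, c).
DEFAULT_IDENTIFIERS = frozenset({"director_credentials", "admin_credentials"})
DEFAULT_KEYS = frozenset({"uaa_admin_user_credentials",
                          "uaa_admin_client_credentials", "vm_credentials"})

# Constructed sample with dummy passwords; a real export is far larger.
SAMPLE = {"products": [
    {"identifier": "p-bosh", "jobs": [{"identifier": "director", "properties": [
        {"deployed": False, "identifier": "director_credentials",
         "value": {"identity": "director", "password": "old-director-pw"}},
        {"deployed": True, "identifier": "ntp_servers", "value": "0.pool.ntp.org"}],
        "vm_credentials": {"identity": "vcap", "salt": "2a717f911bad21c5", "password": "old-vcap-pw"},
        "uaa_admin_user_credentials": {"identity": "admin", "password": "old-user-pw"},
        "uaa_admin_client_credentials": {"identity": "admin", "password": "old-client-pw"}}]},
    {"identifier": "cf", "jobs": [{"identifier": "uaadb", "properties": [
        {"deployed": True, "identifier": "admin_credentials",
         "value": {"identity": "admin", "password": "old-cf-admin-pw"}}],
        "vm_credentials": {"identity": "vcap", "salt": "0f1e2d3c4b5a6978", "password": "old-cf-vcap-pw"}}]}]}


def strip_credentials(node, identifiers=DEFAULT_IDENTIFIERS, keys=DEFAULT_KEYS, path="$"):
    """Return (copy of node without matching blocks, list of removed paths).
    List entries are dropped only in the credential shape {"identifier", "value"};
    product and job entries carry "identifier" but no "value", so they survive."""
    removed = []
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in keys:
                removed.append(f"{path}.{key}")
                continue
            out[key], sub = strip_credentials(value, identifiers, keys, f"{path}.{key}")
            removed.extend(sub)
        return out, removed
    if isinstance(node, list):
        out = []
        for index, item in enumerate(node):
            if isinstance(item, dict) and "value" in item and item.get("identifier") in identifiers:
                removed.append(f"{path}[{index}]({item['identifier']})")
                continue
            child, sub = strip_credentials(item, identifiers, keys, f"{path}[{index}]")
            out.append(child)
            removed.extend(sub)
        return out, removed
    return node, removed  # scalars pass through untouched; the input is never modified


def count_key(node, key):
    """Count occurrences of `key` anywhere in the tree (e.g. "password") to
    confirm that exactly the intended blocks disappeared."""
    if isinstance(node, dict):
        return int(key in node) + sum(count_key(v, key) for v in node.values())
    if isinstance(node, list):
        return sum(count_key(item, key) for item in node)
    return 0


def find_nonprintable(text):
    """Locate control characters (other than tab and CR) that an editor can slip
    into the file; the article warns these stop the passwords from changing.
    Returns a list of (line, column, codepoint)."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if not ch.isprintable() and ch not in "\t\r":
                hits.append((lineno, col, ord(ch)))
    return hits


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} installsettings.json installsettings.rotated.json", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        text = fh.read()
    bad = find_nonprintable(text)
    if bad:
        print(f"refusing to continue, control characters at {bad[:5]}", file=sys.stderr)
        return 1
    settings = json.loads(text)
    rotated, removed = strip_credentials(settings)
    with open(argv[2], "w", encoding="utf-8") as fh:
        json.dump(rotated, fh, indent=2)  # re-serialised, so valid JSON by construction
    print(f"removed {len(removed)} block(s); password fields "
          f"{count_key(settings, 'password')} -> {count_key(rotated, 'password')}")
    print("\n".join("  - " + entry for entry in removed))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 rotate_credentials.py installsettings.json installsettings.rotated.json, read the printed list of removed paths, and upload the rotated file in step 7. Because the output is re-serialised by json.dump rather than edited in place, it is valid JSON by construction, and a diff against installsettings.json.original should show only the removed blocks plus whitespace. The rotated file still contains every credential you did not remove, so it needs the same handling as the original export.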

 
