Rotating Bosh UAA Credentials

Article ID: 370605

Products

VMware Tanzu Application Service

Issue/Introduction

Bosh UAA credentials secure and manage access to the Bosh Director, ensuring that only authenticated and authorized users can perform actions within the system. Rotating them regularly mitigates the risk of a leaked credential being usable, and many security standards and regulations require credential rotation as part of their compliance requirements. This article provides a standard procedure for rotating the Bosh UAA admin credential.

Resolution

1.) Target and authenticate against the Ops Manager UAA.

uaac target https://${OPSMAN_FQDN}/uaa --skip-ssl-validation
uaac token owner get opsman admin -s "" -p ${OPSMAN_ADMIN_PASSWORD}

2.) Create an env.yml file.

---
target: opsmanager.hostname.domain
connect-timeout: 30            # default 5
request-timeout: 1800          # default 1800
skip-ssl-validation: true      # default false
username: admin
password: OPSMAN_ADMIN_PASSWORD
decryption-passphrase: OPSMAN_DECRYPTION_PASSPHRASE

3.) Use the om CLI to download the installation settings to installsettings.json, and make a backup copy of the file.

om -e env.yml curl -p /api/installation_settings  > installsettings.json

cp installsettings.json installsettings.json.original

4.) Identify and show the current credential. The credential name is the same as the last path segment of its URL in Ops Manager → Director tile → Credentials tab. For example, the UAA admin credential URL is https://OPSMAN_FQDN/api/v0/deployed/director/credentials/uaa_admin_user_credentials, so the name is uaa_admin_user_credentials.

jq '.products[] | .uaa_admin_user_credentials' installsettings.json
{
  "identity": "admin",
  "password": "Uo_xxxxxxxxxxxxxxxxx_QC"
}

5.) Delete the credential from installsettings.json and write the result to a new file, new_installsettings.json. Installing the jq command is recommended, as it makes this step easy to automate.

jq 'del(.products[] | .uaa_admin_user_credentials)' installsettings.json  > new_installsettings.json

6.) Confirm the credential is now removed.

jq '.products[] | .uaa_admin_user_credentials' new_installsettings.json
null
null

7.) Use curl to upload the new_installsettings.json file.

curl -s -k \
  -H 'Accept: application/json;charset=utf-8' \
  -H "Content-Type: multipart/form-data" \
  -H "Authorization: bearer $(uaac context admin | egrep access_token | awk -F ":" '{print $2}' | sed s/' '//g)" \
  https://${OPSMAN_FQDN}/api/installation_settings \
  -X POST -F "installation[file]=@new_installsettings.json"

8.) Ops Manager should now report a different, newly generated credential.

om -e env.yml curl -p /api/installation_settings | jq '.products[] | .uaa_admin_user_credentials'

{
  "identity": "admin",
  "password": "WF-xxxxxxxxxxxxxxxxxxxxxxx_4y"
}

9.) Apply Changes on the Director tile to roll the new credential out.
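The jq steps above (4 through 6 and 8), as an added Python helper that is not part of this article: it refuses to strip a credential name that does not exist in any product (a mistyped name would otherwise upload unchanged settings and rotate nothing) and checks after the upload that the identity is unchanged while the password differs. The installation settings embedded below are constructed sample data, not real Ops Manager output.

```python
import copy
import json
import sys

# Constructed sample: two products, only the director carries the credential.
SAMPLE_SETTINGS = {
    "products": [
        {"identifier": "p-bosh",
         "uaa_admin_user_credentials": {"identity": "admin", "password": "Uo_old_QC"}},
        {"identifier": "cf", "guid": "cf-0000"},
    ]
}

def find_credential(settings, name):
    """Credential objects stored under `name` across all products.
    Mirrors `jq '.products[] | .<name>'` but drops the null entries."""
    return [p[name] for p in settings["products"] if p.get(name) is not None]

def strip_credential(settings, name):
    """Copy of settings with `name` removed from every product, like
    `jq 'del(.products[] | .<name>)'`. Raises if the name is absent everywhere,
    which usually means it does not match the Credentials-tab URL."""
    if not find_credential(settings, name):
        raise KeyError(f"{name} not present in any product; check the credential name")
    stripped = copy.deepcopy(settings)
    for product in stripped["products"]:
        product.pop(name, None)
    return stripped

def rotation_succeeded(before, after, name):
    """True when exactly one credential exists before and after, with the same
    identity and a different password (the check step 8 does by eye)."""
    old, new = find_credential(before, name), find_credential(after, name)
    if len(old) != 1 or len(new) != 1:
        return False
    return old[0]["identity"] == new[0]["identity"] and old[0]["password"] != new[0]["password"]

if __name__ == "__main__":
    # Optional: pass a path to a real installsettings.json; otherwise use the sample.
    settings = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SETTINGS
    new_settings = strip_credential(settings, "uaa_admin_user_credentials")
    with open("new_installsettings.json", "w") as out:
        json.dump(new_settings, out, indent=2)
    print(find_credential(new_settings, "uaa_admin_user_credentials"))  # []
```

Run it again with the settings fetched after Apply Changes and feed both documents to rotation_succeeded to confirm the password actually changed.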