TAS UAA admin credentials are crucial for securing and managing access to Tanzu Application System, ensuring that only authenticated and authorized users can perform actions within the system. Regular rotation of credentials helps in mitigating the risks associated with credential leakage. Many security standards and regulations require credential rotation as part of their compliance requirements. This article provides a standard procedure to rotate TAS UAA credentials.
1. Install tools
1.1 cf-cli
2. Obtain values
2.1 CUR_ADMIN_PASSWORD - the current TAS UAA admin password
2.2 NEW_ADMIN_PASSWORD - decide on a new password at least 32 characters long, with both lower and upper cases, with alphanumeric characters, with at least one of “_” or “-” characters.
2.3 TAS_SYSTEM_DOMAIN - the TAS system domain name, which can be found in Ops manager UI → TAS Tile → Domains Tab.
1. Log into cf-cli as the admin user (enter the current password CUR_ADMIN_PASSWORD when prompted)
cf api api.[TAS_SYSTEM_DOMAIN]
cf login -u admin
2. Change the admin user password (enter the current password CUR_ADMIN_PASSWORD and the new password NEW_ADMIN_PASSWORD when prompted)
cf passwd
3. Confirm the new password has been set by logging in again (enter the new password NEW_ADMIN_PASSWORD when prompted)
cf login -u admin
Updating TAS Tile in Ops Manager UI
1. Log into ops manager VM through ssh
2. Target the Ops Manager UAA using uaac target:
uaac target https://<opsman-url>/uaa --skip-ssl-validation
3. Generate token so that it can be used by UAAC. It is recommended to log in as a user with Administrator or "Full Control". For example, the login user is admin below.
$ uaac token owner get opsman -s ""
User name: admin
Password: *************************
Successfully fetched token via owner password grant.
Target: https://<opsman-url>/uaa
Context: admin, from client opsman
Get the access token from uaac context and put it in the environment variable TOKEN using export TOKEN='...'
$ uaac context
[1]*[https://<opsman-url>/uaa]
skip_ssl_validation: true
[0]*[admin]
user_id: 36f914af-xxxx-xxxx-xxxx-af114330efb1
client_id: opsman
access_token: eyJhbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-6LXgIODw
token_type: bearer
refresh_token: 9e7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-r
expires_in: 43199
scope: opsman.admin scim.me opsman.user uaa.admin clients.admin
jti: dcbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx342
$ export TOKEN=eyJhbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-6LXgIODw
4. Download the Ops Manager Database as a JSON file and save the output in a text editor
4.a Set the ops manager FQDN.
export OPSURL=https://opsman.fqdn # replace this with your Ops Manager URL.
4.b Check if python is installed in ops manager VM.
ubuntu@opsmgr-01-xxxxx:~$ which python
/usr/bin/python
ubuntu@opsmgr-xxxxx:~$ python
-bash: python: command not found
4.c If python is installed, run the following command to retrieve the Ops Manager Database.
curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN ${OPSURL}/api/installation_settings | python -m json.tool > installsettings.json
Else, use the one below instead if python is not found.
curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN ${OPSURL}/api/installation_settings | python3 -m json.tool > installsettings.json
5. Make a backup copy of "installsettings.json"
cp installsettings.json installsettings.json.original
6. Update the TAS UAA admin user & client password
6.a. Edit the TAS UAA admin credential block with the new admin password NEW_ADMIN_PASSWORD.
For credentials under the TAS tile, such as the UAA admin credentials, this is within the UAADB job of "CF" product.
To rotate credentials for the "admin" user for UAA, locate the block with "identifier": "admin_credentials", such as:
{
"deployed": true,
"identifier": "admin_credentials",
"value": {
"identity": "admin",
"password": "[NEW_ADMIN_PASSWORD]"
}
},
6.b. Delete the TAS admin client credential block, which looks like this:
{
"deployed": true,
"identifier": "admin_client_credentials",
"value": {
"identity": "admin",
"password": "MiPxxxxxxxxxxxxxxxxxxxxxcfE"
}
}
7. Upload the modified JSON DB to Ops Manager.
Note: "UAAC curl" cannot be used for this operation since it involves reading the request body from a file.
7.a Get the access token from UAAC context and put it in the environment variable TOKEN using export TOKEN='...'.
$ uaac context
[1]*[https://<opsman-url>/uaa]
skip_ssl_validation: true
[0]*[admin]
user_id: 36f914af-xxxx-xxxx-xxxx-af114330efb1
client_id: opsman
access_token: eyJhbGxxxxxxxxxxxxxxxxxx-6LXgIODw
token_type: bearer
refresh_token: 9e773xxxxxxxxxxxxxxxx-r
expires_in: 43199
scope: opsman.admin scim.me opsman.user uaa.admin clients.admin
jti: dcb4xxxxxxxxxxxxxxxxxxxxx342
$ export TOKEN=eyJhbGxxxxxxxxxxxxxxxxxx-6LXgIODw
7.b Using "curl" command, upload the modified JSON file to Ops Manager:
curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Content-Type: multipart/form-data" -H "Authorization: bearer $TOKEN" ${OPSURL}/api/installation_settings -X POST -F "installation[file][email protected]" -w "%{http_code}\n"
It is expected to see a successful return of status code 200, for example,
{}200
8. Go to Ops Manager web UI and hit "Apply Changes." Make sure that TAS Tile is included as part of this Apply Changes.
It is also recommended including all the other Tiles using UAA admin creds as part of this Apply Changes, such as p-spring-cloud-services, p-healthwatch2-pas-exporter, p-scheduler, appMetrics, appdynamics, etc.