Rotating TAS UAA admin user & client password

Article ID: 370676

Products

VMware Tanzu Application Service

Issue/Introduction

TAS UAA admin credentials are crucial for securing and managing access to Tanzu Application Service, ensuring that only authenticated and authorized users can perform actions within the system. Regular rotation of credentials helps mitigate the risks associated with credential leakage, and many security standards and regulations require credential rotation as part of their compliance requirements. This article provides a standard procedure to rotate TAS UAA credentials.

Resolution

Pre-reqs

1. Install tools

1.1 cf-cli

2. Obtain values

2.1 CUR_ADMIN_PASSWORD - the current TAS UAA admin password

2.2 NEW_ADMIN_PASSWORD - decide on a new password at least 32 characters long, containing both lower- and upper-case letters, alphanumeric characters, and at least one “_” or “-” character.

2.3 TAS_SYSTEM_DOMAIN - the TAS system domain name, which can be found in the Ops Manager UI → TAS Tile → Domains tab.

3. If the "Tanzu Observability by Wavefront Nozzle" tile is not deployed, proceed to "Updating UAA". If it is deployed in the foundation, the "cc_exporter" job in the "tas-exporters" instance must be stopped before updating the admin password in UAA. The "cc_exporter" job logs in with the "admin" account periodically on a schedule, and if the password is updated before the tile is redeployed/updated, the admin account is likely to get locked out due to repeated failed login attempts by that job. Run the following commands to stop the "cc_exporter" job so that it does not log in while the password change procedure is being executed. Note that the "Apply Changes" in the final step (#8) updates this job with the new password and starts it automatically.

# ssh into the tas-exporters instance
bosh -d wavefront-nozzle-xxxyyyzzz ssh tas-exporters/0

# once logged in to the tas-exporters instance, become root
sudo -i

# stop the cc_exporter job
monit stop cc_exporter

# exit out of the VM (first the root shell, then the ssh session)
exit
exit

Updating UAA

1. Log into cf-cli as the admin user (enter the current password CUR_ADMIN_PASSWORD when prompted)

cf api api.[TAS_SYSTEM_DOMAIN]
cf login -u admin

2. Change the admin user password (enter the current password CUR_ADMIN_PASSWORD and the new password NEW_ADMIN_PASSWORD when prompted)

cf passwd

3. Confirm the new password has been set by logging in again (enter the new password NEW_ADMIN_PASSWORD when prompted)

cf login -u admin

Updating TAS Tile in Ops Manager UI

1. Log into Ops Manager VM using ssh.

2. Target the Ops Manager UAA for use by the UAAC CLI by running:

uaac target https://<opsman-url>/uaa --skip-ssl-validation

3. Generate a token so that it can be used by the UAAC CLI to communicate with the Ops Manager API.  Log in with a user that has Administrator rights or "Full Control" permissions. 

If Ops Manager authentication is configured to use internal UAA or LDAP, run the following command to log in with an admin user and its password.

$ uaac token owner get opsman -s "" 
User name:  admin
Password:  

If Ops Manager authentication is configured to use a SAML or OIDC identity provider, run the following command to log in using the SSO flow. In a browser, navigate to the URL shown in the Passcode prompt to authenticate and copy the passcode. Then paste the passcode at the prompt and press Enter.

$ uaac token sso get opsman -s ""
Passcode (from https://<opsman-url>/uaa/passcode):

Upon successful authentication, the output should show:

Successfully fetched token via owner passcode grant.

Get the access token by running `uaac context` command, and export the environment variable TOKEN with the value of 'access_token' from the output.

$ uaac context

[1]*[https://<opsman-url>/uaa]
  skip_ssl_validation: true

  [0]*[admin]
      user_id: 36f914af-xxxx-xxxx-xxxx-af114330efb1
      client_id: opsman
      access_token: eyJhbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-6LXgIODw
      token_type: bearer
      refresh_token: 9e7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-r
      expires_in: 43199
      scope: opsman.admin scim.me opsman.user uaa.admin clients.admin
      jti: dcbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx342

$ export TOKEN=eyJhbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-6LXgIODw

4. Download the Ops Manager Database as a JSON file.

4.a Set the ops manager FQDN.

export OPSURL=https://<opsman-url>   # replace this with your Ops Manager URL.

4.b Run the following command to retrieve the Ops Manager Database and save it as a JSON file named "installsettings.json".

curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN" ${OPSURL}/api/installation_settings | python3 -m json.tool > installsettings.json

5. Make a backup copy of "installsettings.json"

cp installsettings.json installsettings.json.original

6. Update the TAS UAA admin user & client password by opening the JSON file in a text editor.

6.a. Edit the TAS UAA admin credential block with the new admin password NEW_ADMIN_PASSWORD.

Credentials under the TAS tile, such as the UAA admin credentials, are found within the block of the UAA job (marked by '"installation_name": "uaa"') within the jobs block of the CF product (marked by '"installation_name": "cf-$UUID"').

To rotate credentials for the "admin" user for UAA, locate the block with "identifier": "admin_credentials", such as:

{
    "deployed": true,
    "identifier": "admin_credentials",
    "value": {
        "identity": "admin",
        "password": "[NEW_ADMIN_PASSWORD]"
    }
},

6.b. Delete the TAS admin client credential block, which looks like this:

{
  "deployed": true,
  "identifier": "admin_client_credentials",
  "value": {
    "identity": "admin",
    "password": "MiPxxxxxxxxxxxxxxxxxxxxxcfE"
  }
}
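Added example (not part of the KB article and not a VMware/Broadcom tool) that applies step 6 as a script instead of hand-editing, and first checks NEW_ADMIN_PASSWORD against the rules in pre-req 2.2: it sets the admin_credentials password and removes the admin_client_credentials block in the uaa job of the cf-* product, run here against a constructed sample export. The top-level "products" and per-job "properties" key names are assumptions about the export layout; "jobs", "installation_name", "identifier" and "value" are from the article.

```python
import copy
import re

# Constructed sample export. "jobs", "installation_name", "identifier" and
# "value" come from the article; "products" and "properties" are assumed.
SAMPLE = {"products": [
    {"installation_name": "p-bosh", "jobs": []},
    {"installation_name": "cf-0123abcd", "jobs": [
        {"installation_name": "uaa", "properties": [
            {"deployed": True, "identifier": "admin_credentials",
             "value": {"identity": "admin", "password": "OldPassw0rd"}},
            {"deployed": True, "identifier": "admin_client_credentials",
             "value": {"identity": "admin", "password": "MiPxxxcfE"}},
            {"deployed": True, "identifier": "other_setting", "value": 1}]}]}]}

def check_new_password(pw):
    """Return the section 2.2 rules pw fails ([] = passes). 'Alphanumeric' is
    read as: at least one digit and nothing outside [A-Za-z0-9_-] (assumed)."""
    rules = [(len(pw) >= 32, "at least 32 characters"),
             (re.search(r"[a-z]", pw), "a lowercase letter"),
             (re.search(r"[A-Z]", pw), "an uppercase letter"),
             (re.search(r"[0-9]", pw), "a digit"),
             (re.search(r"[_-]", pw), "one of '_' or '-'"),
             (re.fullmatch(r"[A-Za-z0-9_-]+", pw), "only [A-Za-z0-9_-]")]
    return [msg for ok, msg in rules if not ok]

def rotate_admin_credentials(settings, new_password):
    """Return a modified deep copy: in the 'uaa' job of the 'cf-*' product, set
    the admin_credentials password (6.a) and delete admin_client_credentials
    (6.b). Refuses unless exactly one admin_credentials block was found."""
    failed = check_new_password(new_password)
    if failed:
        raise ValueError("NEW_ADMIN_PASSWORD needs: " + ", ".join(failed))
    out = copy.deepcopy(settings)
    uaa_jobs = [j for p in out["products"] if p["installation_name"].startswith("cf-")
                for j in p["jobs"] if j["installation_name"] == "uaa"]
    updated = 0
    for job in uaa_jobs:
        kept = []
        for prop in job["properties"]:
            if prop.get("identifier") == "admin_client_credentials":
                continue                                   # 6.b: drop the block
            if prop.get("identifier") == "admin_credentials":
                prop["value"]["password"] = new_password   # 6.a
                updated += 1
            kept.append(prop)
        job["properties"] = kept                           # other settings kept
    if updated != 1:
        raise RuntimeError(f"found {updated} admin_credentials blocks, expected 1")
    return out
```

Feeding the real installsettings.json through rotate_admin_credentials and writing the result back with json.dump produces the file to upload in step 7; the original remains untouched for the backup in step 5.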

7. Upload the modified JSON DB to Ops Manager.

Note: "UAAC curl" cannot be used for this operation since it involves reading the request body from a file.

7.a Get the access token from UAAC context and put it in the environment variable TOKEN using export TOKEN='...'.

$ uaac context

[1]*[https://<opsman-url>/uaa]
  skip_ssl_validation: true

  [0]*[admin]
      user_id: 36f914af-xxxx-xxxx-xxxx-af114330efb1
      client_id: opsman
      access_token: eyJhbGxxxxxxxxxxxxxxxxxx-6LXgIODw
      token_type: bearer
      refresh_token: 9e773xxxxxxxxxxxxxxxx-r
      expires_in: 43199
      scope: opsman.admin scim.me opsman.user uaa.admin clients.admin
      jti: dcb4xxxxxxxxxxxxxxxxxxxxx342

$ export TOKEN=eyJhbGxxxxxxxxxxxxxxxxxx-6LXgIODw

7.b Using "curl" command, upload the modified JSON file to Ops Manager:

curl -s -k -H 'Accept: application/json;charset=utf-8' -H "Content-Type: multipart/form-data" -H "Authorization: bearer $TOKEN" ${OPSURL}/api/installation_settings -X POST -F "installation[file]=@installsettings.json" -w "%{http_code}\n"

A successful upload returns status code 200, for example:

{}200

8. Go to the Ops Manager web UI and click "Apply Changes". Make sure the TAS tile is included in this Apply Changes.
If the "Tanzu Observability by Wavefront Nozzle" tile is deployed, include it as well. It is also recommended to include all other tiles that use the UAA admin credentials in this Apply Changes, such as p-spring-cloud-services, p-healthwatch2-pas-exporter, p-scheduler, appMetrics, appdynamics, etc.