If you are using an external user store, such as SAML or LDAP, and you become locked out of Operations Manager, you can enable rescue mode to troubleshoot and reconfigure your SAML or LDAP configuration. When in rescue mode, the Operations Manager will allow you to access it without authentication.
This article covers how to enable rescue mode in Operations Manager.
Note: This feature is currently broken in Ops Manager versions 2.0 (all), 2.1.0-2.1.15, 2.2.0-2.2.6 and 2.3.0. . If you are experiencing an issue on a version of Ops Manager where rescue mode is broken, refer to How to troubleshoot and fix Operations Manager authentication issues with SAML IDP. This feature is fixed in Ops Manager 2.1.16+, 2.2.7+, 2.3.1+.
This is a very risky operation! While Operations Manager is running in rescue mode, it will not require anyone to authenticate and it will allow an unauthenticated user to Apply Changes. You should minimize the amount of time where rescue mode is enabled or even limit access to Operations Manager while rescue mode is enabled. For example, limit access with a firewall or IP restriction.
Despite this limitation, Operations Manager does still prevent users from changing passwords (if an internal user store is being used) and the decryption key. This happens because it requires the current password/passkey before making these changes.
While rescue mode is enabled, Operations Manager will display the username in the upper right corner as rescue mode.
In order to enable rescue mode, connect to the Operations Manager VM with Secure Shell (SSH). Run this command:sudo touch /var/tempest/workspaces/default/rescue_mode
Prior to accessing Operations Manager in your browser after enabling rescue mode, you'll be required to enter the decryption passphrase.
To disable rescue mode, delete the rescue_mode file by running this command:
sudo rm /var/tempest/workspaces/default/rescue_mode
Note: A restart of Operations Manager is required after disabling or enabling rescue mode. You can restart Operations Manger with this command:
service tempest-web restart