How to login and access Credhub in Tanzu Application Service

Article ID: 297967

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

In a Tanzu Application Service (TAS) foundation where a BOSH Director VM and a TAS tile are deployed, you may need to log in to either of the CredHub instances below. This article provides step-by-step instructions for both:
  • CredHub present as a process running on BOSH Director VM
  • CredHub deployed as a VM instance in a TAS deployment
Note: This was tested with Ops Manager 2.5 and TAS 2.5.

Environment

Product Version: 2.5

Resolution

Note: This article assumes that the `credhub` CLI is installed on the Ops Manager VM. A quick way to check is to SSH to the Ops Manager VM and run `credhub --version`.


Scenario 1 

If your use case requires you to log in to and access the CredHub that was deployed on the BOSH Director VM, follow the instructions below:

1. SSH to your Ops Manager VM:
ssh ubuntu@<opsman-url-or-IP>

2. Export "BOSH Commandline Credentials" from the Ops Manager UI > Ops Manager/Director tile > Credentials tab > BOSH Commandline Credentials

a. Open the BOSH Commandline Credentials, copy the value of key "credential".

b. Paste it into Notepad and remove "bosh" from the value.

c. From the Ops Manager VM terminal session, run the following command:
export BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=<redacted> BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=<redacted>

3. Export environment variables required to access CredHub:
export CREDHUB_CLIENT=$BOSH_CLIENT CREDHUB_SECRET=$BOSH_CLIENT_SECRET

4. Target the CredHub API and log in:
credhub api -s $BOSH_ENVIRONMENT:8844 --ca-cert $BOSH_CA_CERT

credhub login


Note: In modern CredHub versions, you can start using CredHub directly without logging in since CREDHUB_* environment variables are present.
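
Steps 2b to 4 of Scenario 1 can be done without hand-editing the secret in an editor: the function below parses the copied "credential" value, accepts only the four expected variables, and never evaluates the pasted text. This is an added example, not part of the original article; the function names are hypothetical, and it assumes the value is whitespace-separated KEY=value pairs followed by the word "bosh".

```shell
# Added example, not from the original article; function names are hypothetical.
# Assumption: the "credential" value is whitespace-separated KEY=value pairs
# followed by the word "bosh", with no spaces inside any value.

# Steps 2b-3: validate the pasted value, then export it. Nothing is eval'd,
# and nothing is exported unless the whole string passes validation.
load_bosh_credential() {
  local cred="$1" pass token key seen
  set -f                                  # word-split without glob expansion
  for pass in validate export; do
    seen=""
    for token in $cred; do
      [ "$token" = "bosh" ] && continue   # step 2b: drop the command word
      key="${token%%=*}"
      case "$key" in
        BOSH_CLIENT|BOSH_CLIENT_SECRET|BOSH_CA_CERT|BOSH_ENVIRONMENT) ;;
        *) set +f; echo "unexpected token or key" >&2; return 1 ;;
      esac
      case "$token" in
        "$key"=?*) ;;
        *) set +f; echo "no value for $key" >&2; return 1 ;;
      esac
      seen="$seen $key"
      if [ "$pass" = export ]; then export "$key=${token#*=}"; fi
    done
    # All four variables from step 2c must be present.
    for key in BOSH_CLIENT BOSH_CLIENT_SECRET BOSH_CA_CERT BOSH_ENVIRONMENT; do
      case "$seen " in
        *" $key "*) ;;
        *) set +f; echo "missing $key" >&2; return 1 ;;
      esac
    done
  done
  set +f
  # Step 3: reuse the BOSH client as the CredHub client.
  export CREDHUB_CLIENT="$BOSH_CLIENT" CREDHUB_SECRET="$BOSH_CLIENT_SECRET"
}

# Step 4: the server address passed to `credhub api -s`.
credhub_server() { printf '%s:8844' "$BOSH_ENVIRONMENT"; }

# Usage, after sourcing this file in the Ops Manager SSH session (bash):
#   read -rs cred     # paste the value; -s keeps it off the screen
#   load_bosh_credential "$cred"; unset cred
#   credhub api -s "$(credhub_server)" --ca-cert "$BOSH_CA_CERT" && credhub login
```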


Scenario 2

If your use case requires you to log in to and access the CredHub deployed as a VM in your TAS deployment, follow the instructions below:

1. SSH to your Ops Manager VM:
ssh ubuntu@<opsman-url-or-IP>

2. Export "BOSH Commandline Credentials" from the Ops Manager UI > Ops Manager/Director tile > Credentials tab > BOSH Commandline Credentials.

a. Open the BOSH Commandline Credentials, copy the value of key "credential".

b. Paste it into Notepad and remove "bosh" from the value.

c. From the Ops Manager VM terminal session, run the following command:
export BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=<redacted> BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=<redacted>

3. Get "Credhub Client Credentials" for TAS. Go to Ops Manager UI > PAS/ERT tile > Credentials tab > Credhub Admin Client Client Credentials, and copy "identity" and "password" into Notepad for the next steps.

4. Export CREDHUB_CLIENT and CREDHUB_SECRET. Use values of "identity" and "password" obtained from Step 3 as client name and secret.
export CREDHUB_CLIENT=<identity> CREDHUB_SECRET=<password>

5. Change to root and edit the /etc/hosts file to add the following 2 entries:
sudo -i

vim /etc/hosts

a. Add the following lines with the necessary IP addresses. To find the IPs of the CredHub and UAA VMs in the PAS deployment, go to Ops Manager UI > PAS/ERT tile > Status tab and look for the CredHub and UAA VMs:
<IP-of-Credhub-VM-in-cf-deployment> credhub.service.cf.internal
<IP-of-UAA-VM-in-cf-deployment> uaa.service.cf.internal
b. Save the changes.

c. Exit out of root.

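6. Target the CredHub API using one of the following options. The first skips TLS certificate validation; the second validates the CredHub server certificate against the CA certificate:
credhub api -s <IP-of-credhub-VM-in-cf-deployment>:8844 --skip-tls-validation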

OR

credhub api -s credhub.service.cf.internal:8844 --ca-cert $BOSH_CA_CERT

7. Log into CredHub:
credhub login

Note: In modern CredHub versions, you can start using CredHub directly, without logging in since CREDHUB_* environment variables are present.

Additional Information

This was tested with Ops Manager v2.5 and PAS v2.5 but should be applicable to all versions above 2.x.