How to check and rotate Ops Manager SAML Certificate before it expires

Article ID: 293613

Products

Operations Manager

Issue/Introduction

Symptoms:
Currently, the Operations Manager (Ops Manager) SAML certificate is not rotatable and is only valid for 2 years. If the certificate expires, operators will not be able to log in to Ops Manager until the certificate is rotated.

This article applies to users who have SAML IDP authentication enabled. It describes how to check whether your SAML certificate is about to expire and how to rotate the SAML certificate.

Operators who do not use SAML authentication may still see a warning in Ops Manager about an expiring SAML SP certificate. Although this does not affect Ops Manager functionality, the steps below can still be used to generate a new SAML SP certificate and clear the warning.

The Ops Manager and BOSH Director SAML certificate has expired or is about to expire, preventing operators from logging in to Ops Manager.

Note: A "product_guid" value starting with "p-bosh-" refers to the BOSH Director tile in Operations Manager (Ops Manager). The certificate entry for the SAML SP certificate looks like the following; "valid_until" is its expiry date:
{
  "valid_until": "2019-06-14T09:26:19Z",
  "configurable": false,
  "property_reference": ".properties.saml_service_provider_cert",
  "property_type": "rsa_cert_credentials",
  "product_guid": "p-bosh-xxxxxxxxxxxxxxxxxxx",
  "location": "ops_manager",
  "variable_path": null,
  "issuer": "/C=US/O=Pivotal",
  "valid_from": "2017-06-14T09:26:19Z"
},

Cause

Ops Manager provides an API that allows operators to rotate all non-configurable certificates in the system, except for its own SAML certificate. This is a known bug that will be addressed in future versions of Ops Manager.

Note: If using internal authentication, operators can complete any upgrade tasks first without being blocked by the expired certificate.

Resolution

To resolve this issue, follow the steps below:

1. Check when the Ops Manager SAML certificate will expire. You can obtain the SAML certificate from the web interface or from the CLI.

a. From the web interface, download the Ops Manager SAML Service Provider certificate. Use the link https://<opsmanager.domain>/uaa/saml/metadata to download the file saml-sp.xml.

Note: Replace <opsmanager.domain> with the Ops Manager domain used in your environment.

The certificate string is in the <ds:X509Certificate> XML element. You can format this string using a web tool such as https://www.samltool.com/format_x509cert.php.

b. From the CLI, open the file /home/tempest-web/ramdisk/uaa/config/login.yml and find the variable login.serviceProviderCertificate.


2. Copy the certificate, including the BEGIN and END lines, into a file named opsman.saml.cert:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

3. Check the expiration date of the certificate using the following command; the notAfter line is the expiry date:
openssl x509 -in opsman.saml.cert -noout -startdate -enddate
notBefore=Oct  2 02:55:33 2018 GMT
notAfter=Oct  2 02:55:33 2020 GMT
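As an added example (not code from the article or from Ops Manager itself), the shell script below automates steps 1a to 3: it extracts the <ds:X509Certificate> body from a saml-sp.xml metadata file, wraps it into opsman.saml.cert, and uses openssl to decide whether expiry falls inside a warning window. It assumes openssl and standard POSIX tools are installed; the metadata document it runs against is a constructed sample with a throwaway self-signed certificate, and the function names, the sample entityID and the 60-day window are illustrative choices rather than Ops Manager values.

```shell
#!/bin/sh
# Added example, not part of the KB article or of Ops Manager itself:
# turns the saml-sp.xml metadata from step 1a into the opsman.saml.cert
# PEM file of step 2 and checks its expiry with openssl as in step 3.
# Assumes openssl and the POSIX tools sh, sed, tr, fold and mktemp.

WORK=$(mktemp -d)

# extract_saml_cert METADATA_FILE OUT_PEM
# Copies the base64 body of the <ds:X509Certificate> element (the last
# one if several are present) into a PEM file, re-wrapping it at 64
# columns, which is what the samltool formatter linked above does by hand.
extract_saml_cert() {
  body=$(tr -d '\r\n\t ' < "$1" |
         sed -n 's/.*<ds:X509Certificate>\([^<]*\)<\/ds:X509Certificate>.*/\1/p')
  [ -n "$body" ] || { echo "no <ds:X509Certificate> element in $1" >&2; return 1; }
  {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$body" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
  } > "$2"
}

# cert_expires_within DAYS PEM_FILE
# Succeeds (exit 0) when the certificate's notAfter lies within DAYS from
# now, or is already past; fails (exit 1) when it stays valid longer.
# openssl's -checkend avoids parsing the "notAfter=Oct  2 ..." text, whose
# format differs between date implementations.
cert_expires_within() {
  if openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# make_sample_metadata DAYS OUT_XML
# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days, wrapped in a minimal SAML SP metadata skeleton. It stands in
# for the saml-sp.xml that an Ops Manager would serve.
make_sample_metadata() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj '/C=US/O=Example' \
    -keyout "$WORK/sample.key" -out "$WORK/sample.pem" 2>/dev/null
  b64=$(sed '/-----/d' "$WORK/sample.pem" | tr -d '\n')
  cat > "$2" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="example-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
$b64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Demo run: a certificate with 30 days left, checked against a 60-day window.
make_sample_metadata 30 "$WORK/saml-sp.xml"
extract_saml_cert "$WORK/saml-sp.xml" "$WORK/opsman.saml.cert"
openssl x509 -in "$WORK/opsman.saml.cert" -noout -startdate -enddate
if cert_expires_within 60 "$WORK/opsman.saml.cert"; then
  echo "SAML SP certificate expires within 60 days: schedule the rotation in step 4"
else
  echo "SAML SP certificate is valid for more than 60 days"
fi
```

To check a real Ops Manager, download the metadata file from the URL in step 1a and call extract_saml_cert and cert_expires_within on it. A window of 60 or 90 days leaves enough lead time to coordinate the replacement certificate with the IDP, which step 4 requires before the new certificate goes live.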


4. Regenerate the Ops Manager SAML certificate. Choose the method that matches your Ops Manager version.


For Ops Manager version 2.3 and earlier:

Note: Consult your IDP provider before regenerating the Operations Manager and BOSH Director SAML certificates. Once the certificates have been generated, they must be imported into the IDP provider configuration for login to function properly.

a. SSH into the Operations Manager VM.

b. Connect to the database using the following command: sudo -u tempest-web psql tempest_production

c. Execute the following query to delete the existing SAML certificate and key:
update uaa_configs set encrypted_saml_service_provider_cert = null, encrypted_saml_service_provider_private_key = null;

d. Restart Operations Manager with the following command: sudo service tempest-web restart. On restart, Operations Manager generates a new SAML certificate and key.

e. Upon the next "Apply Changes", Operations Manager will update the BOSH Director with the new SAML certificate.

 

For Ops Manager version 2.4 and later:

a. SSH into the Operations Manager VM, then switch to root:
sudo su -

b. Open the Rails console (IRB) using the following command. Replace the TEMPEST_INFRASTRUCTURE value with the infrastructure you are using (vsphere, aws, azure, gcp, openstack); the example here uses 'vsphere':
cd /home/tempest-web/tempest/web; RAILS_ENV='production' TEMPEST_INFRASTRUCTURE='vsphere' TEMPEST_WEB_DIR='/home/tempest-web' DATA_ROOT='/var/tempest' LOG_DIR='/var/log/opsmanager' SECRET_KEY_BASE="1234" su tempest-web --command 'bundle exec rails console'

c. Set the Ops Manager decryption passphrase:
EncryptionKey.instance.passphrase = '<om passphrase>'

d. Get an instance of Uaa::UaaConfig:
    For Ops Manager v3.0.18 or later and v2.10.64 or later: uaa_config = Uaa::UaaConfig.singleton
    For other Ops Manager versions: uaa_config = Uaa::UaaConfig.instance

NOTE: If the following error is observed when running Uaa::UaaConfig.instance (or .singleton), you may have used double quotes instead of single quotes in step c when setting EncryptionKey.instance.passphrase. Make sure to use single quotes around your passphrase. If the passphrase itself contains single quotes, wrap it in %(PASSPHRASE) instead of single quotes.
 
irb(main):002:0> uaa_config = Uaa::UaaConfig.singleton
(Object doesn't support #inspect) 


e. Force generation of a new SAML SP certificate (save the output, as you may need to share the newly generated certificate with your IDP):
uaa_config.generate_saml_service_provider_cert(force:true)

f. Write the certificate to the database and commit the change:
uaa_config.send('saml_service_provider_cert')
uaa_config.save!

WARNING: Before proceeding, collaborate with your IDP regarding the new SAML certificate generated above. Failure to do so may result in all SSO users being locked out of the platform.


g. Exit the console and restart the Ops Manager web server:
service tempest-web restart

h. Upon the next "Apply Changes", Operations Manager will update the BOSH Director with the new SAML certificate.
 
5. At this stage the SAML SP certificate has been updated. Continue to work with your IDP to update the SP certificate (if you are using SAML), or log in to Ops Manager and confirm that the SAML SP certificate expiration message has disappeared (if you are using internal authentication).