How to decrypt the installation YAML file in an installation.zip file obtained from using the Export Installation settings feature of Operations Manager
Article ID: 293887
Updated On:
Products
Issue/Introduction
Note: This article does not provide instructions on how to decrypt the installation.yml present on Operations Manager VM at this location: /var/tempest/workspaces/default/installation.yml. If you are looking to decrypt the file present in that location, follow this article instead: How to manually edit the installation YAML file on the Operations Manager VM
Note: It is not supported to decrypt installation.yml on other Ops Manager instance, because the decryption not only relies on passphrase, but also a salt value in encryption_keys table of Ops Manager database. The salt must be identical, otherwise decryption would fail with error "TempestEncryptor::DecryptError: bad decrypt".
Pre-checks
- You have downloaded installation.zip from Ops Manager (User > Settings > Export Installation Settings).
- After unzipping the installation.zip file, you have renamed and copied the encrypted installation.yml file to the Operation Manager VM in the /tmp/encrypted-installation.yml location.
- You are trying to decrypt the installation.yml file using your Ops Manager decryption passphrase and the following command:
sudo -u tempest-web SECRET_KEY_BASE="s" RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /tmp/encrypted-installation.yml /tmp/decrypted-installation.yml
- After supplying the decryption passphrase, you see the following error:
Failed to decrypt /tmp/encrypted-installation.yml: #<TempestEncryptor::DecryptError: bad decrypt> ...
Environment
Product Version: All releases
Cause
The encryption done on the installation.yml file from the installation.zip (Export Installation Settings) is subtly different compared to the encryption done on the file present in /var/tempest/workspaces/default/installation.yml.
The next section of this article highlights the steps you can take to decrypt installation.yml obtained from the installation.zip file.
Resolution
Note: This change makes it impossible for the decrypt script to decrypt the installation.yml that's on the disk (/var/tempest/workspaces/default/installation.yml), we advise that you revert it back when you're done decrypting the installation.yml that's in the installation.zip.
1. SSH to the Operation Manager VM and become root.
2. Edit the file at this location: /home/tempest-web/tempest/web/lib/scripts/file_decryptor.rb
- Change this:
@encryptor = TempestEncryptor.new(EncryptionKey.instance.encryption_key)
@encryptor = TempestEncryptor.new(EncryptionKey.instance.full_encryption_key)
3. Save the changes.
4. The decrypt command will now execute successfully and you will have a copy of the decrypted installation.yml file at the location /tmp/decrypted-installation.yml.
sudo -u tempest-web SECRET_KEY_BASE="s" RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /tmp/encrypted-installation.yml /tmp/decrypted-installation.yml
Important: Make sure to revert the changes done to the file at /home/tempest-web/tempest/web/lib/scripts/file_decryptor.rb.
Note: When running decrypt from Ops Manager directory /home/ubuntu you may encounter the error: Permission denied @ dir_chdir - /home/ubuntu. To remedy this, navigate out of /home/ubuntu.
Feedback
