LATEST VERSION: 1.9 - CHANGELOG
Pivotal Cloud Foundry v1.9

Creating UAA Clients for BOSH Director

Page last updated:

This topic describes the process of creating a UAA client for the BOSH Director. You must create an automation client to run BOSH from a script or set up a continuous integration pipeline.

Local Authentication

To perform this procedure, the UAAC client must be installed on the Ops Manager virtual machine (VM).

  1. Open a terminal and SSH into the Ops Manager VM. Provide your SSH key, or when prompted, enter the password you configured for SSH access during Ops Manager deployment.

    $ ssh ubuntu@OPS-MANAGER-FQDN
    Password: ***********
    

  2. Navigate to the Ops Manager Installation Dashboard and select the Ops Manager Director tile. In Ops Manager Director, click the Status tab, and copy the Ops Manager Director IP address.

  3. Using the uaac target command, target Ops Manager Director UAA on port 8443 using the IP address you copied, and specify the location of the root certificate. The default location is /var/tempest/workspaces/default/root_ca_certificate.

    $ uaac target https://OPS-DIRECTOR-IP:8443 --ca-cert \
    /var/tempest/workspaces/default/root_ca_certificate
    
    Target: https://10.85.16.4:8443
    

    Note: You can also curl or point your browser to the following endpoint to obtain the root certificate: https://OPS-MANAGER-FQDN/api/v0/security/root_ca_certificate

  4. Log in to the Ops Manager Director UAA and retrieve the owner token. Perform the following step to obtain the values for UAA-LOGIN-CLIENT-PASSWORD and UAA-ADMIN-CLIENT-PASSWORD:

    • Select the Ops Manager Director tile from the Ops Manager Installation Dashboard.
    • Click the Credentials tab, and locate the entries for Uaa Login Client Credentials and Uaa Admin User Credentials.
    • For each entry, click Link to Credential to obtain the password.
    $ uaac token owner get login -s UAA-LOGIN-CLIENT-PASSWORD
    User name:  admin
    Password:  UAA-ADMIN-CLIENT-PASSWORD
    
    Successfully fetched token via owner password grant.
    Target: https://10.85.16.4:8443
    Context: admin, from client login
    
    Note: To obtain the password for the UAA login and admin clients, you can also curl or point your browser to the following endpoints: https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_login_client_credentials and https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_admin_user_credentials
  5. Create a new UAA Client with bosh admin privileges.

    $ uaac client add ci --authorized_grant_types client_credentials \
    --authorities bosh.admin --secret CI-SECRET
    
    scope: uaa.none
    client_id: ci
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    action: none
    authorities: bosh.admin
    name: ci
    lastmodified: 1469727130702
    id: ci
    
  6. Set the client and secret as environment variables on the VM.

    $ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=ci
    $ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=CI-SECRET
    
  7. Target BOSH using the client. Replace OPS-MANAGER-DIRECTOR-IP with the IP address of your Ops Manager Director VM.

    $ bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate \
    target OPS-MANAGER-DIRECTOR-IP
    

You can now use the UAA client you created to run BOSH in automated or scripted environments, such as continuous integration pipelines.

SAML Authentication to the BOSH Director

Typically, there is no browser access to a BOSH Director in order to authenticate using SAML. Ops Manager provides an option to create UAA clients during SAML configuration so that BOSH can be automated via scripts and tooling.

  1. Select Provision an admin client in the Bosh UAA when configuring Ops Manager for SAML.

  2. After deploying Ops Manager Director (BOSH), click the Credentials tab in the Ops Manager Director tile.

  3. Click the link for the Uaa Bosh Client Credentials to get the client name and secret.

  4. Open a terminal and SSH into the Ops Manager VM. Provide your SSH key, or, when prompted, enter the password you configured for SSH access during Ops Manager deployment.

    $ ssh ubuntu@OPS-MANAGER-FQDN
    Password: ***********
    

  5. Set the client and secret as environment variables on the VM.

    $ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=bosh_admin_client
    $ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=CLIENT_SECRET
    

  6. Target BOSH using the client. Replace OPS-MANAGER-DIRECTOR-IP with the IP address of your Ops Manager Director VM.

    $ bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate \
    target OPS-MANAGER-DIRECTOR-IP
    

Was this helpful?
What can we do to improve?
View the source for this page in GitHub