Accessing BOSH CredHub with the CredHub CLI

This topic provides the procedure for accessing BOSH CredHub with the CredHub CLI.

For example, you may need to access BOSH CredHub to rotate the Services TLS CA and its leaf certificates. For more information, see Rotating the Services TLS CA and Its Leaf Certificates.

Overview

Ops Manager stores some of its internal CA (certificate authority) and non-CA certificates in the BOSH CredHub credentials store. For more information, see BOSH CredHub.

To access the BOSH CredHub credentials store, you must retrieve credentials from the BOSH Director and then use the credentials to log in to CredHub from the Ops Manager VM.

Procedure

To access BOSH CredHub:

  1. In the Ops Manager Installation Dashboard, click the BOSH Director tile.

  2. Click the Credentials tab.

  3. In the BOSH Director section, click the link to the BOSH Commandline Credentials.

  4. Record the values for BOSH_CLIENT and BOSH_CLIENT_SECRET.
    For example:

    {"credential":"BOSH_CLIENT=ops_manager
    BOSH_CLIENT_SECRET=abCdE1FgHIjkL2m3n-3PqrsT4EUVwXy5
    BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
    BOSH_ENVIRONMENT=10.0.0.5 bosh "}
    

    The BOSH_CLIENT is the BOSH CredHub client name and the BOSH_CLIENT_SECRET is the BOSH CredHub client secret.

  5. Follow the procedure in Gather Credential and IP Address Information to obtain the information needed to log in to the BOSH Director VM. Record the IP address for the BOSH Director and the Director Credentials.

  6. Log in to the Ops Manager VM by following the procedure in Log in to the Ops Manager VM with SSH.

  7. From the Ops Manager VM, set the API target of the CredHub CLI to your BOSH CredHub server by running the following command:

    credhub api \
    https://BOSH-DIRECTOR-IP:8844 \
    --ca-cert=/var/tempest/workspaces/default/root_ca_certificate
    

    Where BOSH-DIRECTOR-IP is the IP address of the BOSH Director VM you recorded above.

    For example:

    $ credhub api \
    https://10.0.0.5:8844 \
    --ca-cert=/var/tempest/workspaces/default/root_ca_certificate

  8. Log in to CredHub by running the following command:

    credhub login \
    --client-name=CREDHUB-CLIENT-NAME \
    --client-secret=CREDHUB-CLIENT-SECRET
    

    Where:

    • CREDHUB-CLIENT-NAME is the value you recorded for BOSH_CLIENT earlier in this procedure.
    • CREDHUB-CLIENT-SECRET is the value you recorded for BOSH_CLIENT_SECRET earlier in this procedure.

    For example:

    $ credhub login \
    --client-name=credhub \
    --client-secret=abcdefghijklm123456789
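
Passing --client-secret on the command line, as in step 8, leaves the secret in shell history and in the process list of the Ops Manager VM. The following added example, which is not part of the original procedure, parses the credential blob from step 4 and exports the values as CREDHUB_SERVER, CREDHUB_CA_CERT, CREDHUB_CLIENT and CREDHUB_SECRET, the environment variables the CredHub CLI reads in place of the server URL and the --ca-cert, --client-name and --client-secret flags. The function names and the file name in the usage comment are hypothetical, and the script assumes that BOSH_ENVIRONMENT holds the BOSH Director IP address, as it does in the example above.

```shell
#!/bin/sh
# Added example: not part of the original procedure.

# Constructed sample: the example blob from step 4, written on one line.
SAMPLE_BLOB='{"credential":"BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=abCdE1FgHIjkL2m3n-3PqrsT4EUVwXy5 BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=10.0.0.5 bosh "}'

# bosh_field BLOB KEY: print the value of the KEY=value field in BLOB.
# Fields are split on whitespace and double quotes, so the JSON wrapper
# and the trailing "bosh" word are ignored. Matching on "KEY=" keeps
# BOSH_CLIENT from matching BOSH_CLIENT_SECRET.
bosh_field() {
  printf '%s\n' "$1" | tr ' \t"' '\n\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# credhub_env_from_blob BLOB: export the CredHub CLI environment variables.
# Assumption: BOSH_ENVIRONMENT is the BOSH Director IP (true in the page's example).
credhub_env_from_blob() {
  _client=$(bosh_field "$1" BOSH_CLIENT)
  _secret=$(bosh_field "$1" BOSH_CLIENT_SECRET)
  _ca=$(bosh_field "$1" BOSH_CA_CERT)
  _ip=$(bosh_field "$1" BOSH_ENVIRONMENT)

  # Refuse to continue with a partial blob instead of exporting empty values.
  if [ -z "$_client" ] || [ -z "$_secret" ] || [ -z "$_ca" ] || [ -z "$_ip" ]; then
    echo "credential blob is missing a required field" >&2
    unset _client _secret _ca _ip
    return 1
  fi

  export CREDHUB_SERVER="https://${_ip}:8844"   # port 8844 as in step 7
  export CREDHUB_CA_CERT="$_ca"
  export CREDHUB_CLIENT="$_client"
  export CREDHUB_SECRET="$_secret"
  unset _client _secret _ca _ip
}

# Usage on the Ops Manager VM (hypothetical file, created with mode 0600):
#   credhub_env_from_blob "$(cat ~/bosh-creds.json)" && credhub login
```

Unset CREDHUB_SECRET, or close the shell, when you finish working with CredHub.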