Accessing BOSH CredHub with the CredHub CLI
This topic provides the procedure for accessing BOSH CredHub with the CredHub CLI.
For example, you may need to access BOSH CredHub to rotate the Services TLS CA and its leaf certificates. For more information, see Rotating the Services TLS CA and Its Leaf Certificates.
Overview
Ops Manager stores some of its internal CA (certificate authority) and non-CA certificates in the BOSH CredHub credentials store. For more information, see BOSH CredHub.
To access the BOSH CredHub credentials store, you must retrieve credentials from the BOSH Director and then use the credentials to log in to CredHub from the Ops Manager VM.
Procedure
To access BOSH CredHub:
In the Ops Manager Installation Dashboard, click the BOSH Director tile.
Click the Credentials tab.
In the BOSH Director section, click the link to the BOSH Commandline Credentials.
Record the values for BOSH_CLIENT and BOSH_CLIENT_SECRET.
For example:
{"credential":"BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=abCdE1FgHIjkL2m3n-3PqrsT4EUVwXy5 BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=10.0.0.5 bosh "}
The BOSH_CLIENT is the BOSH CredHub client name and the BOSH_CLIENT_SECRET is the BOSH CredHub client secret.
Follow the procedure in Gather Credential and IP Address Information to obtain the information needed to log in to the BOSH Director VM. Record the IP address for the BOSH Director and the Director Credentials.
Log in to the Ops Manager VM by following the procedure in Log Into the Ops Manager VM with SSH.
From the Ops Manager VM, set the API target of the CredHub CLI to your BOSH CredHub server by running the following command:
credhub api \
  https://BOSH-DIRECTOR-IP:8844 \
  --ca-cert=/var/tempest/workspaces/default/root_ca_certificate
Where BOSH-DIRECTOR-IP is the IP address of the BOSH Director VM you recorded above.
For example:
$ credhub api \
  https://10.0.0.5:8844 \
  --ca-cert=/var/tempest/workspaces/default/root_ca_certificate
Log in to CredHub by running the following command:
credhub login \
  --client-name=CREDHUB-CLIENT-NAME \
  --client-secret=CREDHUB-CLIENT-SECRET
Where:
CREDHUB-CLIENT-NAME is the value you recorded for BOSH_CLIENT earlier in this procedure.
CREDHUB-CLIENT-SECRET is the value you recorded for BOSH_CLIENT_SECRET earlier in this procedure.
For example:
$ credhub login \
  --client-name=credhub \
  --client-secret=abcdefghijklm123456789
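The steps above can be scripted so that the client secret is never typed on a command line, where it would land in shell history and the process list. The following is an added example, not part of the original documentation: it parses the credential string in the format shown earlier and logs in through the CredHub CLI's CREDHUB_CLIENT and CREDHUB_SECRET environment variables. The function names and the saved-file argument are hypothetical, and it assumes BOSH_ENVIRONMENT holds the BOSH Director IP.

```shell
#!/bin/sh
# Added example. SAMPLE_CRED is the example value shown earlier on this page.
SAMPLE_CRED='{"credential":"BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=abCdE1FgHIjkL2m3n-3PqrsT4EUVwXy5 BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=10.0.0.5 bosh "}'

# Print the value of KEY ($1) from the KEY=VALUE pairs inside the
# {"credential":"..."} wrapper ($2). Exits non-zero if wrapper or key is absent.
bosh_cred_field() (
  key=$1 json=$2
  body=$(printf '%s' "$json" |
    sed -n 's/^[[:space:]]*{"credential":"\(.*\)"}[[:space:]]*$/\1/p')
  [ -n "$body" ] || exit 1
  set -f   # split on whitespace only; never glob-expand secret material
  for pair in $body; do
    case $pair in
      # "$key=" anchors the full name, so BOSH_CLIENT never matches
      # BOSH_CLIENT_SECRET.
      "$key="*) printf '%s\n' "${pair#*=}"; exit 0 ;;
    esac
  done
  exit 1
)

# CredHub API target on port 8844, as in the credhub api step.
# Assumption: BOSH_ENVIRONMENT holds the BOSH Director IP.
credhub_server_url() (
  ip=$(bosh_cred_field BOSH_ENVIRONMENT "$1") || exit 1
  printf 'https://%s:8844\n' "$ip"
)

# Target and log in using a saved copy of the credential JSON ($1, hypothetical
# path). Runs in a subshell so the exported secret does not outlive the call.
credhub_login_from_file() (
  json=$(cat "$1") || exit 1
  url=$(credhub_server_url "$json") || exit 1
  ca=$(bosh_cred_field BOSH_CA_CERT "$json") || exit 1
  CREDHUB_CLIENT=$(bosh_cred_field BOSH_CLIENT "$json") || exit 1
  CREDHUB_SECRET=$(bosh_cred_field BOSH_CLIENT_SECRET "$json") || exit 1
  export CREDHUB_CLIENT CREDHUB_SECRET   # read by credhub login; keeps the secret out of argv
  credhub api "$url" --ca-cert="$ca" && credhub login
)

credhub_server_url "$SAMPLE_CRED"   # constructed demo; makes no network call
```

If you save the credential JSON to a file for `credhub_login_from_file`, restrict it to your user (mode 600) and delete it once you are logged in.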