Retrieving Credentials from Your Deployment

This topic describes how the credentials for your Pivotal Cloud Foundry (PCF) deployment are stored and how you can access them.

  • What credentials does PCF store?
    • Many PCF components use credentials to authenticate connections, and PCF installations often have hundreds of active credentials. This includes certificates, VM credentials, and credentials for jobs running on the VMs.
  • Where does PCF store credentials?
    • PCF stores credentials in either the Ops Manager database or CredHub. In PCF v1.11 and later, the Ops Manager Director VM includes a co-located CredHub instance. Ops Manager, Elastic Runtime, and service tiles running on PCF can use this CredHub instance to store their credentials. For example, in PCF v1.12, Elastic Runtime began migrating its credentials to CredHub. See the Elastic Runtime Release Notes for a full list.
  • When do I need to access these credentials?:
    • You may need to access credentials for Ops Manager, Elastic Runtime, and service tiles as part of regular administrative tasks in PCF, including troubleshooting. Many procedures in this documentation require you to retrieve credentials.
  • How can I retrieve credentials?
    • The workflow for retrieving credentials depends on where they are stored. See the procedures below.

Retrieve Credentials Stored in CredHub

To retrieve credentials from CredHub using the Ops Manager API, do the following:

Note: You can also retrieve credentials using the CredHub CLI from Ops Manager Director VM. For more information, see the CredHub CLI Readme.

  1. Perform the procedures in the Using the Ops Manager API topic to authenticate and access the Ops Manager API.
  2. Use the Ops Manager API to retrieve a list of deployed products:
    $ curl "https://OPS-MAN-FQDN/api/v0/deployed/products" \
    -X GET \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN"
    Replace UAA-ACCESS-TOKEN with the access token recorded in the previous step.
  3. In the response to the above request, locate the guid for the product from which you want to retrieve credentials. For example, if you want to retrieve Elastic Runtime credentials, find the installation_name starting with cf- and copy its guid.
  4. Run the following curl command to list the names of the credentials stored in CredHub for the product you selected. If you already know the name of the credential, you can skip this step.
    $ curl "https://OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables" \
    -X GET \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN"
    Replace PRODUCT-GUID with the value of guid from the previous step.
  5. Run the following curl command to view the credential:
    $ curl "https://OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables?name=VARIABLE-NAME" \
    -X GET \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN"
    Replace VARIABLE-NAME with the name of the credential you want to retrieve.

Retrieve Credentials Stored in the Ops Manager Database

To retrieve credentials stored in the Ops Manager database and not CredHub, use the Ops Manager UI or API as outlined in the procedures below.

Retrieve Credentials Using the Ops Manager UI

  1. From Ops Manager, select the product tile for which you want to retrieve credentials.

  2. Click the Credentials tab.

  3. Locate the credential that you need and click Link to Credential.

Retrieve Credentials Using the Ops Manager API

  1. Perform the procedures in the Using the Ops Manager API topic to authenticate and access the Ops Manager API.
  2. Use the Ops Manager API to retrieve a list of deployed products:
    $ curl "https://OPS-MAN-FQDN/api/v0/deployed/products" \
    -X GET \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN"
    Replace UAA-ACCESS-TOKEN with the access token recorded in the previous step.
  3. In the response to the above request, locate the guid for the product from which you want to retrieve credentials. For example, if you want to retrieve Elastic Runtime credentials, find the installation_name starting with cf- and copy its guid.
  4. Run the following curl command to list references for the credentials stored in Ops Manager for the product you selected. If you already know the reference for the credential, you can skip this step.
    $ curl "https://OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials" \
    -X GET \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN"
    Replace PRODUCT-GUID with the value of guid from the previous step.
  5. Run the following curl command to view the credential:
    $ curl "https://OPS-MAN-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials/CREDENTIAL-REFERENCE" \
    -X GET \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN"
    Replace CREDENTIAL-REFERENCE with the name of the credential you want to retrieve.

Changing Ops Manager Credentials

Ops Manager Password

  1. Log in to Ops Manager and navigate to My Account. You can access this at https://OPS-MAN-FQDN/uaa/profile.

    Ops mgr my account

  2. Navigate to Change Password. You can access this at https://OPS-MAN-FQDN/uaa/change_password.

  3. Enter your current password and a new password.

    Opsman change password

Ops Manager Decryption Passphrase

You must have the existing passphrase to update the decryption passphrase.

  1. Log in to Ops Manager, and navigate to Settings. You can access this at https://OPS-MAN-FQDN/encryption_passphrase/edit.

    Ops mgr settings

  2. In the Decryption Passphrase panel, enter your current decryption passphrase and the new decryption passphrase, then click Save.

    Ops mgr decryption passphrase

Create a pull request or raise an issue on the source for this page in GitHub