Managing Ops Manager Verifiers

This topic describes how to disable and re-enable verifiers for fields in the BOSH Director and other product tiles.

Ops Manager provides this option for troubleshooting purposes. For example, your deployment may have a unique configuration that the verifier cannot detect. In this case, you can unblock your deployment by disabling the verifier.

Note: Pivotal recommends contacting support before you disable Ops Manager verifiers.

WARNING: Pivotal recommends recording and routinely revisiting which verifiers you disable. The Ops Manager UI does not indicate which verifiers you disable. Disabled verifiers persist through upgrades.

About Verifiers

Ops Manager verifiers shorten the feedback loop for operators by checking that fields are configured correctly. To do this, verifiers contact the external resources that a field refers to. For example, given an IP address, a verifier can ping it to confirm that it responds.

Verifiers run early in a deployment. With verifiers turned off, deployments may fail much later.

Verifiers run on two occasions:

Verifier Label   Triggers when you…      Blocks deployment?
form             Click Save in a pane.   Does not block deployment. Error message is a warning.
install_time     Click Apply Changes.    Blocks you from deploying. Disabling verifiers unblocks deployment.

Disable Verifiers by Type

You can disable verifiers by verifier type. For example, you can disable all MySQL verifiers for a tile. To disable a verifier type for a tile, you must find and record the type, then use the Ops Manager API.

Step 1: Record the Verifier Type

To record the verifier type, do the following:

  1. Log in to Ops Manager and go to Review Pending Changes.

  2. Click Apply Changes and see the verifier error message.

  3. Record the type in the verifier error message. For example, WildcardDomainVerifier.

The Ops Manager screenshot shows the following error: The domain '*.apps.example.com' failed to resolve, type:WildcardDomainVerifier

Step 2: Use the Ops Manager API

To disable verifiers, you must use the Ops Manager API. To get started with the Ops Manager API, follow the procedures in Using the Ops Manager API.

The API endpoint varies by tile. Go to one of the procedures below:

Disable Verifiers for the BOSH Director Tile

To disable a verifier type for the BOSH Director, do the following:

  1. Run the following API command:

    curl "https://OPS-MAN-FQDN/api/v0/staged/director/verifiers/install_time/VERIFIER-TYPE" \
     -X PUT \
     -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
     -H "Content-Type: application/json" \
     -d '{ "enabled": false }'
    

    Where:

    • OPS-MAN-FQDN is the fully-qualified domain name (FQDN) for your Ops Manager deployment.
    • VERIFIER-TYPE is the verifier type you recorded in Step 1: Record the Verifier Type.
    • UAA-ACCESS-TOKEN is your UAA access token. For more information, see Access the API.

    For more information about this endpoint, see Turning off a verifier for the director in the Ops Manager API documentation.

  2. To confirm your verifier type is disabled, run the following command:

    curl "https://OPS-MAN-FQDN/api/v0/staged/director/verifiers/install_time" \
     -X GET \
     -H "Authorization: Bearer UAA-ACCESS-TOKEN"
    

    See that the Ops Manager API shows false for the verifier type you disabled. In the following example, DirectorConfigurationVerifier is set to false:

    {
      "verifiers": [
        {
          "type": "AllocatedIpAddressVerifier",
          "enabled": true
        },
        {
          "type": "AvailabilityZonesVerifier",
          "enabled": true
        },
        {
          "type": "DirectorConfigurationVerifier",
          "enabled": false
        },
        {
          "type": "IaasConfigurationVerifier",
          "enabled": true
        },
        {
          "type": "NetworksExistenceVerifier",
          "enabled": true
        },
        {
          "type": "NetworksPingableVerifier",
          "enabled": true
        },
        {
          "type": "PrivilegeVerifier",
          "enabled": true
        }
      ]
    }
    

    For more information about this endpoint, see Retrieving a list of install time verifiers for a specific product in the Ops Manager API documentation.

  3. Record the product and the verifier type that you disabled in a secure location. Pivotal recommends recording and routinely revisiting which verifiers you disable.

Disable Verifiers for Other Tiles

To disable a verifier type for tiles other than the BOSH Director, do the following:

  1. Run the following command and record the guid corresponding to your product.

    curl "https://OPS-MAN-FQDN/api/v0/staged/products" \
    -X GET \
    -H "Authorization: Bearer UAA_ACCESS_TOKEN"
    

    Where:

    • OPS-MAN-FQDN is the fully-qualified domain name (FQDN) for your Ops Manager deployment.
    • UAA_ACCESS_TOKEN is your UAA access token. For more information, see Access the API.

    See the following example output:

    [
      {
        "installation_name": "component-type1-installation-name",
        "guid": "component-type1-guid",
        "type": "component-type1"
      },
      {
        "installation_name": "p-bosh-installation-name",
        "guid": "p-bosh-guid",
        "type": "p-bosh"
      }
    ]

    For more information about this endpoint, see Listing all staged products in the Ops Manager API documentation.

  2. To disable your verifier by type, run the following command.

    curl "https://OPS-MAN-FQDN/api/v0/staged/products/PRODUCT-GUID/verifiers/install_time/VERIFIER-TYPE" \
    -X PUT \
    -H "Authorization: Bearer UAA_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{ "enabled": false }'
    

    Where:

    • OPS-MAN-FQDN is the fully-qualified domain name (FQDN) for your Ops Manager deployment.
    • PRODUCT-GUID is the GUID you recorded in the previous step.
    • VERIFIER-TYPE is the verifier type you recorded in Step 1: Record the Verifier Type.

    For more information about this endpoint, see Turning off a verifier for a specific product in the Ops Manager API documentation.

  3. To confirm your verifier type is disabled, run the following command.

    curl "https://OPS-MAN-FQDN/api/v0/staged/products/PRODUCT-GUID/verifiers/install_time" \
    -X GET \
    -H "Authorization: Bearer UAA_ACCESS_TOKEN"
    

    See that the Ops Manager API shows false for the verifier type you disabled. In the following example, MysqlDatabaseVerifier is set to false:

    {
      "verifiers": [
        {
          "type": "BlobstoreVerifier",
          "enabled": true
        },
        {
          "type": "MysqlDatabaseVerifier",
          "enabled": false
        },
        {
          "type": "SsoUrlVerifier",
          "enabled": true
        },
        {
          "type": "WildcardDomainVerifier",
          "enabled": true
        }
      ]
    }

    For more information about this endpoint, see Retrieving a list of install time verifiers for a specific product in the Ops Manager API documentation.

  4. Record the product and the verifier type that you disabled in a secure location. Pivotal recommends recording and routinely revisiting which verifiers you disable.

Re-enable Verifiers by Type

Pivotal recommends recording and routinely revisiting which verifiers you disable. The Ops Manager UI does not indicate which verifiers you disable. Disabled verifiers persist through upgrades.

To re-enable verifiers, follow the steps detailed in Use the Ops Manager API above. Instead of setting enabled to false, set it to true.

If you do not know what verifiers are disabled, curl the verifiers endpoint for each installed product. For more information, see Retrieving a list of install time verifiers for a specific product in the Ops Manager API documentation.
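The audit described above, as an added example that is not part of the original Pivotal documentation: it walks the staged products list and each install_time verifiers endpoint shown on this page, reports every verifier with enabled set to false, and flags any that are missing from your own record. The helper names, the sample responses, and the treatment of the p-bosh entry as the BOSH Director are assumptions made for this example.

```python
import json
import urllib.parse
import urllib.request

DIRECTOR = "/api/v0/staged/director/verifiers/install_time"
PRODUCTS = "/api/v0/staged/products"

def api_fetcher(base_url, token):
    """Build fetch(path): GET base_url + path with the UAA bearer token, parsed as JSON."""
    def fetch(path):
        req = urllib.request.Request(
            base_url + path, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def disabled_verifiers(fetch):
    """Return sorted (product type, verifier type) pairs with "enabled": false."""
    targets = [("director", DIRECTOR)]
    for product in fetch(PRODUCTS):
        # Assumption: the "p-bosh" entry is the BOSH Director, already covered above.
        if product["type"] != "p-bosh":
            guid = urllib.parse.quote(product["guid"], safe="")
            targets.append((product["type"],
                            f"{PRODUCTS}/{guid}/verifiers/install_time"))
    return sorted((name, v["type"])
                  for name, path in targets
                  for v in fetch(path)["verifiers"]
                  if v["enabled"] is False)

def unrecorded(found, recorded):
    """Disabled verifiers that are missing from the operator's own record."""
    return [pair for pair in found if pair not in recorded]

# Constructed responses, shaped like the example output on this page.
SAMPLE = {
    PRODUCTS: [
        {"installation_name": "component-type1-installation-name",
         "guid": "component-type1-guid", "type": "component-type1"},
        {"installation_name": "p-bosh-installation-name",
         "guid": "p-bosh-guid", "type": "p-bosh"}],
    DIRECTOR: {"verifiers": [
        {"type": "DirectorConfigurationVerifier", "enabled": False},
        {"type": "NetworksPingableVerifier", "enabled": True}]},
    PRODUCTS + "/component-type1-guid/verifiers/install_time": {"verifiers": [
        {"type": "MysqlDatabaseVerifier", "enabled": False},
        {"type": "WildcardDomainVerifier", "enabled": True}]},
}

if __name__ == "__main__":
    found = disabled_verifiers(SAMPLE.__getitem__)
    recorded = {("director", "DirectorConfigurationVerifier")}  # constructed record
    print("disabled:", found)
    print("not in record:", unrecorded(found, recorded))
```

Against a live deployment, pass api_fetcher("https://OPS-MAN-FQDN", "UAA-ACCESS-TOKEN") to disabled_verifiers in place of the sample lookup.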
