CredHub lives in different places. This topic documents two of them: how you can talk to the CredHub service on the BOSH Director, and how you can talk to the CredHub service on Tanzu Application Service (TAS for VMs). You can connect to the CredHub service through its own API.
Important This procedure should be used only when you cannot use the Tanzu Operations Manager API. Use this procedure only as a fallback. Start with Using the Tanzu Operations Manager API.
If you are trying to access credentials stored in CredHub by a service broker, these are stored in the TAS for VMs CredHub. See Accessing TAS for VMs CredHub with the CredHub CLI in this topic for instructions for accessing CredHub.
To connect to the BOSH Director CredHub:
SSH into the BOSH director VM.
Run:
cat /var/vcap/jobs/director/config/director.yml
Locate the CredHub client name and secret in the output. The client name is director_to_credhub
.
Run:
cat /var/vcap/jobs/director/config/uaa_server_ca.cert
Copy the output to a file on your local machine. This is the CA cert that is used to establish trust with CredHub. You will use this in a later step.
Exit out of the BOSH Director VM.
Create the file uaa_server_ca.crt
. In it, paste the contents of uaa_server_ca.cert
that you copied from the earlier step.
Use the CredHub CLI to connect.
credhub api https://<director IP>:8844 --ca-cert uaa_server_ca.crt
credhub login --client-name=director_to_credhub --client-secret=<Secret you copied>
After you have successfully logged in, commands run successfully on the Bosh Director.
To connect to VMware Tanzu Application Service (TAS) for VMs CredHub:
SSH into the Operations Manager VM. This VM should already include the CredHub CLI.
Create two host entries in /etc/hosts. One for CredHub server and one for UAA. This is required because the CredHub API will use DNS names for some redirect and cert verifications.
/etc/hosts:
<TAS CredHub VM IP> credhub.service.cf.internal
<TAS UAA VM IP> uaa.service.cf.internal
Set CredHub CLI API endpoint to include root_ca_certificate:
credhub api --server credhub.service.cf.internal:8844 --ca-cert /var/tempest/workspaces/default/root_ca_certificate
Setting the target url: https://credhub.service.cf.internal:8844
Get the CredHub Admin Client Credentials from Operations Manager > TAS > Credentials tab.
Log in using CredHub Admin Client Credentials:
credhub login --client-name=credhub_admin_client --client-secret=<secret>
Login Successful