This topic describes how your VMware Tanzu Operations Manager deployment stores its credentials, and how you can access them.

  • What credentials does Tanzu Operations Manager store?
    • Many Tanzu Operations Manager components use credentials to authenticate connections, and Tanzu Operations Manager installations often have hundreds of active credentials. This includes certificates, virtual machine (VM) credentials, and credentials for jobs running on the VMs.
  • Where does Tanzu Operations Manager store these credentials?
    • Tanzu Operations Manager stores credentials in either the Tanzu Operations Manager database or BOSH CredHub.
  • When do I need to access these credentials?
    • You may need to access credentials for Tanzu Operations Manager, TAS for VMs, and service tiles as part of regular administrative tasks in Tanzu Operations Manager, including troubleshooting. Many procedures in this documentation require you to retrieve credentials.
  • How can I retrieve credentials?
    • The workflow for retrieving credentials depends on where they are stored. For more information, see the procedures below.

Retrieve credentials stored in BOSH CredHub

To retrieve credentials from CredHub using the Tanzu Operations Manager API:

  1. Follow the procedures in Using the Tanzu Operations Manager API to authenticate and access the Tanzu Operations Manager API.

  2. Use the Tanzu Operations Manager API to retrieve a list of deployed products:

    curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

    Where UAA-ACCESS-TOKEN is the access token recorded in the previous step.

  3. In the response to the above request, locate the guid for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name starting with cf- and copy its guid.

  4. Run the following curl command to list the names of the credentials stored in CredHub for the product you selected. If you already know the name of the credential, you can skip this step.

    curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

    Where PRODUCT-GUID is the value of guid from the previous step.

  5. Run the following command to view the credential:

    curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables?name=VARIABLE-NAME" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

    Where VARIABLE-NAME is the name of the credential you want to retrieve.

Retrieve credentials stored in the Tanzu Operations Manager database

To retrieve credentials stored in the Tanzu Operations Manager database and not CredHub, use the Tanzu Operations Manager UI or API as outlined in the procedures below.

Retrieve credentials using the Tanzu Operations Manager UI

  1. From Tanzu Operations Manager, select the product tile for which you want to retrieve credentials.

  2. Click the Credentials tab.

  3. Locate the credential that you need and click Link to Credential.

Retrieve credentials using the Tanzu Operations Manager API

  1. Follow the procedures in Using the Tanzu Operations Manager API to authenticate and access the Tanzu Operations Manager API.

  2. Use the Tanzu Operations Manager API to retrieve a list of deployed products:

    curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

    Where UAA-ACCESS-TOKEN is the access token recorded in the previous step.

  3. In the response to the above request, locate the guid for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name starting with cf- and copy its guid.

  4. Run the following command to list references for the credentials stored in Tanzu Operations Manager for the product you selected. If you already know the reference for the credential, you can skip this step.

    curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

    Where PRODUCT-GUID is the value of guid from the previous step.

  5. Run the following command to view the credential:

    curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials/CREDENTIAL-REFERENCE" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

    Where CREDENTIAL-REFERENCE is the name of the credential you want to retrieve.

Changing Tanzu Operations Manager credentials

Tanzu Operations Manager password

  1. In a web browser, navigate to https://OPS-MANAGER-FQDN and log in, where OPS-MANAGER-FQDN is the Fully Qualified Domain Name of your Tanzu Operations Manager.

  2. In Tanzu Operations Manager, navigate to My Account in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/uaa/profile.

  3. Navigate to Change Password. You can access this at https://OPS-MANAGER-FQDN/uaa/change_password.

  4. Enter your current password and a new password.

Tanzu Operations Manager decryption passphrase

You must have the existing passphrase to update the decryption passphrase.

  1. In a web browser, navigate to https://OPS-MANAGER-FQDN and log in, where OPS-MANAGER-FQDN is the Fully Qualified Domain Name of your Tanzu Operations Manager.

  2. In Tanzu Operations Manager, navigate to Settings in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/encryption_passphrase/edit.

  3. In the Decryption Passphrase pane, enter your current decryption passphrase and a new decryption passphrase.

  4. Click Update.

S3 compatible blobstore credentials

If you use an S3 compatible blobstore, you can rotate your blobstore credentials from the Director Config pane of the BOSH Director tile. After entering new credentials and clicking Review Pending Changes, then Apply Changes, BOSH recreates the VMs in your deployment to apply the new credentials.

  1. In a web browser, navigate to https://OPS-MANAGER-FQDN and log in, where OPS-MANAGER-FQDN is the Fully Qualified Domain Name of your Tanzu Operations Manager.

  2. In the Installation Dashboard, click the BOSH Director tile.

  3. In the Director Config pane, select the Recreate VMs deployed by the BOSH Director check box.

  4. Under Blobstore Location, select S3 Compatible Blobstore

  5. For Access Key, enter a new access key.

  6. For Secret Key, enter a new secret key.

  7. Click Review Pending Changes, then Apply Changes.

  8. Clear the Recreate VMs deployed by the BOSH Director check box.

check-circle-line exclamation-circle-line close-line
Scroll to top icon