This topic describes how the credentials for your VMware Tanzu Operations Manager (Ops Manager) deployment are stored and how you can access them.
To retrieve credentials from CredHub using the Ops Manager API:
Follow the procedures in Using the Ops Manager API to authenticate and access the Ops Manager API.
Use the Ops Manager API to retrieve a list of deployed products:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where UAA-ACCESS-TOKEN
is the access token recorded in the previous step.
In the response to the above request, locate the guid
for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name
starting with cf-
and copy its guid
.
Run the following curl
command to list the names of the credentials stored in CredHub for the product you selected. If you already know the name of the credential, you can skip this step.
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where PRODUCT-GUID
is the value of guid
from the previous step.
Run the following command to view the credential:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables?name=VARIABLE-NAME" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where VARIABLE-NAME
is the name of the credential you want to retrieve.
To retrieve credentials stored in the Ops Manager database and not CredHub, use the Ops Manager UI or API as outlined in the procedures below.
From Ops Manager, select the product tile for which you want to retrieve credentials.
Click the Credentials tab.
Locate the credential that you need and click Link to Credential.
Follow the procedures in Using the Ops Manager API to authenticate and access the Ops Manager API.
Use the Ops Manager API to retrieve a list of deployed products:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where UAA-ACCESS-TOKEN
is the access token recorded in the previous step.
In the response to the above request, locate the guid
for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name
starting with cf-
and copy its guid
.
Run the following command to list references for the credentials stored in Ops Manager for the product you selected. If you already know the reference for the credential, you can skip this step.
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where PRODUCT-GUID
is the value of guid
from the previous step.
Run the following command to view the credential:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials/CREDENTIAL-REFERENCE" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where CREDENTIAL-REFERENCE
is the name of the credential you want to retrieve.
In a web browser, navigate to https://OPS-MANAGER-FQDN
and log in, where OPS-MANAGER-FQDN
is the Fully Qualified Domain Name of your Ops Manager.
In Ops Manager, navigate to My Account in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/uaa/profile
.
Navigate to Change Password. You can access this at https://OPS-MANAGER-FQDN/uaa/change_password
.
Enter your current password and a new password.
You must have the existing passphrase to update the decryption passphrase.
In a web browser, navigate to https://OPS-MANAGER-FQDN
and log in, where OPS-MANAGER-FQDN
is the Fully Qualified Domain Name of your Ops Manager.
In Ops Manager, navigate to Settings in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/encryption_passphrase/edit
.
In the Decryption Passphrase
pane, enter your current decryption passphrase and a new decryption passphrase.
Click Update.
If you use an S3 compatible blobstore, you can rotate your blobstore credentials from the Director Config pane of the BOSH Director tile. After entering new credentials and clicking Review Pending Changes, then Apply Changes, BOSH recreates the VMs in your deployment to apply the new credentials.
In a web browser, navigate to https://OPS-MANAGER-FQDN
and log in, where OPS-MANAGER-FQDN
is the Fully Qualified Domain Name of your Ops Manager.
In the Installation Dashboard, click the BOSH Director tile.
In the Director Config pane, select the Recreate VMs deployed by the BOSH Director checkbox.
Under Blobstore Location, select S3 Compatible Blobstore
For Access Key, enter a new access key.
For Secret Key, enter a new secret key.
Click Review Pending Changes, then Apply Changes.
Clear the Recreate VMs deployed by the BOSH Director checkbox.