Retrieving Credentials from Your Deployment

This topic describes how the credentials for your VMware Tanzu Operations Manager (Ops Manager) deployment are stored and how you can access them.

What credentials does Ops Manager store?
- Many Ops Manager components use credentials to authenticate connections, and Ops Manager installations often have hundreds of active credentials. This includes certificates, virtual machine (VM) credentials, and credentials for jobs running on the VMs.
Where does Ops Manager store these credentials?
- Ops Manager stores credentials in either the Ops Manager database or BOSH CredHub.
When do I need to access these credentials?
- You may need to access credentials for Ops Manager, TAS for VMs, and service tiles as part of regular administrative tasks in Ops Manager, including troubleshooting. Many procedures in this documentation require you to retrieve credentials.
How can I retrieve credentials?
- The workflow for retrieving credentials depends on where they are stored. For more information, see the procedures below.

Retrieve Credentials Stored in BOSH CredHub

To retrieve credentials from CredHub using the Ops Manager API:

Follow the procedures in Using the Ops Manager API to authenticate and access the Ops Manager API.
Use the Ops Manager API to retrieve a list of deployed products:
```
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
```
Where UAA-ACCESS-TOKEN is the access token recorded in the previous step.
In the response to the above request, locate the guid for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name starting with cf- and copy its guid.
Run the following curl command to list the names of the credentials stored in CredHub for the product you selected. If you already know the name of the credential, you can skip this step.
```
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
```
Where PRODUCT-GUID is the value of guid from the previous step.

Run the following command to view the credential:

curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables?name=VARIABLE-NAME" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

Where VARIABLE-NAME is the name of the credential you want to retrieve.

Retrieve Credentials Stored in the Ops Manager Database

To retrieve credentials stored in the Ops Manager database and not CredHub, use the Ops Manager UI or API as outlined in the procedures below.

Retrieve Credentials Using the Ops Manager UI

From Ops Manager, select the product tile for which you want to retrieve credentials.
Click the Credentials tab.
Locate the credential that you need and click Link to Credential.

Retrieve Credentials Using the Ops Manager API

Follow the procedures in Using the Ops Manager API to authenticate and access the Ops Manager API.
Use the Ops Manager API to retrieve a list of deployed products:
```
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
```
Where UAA-ACCESS-TOKEN is the access token recorded in the previous step.
In the response to the above request, locate the guid for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name starting with cf- and copy its guid.
Run the following command to list references for the credentials stored in Ops Manager for the product you selected. If you already know the reference for the credential, you can skip this step.
```
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
```
Where PRODUCT-GUID is the value of guid from the previous step.

Run the following command to view the credential:

curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials/CREDENTIAL-REFERENCE" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"

Where CREDENTIAL-REFERENCE is the name of the credential you want to retrieve.

Changing Ops Manager Credentials

Ops Manager Password

In a web browser, navigate to https://OPS-MANAGER-FQDN and log in, where OPS-MANAGER-FQDN is the Fully Qualified Domain Name of your Ops Manager.
In Ops Manager, navigate to My Account in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/uaa/profile.
Navigate to Change Password. You can access this at https://OPS-MANAGER-FQDN/uaa/change_password.
Enter your current password and a new password.

Ops Manager Decryption Passphrase

You must have the existing passphrase to update the decryption passphrase.

In a web browser, navigate to https://OPS-MANAGER-FQDN and log in, where OPS-MANAGER-FQDN is the Fully Qualified Domain Name of your Ops Manager.
In Ops Manager, navigate to Settings in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/encryption_passphrase/edit.
In the Decryption Passphrase pane, enter your current decryption passphrase and a new decryption passphrase.
Click Update.

S3 Compatible Blobstore Credentials

If you use an S3 compatible blobstore, you can rotate your blobstore credentials from the Director Config pane of the BOSH Director tile. After entering new credentials and clicking Review Pending Changes, then Apply Changes, BOSH recreates the VMs in your deployment to apply the new credentials.

In a web browser, navigate to https://OPS-MANAGER-FQDN and log in, where OPS-MANAGER-FQDN is the Fully Qualified Domain Name of your Ops Manager.
In the Installation Dashboard, click the BOSH Director tile.
In the Director Config pane, select the Recreate VMs deployed by the BOSH Director checkbox.
Under Blobstore Location, select S3 Compatible Blobstore
For Access Key, enter a new access key.
For Secret Key, enter a new secret key.
Click Review Pending Changes, then Apply Changes.
Clear the Recreate VMs deployed by the BOSH Director checkbox.