This topic describes how your VMware Tanzu Operations Manager deployment stores its credentials, and how you can access them.
To retrieve credentials from CredHub using the Tanzu Operations Manager API:
Follow the procedures in Using the Tanzu Operations Manager API to authenticate and access the Tanzu Operations Manager API.
Use the Tanzu Operations Manager API to retrieve a list of deployed products:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where UAA-ACCESS-TOKEN
is the access token recorded in the previous step.
In the response to the above request, locate the guid
for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name
starting with cf-
and copy its guid
.
Run the following curl
command to list the names of the credentials stored in CredHub for the product you selected. If you already know the name of the credential, you can skip this step.
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where PRODUCT-GUID
is the value of guid
from the previous step.
Run the following command to view the credential:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/variables?name=VARIABLE-NAME" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where VARIABLE-NAME
is the name of the credential you want to retrieve.
To retrieve credentials stored in the Tanzu Operations Manager database and not CredHub, use the Tanzu Operations Manager UI or API as outlined in the procedures below.
From Tanzu Operations Manager, select the product tile for which you want to retrieve credentials.
Click the Credentials tab.
Locate the credential that you need and click Link to Credential.
Follow the procedures in Using the Tanzu Operations Manager API to authenticate and access the Tanzu Operations Manager API.
Use the Tanzu Operations Manager API to retrieve a list of deployed products:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where UAA-ACCESS-TOKEN
is the access token recorded in the previous step.
In the response to the above request, locate the guid
for the product from which you want to retrieve credentials. For example, if you want to retrieve TAS for VMs credentials, find the installation_name
starting with cf-
and copy its guid
.
Run the following command to list references for the credentials stored in Tanzu Operations Manager for the product you selected. If you already know the reference for the credential, you can skip this step.
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where PRODUCT-GUID
is the value of guid
from the previous step.
Run the following command to view the credential:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/products/PRODUCT-GUID/credentials/CREDENTIAL-REFERENCE" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
Where CREDENTIAL-REFERENCE
is the name of the credential you want to retrieve.
In a web browser, navigate to https://OPS-MANAGER-FQDN
and log in, where OPS-MANAGER-FQDN
is the Fully Qualified Domain Name of your Tanzu Operations Manager.
In Tanzu Operations Manager, navigate to My Account in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/uaa/profile
.
Navigate to Change Password. You can access this at https://OPS-MANAGER-FQDN/uaa/change_password
.
Enter your current password and a new password.
You must have the existing passphrase to update the decryption passphrase.
In a web browser, navigate to https://OPS-MANAGER-FQDN
and log in, where OPS-MANAGER-FQDN
is the Fully Qualified Domain Name of your Tanzu Operations Manager.
In Tanzu Operations Manager, navigate to Settings in the dropdown under your username. You can access this at https://OPS-MANAGER-FQDN/encryption_passphrase/edit
.
In the Decryption Passphrase
pane, enter your current decryption passphrase and a new decryption passphrase.
Click Update.
If you use an S3 compatible blobstore, you can rotate your blobstore credentials from the Director Config pane of the BOSH Director tile. After entering new credentials and clicking Review Pending Changes, then Apply Changes, BOSH recreates the VMs in your deployment to apply the new credentials.
In a web browser, navigate to https://OPS-MANAGER-FQDN
and log in, where OPS-MANAGER-FQDN
is the Fully Qualified Domain Name of your Tanzu Operations Manager.
In the Installation Dashboard, click the BOSH Director tile.
In the Director Config pane, select the Recreate VMs deployed by the BOSH Director check box.
Under Blobstore Location, select S3 Compatible Blobstore
For Access Key, enter a new access key.
For Secret Key, enter a new secret key.
Click Review Pending Changes, then Apply Changes.
Clear the Recreate VMs deployed by the BOSH Director check box.