You can migrate non-configurable secrets from Tanzu Operations Manager into CredHub.

CredHub uses BOSH credential types, which can have different names than Tanzu Operations Manager credential types.

The following table lists the Tanzu Operations Manager credential types you can migrate to CredHub and the corresponding CredHub credential types:

| Tanzu Operations Manager Credential Type | CredHub Credential Type | Supported Tanzu Operations Manager Version |
|---|---|---|
| secret | password | 1.11.1 |
| simple_credential | user | 1.12 Alpha 1 |
| salted_credential | user | 1.12 Beta 1 |
| rsa_pkey_credential | rsa | 1.12 Alpha 1 |

See Property and template references for more information about credential types.

Important: CredHub does not retain the credential salt codes when you migrate salted_credentials.

Migrating using the JavaScript process

You can write a JavaScript migration to move existing non-configurable secrets into CredHub. After a successful migration, Tanzu Operations Manager deletes the credentials from the installation.yml file.

  1. Use the following example to write your JavaScript migration. Save the JavaScript file to the PRODUCT/migrations/v1 directory of your .pivotal tile, following the naming conventions in the Update Values or Property Names using JavaScript topic.

    exports.migrate = function(input) {
      input.variable_migrations.push({
        from: input.properties['.PROPERTY-REFERENCE.EXAMPLE-SECRET'],
        to_variable: 'SECRET-VARIABLE'
      });
      return input;
    };
    

    Replace the example text as follows:

    • PROPERTY-REFERENCE: Replace with the property reference that corresponds to the metadata file, such as properties. See Tile Upgrades for more information about migrating properties.
    • EXAMPLE-SECRET: Replace with the name of the key.
    • SECRET-VARIABLE: Create a variable name for the migrated secret.
  2. Remove the property blueprint for the secret and replace it with a CredHub variable.

    • In your metadata, remove the block that includes the credential. For example, remove the block that includes - name: EXAMPLE-SECRET and type: secret:

      property_blueprints:
        - name: EXAMPLE-SECRET
          type: secret
        - name: generated_uuid
          type: uuid
        - name: configured_secret
          type: secret
          configurable: true
          optional: true
        - name: configured_simple_credentials
          type: simple_credentials
          configurable: true
          optional: true
      
    • In the handcraft.yml file, add a variables section and include the variable name and type:

      variables:
        - name: SECRET-VARIABLE
          type: password
      

    Note: While the property blueprint refers to the type as secret, BOSH refers to the type as password. See the CredHub credential types table at the beginning of this topic for more information about credential types.

  3. In your manifest snippet, replace the existing secret value with the new triple-parenthesis syntax.

    • Remove the existing secret from the manifest snippet:

      secret: (( .PROPERTY-REFERENCE.SECRET-VARIABLE.SECRET-VALUE ))
      
    • Add the new CredHub variable to the manifest snippet:

      secret: ((( SECRET-VARIABLE )))
      
  4. Run a test deploy of your tile.

  5. Use an API endpoint to confirm that the credential is stored in the variable.

    For more information about the endpoint, see Fetching variable names and values.
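
The migration from step 1, extended as an added example (not from the original page) to queue several secrets at once and to queue nothing if a property is missing or a variable name repeats. The property references and variable names are hypothetical, and stopping on a missing property is this example's choice.

```javascript
// Added example. The references and variable names below are hypothetical;
// replace them with your tile's own property references and variables.
var SECRETS = [
  { ref: '.properties.db_password', variable: 'db-password' },
  { ref: '.properties.broker_login', variable: 'broker-login' },
  { ref: '.properties.signing_key', variable: 'signing-key' }
];

function migrate(input) {
  var seen = Object.create(null); // no inherited keys such as "constructor"
  var pending = [];
  var i;

  // Variable names that are already queued must not be reused.
  for (i = 0; i < input.variable_migrations.length; i++) {
    seen[input.variable_migrations[i].to_variable] = true;
  }

  // Validate every entry before touching input, so a failure queues nothing.
  for (i = 0; i < SECRETS.length; i++) {
    var property = input.properties[SECRETS[i].ref];
    if (property === undefined) {
      // Report the reference only; never put a secret value in an error.
      throw new Error('No property to migrate at ' + SECRETS[i].ref);
    }
    if (seen[SECRETS[i].variable]) {
      throw new Error('Duplicate CredHub variable ' + SECRETS[i].variable);
    }
    seen[SECRETS[i].variable] = true;
    pending.push({ from: property, to_variable: SECRETS[i].variable });
  }

  for (i = 0; i < pending.length; i++) {
    input.variable_migrations.push(pending[i]);
  }
  return input;
}

// The page's migration is exposed as exports.migrate; the guard only lets
// this file load in a context where exports is not defined.
if (typeof exports !== 'undefined') {
  exports.migrate = migrate;
}
```

Each variable named in the list still needs its own entry in the variables section from step 2, with the matching CredHub type.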
