forked from mfine30/docs-mysql
-
Notifications
You must be signed in to change notification settings - Fork 0
/
credential-rotation.html.md.erb
114 lines (90 loc) · 6.12 KB
/
credential-rotation.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
---
title: Rotating MySQL for PCF Credentials
owner: MySQL
---
<strong><%= modified_date %></strong>
This topic describes how to rotate credentials for MySQL for Pivotal Cloud Foundry (MySQL for PCF). If you are also using Elastic Runtime MySQL, review the notes in this procedure in order to rotate credentials for both products.
##<a id='prereqs'></a>Prerequisites
To perform the steps below, you need to obtain the following:
1. Your root CA certificate in a `.crt` file. To retrieve the root CA certificate of your deployment, run the following command:
<p class="note"><strong>Note</strong>: The Ops Manager API returns the certificate in JSON format with <code>\n</code> for every new line. Remove all occurrences of <code>\n</code> when you copy the certificate into a <code>.crt</code> file.</p>
<pre class="terminal">
$ curl "<span>https</span>://YOUR-OPSMAN-IP-ADDRESS/api/v0/security/root_ca_certificate"
</pre>
1. Your MySQL for PCF root password. To retrieve your MySQL for PCF root password, navigate to the Ops Manager Installation Dashboard and select <strong>MySQL for Pivotal Cloud Foundry > Credentials</strong>. Your MySQL for PCF root password is called `Mysql Admin Password`.
<%= image_tag("p-mysql-cred.png") %>
<p class="note"><strong>Note</strong>: If you use Elastic Runtime MySQL, you also need your Elastic Runtime MySQL root password. To retrieve your Elastic Runtime MySQL root password, navigate to the Ops Manager <strong>Installation Dashboard</strong> and select <strong>MySQL > Credentials</strong>. Your Elastic Runtime MySQL root password is called <code>Mysql Admin Credentials</code>.</p>
##<a id="rotate"></a>Rotate Your MySQL for PCF Credentials
1. Install the User Account and Authentication (UAA) Command Line Interface (UAAC).
<pre class="terminal">$ gem install cf-uaac</pre>
1. Make sure `uaac` gem is installed.
<pre class="terminal">$ which uaac
/Users/pivotal/.gem/ruby/2.3.0/bin/uaac
</pre>
1. Target your Ops Manager UAA and provide the path to your root CA certificate.
<pre class="terminal">
$ uaac target <span>https</span>://YOUR-OPSMAN-FQDN/uaa/ --ca-cert YOUR-ROOT-CA.crt
Target: <span>https<span>://YOUR-OPSMAN-FQDN/uaa/
</pre>
1. Get your token with `uaac token owner get`.
* Enter `opsman` for `Client ID`.
* Press enter for `Client secret` to leave it blank.
* Use the user name and password you used above to log into the Ops Manager web interface for `User name` and `Password`.
<pre class="terminal">
$ uaac token owner get
Client ID: opsman
Client secret:
User name: admin
Password: *********
Successfully fetched token via owner password grant.
Target: <span>https</span>://YOUR-OPSMAN-FQDN/uaa
Context: admin, from client opsman
</pre>
1. Run the following command to display the users and applications authorized by the UAA server, and the permissions granted to each user and application.
<pre class="terminal">$ uaac context
[1]<span>*</span><span>*</span>[<span>https</span>://YOUR-OPSMAN-FQDN/uaa]
skip\_ssl\_validation: true
ca\_cert: /Users/pivotal/.ssh/YOUR-ROOT-CA.crt
[0]*[admin]
user\_id: 75acfdfa-9449-4497-a093-ce40ded250ac
client\_id: opsman
access\_token: LONG\_ACCESS\_TOKEN\_STRING
token\_type: bearer
refresh\_token: LONG\_REFRESH\_TOKEN\_STRING
expires\_in: 43199
scope: clients.read opsman.user uaa.admin scim.read opsman.admin clients.write scim.write
jti: 8419c793d377429aa40eea07fb6e7686
</pre>
1. Create a file called `uaac-token` that contains only the <code>LONG\_ACCESS\_TOKEN\_STRING</code> from the output above.
1. Use `curl` to make a request to the Ops Manager API. Authenticate with the contents of the `uaac-token` file and pipe the response into `installation_settings_current.json`.
<pre class="terminal">
$ curl -skH "Authorization: Bearer $(cat uaac-token)" <span>https:</span>//YOUR-OPSMAN-FQDN/api/installation_settings > installation\_settings\_current.json
</pre>
1. Check to see that the MySQL for PCF [root password](#prereqs) is in the current installation settings file:
<pre class="terminal">
$ grep -c YOUR-MYSQL-FOR-PCF-ROOT-PASSWORD installation\_settings\_current.json
</pre>
<p class="note"><strong>Note</strong>: If you use Elastic Runtime MySQL, you should also run the following command: <code>$ grep -c YOUR-ERT-MYSQL-ROOT-PASSWORD installation\_settings\_current.json</code></p>
1. Remove the root password from the installation settings file.
<pre class="terminal">
$ sed -e's/"value":{"identity":"root","password":"[^"]*"},\\("identifier":"mysql\_admin\\)/\1/g' installation\_settings\_current.json > installation\_settings\_updated.json
</pre>
1. Validate that the root password has been removed from the `installation_settings_updated.json` file.
<pre class="terminal">
$ grep -c YOUR-MYSQL-FOR-PCF-ROOT-PASSWORD installation\_settings\_updated.json
0
</pre>
<p class="note"><strong>Note</strong>: If you use Elastic Runtime MySQL, you should also run the following command: <code>$ grep -c YOUR-ERT-MYSQL-ROOT-PASSWORD installation\_settings\_updated.json</code></p>
1. Upload the updated installation settings.
<pre class="terminal">
$ curl -skX POST -H "Authorization: Bearer $(cat uaac-token)" "<span>https</span>://YOUR-OPSMAN-FQDN/uaa/api/installation\_settings" -F 'installation[file]=@installation\_settings\_updated.json'
{}
</pre>
1. Navigate to the Ops Manager **Installation Dashboard** and click **Apply Changes**.
1. Once the installation has completed, validate that the MySQL for PCF root password has been changed. Retrieve the new [password](#prereqs) from <strong>MySQL > Credentials</strong>. Use the IP address for the **MySQL Proxy** located in the **Status** tab.
<pre class="terminal">$ mysql -uroot -p -h <%=vars.example_ip_2%>
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
[...]
</pre>
<p class="note"><strong>Note</strong>: If you use Elastic Runtime MySQL, you should also validate that the Elastic Runtime MySQL root password has been changed. Retrieve the new password from <strong>Elastic Runtime > Credentials</strong>. Use the IP address for the **MySQL Proxy**, located in the **Status** tab.</p>