-
Notifications
You must be signed in to change notification settings - Fork 140
/
opsmanager-create-bosh-client.html.md.erb
125 lines (91 loc) · 5.68 KB
/
opsmanager-create-bosh-client.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
---
title: Creating UAA Clients for BOSH Director
owners: Ops Manager
---
_This topic assumes you are using [BOSH CLI v2+](https://bosh.io/docs/cli-v2.html)_.
This topic describes the process of creating a UAA client for the BOSH Director.
You must create an automation client to run BOSH from a script or set up a continuous integration pipeline.
To create an automation client, do one of the following:
- [Local Authentication](#local_auth): When using Internal Authentication, use the existing admin client to manually create an automation client with the correct privileges.
- [Provision Admin Client](#saml): When setting up SAML or LDAP authentication, ensure Ops Manager provisions an admin client.
##<a id="local_auth"></a> Local Authentication
To perform this procedure, the UAAC client must be installed on the Ops Manager virtual machine (VM).
1. Open a terminal and SSH into the Ops Manager VM by following the instructions for your IaaS in the [SSH into Ops Manager](./trouble-advanced.html#ssh) topic.
1. Navigate to the Ops Manager **Installation Dashboard** and select the **BOSH Director** tile. In BOSH Director, click the **Status** tab, and record the IP address.
1. Using the `uaac target` command, target BOSH Director UAA on port `8443` using the IP address you copied, and specify the location of the root certificate. The default location is `/var/tempest/workspaces/default/root_ca_certificate`.
<pre class='terminal'>
$ uaac target https://BOSH-DIRECTOR-IP:8443 --ca-cert \
/var/tempest/workspaces/default/root_ca_certificate
Target: http<span>s</span>://10.85.16.4:8443
</pre>
Where:
- `BOSH-DIRECTOR-IP` is the IP you recorded in the **Status** tab of the BOSH Director.
<p class="note"><strong>Note</strong>: You can also curl or point your browser to the following endpoint to obtain the root certificate: <code>https://OPS-MANAGER-FQDN/api/v0/security/root_ca_certificate</code></p>
1. Log in to the BOSH Director UAA and retrieve the owner token. Perform the following step to obtain the values for `UAA-LOGIN-CLIENT-PASSWORD` and `UAA-ADMIN-CLIENT-PASSWORD`:
1. Select the **BOSH Director** tile from the Ops Manager **Installation Dashboard**.
1. Click the **Credentials** tab, and record the entries for **Uaa Login Client Credentials** and **Uaa Admin User Credentials**.
1. For each entry, click **Link to Credential** to obtain the password.
<pre class='terminal'>
$ uaac token owner get login -s UAA-LOGIN-CLIENT-PASSWORD
User name: admin
Password: UAA-ADMIN-CLIENT-PASSWORD<br/>
Successfully fetched token via owner password grant.
Target: http<span>s</span>://10.85.16.4:8443
Context: admin, from client login
</pre>
<div class="note"><strong>Note</strong>: To obtain the password for the UAA login and admin clients, you can also curl or point your browser to the following endpoints: <code>http<span>s</span>://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_login_client_credentials</code>
and <code>http<span>s</span>://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_admin_user_credentials</code>
</div>
1. Create a new UAA Client with `bosh.admin` privileges.
<pre class='terminal'>
$ uaac client add ci --authorized_grant_types client_credentials \
--authorities bosh.admin --secret CI-SECRET
scope: uaa.none
client_id: ci
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
action: none
authorities: bosh.admin
name: ci
lastmodified: 1469727130702
id: ci
</pre>
1. Set the client and secret as environment variables on the VM.
<pre class='terminal'>
$ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=ci
$ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=CI-SECRET
</pre>
1. Set an alias for the BOSH Director environment.
<pre class='terminal'>
$ bosh alias-env MY-ENVIRONMENT-NAME -e BOSH-DIRECTOR-IP \
--ca-cert /var/tempest/workspaces/default/root_ca_certificate
</pre>
You can now use the UAA client you created to run BOSH in automated or scripted environments, such as continuous integration pipelines.
## <a id="saml"></a> Provision Admin Client
<%= vars.company_name %> does not support LDAP or SAML authentication to the BOSH Director.
Ops Manager provides an option to create UAA clients during SAML or LDAP configuration so that BOSH can be automated using scripts and tooling.
1. Select **Provision an admin client in the Bosh UAA** when configuring Ops Manager for SAML or LDAP.
2. Click the **Status** tab, and record the IP address, after deploying BOSH Director (BOSH).
3. Click the **Credentials** tab in the BOSH Director tile.
4. Click the link for the **Uaa Bosh Client Credentials** to record the client name and secret.
5. Open a terminal and SSH into the Ops Manager VM. Follow the instructions for your SSH in the [SSH into Ops Manager](trouble-advanced.html#ssh) topic.
6. Set the client and secret as environment variables on the Ops Manager VM.
```
export BOSH_CLIENT=bosh_admin_client
export BOSH_CLIENT_SECRET=UAA-BOSH-CLIENT-SECRET
```
Where:
- `UAA-BOSH-CLIENT-SECRET` is the client secret you recorded in Step 4.
For example:
<pre class='terminal'>
$ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=bosh_admin_client
$ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=aBcDeFGhijKabdsadfdfdf
</pre>
7. Set an alias for the BOSH Director environment.
<pre class='terminal'>
$ bosh alias-env MY-ENVIRONMENT-NAME -e BOSH-DIRECTOR-IP \
--ca-cert /var/tempest/workspaces/default/root_ca_certificate
</pre>
Where:
- `BOSH-DIRECTOR-IP` is the IP you recorded in the **Status** tab of the BOSH Director.