This document's purpose is to outline the credentials that BOSH currently creates for the director and any special considerations an operator should take when rotating them.
This document is intended for advanced usage and should not be used as step-by-step instructions for credential rotation.
Generic Credential Rotation
In order to rotate a credential (e.g. a password or certificate), remove it from the credential store (vars-store or CredHub). The BOSH CLI (when using a vars-store) or CredHub will generate a new credential when BOSH is re-deployed.
This applies to the following credentials:
- blobstore_director_password when using a local blobstore
- postgres_password when using a local postgres
- uaa_clients_director_to_credhub, assuming UAA and CredHub are co-located on the director VM
- mbus_bootstrap_password: rotating it results in a hard shutdown of the director VM without running drain scripts (it is planned to prevent this by using mutual TLS). Therefore, it is important that no deployments are in progress before re-deploying the director.
Credentials with additional steps
- admin_password: so that admin clients can continue to authenticate after the director gets re-deployed and before the new admin password is passed to the clients, it is recommended to add a new admin user and password to director.user_management.local.users before removing the old password.
- nats_password is deprecated and applies only if the property nats.allow_legacy_agents is set. Use mutual TLS instead. If nats_password needs to be rotated, all VMs deployed by the director must be recreated. After re-deploying the director and before re-deploying the VMs, the resurrector plugin of the health monitor may attempt to resurrect the VMs or may consider the deployments to be in meltdown mode.
- credhub_admin_client_secret: so that CredHub admin clients can authenticate after CredHub gets re-deployed and before the new CredHub admin secret is passed to the clients, it is recommended to add a new CredHub admin user and secret to uaa.clients before removing the old secret.
- credhub_cli_user_password: so that the CredHub CLI user can authenticate after CredHub gets re-deployed and before the new CredHub CLI user password is passed to the clients, it is recommended to add a new CredHub CLI user and password to uaa.scim.users before removing the old password.
- default_ca, including its signed certificates
  - mbus_bootstrap_ssl: if there are VMs deployed by the director which access the director HTTP API (e.g. the service-fabrik-broker), the concatenated old and new default CA must be provided to the VMs before re-deploying the director. This is necessary for the VMs to communicate with the director HTTP API after the director gets re-deployed with the new default CA and before the VMs get re-deployed with the new default CA.
- credhub_ca, including its signed certificate
  - credhub_tls: if there are VMs deployed by the director which access the CredHub API, the concatenated old and new CredHub CA must be provided to the VMs before re-deploying the director. This is necessary for the VMs to communicate with the CredHub API after the director gets re-deployed with the new CredHub CA and before the VMs get re-deployed with the new CredHub CA.
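The transition window for default_ca and credhub_ca is the same problem: until the VMs are re-deployed, they must trust certificates issued by both the old and the new CA. The following Go program, an added example not taken from the BOSH project, constructs an old and a new CA, signs a director certificate with the new one and shows that only the concatenated bundle accepts it; the CA names, the director certificate and the use of P-256 keys are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a self-signed CA named name when parent is nil, otherwise a certificate signed by parent (constructed material, not generated by BOSH).
func mkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 chosen for speed (assumption)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above always parses
	return cert, key
}

// accepts reports whether a client whose trust store holds exactly cas validates leaf.
func accepts(leaf *x509.Certificate, cas ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// RotationWindow models the gap described above: the director already serves a certificate from
// the new CA while a VM still has its old trust store. It returns whether the old CA alone, and
// the concatenated old+new bundle, accept that certificate.
func RotationWindow() (oldOnly, concatenated bool) {
	oldCA, _ := mkCert("old default_ca", nil, nil)
	newCA, newKey := mkCert("new default_ca", nil, nil)
	directorCert, _ := mkCert("director", newCA, newKey) // hypothetical director API certificate
	return accepts(directorCert, oldCA), accepts(directorCert, oldCA, newCA)
}
```

The same check applies to credhub_ca and the credhub_tls certificate: a VM holding only the old CA rejects the re-deployed endpoint, while the concatenated bundle keeps working before and after the VMs themselves are re-deployed.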
Specific Credential Rotation
- Add a new user/password to the database system with access to the BOSH database
- Update external_db_password with the new credentials
- Re-deploy the director
- Remove the old user/password from the database system