forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcredential-rotation.html.md.erb
75 lines (39 loc) · 2.46 KB
/
credential-rotation.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
---
title: Rotating Runtime CredHub Encryption Keys
owner:
---
This topic discusses how to rotate runtime CredHub encryption keys. Encryption keys are values that CredHub uses to obscure stored secrets. When an operator marks an additional key as primary, CredHub can rotate in that additional key as the encryption key.
During this credential rotation process, the initial encryption key is used to access the hidden value, That value is then stored again by the additional encryption key.
<p class="note warning"><strong>WARNING:</strong> If you remove an encryption key and click <strong>Apply Changes</strong> before the rotation completes, the deployment breaks. If this happens, you can no longer access data stored with the deleted key.</p>
## <a id="rotate"></a> Rotate PAS Encryption Keys
To rotate PAS encryption keys, do the following:
1. Navigate to the **Ops Manager Installation Dashboard**.
1. Click the **Pivotal Application Service** tile.
1. Select the **CredHub** tab.
1. In the **Encryption Keys** section, click **Add**.
<%= image_tag("add-key.png") %>
1. For **Name**, enter the name of your new encryption key.
1. For **Key**, enter your new encryption key.
1. Select the **Primary** check box.
1. Click **Save**.
1. Navigate to the **Ops Manager Installation Dashboard**.
1. Click **Review Pending Changes**, then **Apply Changes**.
## <a id="verify"></a> Verify PAS Encryption Key Rotation
Follow the steps below to verify that the rotation completes.
1. Click the **Pivotal Application Service** tile.
1. Select the **Status** tab.
1. Within the **CredHub** job, locate **Index 0**.
<%= image_tag("logs-list.png") %>
1. Within the **Logs** column, click the correlating download icon.
1. Select the **Logs** tab.
1. Click the corresponding link to the retrieve the downloaded log file.
1. Unzip the log file.
1. Unzip the larger of the two nested directories.
1. Ops Manager generates a compressed file for each CredHub VM that exists on your deployment. Unzip each of these compressed files.
1. Open the `credhub` directory.
1. Open the `credhub.log` file. If the PAS credential rotation completed successfully, the CredHub log contains the following string: `Successfully rotated NUMBER-OF-CREDENTIALS items`
1. Remove the old encryption key.
1. Click the trashcan icon that corresponds to the old encryption key.
1. Click **Save**.
1. Navigate to the **Ops Manager Installation Dashboard**.
1. Click **Review Pending Changes**, then **Apply Changes**.