Aug 09, 2016 BOSH + UAA with Signed Certificates - Part II
In this second part of configuring UAA with BOSH we cover the changes needed for the Health Monitor, which may not be obvious from the tutorial at http://bosh.io/docs/director-users-uaa.html.
Part I of this tutorial is here: https://www.starkandwayne.com/blog/bosh-uaa-with-signed-certificates/
Change Health Manager Authentication
In your deployment manifest you should have the password defined similar to:

```yaml
hm:
  director_account:
    user: hm_user
    password: hm_password
```
You've removed all the local accounts from BOSH, so the Health Monitor can no longer log in with a password; it needs a UAA client and a client_secret, much like the Shield example in Part I. This takes two steps: first define a new UAA client, then use that client's credentials in the hm.director_account properties. You can reuse the user name and password of the old local account as the client id and secret, and the secret in hm.director_account.client_secret must match uaa.clients.hm_user.secret exactly (note the key is client_secret, not password):

```yaml
uaa:
  clients:
    hm_user:
      authorities: bosh.admin
      authorized-grant-types: client_credentials
      override: true
      scope: bosh.admin
      secret: hm_password
hm:
  director_account:
    client_id: hm_user
    client_secret: hm_password
```
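As an added sanity check (example code written for this post, not part of the original tutorial or of BOSH itself), the following Ruby script parses both manifest fragments above and verifies that hm.director_account points at a UAA client the Health Monitor can actually log in with: it flags leftover user/password keys, a misspelled client_secret key, a client without the client_credentials grant or the bosh.admin authority, and a secret that does not match the client's. The two embedded fragments are constructed, and the script assumes the properties may either sit at the top level, as shown above, or under the director job's properties: key.

```ruby
require 'yaml'

# Constructed manifest fragments (not from the original post): the pre-UAA
# local-account form and the UAA client form.
OLD_HM_FRAGMENT = <<~'YAML'
  hm:
    director_account:
      user: hm_user
      password: hm_password
YAML

NEW_HM_FRAGMENT = <<~'YAML'
  uaa:
    clients:
      hm_user:
        authorities: bosh.admin
        authorized-grant-types: client_credentials
        override: true
        scope: bosh.admin
        secret: hm_password
  hm:
    director_account:
      client_id: hm_user
      client_secret: hm_password
YAML

# Authorities and grant types may be written as a comma-separated string or as
# a YAML list; normalise both to an array of names.
def as_list(value)
  Array(value).flat_map { |v| v.to_s.split(',') }.map(&:strip).reject(&:empty?)
end

# Returns an array of problems with the hm <-> uaa wiring; an empty array means
# the Health Monitor has a client it can authenticate with. Accepts the
# fragment either at the top level or under a `properties:` key (assumption).
def check_hm_uaa_wiring(manifest)
  problems = []
  props   = manifest['properties'] || manifest
  account = props.dig('hm', 'director_account') || {}
  clients = props.dig('uaa', 'clients') || {}

  # Leftover local-account keys: with local users removed these only yield 401s.
  %w[user password].each do |key|
    problems << "hm.director_account.#{key} is still set; use client_id/client_secret" if account.key?(key)
  end

  client_id = account['client_id']
  secret    = account['client_secret']
  problems << 'hm.director_account.client_id is missing' unless client_id
  problems << 'hm.director_account.client_secret is missing (check the key name)' unless secret
  return problems unless client_id

  client = clients[client_id]
  unless client
    problems << "uaa.clients has no entry named #{client_id}"
    return problems
  end

  unless as_list(client['authorized-grant-types']).include?('client_credentials')
    problems << "uaa client #{client_id} lacks the client_credentials grant"
  end
  unless as_list(client['authorities']).include?('bosh.admin')
    problems << "uaa client #{client_id} lacks the bosh.admin authority"
  end
  unless client['secret'] == secret
    problems << "uaa client #{client_id} secret does not match hm.director_account.client_secret"
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  [OLD_HM_FRAGMENT, NEW_HM_FRAGMENT].each do |fragment|
    problems = check_hm_uaa_wiring(YAML.safe_load(fragment))
    puts problems.empty? ? 'ok' : problems.join("\n")
  end
end
```

Run it against the old fragment and it reports the stale password key and the missing client_id; against the new fragment it prints ok. Feeding it a manifest where client_secret was mistyped produces both a "client_secret is missing" and a "secret does not match" problem, which is exactly the situation that shows up as 401s in the Health Monitor log.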
Verify via Logs
SSH onto the microbosh director and tail /var/vcap/sys/log/health_monitor/health_monitor.log. If you get a 401 error you likely copy/pasted the credentials incorrectly, are still using password instead of client_secret, or need another cup of coffee:

```
[2016-08-08T14:06:55.175865 #25522] INFO : [ALERT] Alert @ 2016-08-08 14:06:55 UTC, severity 3: Cannot get deployments from director at https://10.8.6.4:25555/deployments: 401 Not authorized: '/deployments'
```
Tail the log for at least a minute, watching for these requests. If no 401s appear you should be all set: the Health Monitor will once again watch over your deployments now that it logs into BOSH via UAA. Enjoy!
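To make that log check repeatable rather than eyeballing a tail, here is an added Ruby example (written for this post, not code from the original or from BOSH) that scans a health_monitor.log excerpt, pulls out every "Cannot get deployments from director" alert, and separates 401 authentication failures from other director errors such as connection problems, so the verdict matches the advice above. The embedded log is constructed: the 401 line is the one shown above, while the connection-refused alert and the "Found 1 deployments" line are made up to stand in for a network failure and a normal poll, so their exact wording is an assumption.

```ruby
# Constructed health_monitor.log excerpt (not from the original post): the 401
# alert is real, the other two lines are illustrative and their wording is an
# assumption.
SAMPLE_HM_LOG = <<~'LOG'
  [2016-08-08T14:06:55.175865 #25522] INFO : [ALERT] Alert @ 2016-08-08 14:06:55 UTC, severity 3: Cannot get deployments from director at https://10.8.6.4:25555/deployments: 401 Not authorized: '/deployments'
  [2016-08-08T14:07:55.201143 #25522] INFO : [ALERT] Alert @ 2016-08-08 14:07:55 UTC, severity 3: Cannot get deployments from director at https://10.8.6.4:25555/deployments: Connection refused - connect(2)
  [2016-08-08T14:08:55.118420 #25522] INFO : Found 1 deployments
LOG

# "[timestamp #pid] LEVEL : message" as in the line shown above.
LINE_RE = /\A\[(?<ts>\S+) #\d+\]\s+(?<level>\w+)\s*:\s*(?<msg>.*)\z/
# The director-polling alert; the lazy URL match stops at the first ": " so the
# port in the URL is not mistaken for the end of the address.
DIRECTOR_ERROR_RE = %r{Cannot get deployments from director at (?<url>https?://\S+?):\s+(?<reason>.+)\z}

# Returns { lines:, auth_failures: [...], other_failures: [...] } where each
# failure is { at:, director:, status:, reason: }; status is the leading HTTP
# status code of the reason, or nil when there is none (e.g. connection errors).
def scan_hm_log(text)
  summary = { lines: 0, auth_failures: [], other_failures: [] }
  text.each_line do |raw|
    summary[:lines] += 1
    line = LINE_RE.match(raw.chomp) or next
    err  = DIRECTOR_ERROR_RE.match(line[:msg]) or next
    status = err[:reason][/\A(\d{3})\b/, 1]
    entry  = { at: line[:ts], director: err[:url], status: status, reason: err[:reason] }
    (status == '401' ? summary[:auth_failures] : summary[:other_failures]) << entry
  end
  summary
end

# True when the Health Monitor logged in to the director without a 401.
def hm_auth_ok?(text)
  scan_hm_log(text)[:auth_failures].empty?
end

# One-line verdict in the spirit of the advice above.
def hm_verdict(text)
  s = scan_hm_log(text)
  if s[:auth_failures].any?
    "#{s[:auth_failures].size} x 401 from the director: check that hm.director_account " \
      'uses client_id/client_secret and that they match the uaa client'
  elsif s[:other_failures].any?
    reasons = s[:other_failures].map { |e| e[:reason] }.uniq.join('; ')
    "no 401s, but #{s[:other_failures].size} other director error(s): #{reasons}"
  else
    'no director errors seen; Health Monitor is talking to the director'
  end
end

if $PROGRAM_NAME == __FILE__
  text = ARGV.empty? ? SAMPLE_HM_LOG : File.read(ARGV[0])
  puts hm_verdict(text)
end
```

On the director, run it against the real file with `ruby hm_log_check.rb /var/vcap/sys/log/health_monitor/health_monitor.log` (the script name is your choice); with no argument it scans the constructed sample, reports one 401, and sets the connection-refused alert aside as a non-authentication problem that changing credentials will not fix.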