Stark & Wayne

BOSH + UAA with Signed Certificates - Part II

In the second part of configuring UAA with BOSH we'll cover changes which are needed for Health Monitor which may not be obvious from the tutorial found at http://bosh.io/docs/director-users-uaa.html.

Part I of this tutorial is here: https://www.starkandwayne.com/blog/bosh-uaa-with-signed-certificates/

Change Health Manager Authentication

In your deployment manifest you should have the user and password defined similar to:

hm:
  director_account:
    user:  hm_user
    password: hm_password

You've removed all the local accounts from BOSH so you can no longer use a user & password and instead need to use client_id and client_secret much like we did in the Shield example in Part I. We do this in two steps, the first defines a new UAA client and then we use these client credentials for the hm:director_account properties. You can reuse the same user and password of the local account:

uaa:
  clients:
    hm_user:
      authorities: bosh.admin
      authorized-grant-types: client_credentials
      override: true
      scope: bosh.admin
      secret: hm_password

hm:
  director_account:
    client_id:   hm_user
    client_user: hm_password

Verify via Logs

SSH onto the microbosh director and tail /var/vcap/sys/log/health_monitor/health_monitor.log, if you get a 401 error you likely copy/pasted the creds incorrectly, are still using user & password instead of client_id & client_secret or need another cup of coffee:

[2016-08-08T14:06:55.175865 #25522] INFO : [ALERT] Alert @ 2016-08-08 14:06:55 UTC, severity 3: Cannot get deployments from director at https://10.8.6.4:25555/deployments: 401 Not authorized: '/deployments'

Run the logs for at least a minute watching for these requests. No 401s and you should be all set, Health Monitor will once again watch over your deployments once it logs into Bosh via UAA. Enjoy!