diff --git a/lib/manageiq/appliance_console/database_configuration.rb b/lib/manageiq/appliance_console/database_configuration.rb index d327d53a..211156c2 100644 --- a/lib/manageiq/appliance_console/database_configuration.rb +++ b/lib/manageiq/appliance_console/database_configuration.rb @@ -5,9 +5,13 @@ require 'pathname' require 'fileutils' +require_relative './manageiq_user_mixin' + module ManageIQ module ApplianceConsole class DatabaseConfiguration + include ManageIQ::ApplianceConsole::ManageiqUserMixin + attr_accessor :adapter, :host, :username, :database, :port, :region attr_reader :password @@ -275,7 +279,10 @@ def validate_encryption_key! def do_save(settings) require 'yaml' - File.write(DB_YML, YAML.dump(settings)) + File.open(DB_YML, "w") do |f| + f.write(YAML.dump(settings)) + f.chown(manageiq_uid, manageiq_gid) + end end def initialize_from_hash(hash) diff --git a/lib/manageiq/appliance_console/key_configuration.rb b/lib/manageiq/appliance_console/key_configuration.rb index 15872029..65eb4e02 100644 --- a/lib/manageiq/appliance_console/key_configuration.rb +++ b/lib/manageiq/appliance_console/key_configuration.rb @@ -4,6 +4,8 @@ require 'active_support/all' require 'manageiq-password' +require_relative './manageiq_user_mixin' + module ManageIQ module ApplianceConsole CERT_DIR = ENV['KEY_ROOT'] || ManageIQ::ApplianceConsole::RAILS_ROOT.join("certs") @@ -11,6 +13,8 @@ module ApplianceConsole NEW_KEY_FILE = "#{KEY_FILE}.tmp".freeze class KeyConfiguration + include ManageIQ::ApplianceConsole::ManageiqUserMixin + attr_accessor :host, :login, :password, :key_path, :action, :force def initialize(options = {}) @@ -89,7 +93,9 @@ def fetch_key? end def create_key - ManageIQ::Password.generate_symmetric(NEW_KEY_FILE) && true + return unless !!ManageIQ::Password.generate_symmetric(NEW_KEY_FILE) + + File.chown(manageiq_uid, manageiq_gid, NEW_KEY_FILE) end def fetch_key 
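Review bot: In `do_save`, `manageiq_uid` and `manageiq_gid` are first evaluated inside the `File.open(DB_YML, "w")` block, after `f.write`. If the `manageiq` account cannot be resolved (`Process::UID.from_name` raises `ArgumentError`) or the chown is refused, the error surfaces only once database.yml has been truncated and rewritten under its old owner. Resolving the ids before opening avoids that half-applied state, for example `uid, gid = manageiq_uid, manageiq_gid` ahead of the `File.open` call. The open also passes no permission argument, so a newly created file gets a umask-derived mode; since this file presumably carries the database credentials, consider an explicit mode such as `File.open(DB_YML, "w", 0o600)`, adjusted to what the appliance expects. The same pattern appears in `configure_messaging_yaml` in message_configuration.rb.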
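Review bot: The `!!` in `return unless !!ManageIQ::Password.generate_symmetric(NEW_KEY_FILE)` in `create_key` is redundant, because `unless` already tests truthiness. The method's result also changes from `true` to whatever `File.chown` returns (a file count), or `nil` on the early return. I would write `return unless ManageIQ::Password.generate_symmetric(NEW_KEY_FILE)` and add a comment such as `# truthy once the new key exists and is owned by the manageiq user`, so callers know only truthiness is promised. Note too that this is a path-based `File.chown`, unlike the handle-based `f.chown` in `do_save`. If the directory holding `NEW_KEY_FILE` can be written by anyone other than the account running the console (not visible in this diff), a path-based chown can end up applied to a file other than the one just generated, so that directory's ownership is worth confirming.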
@@ -97,6 +103,7 @@ def fetch_key Net::SCP.start(host, login, :password => password) do |scp| scp.download!(key_path, NEW_KEY_FILE) end + File.chown(manageiq_uid, manageiq_gid, NEW_KEY_FILE) File.exist?(NEW_KEY_FILE) rescue => e say("Failed to fetch key: #{e.message}") diff --git a/lib/manageiq/appliance_console/manageiq_user_mixin.rb b/lib/manageiq/appliance_console/manageiq_user_mixin.rb new file mode 100644 index 00000000..1bdc0caf --- /dev/null +++ b/lib/manageiq/appliance_console/manageiq_user_mixin.rb @@ -0,0 +1,15 @@ +module ManageIQ + module ApplianceConsole + module ManageiqUserMixin + extend ActiveSupport::Concern + + def manageiq_uid + @manageiq_uid ||= Process::UID.from_name("manageiq") + end + + def manageiq_gid + @manageiq_gid ||= Process::GID.from_name("manageiq") + end + end + end +end diff --git a/lib/manageiq/appliance_console/message_configuration.rb b/lib/manageiq/appliance_console/message_configuration.rb index 226b82f5..d4b1b337 100644 --- a/lib/manageiq/appliance_console/message_configuration.rb +++ b/lib/manageiq/appliance_console/message_configuration.rb @@ -1,9 +1,13 @@ require 'active_support/core_ext/module/delegation' require 'pathname' +require_relative './manageiq_user_mixin' + module ManageIQ module ApplianceConsole class MessageConfiguration + include ManageIQ::ApplianceConsole::ManageiqUserMixin + attr_reader :message_keystore_username, :message_keystore_password, :message_server_host, :message_server_port, :miq_config_dir_path, :config_dir_path, :sample_config_dir_path, @@ -116,7 +120,10 @@ def configure_messaging_yaml messaging_yaml["production"]["security.protocol"] = "PLAINTEXT" end - File.write(messaging_yaml_path, messaging_yaml.to_yaml) + File.open(messaging_yaml_path, "w") do |f| + f.write(messaging_yaml.to_yaml) + f.chown(manageiq_uid, manageiq_gid) + end end def remove_installed_files diff --git a/spec/key_configuration_spec.rb b/spec/key_configuration_spec.rb index 9e6caf72..a345f4e2 100644 
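Review bot: In `fetch_key`, the added `File.chown(manageiq_uid, manageiq_gid, NEW_KEY_FILE)` runs before the `File.exist?(NEW_KEY_FILE)` check. When the download leaves no file, the chown raises `Errno::ENOENT` and the existence check can no longer return false. Any chown failure, including a missing `manageiq` account, is then caught by `rescue => e` and reported as "Failed to fetch key", which misattributes the cause. Guarding first keeps the two failures distinct: `return false unless File.exist?(NEW_KEY_FILE)` before the chown, with the method ending in `true`. The rescue body continues outside this hunk, so I cannot see what it returns.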
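Review bot: In the new manageiq_user_mixin.rb, `extend ActiveSupport::Concern` is used without the file requiring ActiveSupport, and the module defines no `included` or `class_methods` block, so the Concern adds nothing. Whether `ActiveSupport::Concern` is already loaded when database_configuration.rb or message_configuration.rb requires the mixin depends on requires that are not all visible in this diff. Either drop the `extend` line or add `require 'active_support/concern'` at the top of the file. A short comment on the module would also help, stating that `Process::UID.from_name("manageiq")` raises `ArgumentError` when the account does not exist and that the looked-up ids are memoized per including instance.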
--- a/spec/key_configuration_spec.rb +++ b/spec/key_configuration_spec.rb @@ -1,4 +1,9 @@ describe ManageIQ::ApplianceConsole::KeyConfiguration do + before do + allow(Process::UID).to receive(:from_name).with("manageiq").and_return(Process.uid) + allow(Process::GID).to receive(:from_name).with("manageiq").and_return(Process.gid) + end + context "#ask_questions" do subject { Class.new(described_class).tap { |c| c.include(ManageIQ::ApplianceConsole::Prompts) }.new } @@ -63,6 +68,7 @@ expect(Net::SCP).to receive(:start).with(host, "root", :password => password) expect(FileUtils).to receive(:mv).with(/v2_key\.tmp/, /v2_key$/, :force=>true).and_return(true) expect(FileUtils).to receive(:chmod).with(0o400, /v2_key/).and_return(["v2_key"]) + expect(File).to receive(:chown).with(Process.uid, Process.gid, /v2_key\.tmp/) expect(subject.activate).to be_truthy end @@ -72,6 +78,7 @@ expect(ManageIQ::Password).to receive(:generate_symmetric).and_return(154) expect(FileUtils).to receive(:mv).with(/v2_key\.tmp/, /v2_key$/, :force=>true).and_return(true) expect(FileUtils).to receive(:chmod).with(0o400, /v2_key/).and_return(["v2_key"]) + expect(File).to receive(:chown).with(Process.uid, Process.gid, /v2_key\.tmp/).and_return(0) expect(subject.activate).to be_truthy end end @@ -86,6 +93,7 @@ expect(Net::SCP).to receive(:start).with(host, "root", :password => password).and_yield(scp).and_return(true) expect(FileUtils).to receive(:mv).with(/v2_key\.tmp/, /v2_key$/, :force=>true).and_return(true) expect(FileUtils).to receive(:chmod).with(0o400, /v2_key/).and_return(["v2_key"]) + expect(File).to receive(:chown).with(Process.uid, Process.gid, /v2_key\.tmp/) expect(subject.activate).to be_truthy end diff --git a/spec/message_configuration_client_spec.rb b/spec/message_configuration_client_spec.rb index 00c4b34c..6997a597 100644 --- a/spec/message_configuration_client_spec.rb +++ b/spec/message_configuration_client_spec.rb 
@@ -27,6 +27,9 @@ FileUtils.mkdir_p("#{@tmp_base_dir}/config") FileUtils.mkdir_p("#{@tmp_base_dir}/config-sample") + + allow(Process::UID).to receive(:from_name).with("manageiq").and_return(Process.uid) + allow(Process::GID).to receive(:from_name).with("manageiq").and_return(Process.gid) end after do @@ -268,7 +271,7 @@ shared_examples "messaging yaml file" do it "creates the messaging yaml file" do - expect(subject.send(:configure_messaging_yaml)).to be_positive + subject.send(:configure_messaging_yaml) expect(subject.messaging_yaml_path).to exist end @@ -280,7 +283,12 @@ end it "correctly populates the messaging yaml file" do - expect(File).to receive(:write).with(subject.messaging_yaml_path, content) + allow(File).to receive(:open).and_call_original + + file_stub = double("File") + expect(File).to receive(:open).with(subject.messaging_yaml_path, "w").and_yield(file_stub) + expect(file_stub).to receive(:write).with(content) + expect(file_stub).to receive(:chown).with(Process.uid, Process.gid) expect(subject.send(:configure_messaging_yaml)).to be_nil end end