Pivotal Cloud Foundry v1.9

Configuring Pivotal Cloud Foundry SSL Termination for vSphere Deployments


To use SSL termination in Pivotal Cloud Foundry (PCF), you must configure the Pivotal-deployed HAProxy load balancer or your own load balancer.

Pivotal recommends that you use HAProxy in lab and test environments only. Production environments should instead use a highly-available customer-provided load balancing solution.

Select an SSL termination method to determine the steps you must take to configure Elastic Runtime.

Using the Pivotal HAProxy Load Balancer

PCF deploys with a single instance of HAProxy for use in lab and test environments. You can use this HAProxy instance for SSL termination and load balancing to the PCF Routers. HAProxy can generate a self-signed certificate if you do not want to obtain a signed certificate from a well-known certificate authority.

Note: Certificates generated in Elastic Runtime are signed by the Operations Manager Certificate Authority. They are not technically self-signed, but they are referred to as “Self-Signed Certificates” in the Ops Manager GUI and throughout this documentation.

To use the HAProxy load balancer, you must create a wildcard A record in your DNS and configure three fields in the Elastic Runtime product tile.

  1. Create an A record in your DNS that points to the HAProxy IP address. The A record associates the System Domain and Apps Domain that you configure in the Domains section of the Elastic Runtime tile with the HAProxy IP address.

    For example, with cf.example.com as the main subdomain for your CF install and an HAProxy IP address 203.0.113.1, you must create an A record in your DNS that serves example.com and points *.cf to 203.0.113.1.

    Name    Type    Data           Domain
    *.cf    A       203.0.113.1    example.com

  2. Use the Linux host command to test your DNS entry. The host command should return your HAProxy IP address.

    Example:

    $ host cf.example.com
    cf.example.com has address 203.0.113.1
    $ host anything.cf.example.com
    anything.cf.example.com has address 203.0.113.1
    

  3. From the PCF Ops Manager Dashboard, click on the Elastic Runtime tile.

  4. Select Networking.

  5. Leave the Router IPs field blank. HAProxy assigns the router IPs internally.

  6. Enter the IP address for HAProxy in the HAProxy IPs field.

  7. Provide your SSL certificate in the SSL Termination Certificate and Private Key field. See Providing a Certificate for your SSL Termination Point for details.


Using Another Load Balancer

Production environments should use a highly-available customer-provided load balancing solution that does the following:

  • Provides SSL termination with wildcard DNS location
  • Provides load balancing to each of the PCF Router IPs
  • Adds appropriate x-forwarded-for and x-forwarded-proto HTTP headers

You must register static IP addresses for PCF with your load balancer and configure three fields in the Elastic Runtime product tile.

  1. Register one or more static IP addresses for PCF with your load balancer.

  2. Create an A record in your DNS that points to your load balancer IP address. The A record associates the System Domain and Apps Domain that you configure in the Domains section of the Elastic Runtime tile with the IP address of your load balancer.

    For example, with cf.example.com as the main subdomain for your CF install and a load balancer IP address 198.51.100.1, you must create an A record in your DNS that serves example.com and points *.cf to 198.51.100.1.

    Name    Type    Data            Domain
    *.cf    A       198.51.100.1    example.com

  3. From the PCF Ops Manager Dashboard, click on the Elastic Runtime tile.

  4. Select Networking.

  5. In the Router IPs field, enter the static IP address for PCF that you have registered with your load balancer.

  6. Leave the HAProxy IPs field blank.

  7. Provide your SSL certificate in the SSL Termination Certificate and Private Key field. See Providing a Certificate for your SSL Termination Point for details.

Note: When adding or removing PCF routers, you must update your load balancing solution configuration with the appropriate IP addresses.
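
A scripted form of the host check from the DNS steps in both sections above, as an added example that is not part of the original Pivotal documentation: it resolves several names under the wildcard record and fails if any name does not resolve or returns an address other than the expected HAProxy or load balancer IP. The function names and the RESOLVE_CMD override are hypothetical, and the addresses and hostnames in the comments are sample values.

```shell
#!/bin/sh
# Added example (not Pivotal's code): confirm that names under the wildcard
# A record resolve only to the expected HAProxy / load balancer address.
# Function names and RESOLVE_CMD are hypothetical helpers for this sketch.
#
# Usage (sample values, api.* is a constructed name):
#   verify_wildcard 203.0.113.1 anything.cf.example.com api.cf.example.com

# Print every IPv4 address found in `host` output read from stdin.
# Lines such as "has IPv6 address" or "not found" are ignored.
addrs_from_host_output() {
    sed -n 's/^.* has address \([0-9.]*\)$/\1/p'
}

# Resolver hook: defaults to the `host` command. Set RESOLVE_CMD to another
# command or shell function to run the check without network access.
resolve() {
    ${RESOLVE_CMD:-host} "$1" 2>/dev/null
}

# verify_wildcard EXPECTED_IP NAME...
# Returns 0 only if every name resolves and every address equals EXPECTED_IP.
# A name with several A records fails if any one of them is unexpected,
# which catches a stale record left behind next to the new one.
verify_wildcard() {
    expected=$1
    shift
    rc=0
    for name in "$@"; do
        addrs=$(resolve "$name" | addrs_from_host_output)
        if [ -z "$addrs" ]; then
            echo "FAIL $name: no A record returned" >&2
            rc=1
            continue
        fi
        for a in $addrs; do
            if [ "$a" != "$expected" ]; then
                echo "FAIL $name: resolves to $a, expected $expected" >&2
                rc=1
            fi
        done
    done
    return $rc
}
```

Run it with a few arbitrary labels under the wildcard, since a single lookup can pass while other names still point at an old address.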

