Installing Prisma Cloud for VMware Tanzu

Install and configure Prisma Cloud for VMware Tanzu. After the install is complete, Prisma Cloud Defender will be running in your environment.

Note: If you’re upgrading from a previous release, you must first uninstall any previous versions of PCF Defender. The new 20-09 tile has been rearchitected. The old tile created a dedicated VM in the TAS environment with a Defender installed, and supported blobstore scanning only. The new tile installs Defender on every Diego cell in the TAS environment, with expanded support for app scanning, host scanning, and runtime defense.

Prerequisites: Prisma Cloud Console is already installed and running in your environment. If you’re using Prisma Cloud Enterprise Edition, Console is delivered as SaaS service, so you’re all set. If you’re using Prisma Cloud Compute Edition, you’ve got a number of options. You could install Console on a stand-alone virtual machine with Onebox or as a pod in Tanzu Kubernetes Grid.

Import Prisma Cloud for VMware Tanzu

  1. In Prisma Cloud Console, go to Manage > System > Downloads, and download the tile.

  2. In the Ops Manager Installation Dashboard, click Import a Product, and select the tile you just downloaded.

  3. Retrieve the install command from Prisma Cloud Console. It’s used to configure the tile.

    1. Go to Manage > Defenders > Deploy > Single Defender.

    2. Choose the DNS name or IP address the PCF Defender will use to connect to Console. If a suitable option is not available, go to Manage > Defenders > Names, and add a DNS name or IP address to the SAN table.

    3. Set the Defender type to PCF Defender.

    4. Copy the install command and set it aside.
  4. Go to the PCF Ops Manager Installation Dashboard.

  5. Add the Prisma Cloud tile to your staging area. Click the + button next to the version of the tile you want to install.

Install and Configure the Tile

By default Prisma Cloud performs strict validation of your Cloud Controller’s (CC) TLS certificate. Strict validation verifies the name, signer, and validity date of the CC’s certificate. If you’re using self-signed certificates, this check will fail. To add your custom certificates to trusted cert list, you need to add the custom CA’s cert on the VM where the Prisma Cloud tile runs. For more details about how to do this, see Tanzu trusted certificates.

You can optionally disable strict validation. Even with strict validation disabled, the sesssion is still encrypted. Skip strict validation when:

  • You’re using self-signed certificates.
  • You’re using certificates signed by a CA that isn’t in your cert store.
  • When there’s a mismatch between the address you’re using to connect to the CC and the common name (CN) or subject alternative name (SAN) in the CC’s certificate.
  1. Click the newly added Prisma Cloud for PCF tile.

  2. In Prisma Cloud Component Configuration, paste the install command you copied from Prisma Cloud Console, then click Save.

  3. To skip strict validation of your Cloud Controller’s (CC) TLS certificate, enable Skip Cloud Controller TLS validation.

  4. If you have Prisma Cloud Compute Edition (self-hosted Console):

    1. In Credentials, select your preferred authentication method: Basic Authentication or Certificate-based Authentication. Your role must be Defender Manager or higher.

    2. For Basic Authentication, enter your Prisma Cloud Console credentials, then click Save.

    3. For certificate-based authentication, paste the certificate and private key used for authentication in PEM format, then click Save. For certificate-based authentication, the root CA used to sign the certificate used for authentication must be entered under Manage > Authentication > System Certificates > Advanced Certificate Configuration.
  5. If you have Prisma Cloud Enterprise Edition (SaaS Console):

    1. In Credentials, enter your Prisma Cloud Console credentials, then click Save. Your role must be Defender Manager or higher. Certificate-based authentication is not supported with Prisma Cloud Enterprise Edition.
  6. Install the Prisma Cloud tile. Return to the Ops Manager Installation Dashboard, click Review Pending Changes, select both Prisma Cloud for PCF and Pivotal Application Service, then click Apply changes.

    Note: Pivotal Application Service must be staged when installing the Prisma Cloud tile.

Validate your Installation

After the changes are applied, validate that Prisma Cloud Defenders are running in your environment.

  1. Log into Prisma Cloud Console.

  2. Go to Manage > Defenders > Manage.

  3. In the table of deployed Defenders, you should see a Defender of type PCF, one per Diego cell.

    Tas defenders deployed

Note: Prisma Cloud reports the agentID in the Host field. To correlate an agentID to a Diego cell IP address, and determine exactly which host runs a Defender, login to an Diego cell, and inspect */var/vcap/instance/dns/records.json*. This file shows how the agentID maps to a host IP address.

Note: If a PCF Defender disconnects from Console for more than one day, all data it collected is purged from Console. The Defender is also removed from the table in **Manage > Defenders > Manage**. The period of time that data from a disconneted Defender is retained (by default, one day) can be configured in **Manage > Defenders > Manage > Defenders > Advanced Settings**.