Configuring BOSH Director on AWS

Page last updated:

This topic describes how to configure Ops Manager to deploy Pivotal Cloud Foundry (PCF) on Amazon Web Services (AWS).

Before beginning this procedure, ensure that you have successfully completed all of the steps in the Installing PCF on AWS Manually topic. After completing the procedures in this topic, proceed to the Deploying PAS on AWS topic to continue deploying PCF.

Step 1: Access Ops Manager

  1. In a web browser, navigate to the fully qualified domain you created in the Configure DNS Records step of Installing PCF on AWS Manually.

  2. When Ops Manager starts for the first time, you must choose one of the following:

Select authentication

Use an Identity Provider (IdP)

  1. Log in to your IdP console and download the IdP metadata XML. Optionally, if your IdP supports metadata URL, you can copy the metadata URL instead of the XML.

  2. Copy the IdP metadata XML or URL to the Ops Manager Use an Identity Provider log in page. Meta om

    Note: The same IdP metadata URL or XML is applied for the BOSH Director. If you use a separate IdP for BOSH, copy the metadata XML or URL from that IdP and enter it into the BOSH IdP Metadata text box in the Ops Manager log in page.

  3. Enter values for the fields listed below. Failure to provide values in these fields results in a 500 error.

    Note: These attributes are case-sensitive.

    • SAML admin group: Enter the name of the SAML group that contains all Ops Manager administrators.
    • SAML groups attribute: Enter the groups attribute tag name with which you configured the SAML server.
  4. Enter your Decryption passphrase. Read the End User License Agreement, and select the checkbox to accept the terms.

  5. Your Ops Manager log in page appears. Enter your username and password. Click Login.

  6. Download your SAML Service Provider metadata (SAML Relying Party metadata) by navigating to the following URLs:

    • 6a. Ops Manager SAML service provider metadata: https://OPS-MAN-FQDN:443/uaa/saml/metadata
    • 6b. BOSH Director SAML service provider metadata: https://BOSH-IP-ADDRESS:8443/saml/metadata

    Note: To retrieve your BOSH-IP-ADDRESS, navigate to the Status tab in the BOSH Director. Record the BOSH Director IP address.

  7. Configure your IdP with your SAML Service Provider metadata. Import the Ops Manager SAML provider metadata from Step 6a above to your IdP. If your IdP does not support importing, provide the values below.

    • Single sign on URL: https://OPS-MAN-FQDN:443/uaa/saml/SSO/alias/OPS-MAN-FQDN
    • Audience URI (SP Entity ID): https://OP-MAN-FQDN:443/uaa
    • Name ID: Email Address
    • SAML authentication requests are always signed
  8. Import the BOSH Director SAML provider metadata from Step 6b to your IdP. If the IdP does not support an import, provide the values below.

    • Single sign on URL: https://BOSH-IP-ADDRESS:8443/saml/SSO/alias/BOSH-IP-ADDRESS
    • Audience URI (SP Entity ID): https://BOSH-IP-ADDRESS:8443
    • Name ID: Email Address
    • SAML authentication requests are always signed
  9. Return to the BOSH Director tile and continue with the configuration steps below.

Internal Authentication

  1. When redirected to the Internal Authentication page, do the following:

    • Enter a Username, Password, and Password confirmation to create an Admin user.
    • Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Ops Manager datastore, and is not recoverable.
    • If you are using an HTTP proxy or HTTPS proxy, follow the instructions in the Configuring Proxy Settings for the BOSH CPI topic.
    • Read the End User License Agreement, and select the checkbox to accept the terms.
    • Click Setup Authentication.

    Om login

  2. Log in to Ops Manager with the Admin username and password you created in the previous step.

    Cf login

Step 2: AWS Config Page

  1. Click the BOSH Director tile.

    Director tile aws

  2. Select AWS Config.

    Aws config

  3. Select Use AWS Keys or Use AWS Instance Profile.

    • Access Key ID and AWS Secret Key: To retrieve your AWS key information, use the AWS Identity and Access Management (IAM) credentials that you generated in the Step 3: Create an IAM User for PCF section of the Installing PCF on AWS Manually topic.
    • AWS IAM Instance Profile: Enter the name of the IAM profile you created in the Step 3: Create an IAM User for PCF section of the Installing PCF on AWS Manually topic.
  4. Complete the rest of the AWS Management Console Config page:

    • Security Group ID: Enter the Group ID of the pcf-vms-security-group you created for your PCF VMs in the Step 6: Configure a Security Group for PCF VMs section of the Installing PCF on AWS Manually topic. Locate the Group ID in the Security Groups tab of your EC2 Dashboard.
    • Key Pair Name: Enter pcf-ops-manager-key.
    • SSH Private Key: Open the AWS key pair pcf-ops-manager-keys.pem file you generated in the Step 3: Create an IAM User for PCF section of the Installing PCF on AWS Manually topic. Copy the contents of the .pem file and paste it into the SSH Private Key field.
    • Region: Select the region where you deployed Ops Manager.
    • Encrypt EBS Volumes: Select this checkbox to enable full encryption on persistent disks of all BOSH-deployed VMs except the Ops Manager VM and Director VM. See the Configuring Amazon EBS Encryption for PCF on AWS topic for details about using EBS encryption.

      Note: Enabling EBS encryption only encrypts Linux VMs. The Windows VMs deployed with Pivotal Application Service (PAS) for Windows or PAS for Windows 2012R2 are not encrypted.

  5. Click Save.

Step 3: Director Config Page

  1. Select Director Config.

    Director aws

  2. Enter at least two of the following NTP servers in the NTP Servers (comma delimited) field, separated by a comma: 0.amazon.pool.ntp.org,1.amazon.pool.ntp.org,2.amazon.pool.ntp.org,3.amazon.pool.ntp.org

    Note: The NTP server configuration only updates after VM recreation. Ensure that you select the Recreate all VMs checkbox if you modify the value of this field.

  3. Leave the JMX Provider IP Address field blank.

    Note: Starting from PCF v2.0, BOSH-reported component metrics are available in the Loggregator Firehose by default. Therefore, if you continue to use PCF JMX Bridge for consuming them outside of the Firehose, you may receive duplicate data. To prevent this, leave the JMX Provider IP Address field blank. For additional guidance, see BOSH System Metrics Available in Loggregator Firehose.

  4. Leave the Bosh HM Forwarder IP Address field blank.

    Note: Starting from PCF v2.0, BOSH-reported component metrics are available in the Loggregator Firehose by default. Therefore, if you continue to use the BOSH HM Forwarder for consuming them, you may receive duplicate data. To prevent this, leave the Bosh HM Forwarder IP Address field blank. For additional guidance, see BOSH System Metrics Available in Loggregator Firehose.

  5. Select the Enable VM Resurrector Plugin checkbox to enable the Ops Manager Resurrector functionality and increase Pivotal Application Service (PAS) availability. For more information, see the Using Ops Manager Resurrector on VMware vSphere topic.

  6. Select Enable Post Deploy Scripts to run a post-deploy script after deployment. This script allows the job to execute additional commands against a deployment.

    Note: You must enable post-deploy scripts to install PKS.

  7. Select Recreate all VMs to force BOSH to recreate all VMs on the next deploy. This process does not destroy any persistent disk data.

  8. Select Enable bosh deploy retries if you want Ops Manager to retry failed BOSH operations up to five times.

  9. Select Keep Unreachable Director VMs if you want to preserve BOSH Director VMs after a failed deployment for troubleshooting purposes.

  10. (Optional) Select HM Pager Duty Plugin to enable Health Monitor integration with PagerDuty.

    Director hm pager

    • Service Key: Enter your API service key from PagerDuty.
    • HTTP Proxy: Enter an HTTP proxy for use with PagerDuty.
  11. (Optional) Select HM Email Plugin to enable Health Monitor integration with email.

    Director hm email

    • Host: Enter your email hostname.
    • Port: Enter your email port number.
    • Domain: Enter your domain.
    • From: Enter the address for the sender.
    • Recipients: Enter comma separated addresses of intended recipients.
    • Username: Enter the username for your email server.
    • Password: Enter your username’s password.
    • Enable TLS: Select this checkbox to enable Transport Layer Security.
  12. For CredHub Encryption Provider, you can choose whether BOSH CredHub stores its encryption key internally on the BOSH Director and CredHub VM, or in an external hardware security module (HSM). The HSM option is more secure. Before configuring an HSM encryption provider in the Director Config pane, you must follow the procedures and collect information as described in Preparing CredHub HSMs for Configuration.

    Note: After you deploy Ops Manager with an HSM encryption provider, you cannot change BOSH CredHub to store encryption keys internally.

    CredHub Encryption Provider options in the Director Config pane

    • Internal: Select this option for internal CredHub key storage. This option is selected by default and requires no additional configuration.
    • Luna HSM: Select this option to use a SafeNet Luna HSM as your permanent CredHub encryption provider, and fill in the following fields:
      1. Encryption Key Name: Any name to identify the key that the HSM uses to encrypt and decrypt the CredHub data. Changing this key name after you deploy Ops Manager could cause service downtime.
      2. Provider Partition: The partition that stores your encryption key. Changing this partition after you deploy Ops Manager could cause service downtime. For this value and the ones below, use values gathered from Preparing CredHub HSMs for Configuration.
      3. Provider Partition Password
      4. Provider Client Certificate: The certificate that validates the identity of the HSM when CredHub connects as a client.
      5. Provider Client Certificate Private Key
      6. HSM Host Address
      7. HSM Port Address: If you don’t know your port address, enter 1792.
      8. Partition Serial Number
      9. HSM Certificate: The certificate that the HSM presents to CredHub to establish a two-way mTLS connection.

  13. Select a Blobstore Location to either configure the blobstore as an internal server or an external endpoint. Because the internal server is unscalable and less secure, Pivotal recommends you configure an external blobstore.

    Note: After you deploy Ops Manager, you cannot change the blobstore location.

    Blobstore location options in the Director Config pane

    • Internal: Select this option to use an internal blobstore. Ops Manager creates a new VM for blob storage. No additional configuration is required.
    • S3 Compatible Blobstore: Select this option to use an external S3-compatible endpoint. When you have created an S3 bucket, complete the following steps:
      1. S3 Endpoint: Navigate to the Regions and Endpoints topic in the AWS documentation. Locate the endpoint for your region in the Amazon Simple Storage Service (S3) table and construct a URL using your region’s endpoint. For example, if you are using the us-west-2 region, the URL you create would be https://s3-us-west-2.amazonaws.com. Enter this URL into the S3 Endpoint field in Ops Manager.
      2. Bucket Name: Enter the name of the S3 bucket.
      3. Access Key and Secret Key: Enter the keys you generated when creating your S3 bucket.
      4. Select V2 Signature or V4 Signature. If you select V4 Signature, enter your Region.

        Note: AWS recommends using Signature Version 4. For more information about AWS S3 Signatures, see the Authenticating Requests documentation.

    • GCS Blobstore: Select this option to use an external Google Cloud Storage (GCS) endpoint. To create a GCS bucket, you will need a GCS account. Then follow the procedures in Creating Storage Buckets. When you have created a GCS bucket, complete the following steps:
      1. Bucket Name: Enter the name of your GCS bucket.
      2. Storage Class: Select the storage class for your GCS bucket. See Storage Classes in the GCP documentation for more information.
      3. Service Account Key: Follow the steps in the Set up an IAM Service Account section of Preparing to Deploy Ops Manager on GCP Manually to download a JSON file with a private key. Enter the contents of the JSON file into the field.

  14. For Database Location, select External MySQL Database and complete the following steps: Director database

    • From the AWS Console, navigate to the RDS Dashboard.
    • Select Instances, then click the arrow to the left of your instance and select the second icon to display the Details information.
    • Refer to the following table to retrieve the values for the Director Config page:
      RDS Instance Field BOSH Director Field
      Endpoint Host
      Port Port, which is 3306.
      DB Name Database, which is bosh.
      Username Username

    • For Password, enter the password that you defined for your MySQL database when you created in the Step 19: Create a MySQL Database using AWS RDS section of the Installing PCF on AWS Manually topic.
  15. (Optional) Director Workers sets the number of workers available to execute Director tasks. This field defaults to 5.

  16. (Optional) Max Threads sets the maximum number of threads that the BOSH Director can run simultaneously. For AWS, the default value is 6. Leave this field blank to use this default value. Pivotal recommends that you use the default value unless doing so results in rate limiting or errors on your IaaS.

  17. (Optional) To add a custom URL for your BOSH Director, enter a valid hostname in Director Hostname. You can also use this field to configure a load balancer in front of your BOSH Director.

    WARNING: In Ops Manager v2.1.17 and earlier, if you change the Director Hostname after your initial deployment, VMs become unavailable. This causes PCF downtime. To restore VM availability, enable Recreate All VMs and redeploy. This issue is resolved in Ops Manager v2.1.18 and later.

  18. (Optional) Enter your list of comma-separated Excluded Recursors to declare which IP addresses and ports should not be used by the DNS server.

  19. (Optional) To disable BOSH DNS, select the Disable BOSH DNS server for troubleshooting purposes checkbox. For more information about the BOSH DNS service discovery mechanism, see BOSH DNS Service Discovery for Application Containers in the Pivotal Application Service (PAS) Release Notes.

    Breaking Change: Do not disable BOSH DNS without consulting Pivotal Support. For more information about disabling BOSH DNS, see Disabling or Opting Out of BOSH DNS in PCF in the Pivotal Knowledge Base.

  20. (Optional) To set a custom banner that users see when logging in to the Director using SSH, enter text in the Custom SSH Banner field. Disable bosh dns

  21. Click Save.

Step 4: Create Availability Zones Page

Note: Pivotal recommends at least three availability zones (AZs) for a highly available installation of PAS. The procedures in Installing PCF on AWS Manually use 3 AZs.

  1. Select Create Availability Zones. Create az

  2. To add the three AZs you specified in the Step 4: Create a VPC section of the Installing PCF on AWS Manually topic, do the following:

    1. Click Add.
    2. For Amazon Availability Zone, enter the name of the AZ.
    3. Repeat until you have entered all three AZs, in the format REGION-#a, REGION-#b, and REGION-#c. For example, us-west-2a, us-west-2b, and us-west-2c.
  3. Click Save.

Step 5: Create Networks Page

  1. Select Create Networks. Create networks

  2. (Optional) Select Enable ICMP checks to enable ICMP on your networks. Ops Manager uses ICMP checks to confirm that components within your network are reachable.

  3. Perform the following steps to add the network configuration that you created for your VPC in the Create a VPC section of Installing PCF on AWS Manually. Record your VPC CIDR if you set a CIDR other than the recommendation!

    1. Click Add Network.
    2. For Name, enter infrastructure.
    3. Create a subnet for each availability zone by clicking Add Subnet. Refer to the table below for the information required to create all three subnets:
      First
      Subnet
      VPC Subnet ID pcf-infrastructure-subnet-az0
      CIDR 10.0.16.0/28
      Reserved IP Ranges 10.0.16.0-10.0.16.4
      DNS 10.0.0.2*
      Gateway 10.0.16.1
      Availability Zones REGION-#a. For example, us-west-2a.
      Second
      Subnet
      VPC Subnet ID pcf-infrastructure-subnet-az1
      CIDR 10.0.16.16/28
      Reserved IP Ranges 10.0.16.16-10.0.16.20
      DNS 10.0.0.2*
      Gateway 10.0.16.17
      Availability Zones REGION-#b. For example, us-west-2b
      Third
      Subnet
      VPC Subnet ID pcf-infrastructure-subnet-az2
      CIDR 10.0.16.32/28
      Reserved IP Ranges 10.0.16.32-10.0.16.36
      DNS 10.0.0.2*
      Gateway 10.0.16.33
      Availability Zones REGION-#c. For example, us-west-2c

      * If you set a VPC CIDR other than recommended, enter the second IP in your VPC CIDR. For example, for a 10.0.0.0/24 VPC CIDR, enter 10.0.0.2 in each subnet.


    4. Click Add Network.
    5. For Name, enter the name of your runtime. For example, pas.
    6. Create a subnet for each availability zone by clicking Add Subnet. See the table below for the information required to create all three subnets:
      First
      Subnet
      VPC Subnet ID pcf-pas-subnet-az0
      CIDR 10.0.4.0/24
      Reserved IP Ranges 10.0.4.0-10.0.4.4
      DNS 10.0.0.2*
      Gateway 10.0.4.1
      Availability Zones REGION-#a. For example, us-west-2a
      Second
      Subnet
      VPC Subnet ID pcf-pas-subnet-az1
      CIDR 10.0.5.0/24
      Reserved IP Ranges 10.0.5.0-10.0.5.4
      DNS 10.0.0.2*
      Gateway 10.0.5.1
      Availability Zones REGION-#b. For example, us-west-2b
      Third
      Subnet
      VPC Subnet ID pcf-pas-subnet-az2
      CIDR 10.0.6.0/24
      Reserved IP Ranges 10.0.6.0-10.0.6.4
      DNS 10.0.0.2*
      Gateway 10.0.6.1
      Availability Zones REGION-#c. For example, us-west-2c

      * If you set a VPC CIDR other than recommended, enter the second IP in your VPC CIDR. For example, for a 10.0.0.0/24 VPC CIDR, enter 10.0.0.2 in each subnet.


    7. Click Add Network.
    8. For Name, enter services.
    9. Create a subnet for each availability zone by clicking Add Subnet. Refer to the table below for the information required to create all three subnets:
      First
      Subnet
      VPC Subnet ID pcf-services-subnet-az0
      CIDR 10.0.8.0/24
      Reserved IP Ranges 10.0.8.0-10.0.8.3
      DNS 10.0.0.2*
      Gateway 10.0.8.1
      Availability Zones REGION-#a. For example, us-west-2a.
      Second
      Subnet
      VPC Subnet ID pcf-services-subnet-az1
      CIDR 10.0.9.0/24
      Reserved IP Ranges 10.0.9.0-10.0.9.3
      DNS 10.0.0.2*
      Gateway 10.0.9.1
      Availability Zones REGION-#b. For example, us-west-2b.
      Third
      Subnet
      VPC Subnet ID pcf-services-subnet-az2
      CIDR 10.0.10.0/24
      Reserved IP Ranges 10.0.10.0-10.0.10.3
      DNS 10.0.0.2*
      Gateway 10.0.10.1
      Availability Zones REGION-#c. For example, us-west-2c.

      * If you set a VPC CIDR other than recommended, enter the second IP in your VPC CIDR. For example, for a 10.0.0.0/24 VPC CIDR, enter 10.0.0.2 in each subnet.

  4. Click Save.

    Note: After you deploy Ops Manager, you add subnets with overlapping Availability Zones to expand your network. For more information about configuring additional subnets, see Expanding Your Network with Additional Subnets.

Step 6: Assign AZs and Networks

  1. Select Assign AZs and Networks. Assign az

  2. Use the dropdown to select a Singleton Availability Zone. The BOSH Director is deployed into this AZ.

  3. Use the dropdown to select infrastructure under Network. The BOSH Director is deployed into this network.

  4. Click Save.

Step 7: Security Page

  1. Select Security. Om security

  2. In Trusted Certificates, enter your custom certificate authority (CA) certificates to insert into your organization’s certificate trust chain. This feature enables all BOSH-deployed components in your deployment to trust custom root certificates.

    To enter multiple certificates, paste your certificates one after the other. For example, format your certificates like the following:

    -----BEGIN CERTIFICATE-----
    ABCDEFGH12345678ABCDEFGH12345678ABCDEFGH12345678AB
    EFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABCDEF
    GH12345678ABCDEFGH12345678ABCDEFGH12345678...
    ------END CERTIFICATE------
    -----BEGIN CERTIFICATE-----
    BCDEFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABB
    EFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABCDEF
    GH12345678ABCDEFGH12345678ABCDEFGH12345678...
    ------END CERTIFICATE------
    -----BEGIN CERTIFICATE-----
    CDEFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABBB
    EFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABCDEF
    GH12345678ABCDEFGH12345678ABCDEFGH12345678...
    ------END CERTIFICATE------

    Note: If you want to use Docker Registries for running app instances in Docker containers, enter the certificate for your private Docker Registry in this field. See Using Docker Registries for more information on running app instances in PAS using Docker Registries.

  3. Choose Generate passwords or Use default BOSH password. Pivotal recommends that you use the Generate passwords option for greater security.

  4. Click Save. To view your saved Director password, click the Credentials tab.

Step 8: Syslog Page

  1. Select Syslog. Syslog bosh

  2. (Optional) To send BOSH Director system logs to a remote server, select Yes.

  3. In the Address field, enter the IP address or DNS name for the remote server.

  4. In the Port field, enter the port number that the remote server listens on.

  5. In the Transport Protocol dropdown menu, select TCP, UDP, or RELP. This selection determines which transport protocol is used to send the logs to the remote server.

  6. (Optional) Pivotal strongly recommends that you enable TLS encryption when forwarding logs as they may contain sensitive information. For example, these logs may contain cloud provider credentials. To enable TLS, perform the following steps.

    • In the Permitted Peer field, enter either the name or SHA1 fingerprint of the remote peer.
    • In the SSL Certificate field, enter the SSL certificate for the remote server.
  7. Click Save.

Step 9: Resource Config Page

  1. Select Resource Config. Resource config new

  2. Adjust any values as necessary for your deployment. Under the Instances, Persistent Disk Type, and VM Type fields, choose Automatic from the dropdown to allocate the recommended resources for the job. If the Persistent Disk Type field reads None, the job does not require persistent disk space.

    Note: Pivotal recommends provisioning a BOSH Director VM with at least 8 GB memory.

    Note: If you set a field to Automatic and the recommended resource allocation changes in a future version, Ops Manager automatically uses the new recommended allocation.

    Note: If you install PAS for Windows, provision your Master Compilation Job with at least 128 GB of disk space.

  3. (Optional) Enter your AWS target group name in the Load Balancers column for each job. Prepend the name with alb:. For example, enter alb:target-group-name. To create an Application Load Balancer (ALB) and target group, follow the procedures in Getting Started with Application Load Balancers in the AWS documentation. Then navigate to Target Groups in the EC2 Dashboard menu to find your target group Name.

    Note: To configure an ALB, you must have the following AWS IAM permissions.

    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:RegisterTargets"

  4. Click Save.

Step 10: Complete the BOSH Director Installation

  1. Return to the Installation Dashboard.

  2. Click Apply Changes.

  3. BOSH Director begins to install. The Changes Applied window displays when the installation process successfully completes.

    Vpc step16

  4. Proceed to the Deploying PAS on AWS topic to continue deploying PCF.