Setting Up Your Jumpbox for BBR

Page last updated:

Warning: Pivotal Cloud Foundry (PCF) v2.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to set up your jumpbox for BOSH Backup and Restore (BBR).

To use BBR to back up and restore your Pivotal Cloud Foundry (PCF) deployment, you must first set up a jumpbox to run BBR from. The Ops Manager VM might be suitable.

Step 1: Configure your Jumpbox

Configure your jumpbox to meet the following requirements:

  • Your jumpbox must have sufficient space for the backup. A PCF backup requires at least 1.5 GB.
  • Your jumpbox must exist on the same network as the VMs in your PCF deployment because BBR connects to the VMs at their private IP addresses. BBR does not support SSH gateways.
  • Because BBR copies the backed-up data from the VMs to the jumpbox, you should have minimal network latency between them to reduce transfer times.

Consult the following table for more information about the network access permissions required by BBR.

VM Default Port Description
BOSH Director 25555 BBR interacts with the BOSH Director API.
Deployed Instances 22 BBR uses SSH to orchestrate the backup on the instances.
BOSH Director UAA 8443 BBR interacts with the UAA API for authentication, if necessary.

Step 2: Transfer BBR Binary to Your Jumpbox

Perform the following steps to transfer the bbr binary to your jumpbox:

  1. Download the latest BOSH Backup and Restore release from Pivotal Network.

  2. Extract the bbr binary file from the BBR release.

  3. To add executable permissions to the bbr binary file run the following command:

    chmod a+x bbr

    For example:

    $ chmod a+x bbr

  4. To securely copy the BBR binary to your jumpbox, run the following command:



    • LOCAL-PATH-TO-JUMPBOX-PRIVATE-KEY is the local path to your private key file for the jumpbox host.
    • LOCAL-PATH-TO-BINARY-FILE is the local path for the binary file.
    • JUMPBOX-USER is your jumpbox username.
    • JUMPBOX-ADDRESS is the IP address of your jumpbox.

Step 3: Ensure BOSH Director Certificate Availability

If the certificate chain on your local machine cannot verify the Certificate Authority (CA) certificate for the BOSH Director, you must have the path to the root CA certificate to run BBR commands.

If you have configured the Ops Manager VM as your jumpbox, the path to the root CA certificate is /var/tempest/workspaces/default/root_ca_certificate.

If you have configured another machine as your jumpbox, use the Ops Manager API to download the CA certificate.

  1. To download the CA certificate using the Ops Manager API, run the following command:

    curl -k "https://OPS-MAN-FQDN/api/v0/security/root_ca_certificate" \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
    | jq --raw-output '.root_ca_certificate_pem' > PATH-TO-BOSH-SERVER-CERTIFICATE


    • OPS-MAN-FQDN is the fully-qualified domain name (FQDN) for your Ops Manager deployment.
    • UAA-ACCESS-TOKEN is your UAA access token. For more information, see Access the API.
    • PATH-TO-BOSH-SERVER-CERTIFICATE is file path location where you want the certificate to be written.

    The open source jq utility is available to download.

    Note: See the Using the Ops Manager API topic to obtain a UAA-ACCESS-TOKEN using the UAA CLI.