Quick Start PAS Configuration

Page last updated:

This topic describes how to minimally configure Pivotal Application Service (PAS) for evaluation or testing purposes. It does not include optional configurations such as external databases or external file storage.

For production deployments, Pivotal recommends following the instructions in the Configuring PAS topic.


Before beginning this procedure, ensure that you have successfully completed the steps to prepare your environment for PCF and install and configure the BOSH Director.

Add PAS to Ops Manager

To add PAS to Ops Manager, do the following:

  1. If you have not already downloaded PAS, log in to Pivotal Network, and click the PAS tile.

  2. From the Releases drop-down, select the release to install and choose one of the following:

    1. Click PAS to download the PAS .pivotal file.
    2. Click PCF Small Footprint Runtime to download the Small Footprint Runtime .pivotal file. For more information, see Getting Started with Small Footprint Runtime.
  3. Navigate to the Pivotal Cloud Foundry Operations Manager Installation Dashboard.

  4. Click Import a Product to add your tile to Ops Manager. For more information, refer to the Adding and Deleting Products topic.

  5. Click the PAS tile in the Installation Dashboard.

Configure PAS

To install PAS with minimal configuration, do the following:

  1. Do the procedure in the Assign AZs and Networks section of Configuring PAS.
  2. Do the procedure in the Configure Domains section of Configuring PAS.
  3. Click the Networking pane.

  4. Under Certificates and Private Key for HAProxy and Router, you must provide at least one Certificate and Private Key name and certificate key pair for HAProxy and Gorouter. HAProxy and Gorouter are enabled to receive TLS communication by default. You can configure multiple certificates for HAProxy and Gorouter.

    Note: When providing custom certificates, enter them in the following order: wildcard, Intermediate, CA. For more information, see Creating a .pem File for SSL Certificate Installations in the DigiCert documentation.

    1. Click the Add button to add a name for the certificate chain and its private key pair. This certificate is the default used by Gorouter and HAProxy. You can either provide a certificate signed by a Certificate Authority (CA) or click on the Generate RSA Certificate link to generate a self-signed certificate in Ops Manager.

      Note: If you configured Ops Manager Front End without a certificate, you can use this new certificate to complete Ops Manager configuration. To configure your Ops Manager Front End certificate, see Configure Front End in Preparing to Deploy Ops Manager on GCP Manually.

      Note: Ensure that you add any certificates that you generate in this pane to your infrastructure load balancer.

  5. If you are not using SSL encryption or if you are using self-signed certificates, select the Disable SSL certificate verification for this environment checkbox. Enabling this checkbox also disables SSL verification for route services and disables mutual TLS app identity verification.

    Note: For production deployments, Pivotal does not recommend disabling SSL certificate verification.

  6. Disable HAProxy forwards requests to Router over TLS. By default, PAS does not deploy HAProxy.

  7. Click the Application Security Groups pane.

    Setting appropriate ASGs is critical for a secure deployment. To acknowledge that once the PAS deployment completes, it is your responsibility to set the appropriate ASGs:

  1. Select Application Security Groups.

  2. In the Type “X” to acknowledge this requirement field, enter X.

  3. Click Save.

For more information about ASGs, see App Security Groups. For more information about setting ASGs, see Restricting App Access to Internal PAS Components.

  1. Under SAML Service Provider Credentials, enter a certificate and private key to be used by UAA as a SAML Service Provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a self-signed certificate. The following domain must be associated with the certificate: *.login.YOUR-SYSTEM-DOMAIN.

    Note: The Pivotal Single Sign-On Service and Pivotal Spring Cloud Services tiles require the *.login.YOUR-SYSTEM-DOMAIN.

  2. If the private key specified under Service Provider Credentials is password-protected, enter the password under SAML Service Provider Key Password.
  3. In the CredHub pane, Under Encryption Keys, specify one or more keys to use for encrypting and decrypting the values stored in the CredHub database.
    • Name. This is the name of the encryption key.
    • Provider. This is the provider of the encryption key. If you have configured an HSM provider and HSM servers above, select HSM. Otherwise, select Internal.
    • Key. This key is used for encrypting all data. The key must be at least 20 characters long.
      • Primary. This checkbox is used for marking the key you specified above as the primary encryption key. You must mark one key as Primary. Do not mark more than one key as Primary.
  4. In the E-mail address field, enter the email address where the MySQL service sends alerts when the cluster experiences a replication issue or when a node is not allowed to auto-rejoin the cluster.
  5. In the Resource Config pane, you must associate load balancers with the VMs in your deployment to enable traffic. See Configure Load Balancing for PAS.

Complete the PAS Installation

To complete the PAS installation, do the following:

  1. Click the Installation Dashboard link to return to the Installation Dashboard.

  2. Click Review Pending Changes, then Apply Changes.