Quick Start PAS Configuration

Page last updated:

This topic describes how to minimally configure Pivotal Application Service (PAS) for evaluation or testing purposes. It does not include optional configurations such as external databases or external file storage.

For production deployments, Pivotal recommends following the instructions in Configuring PAS.


Before beginning this procedure, ensure that you have successfully completed the steps to prepare your environment for Pivotal Platform and install and configure the BOSH Director.

Add PAS to Pivotal Ops Manager

To add PAS to Ops Manager:

  1. If you have not already downloaded PAS, log in to Pivotal Network, and click the PAS tile.

  2. From the Releases dropdown, select the release to install and choose one of the following:

    1. Click PAS to download the PAS .pivotal file.
    2. Click Pivotal Platform Small Footprint Runtime to download the Small Footprint Runtime .pivotal file. For more information, see Getting Started with Small Footprint PAS.
  3. Navigate to the Ops Manager Installation Dashboard.

  4. Click Import a Product to add your tile to Ops Manager. For more information, see Adding and Deleting Products.

  5. Click the PAS tile in the Installation Dashboard.

Configure PAS

To install PAS with minimal configuration:

  1. Do the procedure in the Assign AZs and Networks section of the Configuring PAS topic.

  2. Do the procedure in the Configure Domains section of the Configuring PAS topic.

  3. Go to the Networking pane.

  4. Under Certificates and private keys for HAProxy and Router, you must provide at least one certificate and private key name and certificate key pair for HAProxy and the Gorouter. HAProxy and the Gorouter are enabled to receive TLS communication by default. You can configure multiple certificates for HAProxy and the Gorouter.

    Note: When providing custom certificates, enter them in the following order: wildcard, Intermediate, CA. For more information, see Creating a .pem File for SSL Certificate Installations in the DigiCert documentation.

    1. Click Add to add a name for the certificate chain and its private key pair. This certificate is the default used by the Gorouter and HAProxy. You can either provide a certificate signed by a Certificate Authority (CA) or click on the Generate RSA Certificate link to generate a self-signed certificate in Ops Manager.

      Note: If you configured Ops Manager Front End without a certificate, you can use this new certificate to complete Ops Manager configuration. To configure your Ops Manager Front End certificate, see the Configure Front End of the Preparing to Deploy Ops Manager on GCP Manually topic.

      Note: Ensure that you add any certificates that you generate in this pane to your infrastructure load balancer.

  5. If you are not using SSL encryption or if you are using self-signed certificates, select the Disable SSL certificate verification for this environment checkbox. Enabling this checkbox also disables SSL verification for route services and disables mutual TLS app identity verification.

    Note: For production deployments, Pivotal does not recommend disabling SSL certificate verification.

  6. Disable HAProxy forwards requests to Router over TLS. By default, PAS does not deploy HAProxy.

  7. Setting appropriate ASGs is critical for a secure deployment. To acknowledge that once the PAS deployment completes, it is your responsibility to set the appropriate ASGs:

    1. Select App Security Groups.
    2. In the Type “X” to acknowledge this requirement field, enter X.
    3. Click Save.
      For more information about ASGs, see App Security Groups. For more information about setting ASGs, see Restricting App Access to Internal PAS Components.

  8. Under SAML service provider credentials, enter a certificate and private key to be used by UAA as a SAML service provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a self-signed certificate. The following domain must be associated with the certificate: *.login.YOUR-SYSTEM-DOMAIN.

    Note: The Pivotal Single Sign-On Service and Pivotal Spring Cloud Services tiles require the *.login.YOUR-SYSTEM-DOMAIN.

  9. Go to the UAA pane.

  10. If the private key specified under SAML service provider credentials is password-protected, enter the password under SAML service provider key password.

  11. Go to the CredHub pane.

  12. Under Internal encryption provider keys, specify one or more keys to use for encrypting and decrypting the values stored in the CredHub database.

    • Name: This is the name of the encryption key.
    • Key: This key is used for encrypting all data. The key must be at least 20 characters long.
    • Primary: This checkbox is used for marking the key you specified above as the primary encryption key. You must mark one key as Primary. Do not mark more than one key as Primary.
  13. Go to the Internal MySQL pane.

  14. In the Email address field, enter the email address where the MySQL service sends alerts when the cluster experiences a replication issue or when a node is not allowed to auto-rejoin the cluster.

  15. Go to the Resource Config pane.

  16. In the Resource Config pane, you must associate load balancers with the VMs in your deployment to enable traffic. For more information, see Configure Load Balancing for PAS.

Complete the PAS Installation

To complete the PAS installation:

  1. Click the Installation Dashboard link to return to the Installation Dashboard.

  2. Click Review Pending Changes, then Apply Changes.