Quick Start PAS Configuration

Page last updated:

This topic describes how to minimally configure Pivotal Application Service (PAS) for evaluation or testing purposes. It does not include optional configurations such as external databases or external file storage.

For production deployments, Pivotal recommends following the procedure in Configuring PAS.

Prerequisites

Before beginning this procedure, ensure that you have successfully completed the steps to prepare your environment for Pivotal Platform and install and configure the BOSH Director.

Add PAS to Pivotal Operations Manager

To add PAS to Ops Manager:

  1. If you have not already downloaded PAS, log in to Pivotal Network and click Pivotal Application Service.

  2. From the Releases dropdown, select the release to install and choose one of the following:

    1. Click Pivotal Application Service to download the PAS .pivotal file.
    2. Click Small Footprint PAS to download the Small Footprint PAS .pivotal file. For more information, see Getting Started with Small Footprint PAS.
  3. Navigate to the Ops Manager Installation Dashboard.

  4. Click Import a Product to add your tile to Ops Manager. For more information, see Adding and Deleting Products.

  5. Click the PAS tile.

Configure PAS

To install PAS with minimal configuration:

  1. Follow the procedure in Assign AZs and Networks in Configuring PAS.

  2. Follow the procedure in Configure Domains in Configuring PAS.

  3. Select Networking.

  4. Under Certificates and private keys for the Gorouter and HAProxy, you must provide at least one certificate and private key name and certificate key pair for the Gorouter and HAProxy. The Gorouter and HAProxyu are enabled to receive TLS communication by default. You can configure multiple certificates for the Gorouter and HAProxy.

    Note: When providing custom certificates, enter them in this order: wildcard, Intermediate, CA. For more information, see Creating a .pem File for SSL Certificate Installations in the DigiCert documentation.

    1. Click Add to add a name for the certificate chain and its private key pair. This certificate is the default used by the Gorouter and HAProxy. You can either provide a certificate signed by a Certificate Authority (CA) or click Generate RSA Certificate to generate a self-signed certificate in Ops Manager.

      Note: If you configured Ops Manager Front End without a certificate, you can use this new certificate to complete your Ops Manager configuration. To configure your Ops Manager Front End certificate, see Configure Front End in Preparing to Deploy Ops Manager on GCP Manually.

      Note: Ensure that you add any certificates that you generate in this pane to your infrastructure load balancer.

  5. If you are not using SSL encryption or if you are using self-signed certificates, select the Disable SSL certificate verification for this environment checkbox. Selecting this checkbox also disables SSL verification for route services and disables mutual TLS app identity verification.

    Note: For production deployments, Pivotal does not recommend disabling SSL certificate verification.

  6. Disable the HAProxy forwards all requests to the Gorouter over TLS checkbox. By default, PAS does not deploy HAProxy.

  7. Setting appropriate ASGs is critical for a secure deployment. To acknowledge that you are responsible for setting the appropriate ASGs after the PAS deployment completes:

    1. Select App Security Groups.
    2. In the Type “X” to acknowledge this requirement field, enter X.
    3. Click Save.

      For more information about ASGs, see App Security Groups. For more information about setting ASGs, see Restricting App Access to Internal PAS Components.
  8. Under SAML service provider credentials, enter a certificate and private key for the User Account and Authentication (UAA) server to use as a SAML service provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted CA or generate a self-signed certificate. The domain *.login.SYSTEM-DOMAIN must be associated with the certificate, where SYSTEM-DOMAIN is the system domain you configured in the Domains pane.

    Note: The Pivotal Single Sign-On Service and Pivotal Spring Cloud Services tiles require the *.login.SYSTEM-DOMAIN.

  9. Select UAA.

  10. If the private key specified under SAML service provider credentials is password-protected, enter the password under SAML service provider key password.

  11. Select CredHub.

  12. Under Internal encryption provider keys, specify one or more keys to use for encrypting and decrypting the values stored in the CredHub database:

    • Name: This is the name of the encryption key.
    • Key: This key is used for encrypting all data. The key must be at least 20 characters long.
    • Primary: This checkbox is used for marking the key you specified above as the primary encryption key. You must mark one key as Primary. Do not mark more than one key as Primary.
  13. Go to the Internal MySQL pane.

  14. In the Email address field, enter the email address where the MySQL service sends alerts when the cluster experiences a replication issue or when a node is not allowed to auto-rejoin the cluster.

  15. Select Resource Config.

  16. In the Resource Config pane, you must associate load balancers with the VMs in your deployment to enable traffic. For more information, see Configure Load Balancing for PAS.

Complete the PAS Installation

To complete the PAS installation:

  1. Click the Installation Dashboard link to return to the Ops Manager Installation Dashboard.

  2. Click Review Pending Changes, then Apply Changes.