On-Demand Services SDK v0.19

Creating an On-Demand Service Tile

This page documents the process for deploying an on-demand broker (ODB) with a service in a single tile, on an AWS installation of Ops Manager 1.8. We have built a reference Kafka tile.


Before ODB, Ops Manager controlled IP allocation on the private networks. When using the ODB in a tile you therefore need at least two private networks:

  • a network where Ops Manager will deploy the on-demand broker VM
  • a different network where the on-demand broker will deploy service instance VMs

The network for service instances should be flagged as a Service Network in Ops Manager.

Deploying Ops Manager to AWS

  1. Follow the default Ops Manager deployment docs, but with these modifications:
    1. Create a self-signed wildcard SSL certificate for a domain you control (this will usually be *) and upload it, along with the associated private key, to AWS. Instructions here.
    2. Download the CloudFormation JSON and save it in the Ops Manager directory.
    3. Run the CloudFormation stack, saving any pertinent inputs (e.g. BOSH DB credentials) you type into the web console into the Ops Manager directory for safekeeping (e.g. in info.txt).
    4. Launch an instance of the AMI. If possible, use an Elastic IP so that the same DNS record can be kept even if the VM is recreated. Failing that, auto-assign a public IP.
    5. Create a DNS record for pcf.WILDCARD-CERTIFICATE-DOMAIN (using the earlier example, the pcf host under the wildcard domain). It should point to the public IP of the Ops Manager VM.
  2. Keep following the docs to log into Ops Manager (save the credentials).
  3. Configure the Ops Manager director (BOSH) tile.
  4. Click “Apply Changes”, and keep a copy of the BOSH init manifest for future reference:

      scp -i private_key.pem ubuntu@opsmanIP:/var/tempest/workspaces/default/deployments/bosh.yml bosh.yml


  1. The ELBs created by CloudFormation are both for CF, not Ops Manager. One of them will be configured with your wildcard certificate; it takes the place of HAProxy in AWS PCF deployments and is therefore not used until you deploy the ERT tile.

  2. To target the BOSH director from the Ops Manager VM:

      bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate target

Build a Tile

Follow the default “build your own product tile” documentation and enhance the handcraft.yml with the accessors listed below. To access the $self accessors, the service-broker flag must be true in the handcraft.

Note: If you are publishing a tile to be consumed by Ops Manager 1.8.x or 1.9.x, you will need to build your tile using releases with SHA1 internal checksums. On-Demand Broker releases are published using SHA2 internal checksums. You can convert these releases to use SHA1 internal checksums using the BOSH CLI command sha1ify-release.

Non-Exhaustive Accessors Reference


$director accessors provide fields relating to the BOSH director installation that is present.

Accessor Description
$director.hostname The director’s hostname or IP address
$director.ca_public_key The director’s root CA certificate. Related: how to configure SSL certificates for the ODB.

For example:

  url: https://(( $director.hostname )):25555
  root_ca_cert: (( $director.ca_public_key ))


$self accessors provide fields that belong to the specific tile (in this case, the broker tile).

Accessor Description
$self.uaa_client_name UAA client name that can authenticate with the BOSH director
$self.uaa_client_secret UAA client secret that can authenticate with the BOSH director
$self.service_network Service network configured for the on-demand instances

The service network has to be created manually. Create a subnet on AWS and then add it to the director: in the director tile, under Create Networks > ADD network, fill in the subnet/VPC details.

$self accessors are enabled by setting service_broker: true at the top level of handcraft.yml. Please note that, at the time of writing, setting service_broker: true will cause a redeployment of the BOSH director when installing or uninstalling the tile.

For example:

      url: https://(( $director.hostname )):8443
      client_id: (( $self.uaa_client_name ))
      client_secret: (( $self.uaa_client_secret ))


These accessors provide fields from the Elastic Runtime tile (i.e. Cloud Foundry) present in the Ops Manager installation.

Accessor Description
Flag to skip SSL certificate verification for connections to the CF API
The application domain configured in the CF installation
The system domain configured in the CF installation
Username of a CF user in the cloud_controller.admin group, to be used by services
Password of a CF user in the cloud_controller.admin group, to be used by services

For example:

disable_ssl_cert_verification: (( ))
  url: https://api.(( ))
    url: https://uaa.(( ))
      username: (( ))
      password: (( ))


For more accessors, see the ops-manager-example product.

Public IP address for on-demand service instance groups

Ops Manager 1.9 RC1+ provides a VM extension called public_ip in the BOSH Director’s cloud config. This can be used in the on-demand service broker’s manifest to give instance groups a public IP address. This IP is only used for outgoing traffic to the internet from VMs with the public_ip extension; all internal traffic and incoming connections must use the private IP.

Here is an example showing how to allow operators to assign a public IP address to an on-demand service instance group in the tile handcraft:

- name: example_form
  - reference: .broker.example_vm_extensions
    label: VM options
    description: List of VM options for Service Instances

- name: broker
  - name: broker
    release: on-demand-service-broker
    manifest: |
        - name: example-plan
          - name: example-instance-group
            vm_extensions: (( .broker.example_vm_extensions.value ))
  - name: example_vm_extensions
    type: multi_select_options
    configurable: true
    optional: true
    - name: "public_ip"
      label: "Internet Connected VMs (on supported IaaS providers)"

Floating stemcells

Ops Manager provides a feature called Floating Stemcells that allows PCF to quickly propagate a patched stemcell to all VMs in the deployment that use the same compatible stemcell. Both the broker deployment and the service instances deployed by the On-Demand Broker can make use of this feature. Enabling it helps ensure that all of your service instances are patched to the latest stemcell.

In order for the service instances to be upgraded automatically to the latest stemcell, make sure the upgrade-all-service-instances errand is ticked.

Here is an example of how to implement floating stemcells in handcraft.yml:

  - name: broker
    manifest: |
        - name: release-name
          version: 1.0.0
          jobs: [job_server]
          os: ubuntu-trusty
          version: (( $self.stemcell_version ))

Here is an example of how to configure the stemcell_criteria in binaries.yml:

name: example-on-demand-service
product_version: 1.0.0
stemcell_criteria:
  os: ubuntu-trusty
  version: '3312'
  enable_patch_security_updates: true

Please note that setting enable_patch_security_updates to false disables this feature.

On-Demand Broker errands

In the reference Kafka tile we have demonstrated how the errands in the on-demand broker release can be used.

The errands should be specified in the following order, as shown in the example Kafka tile:

Post-deploy errands:

  • register-broker
  • upgrade-all-service-instances

Pre-delete errands:

  • delete-all-service-instances-and-deregister-broker

These errands are documented in the operating section.
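As an added example (not part of the SDK documentation or the Kafka tile), the following Python check applies rules stated on this page to raw handcraft.yml and binaries.yml text: $self accessors require service_broker: true, floating stemcells require enable_patch_security_updates: true, the errands must appear in the documented order, and the flag that skips CF API certificate verification must not be hard-coded on. The sample metadata is constructed; RUNTIME_SKIP_CERT_VERIFY_ACCESSOR is a placeholder for the runtime accessor, and the post_deploy_errands / pre_delete_errands key names are assumed.

```python
import re

# Errand names from this page, in the order the tile must list them.
ERRAND_ORDER = ["register-broker", "upgrade-all-service-instances",
                "delete-all-service-instances-and-deregister-broker"]

# Constructed sample tile metadata (not the Kafka tile); the accessor that
# supplies the skip-verify flag is a labelled placeholder, not a real name.
GOOD_HANDCRAFT = """\
service_broker: true
post_deploy_errands:
- name: register-broker
- name: upgrade-all-service-instances
pre_delete_errands:
- name: delete-all-service-instances-and-deregister-broker
manifest: |
  uaa:
    client_id: (( $self.uaa_client_name ))
    client_secret: (( $self.uaa_client_secret ))
  disable_ssl_cert_verification: (( RUNTIME_SKIP_CERT_VERIFY_ACCESSOR ))
  stemcell:
    version: (( $self.stemcell_version ))
"""
GOOD_BINARIES = ("stemcell_criteria:\n  os: ubuntu-trusty\n  version: '3312'\n"
                 "  enable_patch_security_updates: true\n")

def _value(text, key):
    """Literal value of the first 'key: value' line in text, or None."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(\S+)", text, re.M)
    return m.group(1).strip("'\"") if m else None

def lint_tile(handcraft, binaries):
    """Apply the rules this page states to raw handcraft/binaries text."""
    findings = []
    if "$self." in handcraft and _value(handcraft, "service_broker") != "true":
        findings.append("$self accessors used but service_broker is not true")
    if ("$self.stemcell_version" in handcraft
            and _value(binaries, "enable_patch_security_updates") != "true"):
        findings.append("floating stemcells used but patch updates not enabled")
    # Whole-word search so 'register-broker' does not match 'deregister-broker'.
    pos = [m.start() if m else -1 for m in
           (re.search(rf"\b{re.escape(e)}\b", handcraft) for e in ERRAND_ORDER)]
    if -1 in pos:
        findings.append("missing errand: " + ERRAND_ORDER[pos.index(-1)])
    elif pos != sorted(pos):
        findings.append("errands not in the documented order")
    # Skipping CF API certificate checks must come from the runtime accessor.
    if re.search(r"disable_ssl_cert_verification:\s*true\b", handcraft):
        findings.append("disable_ssl_cert_verification is hard-coded to true")
    return findings
```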

Secure Binding Credentials

Runtime CredHub can securely store service instance credentials. To include this feature in your tile, make some changes to the tile metadata, as described below:

  1. Add secure_binding_credentials to the top-level properties block in the on-demand broker manifest. For example:

      properties:
        secure_binding_credentials:
          enabled: true
              client_id: CREDHUB_CLIENT_ID # client ID used by broker when communicating with CredHub
              client_secret: CREDHUB_CLIENT_SECRET # client secret used by broker when communicating with CredHub
              ca_cert: UAA_CA_CERT
  2. To let users enable and disable this feature in the Ops Manager UI, add an element to the property_blueprints section of your tile’s handcraft.yml, and add a selector that templates in the appropriate manifest snippet.

For an example, see the example-kafka-on-demand-tile.

To use the secure binding credentials feature you must use Pivotal Cloud Foundry (PCF) 2.0 or later.
