forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
_uaa-cloudform.html.md.erb
77 lines (47 loc) · 6.13 KB
/
_uaa-cloudform.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
1. Select **UAA**.
1. (Optional) Under **JWT Issuer URI**, enter the URI that UAA uses as the issuer when generating tokens.
<%= image_tag('ert_uaa_jwt_uri.png') %>
1. Under **SAML Service Provider Credentials**, enter a certificate and private key to be used by UAA as a SAML Service Provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a self-signed certificate. The following domain must be associated with the certificate: `*.login.YOUR-SYSTEM-DOMAIN`.
<p class="note"><strong>Note</strong>: The Pivotal Single Sign-On Service and Pivotal Spring Cloud Services tiles require the <code>*.login.YOUR-SYSTEM-DOMAIN</code>.</p>
1. If the private key specified under **Service Provider Credentials** is password-protected, enter the password under **SAML Service Provider Key Password**.
<%= image_tag("service-provider.png") %>
1. For **Signature Algorithm**, choose an algorithm from the dropdown menu to use for signed requests and assertions. The default value is `SHA256`.
1. (Optional) In the **Apps Manager Access Token Lifetime**, **Apps Manager Refresh Token Lifetime**, **Cloud Foundry CLI Access Token Lifetime**, and **Cloud Foundry CLI Refresh Token Lifetime** fields, change the lifetimes of tokens granted for Apps Manager and Cloud Foundry Command Line Interface (cf CLI) login access and refresh. Most deployments use the defaults.
<%= image_tag("authsso-uaa-bottom.png") %>
1. (Optional) In the **Global Login Session Max Timeout** and **Global Login Session Idle Timeout** fields, change the maximum number of seconds before a global login times out. These fields apply to the following:
* **Default zone sessions**: Sessions in Apps Manager, PCF Metrics, and other web UIs that use the UAA default zones
* **Identity zone sessions**: Sessions in apps that use a UAA identity zone, such as a Single Sign-On service plan
1. (Optional) Customize the text prompts used for username and password from the cf CLI and Apps Manager login popup by entering values for **Customize Username Label (on login page)** and **Customize Password Label (on login page)**.
1. (Optional) The **Proxy IPs Regular Expression** field contains a pipe-delimited set of regular expressions that UAA considers to be reverse proxy IP addresses. UAA respects the `x-forwarded-for` and `x-forwarded-proto` headers coming from IP addresses that match these regular expressions. To configure UAA to respond properly to Gorouter or HAProxy requests coming from a public IP address, append a regular expression or regular expressions to match the public IP address.
1. You can configure UAA to use an internal MySQL database provided with PCF, or you can configure an external database provider. Follow the procedures in either the [Internal Database Configuration](#uaa-internal) or the [External Database Configuration](#uaa-external) section below.
<p class="note"><strong>Note</strong>: If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data before changing the configuration. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information, and contact <a href="https://support.pivotal.io">Pivotal Support</a> for help. </p>
###<a id='uaa-internal'></a> Internal Database Configuration
When you configure the UAA to use an internal MySQL database, it uses the type of database selected in the **Databases** pane, which can be one of two options. See [Migrate to TLS Communication](../opsguide/scaling-down-mysql.html#migrate) for details.</p>
1. Select **Internal MySQL**.
1. Click **Save**.
1. Ensure that you complete the [Configure Internal MySQL](#internal-db) step later in this topic to configure high availability for your internal MySQL databases.
###<a id='uaa-external'></a> External Database Configuration
<p class="note"><strong>Note</strong>: The exact procedure to create databases depends upon the database provider you select for your deployment. The following procedure uses AWS RDS as an example, but UAA also supports Azure SQL Server.
</p>
<p class="note warning">
<strong>Warning</strong>: Protect whichever database you use in your deployment with a password.
</p>
To create your UAA database, perform the following steps:
1. Add the `ubuntu` account key pair from your IaaS deployment to your local SSH profile so you can access the Ops Manager VM. This is the value of the `ops_manager_ssh_private_key` from the Terraform output.
<pre class='terminal'>$ ssh-add aws-keypair.pem</pre>
1. SSH in to your Ops Manager using the Ops Manager FQDN and the username `ubuntu`:
<pre class='terminal'>$ ssh ubuntu@OPS-MANAGER-FQDN</pre>
1. Log in to your MySQL database instance using the appropriate hostname and user login values configured in your IaaS account. For example, to log in to your AWS RDS instance, run the following MySQL command:
<pre class='terminal'>$ mysql --host=RDSHOSTNAME --user=RDSUSERNAME --password=RDSPASSWORD</pre>
1. Run the following MySQL commands to create a database for UAA:
<pre class="terminal">CREATE database uaa;</pre>
1. Type `exit` to quit the MySQL client, and `exit` again to close your connection to the Ops Manager VM.
1. Reboot the RDS instance in the AWS console.
1. From the **UAA** section in Pivotal Application Service (PAS), select **External**.
<%= image_tag('ert_uaa_external.png') %>
1. For **Hostname**, enter the hostname of the database server. This is the value from the `rds_address` key in the Terraform output.
1. For **TCP Port**, enter the port of the database server. This is the value from the `rds_port` key in the Terraform output.
1. For **User Account and Authentication database username**, specify the username that can access this database on the database server. This is the value from the `rds_username` key in the Terraform output.
1. For **User Account and Authentication database password**, specify a password for the provided username. This is the value from the `rds_password` key in the Terraform output.
1. Click **Save**.