To use SSL termination in Ops Manager, you must configure the HAProxy load balancer or your own load balancer.
VMware recommends that you use HAProxy in lab and test environments only. Production environments should instead use a highly-available customer-provided load balancing solution.
Choose an SSL termination method to determine the steps you must take to configure VMware Tanzu Application Service for VMs (TAS for VMs).
Ops Manager deploys with a single instance of HAProxy for use in lab and test environments. You can use this HAProxy instance for SSL termination and load balancing to the TAS for VMs Gorouters. HAProxy can generate a self-signed certificate if you do not want to obtain a signed certificate from a well-known certificate authority (CA).
Note: Certificates generated in TAS for VMs are signed by the Ops Manager Certificate Authority. They are not technically self-signed, but they are referred to as "self-signed certificates" in the Ops Manager UI and throughout this documentation.
To use the HAProxy load balancer:
Create an A record in your DNS that points to the HAProxy IP address. The A record associates the System domain and Apps domain that you configure in the Domains pane of the TAS for VMs tile with the HAProxy IP address.
For example, with .example.com as the main subdomain for your Ops Manager installation and an HAProxy IP address 203.0.113.1, you must create an A record in your DNS that serves example.com and points *.platform_name_lc to 203.0.113.1.
Name | Type | Data | Domain |
---|---|---|---|
*. | A | 203.0.113.1 | example.com |
Test your DNS entry by running:
host
This command should return your HAProxy IP address.
Navigate to the Ops Manager Installation Dashboard.
Click the TAS for VMs tile.
Select Networking.
Leave the Gorouter IPs field blank. HAProxy assigns the Gorouter IPs internally.
Enter the IP address for HAProxy in the HAProxy IPs field.
Provide your SSL certificate in the Certificates and private keys for the Gorouter and HAProxy fields. For more information, see Providing a Certificate for Your TLS Termination Point.
Production environments must use a highly-available customer-provided load balancing solution that:
x-forwarded-for and x-forwarded-proto HTTP headers
To use your own load balancer:
Register one or more static IP addresses for Ops Manager with your load balancer.
Create an A record in your DNS that points to your load balancer IP address. The A record associates the System domain and Apps domain that you configure in the Domains pane of the TAS for VMs tile with the IP address of your load balancer.
For example, with .example.com as the main subdomain for your Ops Manager installation and a load balancer IP address 198.51.100.1, you must create an A record in your DNS that serves example.com and points *. to 198.51.100.1.
Name | Type | Data | Domain |
---|---|---|---|
*. | A | 198.51.100.1 | example.com |
Go to the Ops Manager Installation Dashboard.
Click the TAS for VMs tile.
Select Networking.
In the Gorouter IPs field, enter the static IP address for Ops Manager that you have registered with your load balancer.
Leave the HAProxy IPs field blank.
Provide your SSL certificate in the Certificates and private keys for the Gorouter and HAProxy fields. For more information, see Providing a Certificate for Your TLS Termination Point.
Note: When adding or removing TAS for VMs Gorouters, you must update your load balancing solution configuration with the appropriate IP addresses.
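The DNS check that both procedures above rely on, as an added example that is not part of the original VMware documentation: it confirms that names under the wildcard A record resolve only to the expected HAProxy or load balancer IP address, so no stale record sends traffic around the TLS termination point. The parent domain apps.example.com, the probe labels, and the RESOLVER override are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify that a wildcard A record resolves only to the
# TLS termination point (HAProxy or your own load balancer).
# Assumptions: apps.example.com is a placeholder parent domain, the probe
# labels are constructed, and RESOLVER is a hypothetical override hook.
# Usage: check_wildcard apps.example.com 203.0.113.1

# Lookup command; defaults to the `host` utility restricted to A records.
RESOLVER=${RESOLVER:-"host -t A"}

# Print the IPv4 addresses returned for one hostname, one per line.
# Parses `host` output lines of the form "<name> has address <ip>".
resolve_a() {
  $RESOLVER "$1" 2>/dev/null | awk '/ has address /{print $NF}' | sort -u
}

# check_wildcard PARENT_DOMAIN EXPECTED_IP
# Probes two fixed labels and one random label under the wildcard. The random
# label cannot have an explicit record, so it only resolves if the wildcard
# itself exists. Returns 0 only if every probe yields exactly EXPECTED_IP.
check_wildcard() {
  parent=$1 expected=$2 rc=0
  for label in app-a app-b "probe-$$-${RANDOM:-0}"; do
    name="$label.$parent"
    addrs=$(resolve_a "$name")
    if [ -z "$addrs" ]; then
      echo "FAIL $name: no A record returned (wildcard missing?)"
      rc=1
    elif [ "$addrs" != "$expected" ]; then
      # Extra or different addresses mean some clients reach another host.
      echo "FAIL $name: resolves to $(echo $addrs), expected only $expected"
      rc=1
    else
      echo "OK   $name -> $expected"
    fi
  done
  return $rc
}
```

Run the check again after changing the HAProxy IPs or Gorouter IPs fields, because a record that still points at a previous address fails the exact-match comparison.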