This topic tells you how to configure VMware Tanzu Application Service for VMs (TAS for VMs) as part of deploying Ops Manager.
Before you begin this procedure, you must:
Ensure that you have successfully completed the steps to prepare your environment for Ops Manager and install and configure the BOSH Director. For more information, see the VMware Tanzu Operations Manager configuration topic for your IaaS.
If you plan to install the Ops Manager IPsec add-on, you must do so before installing any other tiles. VMware recommends installing IPsec immediately after Ops Manager and before installing the TAS for VMs Runtime tile. For more information, see Installing the IPsec Add-On for Ops Manager.
Before you can configure TAS for VMs, you must add the TAS for VMs tile to your Ops Manager Installation Dashboard.
To add the TAS for VMs tile to your Ops Manager Installation Dashboard:
If you have not already downloaded TAS for VMs, log in to VMware Tanzu Network and click VMware Tanzu Application Service for VMs.
From the Releases drop-down menu, select the release to install and choose one of the following:
.pivotal file..pivotal file. For more information, see Getting Started with Small Footprint TAS for VMs.Go to the Ops Manager Installation Dashboard.
Click Import a Product to add your tile to Ops Manager. For more information, see Adding and Deleting Products.
Click the VMware Tanzu Application Service for VMs tile in the Installation Dashboard.
Note: For Azure environments, this configuration pane is Assign Networks and does not include AZ configuration.
In the Assign AZ and Networks pane, you assign jobs to your Availability Zones (AZs) and networks.
To configure the Assign AZ and Networks pane:
Select Assign AZ and Networks.
From the Network drop-down menu, select the network where you want to run TAS for VMs.
Click Save.
In the Domains pane, you configure a wildcard DNS record for both the apps domain and system domain.
To configure the Domains pane:
Select Domains.
Enter the name of your system domain in the System domain field. The system domain defines your target when you push apps to TAS for VMs, such as your load balancer. TAS for VMs assigns system components such as UAA and Apps Manager to subdomains under this domain.
Enter the name of your apps domain in the Apps domain field. The apps domain is the default domain that apps use for their hostnames. TAS for VMs hosts each app at subdomains under this domain. You can use the Cloud Foundry Command Line Interface (cf CLI) to add or delete subdomains assigned to individual apps.
Click Save.
For additional guidance based on your installation method, see the following table:
| Installation Method | Guidance |
|---|---|
| Manual | Enter the domains you created when preparing your environment for Ops Manager. |
| Terraform | Enter the values for sys_domain and apps_domain from the Terraform output. |
Note: VMware recommends that you use the same domain name but different subdomain names for your system and app domains. Doing so allows you to use a single wildcard certificate for the domain while preventing apps from creating routes that overlap with system routes.
Note: If you choose to assign specific IP addresses in the Gorouter IPs field, ensure that these IP addresses are in the subnet that you configured for TAS for VMs in Ops Manager.
| Gorouter IPs field |
|---|
|
Note: If you have mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter. This deactivates TCP routing.
Under Certificates and private keys for the Gorouter, you must provide at least one certificate and private key name and certificate key pair for the Gorouter. The Gorouter is enabled to receive TLS communication by default. You can configure multiple certificates for the Gorouter.
Note: When providing custom certificates, enter them in this order: wildcard, Intermediate, CA. For more information, see Creating a .pem File for SSL Certificate Installations in the DigiCert documentation.
Click Add to add a name for the certificate chain and its private key pair. This certificate is the default used by the Gorouter. You can either provide a certificate signed by a Certificate Authority (CA) or click on the Generate RSA Certificate link to generate a certificate generated by the Ops Manager CA. For the values to use, see Providing a Certificate for Your TLS Termination Point.
Note: If you configured Ops Manager Front End without a certificate, you can use this new certificate to complete Ops Manager configuration. To configure your Ops Manager Front End certificate, see Configure Front End in Preparing to Deploy Ops Manager on GCP.
If you want to configure multiple certificates for the Gorouter, click Add and fill in the appropriate fields for each additional certificate key pair. For details about generating certificates in Ops Manager for your wildcard system domains, see Providing a Certificate for Your TLS Termination Point.
Note: Ensure that you add any certificates that you generate in this pane to your infrastructure load balancer.
(Optional) When validating client requests using mutual TLS, the Gorouter trusts multiple certificate authorities (CAs) by default. Enter your CA certificates under Certificate Authorities trusted by the Gorouter. All CA certificates should be appended together into a single collection of PEM-encoded entries.
(Optional) To deactivate HTTP/2 ingress and egress for the Gorouter, clear the Enables the HTTP/2 protocol for communicating with apps checkbox. HTTP/2 is enabled by default. For more information about HTTP/2 routing, see Supporting HTTP/2.
Under Select the range of TLS versions supported by the Gorouter, select the range of TLS versions to use in Gorouter communications. The Gorouter supports TLS v1.2 to TLS v1.3 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the Gorouter, see TLS Cipher Suite Support in Securing Traffic into TAS for VMs.
(Optional) Under Balancing algorithm used by the Gorouter, select your load balancing algorithm for the Gorouter. VMware recommends the default option of Round robin for most use cases. Some use cases, such as those where apps have long-lived connections, may benefit from the least connection algorithm. For more information, see HTTP Routing.
Configure Logging of client IPs in the Gorouter. The Log client IPs option is set by default. To comply with the General Data Protection Regulation (GDPR), select one of these options To deactivate logging of client IP addresses:
x-forwarded-client-cert (XFCC) HTTP headers based on where TLS is terminated for the first time in your deployment. The table below indicates which option to choose based on your deployment configuration:
| Deployment Configuration | TLS Option | Additional Notes |
|---|---|---|
|
Infrastructure load balancer | The Gorouter forwards the XFCC header when included in the request. |
|
Gorouter | The Gorouter strips the XFCC header if it is included in the request and forwards the client certificate received in the TLS handshake in a new XFCC header. Breaking Change: If you select the The Gorouter does not request client certificates option in the Gorouter behavior for client certificate validation field, the XFCC header cannot be delivered to apps. |
For a description of the behavior of each configuration option, see Forward Client Certificate to Apps in HTTP Routing.
To configure Gorouter behavior for handling client certificates, select one of the following options in the Gorouter behavior for client certificate validation field:
Caution: Requests to the platform fail upon upgrade if your load balancer is configured with client certificates and the Gorouter does not have the CA. To mitigate this issue, select The Gorouter does not request client certificates.
In the TLS cipher suites for the Gorouter field, review the TLS cipher suites for TLS handshakes between the Gorouter and front end clients such as load balancers. The default value for this field is ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
To modify the default configuration, use an ordered, colon-separated list of Golang-supported TLS cipher suites in the OpenSSL format. This field does not apply to TLS v1.3. For TLS v1.3, the Gorouter only uses a set of default ciphers, and this is not configurable.
Operators should verify that the ciphers are supported by any clients or front end components that initiate TLS handshakes with the Gorouter. For a list of TLS ciphers supported by the Gorouter, see TLS Cipher Suite Support in Securing Traffic into TAS for VMs.
Verify that every client participating in TLS handshakes with the Gorouter has at least one cipher suite in common with the Gorouter.
Note: Specify cipher suites that are supported by the versions configured under Select the range of TLS versions supported by the Gorouter. For example, TLS v1.3 does not support configuring cipher suites. If you select TLSv1.3 only, you cannot configure cipher suites for the Gorouter.
Note: AWS Classic Load Balancers do not support TAS for VMs's default cipher suites. For more information about configuring your AWS load balancers and Gorouter, see TLS Cipher Suite Support by AWS Load Balancers in Securing Traffic into TAS for VMs.
(Optional) If you want the Gorouter to reject any HTTP (non-encrypted) traffic, select the Disable HTTP on the Gorouter checkbox. When selected, the Gorouter does not listen on port 80.
(Optional) Select the Disable insecure cookies on the Gorouter checkbox to turn on the secure flag for cookies generated by the Gorouter.
(Optional) To deactivate the addition of Zipkin tracing headers on the Gorouter, deselect the Enable Zipkin tracing headers on the Gorouter checkbox. Zipkin tracing headers are enabled by default. For more information about using Zipkin trace logging headers, see HTTP Headers for Zipkin Tracing in HTTP Routing.
(Optional) The Enable the Gorouter to write access logs locally checkbox is selected by default. VMware recommends deselecting this checkbox for high-traffic deployments, since logs may not be rotated fast enough and can fill up the disk.
By default, TAS for VMs Gorouters accept all traffic for apps deployed to an isolation segment created by the Isolation Segment tile. To configure TAS for VMs Gorouters to reject requests for apps within all isolation segments, select "Reject all" for the field titled "Gorouter isolation segment request handling". To configure TAS for VMs Gorouters to only accept requests for apps within specific isolation segments, select "Accept some" and then provide a comma-separated list of isolation segment names. For more information, see Installing Isolation Segment and Sharding Gorouters for Isolation Segments in Routing for Isolation Segments.
(Optional) By default, Gorouter support for the PROXY protocol is deactivated. To enable the PROXY protocol, select the Enable support for PROXY protocol in the Gorouter checkbox. When enabled, client-side load balancers that terminate TLS but do not support HTTP can pass along information from the originating client. Enabling this option may impact Gorouter performance. For more information about enabling the PROXY protocol in the Gorouter, see the About HTTP Header Forwarding sections in Securing Traffic into TAS for VMs.
In the Route services section, choose either Enable or Disable. Route services are a class of marketplace services that perform filtering or content transformation on app requests and responses. For more information, see Route Services and List Marketplace Services in Managing Service Instances with the cf CLI.
(Optional) If you want to limit the number of app connections to the back end, enter a value in the Maximum connections per back end field. You can use this field to prevent a poorly behaving app from all the connections and impacting other apps. No value or a value of 0 sets no limit.
To choose a value for this field, review the peak concurrent connections received by instances of the most popular apps in your deployment. You can determine the number of concurrent connections for an app from the httpStartStop event metrics emitted for each app request.
If your deployment uses App Metrics, you can also obtain this peak concurrent connection information from Network Metrics in Monitoring and Troubleshooting Apps with App Metrics. The default value is 500.
Under Keep-alive connections for the Gorouter, select Enable or Disable. Keep-alive connections are enabled by default. For more information, see Keep-Alive Connections in HTTP Routing.
(Optional) To accommodate larger uploads over connections with high latency, increase the number of seconds in the Back end request timeout and idle timeout for the Gorouter field.
(Optional) Use the Front end idle timeout for the Gorouter field to help prevent connections from your load balancer to the Gorouter from being closed prematurely. The value you enter sets the duration, in seconds, that the Gorouter maintains an idle open connection from a load balancer that supports keep-alive connections.
Set the value higher than the back end idle timeout for your load balancer to avoid the race condition where the load balancer sends a request before it discovers that the Gorouter has closed the connection. See the table below for specific guidance and exceptions to this rule:
| IaaS | Guidance |
|---|---|
| AWS | AWS ELB has a default timeout of 60 seconds, so VMware recommends a value greater than 60. |
| Azure | By default, Azure load balancer times out at 240 seconds without sending a TCP RST to clients, so VMware recommends a value lower than 240 to force the load balancer to send the TCP RST. |
| GCP | GCP has a default timeout of 600 seconds. For GCP HTTP load balancers, VMware recommends a value greater than 600. For GCP TCP load balancers, VMware recommends a value less than 600 to force the load balancer to send a TCP RST. |
| Other | Set the timeout value to be greater than that of the load balancer's back end idle timeout. |
Note: Do not set a front end idle timeout lower than six seconds.
900. (Optional) Increase the value of Load balancer unhealthy threshold to specify the amount of time, in seconds, that the Gorouter continues to accept connections before shutting down. During this period, health checks may report the Gorouter as unhealthy, which causes load balancers to failover to other Gorouters. Set this value to an amount greater than or equal to the maximum time it takes your load balancer to consider a Gorouter instance unhealthy, given repeated failed health checks.
(Optional) Modify the value of Load balancer healthy threshold. This field specifies the amount of time, in seconds, to wait until declaring the Gorouter instance started. This allows an external load balancer time to register the Gorouter instance as healthy.
(Optional) If app developers in your organization want certain HTTP headers on HTTP Requests to appear in their app logs with information from the Gorouter, specify them in the HTTP headers to log field with a comma-separated list. For example, to support app developers that deploy Spring apps to TAS for VMs, you can enter Spring-specific HTTP headers.
(Optional) If app developers in your organization want certain HTTP headers on HTTP Requests to appear in their app logs with information from the Gorouter, specify them in the HTTP headers to log field with a comma-separated list. For example, to support app developers that deploy Spring apps to TAS for VMs, you can enter Spring-specific HTTP headers.
The Max request header size in kb property allows TAS for VMs to prevent denial-of-service attacks from requests with large headers. This value is the max size for all of a request’s headers combined, including a request’s header keys, header values, and all values in the request line. A request whose headers exceed this value will receive a 431 status code. It is recommended to set this to 48kb, however, up to 1024kb is allowed for backwards compatibility. The value of this property must be between 1 and 1024. This property does not limit the size of the request body.
443 if left blank. For AWS environments that are not using an Application Load Balancer, enter 4443. Caution: The NSX-T integration only works for fresh installs of TAS for VMs. If your TAS for VMs tile is already deployed and running with Silk as its CNI, you cannot change the CNI plugin to NSX-T.
(Optional) For App network maximum transmission unit, enter an MTU value in bytes. The default value is 1454. Some configurations may require a smaller MTU value. For example, networks that use GRE tunnels may require a smaller MTU.
For Azure environments, VMware recommends entering 1400 or lower to prevent Azure from fragmenting the packets. For more information, see TCP/IP performance tuning for Azure VMs.
10.255.0.0/16. The overlay network IP range you configure must not conflict with any other IP addresses in your network. Caution: Editing this property may cause container-to-container (C2C) networking downtime and security implications the next time you re-deploy TAS for VMs.
For Overlay subnet size per Cell, enter in bits the length of the prefix for subnets allocated per Diego Cell. For example, for a /24 subnet, enter 24. The default value is 24. The minimum value you can configure is 2. The maximum value you can configure is 30. Configuring a smaller subnet allows more Diego Cells per TAS for VMs deployment, but fewer apps per Diego Cell. Conversely, configuring a larger subnet allows more apps per Diego Cell, but fewer Diego Cells per TAS for VMs deployment. The values that you configure in the Overlay subnet and Overlay subnet size per Cell fields determine the exact number of Diego Cells allowed per TAS for VMs deployment and apps allowed per Diego Cell.
Caution: Editing this property may cause C2C networking downtime and security implications the next time you re-deploy TAS for VMs.
1. For more information, see Policies in Container-to-Container Networking and Restricting App Access to Internal TAS for VMs Components.100.Caution: Deactivating this feature allows all app containers to access any other app container with no restrictions.
For Database connection timeout, set the connection timeout for clients of the policy server and Silk databases, in seconds. The default value is 120. You may need to increase this value if your deployment experiences timeout issues related to container-to-container networking.
TCP routing is deactivated by default. You should enable this feature if your DNS sends TCP traffic through a load balancer rather than directly to a TCP router. To enable TCP routing:
Note: If you have mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter. This deactivates TCP routing.
Note: If you configured AWS for Ops Manager manually, enter 1024-1123 which corresponds to the rules you created for pcf-tcp-elb.
| IaaS | Instructions |
|---|---|
| GCP | Specify the name of a GCP TCP load balancer in the LOAD BALANCER field of the TCP Router job in the Resource Config pane. You configure this later on in TAS for VMs. For more information, see Configure Resources. |
| AWS | Specify the name of a TCP ELB in the LOAD BALANCER field of the TCP Router job in the Resource Config pane. You configure this later on in TAS for VMs. For more information, see Configure Resources. |
| Azure | Specify the name of a Azure load balancer in the LOAD BALANCER field of the TCP Router job in the Resource Config pane. You configure this later on in TAS for VMs. For more information, see Configure Resources. |
| OpenStack and vSphere |
|
JSESSIONID. Some apps require a different cookie name. For example, Spring WebFlux requires SESSION for the cookie name. Gorouter uses these cookies to support session affinity, or sticky sessions. For more information, see Session Affinity in HTTP Routing. In the App Containers pane, you enable microservice frameworks, private Docker registries, and other services that support your apps at the container level.
To configure the App Containers pane:
Select App Containers.
The Enable custom buildpacks check box governs the ability to pass a custom buildpack URL to the -b option of the cf push command. By default, this ability is enabled, letting developers use custom buildpacks when deploying apps. Deactivate this option by deselecting the check box. For more information about custom buildpacks, see Buildpacks.
The Allow SSH access to app containers check box controls SSH access to app instances. Select the check box to permit SSH access across your deployment, and deselect it to prevent all SSH access. For more information about SSH access permissions at the space and app scope, see App SSH Overview.
Note: Ensure that your load balancer has port 2222 open to enable SSH traffic.
You can give SSH access to an app only if an admin assigns you a Space Developer role in the space where the app runs. For more information, see Manage App Space Roles in Managing User Roles with Apps Manager.
To enable SSH access for new apps by default in spaces that allow SSH, select the Enable SSH when an app is created check box. If you deselect this check box, developers can still enable SSH after pushing their apps by running cf enable-ssh APP-NAME.
(Optional) To give apps that generally stay within their CPU entitlements priority access to extra CPU during CPU bursts, activate the Enable CPU Burst Optimization check box. This check box is activated by default. When this check box is activated, apps that generally stay within their CPU entitlements have higher-priority access to extra CPU than apps that generally exceed their CPU entitlements. When this check box is deactivated, all apps have equal access to extra CPU during CPU bursts. Whether you activate or deactivate this check box, all apps are always guaranteed the amount of CPU that is within their CPU entitlements.
Choose how the Gorouter verifies app identity to enable encryption and prevent misrouting under Gorouter app identity verification:
Note: This feature does not work if the Disable SSL certificate verification for this environment check box is enabled in the Networking pane.
For more information, see Preventing Misrouting in HTTP Routing.
You can configure TAS for VMs to run app instances in Docker containers by providing a comma-separated list of their IP address ranges in the Private Docker insecure registry allow list field. For more information, see Using Docker Registries.
Select your preference for Docker images disk cleanup scheduling on Diego Cell VMs. If you choose Clean up disk space once usage fills disk, enter a value in MB for Reserved disk space for other jobs. This is the amount of space the garbage collection algorithm should keep free for other jobs. For more information about the configuration options and how to configure a reserved amount, see Configuring Diego Cell Disk Cleanup Scheduling.
The Enable containerd delegation check box governs whether or not Garden delegates container create and destroy operations to the containerd tool. By default, this option is enabled and Garden uses containerd. Deactivate this option by deselecting the check box. For more information about the containerd tool, see containerd.
Enter a number in the Max-in-flight container starts field. This number configures the maximum number of started instances across the Diego Cells in your deployment. Entering 0 sets no limit. For more information, see Set a Maximum Number of Started Containers in Configuring TAS for VMs for Upgrades.
Under NFSv3 volume services, select Enable or Disable. NFS volume services allow app developers to bind existing NFS volumes to their apps for shared file access. For more information, see Enabling Volume Services.
Note: In a fresh install, NFSv3 volume services is enabled by default. In an upgrade, NFSv3 volume services is set to the same setting as it was in the previous deployment.
(Optional) To configure LDAP for NFSv3 volume services:
cloud.example.com typically uses the following LDAP user search base: ou=Users,dc=example,dc=com.Note: UAA can only parse one certificate entered into this field. If you enter multiple certificates, UAA only uses the first one you entered and ignores the rest. You only need to include one root certificate or self-signed certificate.
(Optional) To enable SMB volume services, select the Enable SMB volume services check box. Enabling SMB volume services allows developers to bind existing SMB shares to their apps. For more information, see Enabling Volume Services.
Note: If you enable SMB volume services, you must set the SMB Broker Errand to On in the Errands pane.
(Optional) Modify the Default health check timeout. The value configured for this field is the amount of time allowed between starting up an app and the first healthy response from the app. If the health check does not receive a healthy response within the configured timeout, then the app is declared unhealthy. The default timeout is 60 seconds and the maximum configurable timeout is 600 seconds.
Caution: If you decrease the default health check timeout value below its current value, existing apps with startup times greater than the new value may fail to start up.
(Optional) To limit the number of log lines an app instance can generate per second, select Enable under App log rate limit (deprecated) and enter an integer for Maximum app log lines per second. At minimum, VMware recommends using the default limit of 100. This feature is deactivated by default. For more information, see App Log Rate Limiting.
Note: This method of limiting log output from applications is deprecated. VMware recommends using the log rate limiting quota feature which provides more granular control over application log output.
Click Save.
In the App Developer Controls pane, you configure restrictions and default settings for your apps.
To configure the App Developer Controls pane:
Select App Developer Controls.
Enter the Maximum file upload size in MB. This is the maximum size of an app upload, including the buildpack.
Enter the Maximum package size in MB. This is the maximum total size of an app’s files.
Enter the Default app memory in MB. This is the default amount of memory allocated to a newly-pushed app if no value is specified when pushing the app.
Enter the Default app memory quota per org in MB. This is the default memory limit for all apps in an org. The specified limit only applies to the first installation of TAS for VMs. After the initial installation, operators can use the cf CLI to change the default value.
For Maximum disk quota per app in MB, enter in MB the maximum amount of disk allowed per app.
Note: If you allow developers to push large apps, TAS for VMs might have trouble placing them on Diego Cells. Additionally, in the event of a system upgrade or an outage that causes a rolling deploy, larger apps might not successfully redeploy if there is insufficient disk capacity. Monitor your deployment to ensure that your Diego Cells have sufficient disk to run your apps.
Enter the Default disk quota per app in MB. This is the amount of disk allocated by default to a newly-pushed app if no value is specified when pushing the app.
Enter the Default log rate limit per app in bytes per second. This is the number of logs that a newly-pushed app is allowed to send to Loggregator if no value is specified when pushing the app. To deactivate this feature and allow app instances to send an unlimited number of logs to Loggregator, enter -1. App log rate limiting is deactivated by default. VMware recommends activating this feature to prevent app instances from overloading the Loggregator Agent with logs, so the Loggregator Agent does not drop logs for other app instances on the same Diego Cell.
Enter the Default service instance quota per org. The specified limit only applies to the first installation of TAS for VMs. After the initial installation, operators can use the cf CLI to change the default value.
Enter the Staging timeout in seconds. When you stage an app droplet with the Cloud Controller, the server times out after the number of seconds you specify in this field.
For Internal domains, enter one or more domains that apps use for internal DNS service discovery. If you specify a domain using cf push -d, other TAS for VMs apps can reach the pushed app at APP-NAME.INTERNAL-DOMAIN. This value defaults to apps.internal.
Enable the Allow space developers to manage network policies check box to permit developers to manage their own network policies for their apps.
Click Save.
Setting appropriate ASGs is critical for a secure deployment. To acknowledge that you are responsible for setting the appropriate ASGs after the TAS for VMs deployment completes:
X.For more information about ASGs, see App Security Groups. For more information about setting ASGs, see Restricting App Access to Internal TAS for VMs Components.
In the Authentication and Enterprise SSO pane, you configure your user store access.
To configure the Authentication and Enterprise SSO pane:
Select Authentication and Enterprise SSO.
To authenticate user sign-ons, your deployment can use one of three types of user database: the UAA server’s internal user store, an external SAML identity provider, or an external LDAP server.
Click Save.
In the UAA pane, you configure the User Account and Authentication server.
To configure the UAA pane:
Select UAA.
Under UAA database location, select one of these options:
Caution: Protect whichever database you use in your deployment with a password.
Note: For GCP installations, VMware recommends using an external database on Google Cloud SQL.
(Optional) If you selected Other external database, complete these fields as follows. Each field includes additional guidance for specific IaaSes and installation methods.
Note: The CA certificate field only works if your external database hostname matches a name specified in the certificate. This is not true with GCP CloudSQL.
(Optional) Under JWT issuer URI, enter the URI that UAA uses as the issuer when generating tokens.
Under SAML service provider credentials, enter a certificate and private key to be used by UAA as a SAML service provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a certificate. The domain *.login.SYSTEM-DOMAIN must be associated with the certificate, where SYSTEM-DOMAIN is the System domain you configured in the Domains pane.
Note: The Ops Manager Single Sign-On Service and Ops Manager Spring Cloud Services tiles require the *.login.SYSTEM-DOMAIN.
If the private key specified under SAML service provider credentials is password-protected, enter the password under SAML service provider key password.
(Optional) To override the default value, enter a custom SAML Entity ID in the SAML Entity ID override field. By default, the SAML Entity ID is http://login.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the System domain you configured in the Domains pane.
For Signature algorithm, choose an algorithm from the dropdown to use for signed requests and assertions. The default value is SHA256.
(Optional) In the Apps Manager access token lifetime, Cloud Foundry CLI access token lifetime, and Cloud Foundry CLI refresh token lifetime fields, change the lifetimes of tokens granted for Apps Manager and cf CLI login access and refresh. Most deployments use the defaults.
(Optional) In the Global login session maximum timeout and Global login session idle timeout fields, change the maximum number of seconds before a global login times out. These fields apply to:
(Optional) Customize the text prompts used for username and password from the cf CLI and Apps Manager login popup by entering values for Username label and Password label.
(Optional) The Proxy IPs regular expression field contains a pipe-separated set of regular expressions that UAA considers to be reverse proxy IP addresses. UAA respects the x-forwarded-for and x-forwarded-proto headers coming from IP addresses that match these regular expressions. To configure UAA to respond properly to Gorouter or HAProxy requests coming from a public IP address, append a regular expression or regular expressions to match the public IP address.
(Optional) Deactivate the Client basic auth compatibility mode checkbox to require URL encoding for UAA client basic authentication credentials. By default, the checkbox is enabled and URL encoding is not required. This represents the default behavior of UAA prior to UAA v74.0.0. URL encoding is defined by RFC6749. For more information, see RFC6749.
Note: To require URL encoding for certain UAA clients without deactivating compatibility mode, use the X-CF-ENCODED-CREDENTIALS=true HTTP header.
Caution: If you deactivate the Client basic auth compatibility mode checkbox, URL encoding is required for all UAA client apps in your deployment. To avoid breaking changes, ensure that all client apps support URL encoding before you deactivate the checkbox.
(Optional) If you are using Single Sign-On for VMware Tanzu Application Service and you want to honor the CORS policy for custom identity zones, clear the Enforce system zone CORS policy across all identity zones checkbox. This checkbox is enabled by default. If you use Single Sign-On, UAA creates custom identity zones. If you leave this checkbox selected, UAA ignores the CORS policy for custom identity zones and applies the system default identity zone CORS policy to all zones.
Caution: If you clear the Enforce system zone CORS policy across all identity zones checkbox, apps that are integrated with Single Sign-On might experience downtime because the default CORS policy of the custom identity zones is more restrictive. To prevent downtime, you must explicitly set the CORS policy of the custom identity zones according to the needs of your apps. For more information, see the Managing Service Plan Configurations in the Single Sign-On documentation.
Click Save.
In the CredHub pane, you configure the CredHub server.
To configure the CredHub pane:
Select CredHub.
Under CredHub database location, select the location of your CredHub database. TAS for VMs includes this CredHub database for services to store their service instance credentials.
3306.rds_addressrds_portrds_usernamerds_password(Optional) Under KMS plugin providers, specify one or more Key Management Service (KMS) providers:
Under Internal encryption provider keys, specify one or more keys to use for encrypting and decrypting the values stored in the CredHub database.
Note: For information about using additional keys for key rotation, see Rotating Runtime CredHub Encryption Keys.
(Optional) To configure CredHub to use an HSM, configure these fields:
1792.If your deployment uses any Ops Manager services that support storing service instance credentials in CredHub and you want to enable this feature, enable the Secure service instance credentials check box. For more information about using CredHub for securing service instance credentials, see Securing Service Instance Credentials with Runtime CredHub.
Click Save.
Go to the Resource Config pane.
Under the Job column of the CredHub row, ensure that the number of instances is set to 2. This is the minimum instance count required for high availability.
To configure UAA so it recognizes a proxy, complete the following fields:
http_proxy for all http requests across VMs.https_proxy for all http requests across VMsClick Save.
In the Databases pane, you can configure TAS for VMs to use an internal MySQL database provided with Ops Manager, or you can configure an external database provider for the databases required by TAS for VMs.
Note: If you are performing an upgrade, do not modify your existing internal database configuration, or you might lose data. You must migrate your existing data first before changing the configuration. For additional upgrade information, see Upgrading Ops Manager.
Note: For GCP installations, VMware recommends selecting External and using Google Cloud SQL. Only use internal MySQL for non-production or test installations on GCP.
To configure internal databases for your deployment:
Under System databases location, select Internal databases - MySQL - Percona XtraDB Cluster.
Click Save.
To configure high availability for your internal MySQL databases, see Configure Internal MySQL.
To configure external databases for your deployment:
Ensure that you have a database instance with the following databases created. The steps vary depending on your database type. For an example procedure, see Creating Databases for TAS for VMs.
accountapp_usage_serviceautoscaleccdbcredhubdiegolocketnetworkpolicyservernfsvolumenotificationsroutingsilkuaaIn the TAS for VMs tile, select Databases.
Under System databases location, select External databases.
Note: If you configure external databases, you cannot configure an internal database in the UAA pane.
For Hostname, enter the hostname of the database server.
The Enable hostname validation check box is selected by default. When Enable hostname validation is selected and you enable TLS for your external databases, TAS for VMs verifies the hostname of the external database for communication between TAS for VMs and the external database.
Caution: If your deployment uses a GCP or Azure external database for TAS for VMs that is TLS-enabled, you must deselect the Enable hostname validation check box. For more information, see Deactivate Hostname Validation for External Databases on GCP and Azure in Upgrade Preparation Checklist for Ops Manager 3.0.
Note: The Enable hostname validation checkbox does not affect communcation between TAS for VMs components and external CredHub databases. To activate or deactivate hostname validation for the CredHub external database, see Configure CredHub.
For TCP port, enter the port of the database server.
3306.Each component that requires a relational database has two corresponding fields: one for the database username and one for the database password. For each set of fields, specify a unique username that can access this specific database on the database server and a password for the provided username.
Note: Ensure that the networkpolicyserver database user has the ALL PRIVILEGES permission.
Note: If you are configuring an external database on GCP or Azure and want to use this database for CredHub, ignore the CredHub database username and CredHub database password fields. Enter the credentials in the CredHub configuration pane instead.
(Optional) To enable TLS for your external databases, paste your CA certificate in the Database CA certificate field.
Note: TLS is not currently supported for databases that do not include a matching hostname in their server certificate, such as Azure and GCP, unless you deactivate hostname verification in TAS for VMs. You can deactivate hostname verification for external GCP and Azure databases by deselecting the Enable hostname validation checkbox described above and selecting the Disable hostname verification checkbox in the CredHub pane. For more information, see Connection Options for External Applications in the GCP documentation. To configure the Disable hostname verification checkbox, see Configure CredHub.
Click Save.
In the Internal MySQL pane, you configure the internal MySQL clusters for TAS for VMs. Only configure this section if you selected Internal databases - MySQL - Percona XtraDB Cluster in the Databases pane.
To configure the Internal MySQL pane:
Select Internal MySQL.
In the Replication canary time period field, specify how frequently the canary checks for replication failure. Leave the default of 30 seconds or modify the value based on the needs of your deployment. Lower numbers cause the canary to run more frequently, which means that the canary reacts more quickly to replication failure but adds load to the database.
In the Replication canary read delay field, specify how long the canary waits, in seconds, before verifying that data is replicating across each MySQL node. Leave the default of 20 seconds or modify the value based on the needs of your deployment. Clusters under heavy load can experience a small replication lag as write-sets are committed across the nodes.
In the Email address field, enter the email address where the MySQL service sends alerts when the cluster experiences a replication issue or when a node is not allowed to auto-rejoin the cluster.
The Allow command history checkbox is enabled by default. To prohibit the creation of command line history files on the MySQL nodes, deselect this checkbox.
To allow admin and read-only admin users to connect from any remote host, enable the Allow remote admin access checkbox. When the checkbox is deselected, admins must bosh ssh into each MySQL VM to connect as the MySQL super user.
Note: Network configuration and ASG restrictions may still limit a client's ability to establish a connection with the databases.
In the Cluster probe timeout field, enter the maximum amount of time, in seconds, that a new node searches for existing cluster nodes. If left blank, the default value is 10 seconds.
In the Maximum connections field, enter the maximum number of connections allowed to the database. The default value is 3500.
To log audit events for internal MySQL, select Enable under Server activity logging.
connect and query, which tracks who connects to the system and what queries are processed. For more information about which events the Percona MySQL server can log, see Audit Log Plugin in the Percona documentation.Note: Internal MySQL audit logs are not forwarded to the syslog server because they can contain personally identifying information (PII) and secrets.
You can use the download-logs script to retrieve the logs, which each MySQL cluster node VM stores in /var/vcap/store/mysql_audit_logs/. For more information, see Script to download MySQL logs for TAS for VMs or Tile HA Clusters in the VMware Tanzu Knowledge Base.
In the Load balancer healthy threshold field, enter the amount of time, in seconds, to wait until reporting that the MySQL Proxy instance has started. This allows an external load balancer time to register the instance as healthy. The default value is 0 seconds.
In the Load balancer unhealthy threshold field, enter the amount of time, in seconds, that the MySQL Proxy continues to accept connections before shutting down. During this period, the health check reports the MySQL Proxy instance as unhealthy to cause load balancers to fail over to other proxies. You must enter a value greater than or equal to the maximum time it takes your load balancer to consider a proxy instance unhealthy, given repeated failed health checks. The default value is 30 seconds.
To enable MySQL Proxy to listen on port 3336, select the Enable inactive MySQL port checkbox. When you run MySQL in high availability mode, this feature allows you to connect to a MySQL node that is not currently serving traffic so that you can run auditing and reporting queries without affecting performance.
Click Save.
For more information about how to monitor the node health of your MySQL Proxy instances, see Using the MySQL Proxy.
In File Storage, you determine where you want to place the file storage for your Cloud Controller.
To configure the File Storage pane:
Select File Storage.
To set the maximum number of recent valid packages that your app can store, not including the package for the current droplet, enter a value in the Maximum valid packages per app field. VMware recommends leaving the default value of 2. However, you can lower the value if you have strict storage requirements and want to use less disk space.
To set the maximum number of recent valid droplets that your app can store, not including the package for the current droplet, enter a value in the Maximum staged droplets per app field. VMware recommends leaving the default value of 2. However, you can lower the value if you have strict storage requirements and want to use less disk space.
Under File storage backup level, select what you want to back up from your blobstores:
For more information about the advantages and disadvantages of excluding droplets and packages, see File Storage Backup Level.
For Cloud Controller filesystem, see Configuring File Storage for TAS for VMs.
In the System Logging pane, you can configure system logging in TAS for VMs to forward log messages from TAS for VMs component VMs to an external service. VMware recommends forwarding logs to an external service for use in troubleshooting. If you do not fill these fields, platform logs are not forwarded but remain available on the component VMs and for download through Ops Manager.
Note: This procedure explains how to configure system logging for TAS for VMs component VMs. To forward logs from Ops Manager tiles to an external service, you must also configure system logging in each tile. For more information about configuring system logging, see the documentation for the given tiles.
To configure the System Logging pane:
Select System Logging.
For Address, enter the hostname or IP address of the syslog server.
For Port, enter the port of the syslog server. The default port for a syslog server is 514.
Note: The host must be reachable from the TAS for VMs network and accept UDP or TCP connections. Ensure the syslog server listens on external interfaces.
For Transport protocol, select a transport protocol for log forwarding.
For Encrypt syslog using TLS?, select Yes to use TLS encryption when forwarding logs to a remote server.
Select the Enable Cloud Controller security event logging checkbox to include security events in the log stream. This feature logs all API requests, including the endpoint, user, source IP address, and request result, in the Common Event Format (CEF).
Enable the Use TCP for file forwarding local transport checkbox to transmit logs over TCP. This prevents log truncation, but may cause performance issues.
The Do not forward debug logs checkbox is enabled by default. To forward DEBUG syslog messages to an external service, deactivate the checkbox.
Note: Some TAS for VMs components generate a high volume of DEBUG syslog messages. Enabling the Do not forward debug logs checkbox prevents TAS for VMs components from forwarding the DEBUG syslog messages to external services. However, TAS for VMs still writes the messages to the local disk.
For Custom rsyslog configuration, enter a custom syslog rule. For more information about adding custom syslog rules, see Customizing Platform Log Forwarding.
For Timestamp format for component logs, select one of the following:
Breaking Change: If you change the timestamp format for logs, you might need to update any external monitoring configuration. For more information, see Timestamp Format for Component Logs Replaces Timestamp Format for Diego Logs in TAS for VMs Breaking Changes.
Configure how TAS for VMs emits app logs and app metrics for ingestion in your deployment. The options include:
| Option: | Configuration Procedure: |
|---|---|
| Use existing Firehose app log and metrics integrations |
|
| Preserve existing Firehose integrations for app metrics, but use an alternate method for app log ingestion |
Caution: Do not use this option if your deployment depends on partner log integrations.
|
| Deactivate all Firehose integrations and use alternate methods for both app log and app metric ingestion |
Caution: Do not use this option if your deployment depends on any of these:
|
Field Descriptions:
The following table provides more details on field values:
| Field Name | Description |
|---|---|
| Enable V1 Firehose | Enabled by default. When enabled, app logs and app metrics flow to the Loggregator V1 Firehose. |
| Enable V2 Firehose | Enabled by default. When enabled, app logs and app metrics flow to the Loggregator V2 Firehose. If you deselect the checkbox To deactivate the V2 Firehose, you must also deactivate the V1 Firehose. |
| Enable Log Cache syslog ingestion | Enabled by default. When enabled, syslog agents send app logs and app metrics to Log Cache and Log Cache ingests app logs and app metrics using syslog. |
| Default loggregator drain metadata | Enabled by default. When enabled, TAS for VMs sends all metadata in app and aggregate syslog drains. Deactivating this option can reduce logging to external databases by up to 50 percent. |
| Disable logs in Firehose | Deselected by default. Prevents the Firehose from emitting app logs but still allows the Firehose to emit app metrics. Deactivating logs in Firehose helps reduce the load on TAS for VMs by allowing you to scale down Doppler and Traffic Controller VMs. |
| Aggregate log and metric drain destinations | Aggregate drains forward all app logs on your foundation to the endpoints that you provide in this field. Enter a comma-separated list of syslog endpoints for aggregate log drains. Specify the endpoints in the format: syslog://HOSTNAME:PORT. To use TLS for sending logs, specify syslog-tls://HOSTNAME:PORT or https://HOSTNAME:PORT. In TAS for VMs v2.10, aggregate drains no longer forward metrics by default. You can choose to forward app metrics and TAS for VMs component VM metrics by adding ?include-metrics-deprecated=true to the endpoints. For example, syslog://myhost:514?include-metrics-deprecated=true. |
To send BOSH system metrics to your logging endpoint more or less frequently, change the value for System metrics scrape interval. The default value is 1m, which sends BOSH system metrics to your logging endpoint once per minute. To send metrics more or less frequently, change the value. For example, enter 2m to send metrics every two minutes or 10s to send metrics every ten seconds. The minimum recommended value is five seconds.
Click Save.
To configure Ops Manager for system logging, see Settings Page in Using the Ops Manager Interface.
In the Custom Branding pane, you can customize the appearance of the TAS for VMs login portal and Apps Manager. In the Apps Manager pane, you can configure the functionality of Apps Manager, as well as how it displays the pages for your apps in the Marketplace.
To configure the Custom Branding and Apps Manager panes:
Select Custom Branding.
Configure the fields in the Custom Branding pane. For more information about the Custom Branding configuration settings, see Custom-Branding Apps Manager.
Click Save.
Select Apps Manager.
Select the Enable invitations checkbox to enable invitations in Apps Manager. Space Managers can invite new users for a given space, Org Managers can invite new users for a given org, and Admins can invite new users across all orgs and spaces. For more information, see Invite New Users in Managing User Roles with Apps Manager.
Enable the Display Marketplace service plan prices checkbox to display the prices for your services plans in the Marketplace.
Under Configure how developers access documentation, tools and pluggins when unable to connect to the internet, select the Enable access to offline tools checkbox to allow users to download documentation and cf CLI packages in air-gapped environments. When this option is enabled, the cf CLI installer is included in the Apps Manager BOSH release and updates each time you apply changes in Ops Manager.
Under Choose which CF CLI packages to include, select either CF CLI V7 or CF CLI V8.
Enter the Supported currencies as JSON to appear in the Marketplace. Use the format { "CURRENCY-CODE": "SYMBOL" }. This defaults to { "usd": "$", "eur": "€" }.
Enter a Product name and Marketplace name to configure page names.
Enter a Marketplace URL to point the Marketplace link in Apps Manager to your own marketplace.
In Secondary navigation links, enter link text and URLs to configure secondary navigation links in the Apps Manager and Marketplace pages. You may configure up to 10 links in the Apps Manager secondary navigation.
(Optional) In Apps Manager buildpack, enter the name of the buildpack you want to use to deploy the Apps Manager app. This buildpack must be for static content. If you do not specify a buildpack, TAS for VMs uses the detection process to determine a single buildpack to use. For more information about the detection process, see Buildpack Detection in How Buildpacks Work.
(Optional) In Search Server buildpack, enter the name of the buildpack you want to use to deploy the Search Server app. This must be a node-based buildpack. If you do not specify a buildpack, TAS for VMs uses the detection process to determine a single buildpack to use. For more information about the detection process, see Buildpack Detection in How Buildpacks Work.
(Optional) In Invitations buildpack, enter the name of the buildpack you want to use to deploy the Invitations app. This must be a node-based buildpack. If you do not specify a buildpack, TAS for VMs uses the detection process to determine a single buildpack to use. For more information about the detection process, see Buildpack Detection in How Buildpacks Work.
The Apps Manager memory usage field sets the memory limit with which to deploy the Apps Manager app. Use this field to increase the memory limit if the app fails to start with an out of memory error. Enter the value in MB. To use the default value of 128 MB, leave this field blank.
The Search Server memory usage field sets the memory limit with which to deploy the Search Server app. Use this field to increase the memory limit if the app fails to start with an out of memory error. Enter the value in MB. To use the default value of 256 MB, leave this field blank.
The Invitations memory usage field sets the memory limit with which to deploy the Invitations app. Use this field to increase the memory limit if the app fails to start with an out of memory error. Enter the value in MB. To use the default value of 256 MB, leave this field blank.
The Apps Manager polling interval field provides a temporary fix if Apps Manager usage degrades Cloud Controller response times. In this case, you can use this field to reduce the load on the Cloud Controller and ensure Apps Manager remains available while you troubleshoot the Cloud Controller. VMware recommends that you do not keep this field modified as a long-term fix because it can degrade Apps Manager performance. Optionally, you can:
Note: If you enter a value between 0 and 30, the field is automatically set to 30.
0. This stops Apps Manager from refreshing data automatically, but users can update displayed data by reloading Apps Manager manually.The App details polling interval field provides an additional way to reduce the load on the Cloud Controller when the Apps Manager polling interval field is not sufficient. This field controls the rate at which Apps Manager polls for data when a user views the Overview page of an app. VMware recommends that you do not keep this field modified as a long-term fix because it can degrade Apps Manager performance. Optionally, you can:
Note: If you enter a value between 0 and 30, the field is automatically set to 10.
0. This stops Apps Manager from refreshing data automatically, but users can update displayed data by reloading Apps Manager manually.To enable multi-foundation support for Apps Manager, enter a JSON object containing all the foundations you want Apps Manager to manage in Multi-foundation configuration (beta). Enabling multi-foundation support allows you to manage orgs, spaces, apps, and service instances from multiple TAS for VMs foundations from a single Apps Manager interface. For more information, see Configuring Multi-Foundation Support in Apps Manager.
For Redirect URIs, enter a comma-separated list of the URI for each additional foundation on which you enabled multi-foundation support.
Click Save.
In the Email Notifications pane, you can enable end-user self-registration. TAS for VMs uses SMTP to send invitations and confirmations to Apps Manager users. If you do not need this service, leave this pane blank and deactivate the Notifications and Notifications UI errands in the Errands pane.
To configure the Email Notifications pane:
Select Email Notifications.
For From email, enter the email address from which email notifications are sent.
For SMTP server address, enter the SMTP address of the server that sends emails.
For SMTP server port, enter the port of the SMTP server that sends email notifications.
Note: For GCP, you must use port 2525. Ports 25 and 587 are not allowed on GCP Compute Engine.
For SMTP server credentials, enter the username and password for the SMTP server that sends email notifications.
Enable the SMTP enable automatic STARTTLS checkbox if you want your SMTP server to automatically create a secure TLS connection when sending emails.
Verify your authentication requirements with your email admin and use the SMTP authentication mechanism dropdown to select None, Plain, or CRAMMD5. If you have no SMTP authentication requirements, select None.
If you selected CRAMMD5 as your authentication mechanism, enter a secret in the SMTP CRAMMD5 secret field.
Click Save.
Note: If you do not configure the SMTP settings using this form, the admin must create orgs and users using the cf CLI. For more information, see Creating and Managing Users with the cf CLI.
In the App Autoscaler pane, you configure the App Autoscaler service. To use App Autoscaler, you must create an instance of the service and bind it to an app. To create an instance of App Autoscaler and bind it to an app, see Set Up App Autoscaler in Scaling an App Using App Autoscaler.
To configure the App Autoscaler pane:
Select App Autoscaler.
For Autoscaler instance count, enter the number of instances of the App Autoscaler service you want to deploy. The default value is 3. For high availability, set this number to 3 or higher. Larger environments might require more instances than the default number. We recommend one App Autoscaler instance for every 10 apps using App Autoscaler.
For Autoscaler API instance count, enter the number of instances of the App Autoscaler API you want to deploy. The default value is 1. Larger environments may require more instances than the default number.
For Metric collection interval, enter how many seconds of data collection you want App Autoscaler to evaluate when making scaling decisions. The minimum interval is 60 seconds, and the maximum interval is 3600 seconds. The default value is 120. Increase this number if the metrics you use in your scaling rules are emitted less frequently than the existing metric collection interval.
For Scaling interval, enter in seconds how frequently App Autoscaler evaluates an app for scaling. The minimum interval is 15 seconds, and the maximum interval is 120 seconds. The default value is 35.
To enable verbose logging for App Autoscaler, select the Enable verbose logging checkbox. Verbose logging is deactivated by default. Activate this checkbox to see more detailed logs. Verbose logs show specific reasons why App Autoscaler scaled the app, including information about minimum and maximum instance limits, App Autoscaler’s status. For more information about App Autoscaler logs, see App Autoscaler Events and Notifications in Scaling an App Using App Autoscaler.
If you do not want the Autoscaler API to reuse HTTP connections, select the Disable API connection pooling checkbox. This may be necessary if your front end idle timeout for the Gorouter is set to a low value, such as 1 second. For more information, see Configuring Front End Idle Timeout for Gorouter.
To enable email notifications of Autoscaler events, select the Enable email notifications checkbox. For more information about managing email notifications, see App Autoscaler Events and Notifications in Scaling an App Using App Autoscaler.
Click Save.
In the Cloud Controller pane, you configure the Cloud Controller.
To configure the Cloud Controller pane:
Select Cloud Controller.
Enter your Cloud Controller database encryption key if all of the following are true:
Cloud Foundry API rate limiting prevents API consumers from overwhelming the platform API servers. Limits are imposed on a per-user or per-client basis and reset on an hourly interval.
To deactivate Cloud Foundry API rate limiting, select Disable under Cloud Foundry API rate limiting. To enable Cloud Foundry API rate limiting:
2000.100.(Optional) Enter in seconds your Database connection validation timeout. By default, the setting is 3600 seconds or 60 minutes. You can enter -1 to cause Cloud Controller to make an additional query to the database whenever connections are checked out from the pool. Choosing -1 has performance implications.
(Optional) Enter in seconds your Database read timeout. By default, the setting is 3600 seconds or 60 minutes.
(Optional) Enter in days the Age of audit events pruned from Cloud Controller database.
(Optional) Enter in days the Age of completed tasks pruned from Cloud Controller database.
(Optional) Rotate the Cloud Controller database (CCDB) encryption key using the Encryption key ledger field. For more information, see Rotating the Cloud Controller Database Encryption Key.
Click Save.
In the Smoke Tests pane, you configure the org and space where smoke tests are run. In the org and space you configure in the Smoke Tests pane, the Smoke Tests errand pushes an app to a Ops Manager org to run basic functionality tests against the TAS for VMs tile after an installation or update. In the Errands pane, you can choose whether or not to run the Smoke Tests errand.
To configure the Smoke Tests pane:
Select Smoke Tests.
If you have a shared apps domain, select A temporary space within the system org, which creates a temporary space within the system org for running smoke tests and deletes the space afterwards. Otherwise, select A specified org and space and complete the fields to configure where TAS for VMs pushes an app to run smoke tests:
Click Save.
The Advanced Features pane includes new functionality that may have certain constraints. Although these features are fully supported, VMware recommends caution when using them in production environments.
If your apps do not use the full allocation of disk space and memory set in the Resource Config tab, you might want use this feature. These fields control the amount to overcommit disk and memory resources to each Diego Cell VM.
For example, you might want to use the overcommit if your apps use a small amount of disk and memory capacity compared to the amounts set in the Resource Config settings for Diego Cell.
Note: Due to the risk of app failure and the deployment-specific nature of disk and memory use, VMware has no recommendation for how much, if any, memory or disk space to overcommit.
To enable overcommit:
Select Advanced Features.
Enter in MB the total desired amount of Diego Cell memory in the Diego Cell memory capacity field. See the Diego Cell row in the Resource Config tab for the current Diego Cell memory capacity settings that this field overrides.
Enter in MB the total desired amount of Diego Cell disk capacity in the Diego Cell disk capacity field. See the Diego Cell row in the Resource Config tab for the current Diego Cell disk capacity settings that this field overrides.
Click Save.
Note: Entries made to each of these two fields set the total amount of resources allocated, not the overage.
If your apps require a longer period of time to finish in-flight jobs and gracefully shut down, you can increase the graceful shutdown period. By default, this graceful shutdown period is set to 10 seconds.
When TAS for VMs requests a shutdown of an app, the processes in the container have a period of time to gracefully shut down before the processes are forcefully terminated. For more information, see Shutdown in App Container Lifecycle.
If you significantly increase the value of the graceful shutdown period, platform upgrades and updates might become slower. This is because each Diego Cell uses the graceful shutdown period when it is cleaning up evacuated app instances and waits for each app to gracefully shut down.
VMware recommends using isolation segments to separate apps that have different shutdown requirements to ensure Diego Cell update times are reliable. For more information, see Installing Isolation Segment.
Note: You must ensure that App graceful shutdown period has the same value in all environments that have deployed apps. This is to avoid unexpected behavior.
To increase the app graceful shutdown period:
Select Advanced Features.
Enter an integer in the App graceful shutdown period field. This value is the period of time in seconds the platform should wait for an app instance to exit after it is signaled to gracefully shut down. The default and minimum value is 10.
Click Save.
Some private networks require extra configuration so that internal file storage (WebDAV) can communicate with other TAS for VMs processes.
The Non-RFC-1918 private network allow list field is provided for deployments that use a non-RFC 1918 private network. This is typically a private network other than 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
Most TAS for VMs deployments do not require any modifications to this field.
To add your private network to the allow list:
Select Advanced Features.
Append a new allow rule to the existing contents of the Non-RFC-1918 private network allow list field. Include the word allow, the network CIDR range to allow, and a semi-colon (;) at the end. For example:
allow 172.99.0.0/24;
Click Save.
The CF CLI connection timeout field allows you to override the default five-second timeout of the Cloud Foundry Command Line Interface (cf CLI) used within your TAS for VMs deployment. This timeout affects the cf CLI command used to push TAS for VMs errand apps such as Notifications, Autoscaler, and Apps Manager.
Set the value of this field to a higher value, in seconds, if you are experiencing domain name resolution timeouts when pushing errands in TAS for VMs.
To modify the value of the CF CLI connection timeout:
Select Advanced Features.
Enter a value, in seconds, to the CF CLI connection timeout field.
Click Save.
You can enable TLS for clients of the internal system database. This feature is in beta, and the checkbox is deselected by default. For more information about the internal system database, see Managing Internal Databases.
To enable TLS for clients of the internal system database:
Select Advanced Features.
Select the Enable TLS for internal system database (beta) checkbox.
Click Save.
You can configure the maximum number of concurrent database connections that Diego and container networking components can have.
To configure the maximum number of concurrent database connections:
Select Advanced Features.
Enter a value in each field beginning with Maximum number of open connections… for a given component. The placeholder values for each field are the default values.
Click Save.
When there are not enough connections available, such as during a time of heavy load, components may experience degraded performance and sometimes failure. To resolve or prevent this, you can increase and fine-tune database connection limits for the component.
Caution: Decreasing the value of this field for a component may affect the amount of time it takes for it to respond to requests.
You can deactivate rolling app deployments. For more information, see Rolling App Deployments.
To deactivate rolling app deployments:
Select Advanced Features.
Select the Disable rolling app deployments checkbox.
Click Save.
By default, Log Cache keeps 100,000 envelopes per source. An envelope wraps an event and adds metadata. For sources that produce more than 100,000 envelopes, this default may not provide a long enough duration for you to specify a time period for a historical query.
To set the maximum number of envelopes stored per source above the default:
Select Advanced Features.
Enter the Maximum number of envelopes stored in Log Cache per source.
Click Save.
By default, Usage Service deletes granular data after 365 days.
To configure this retention period:
Select Advanced Features.
Enter the number of days of granular data you want to retain in the Usage service cutoff age field.
Click Save.
To avoid performance or data migration issues, VMware recommends that you do not retain data for longer than 365 days. Configuring this field does not affect monthly summary records.
For more information, see Usage Data Retention in Reporting App, Task, and Service Instance Usage.
Note: The Metric Registrar is bundled with TAS for VMs, and you configure it in the TAS for VMs tile. You do not install and configure Metric Registrar as a separate product tile.
In the Metric Registrar pane, you configure the Metric Registrar. Metric Registrar allows the conversion of structured logs into metrics. It also scrapes metrics endpoints and forwards the metrics to Loggregator. If enabled, VMware recommends also enabling the Metric Registrar Smoke Test errand.
The Metric Registrar is enabled by default.
To deactivate the Metric Registrar:
Select Metric Registrar.
Clear the Enable Metric Registrar checkbox.
Click Save.
The scraping interval defines how often the Metric Registrar polls custom metric endpoints. The default is 35 seconds.
To edit the Metric Registrar scraping interval:
Select Metric Registrar.
Edit the Endpoint scraping interval field.
Click Save.
To prevent the Metric Registrar from consuming the value of a metric or event tag, you can add the tag to the Blocked tags field. For example, if you tag your metrics with a customer_id, you may want to add customer_id to the list of blocked tags.
By default, the following tags are blocked to prevent interference with other products like App Metrics that use and rely on such tags.
deploymentjobindexidTo prevent the Metric Registrar from consuming the value of a metric or event tag:
Select Metric Registrar.
Add the desired tags to the Blocked tags field in a comma-separated list.
Click Save.
Errands are scripts that Ops Manager runs automatically when it installs or uninstalls a product, such as a new version of TAS for VMs. There are two types of errands: post-deploy errands run after the product is installed, and pre-delete errands run before the product in uninstalled.
By default, Ops Manager always runs all errands.
In the Errands pane, you can change these run rules. For each errand, you can select On to run it always or Off to never run it.
For more information about how Ops Manager manages errands, see Managing Errands in Ops Manager.
Note: Several errands, such as App Autoscaler and Notifications, deploy apps that provide services for your deployment. When one of these apps is running, selecting Off for the corresponding errand on a subsequent installation does not stop the app.
Smoke Test Errand verifies that your deployment can:
Caution: If both the V2 and V1 Firehoses are deactivated, then deactivate the Smoke Test Errand. Otherwise, the deploy fails.
Usage Service Errand deploys the Usage Service app, which Apps Manager depends on.
Offline Docs Errand deploys an offline documentation app that can be used in air-gapped environments.
Apps Manager Errand deploys Apps Manager, a dashboard for managing apps, services, orgs, users, and spaces. Until you deploy Apps Manager, you must perform these functions through the cf CLI. After Apps Manager has been deployed, VMware recommends setting this errand to Off for subsequent TAS for VMs deployments. For more information about Apps Manager, see Getting Started with Apps Manager.
Notifications Errand deploys an API for sending email notifications to your TAS for VMs platform users.
Note: The Notifications app requires that you configure SMTP with a username and password, even if you set the value of SMTP Authentication Mechanism to none. To configure SMTP with a username and password, see Configure Email Notifications.
Notifications UI Errand deploys a dashboard for users to manage notification subscriptions.
App Autoscaler Errand pushes the App Autoscaler app, which enables you to configure your apps to automatically scale in response to changes in their usage load. For more information, see Scaling an App Using App Autoscaler.
App Autoscaler Smoke Test Errand runs smoke tests against App Autoscaler.
NFS Broker Errand pushes the NFS Broker app, which supports NFS Volume Services for TAS for VMs. For more information, see Enable NFS Volume Services in Enabling Volume Services.
The Metric Registrar Smoke Test Errand verifies that the Metric Registrar can access custom metrics that an app emits and convert them into Loggregator metrics.
Note: The Metric Registrar Smoke Test errand runs only if the Metric Registrar is deployed. For more information about configuring the Metric Registrar, see Metric Registrar and Custom App Metrics.
SMB Broker Application Errand pushes the SMB Broker app, which supports SMB Volume Services for TAS for VMs. For more information, see Enable SMB Volume Services in Enabling Volume Services.
Rotate CC Database Key translates sensitive data in the Cloud Controller database to the currently specified Primary key. You specify this key in the Encryption key ledger field of the Cloud Controller pane.
In the Resource Config pane, you must associate load balancers with the VMs in your deployment to enable traffic. For more information, see Configure Load Balancing for TAS for VMs.
Note: The Resource Config pane has fewer VMs if you are installing Small Footprint TAS for VMs. For more information, see Getting Started with Small Footprint TAS for VMs.
Note: Small Footprint TAS for VMs does not default to a highly available configuration. It defaults to the minimum configuration. To make Small Footprint TAS for VMs highly available, scale the Compute, Router, and Database VMs to 3 instances and scale the Control VM to 2 instances.
TAS for VMs defaults to a highly available resource configuration. However, you may need to perform additional procedures to make your deployment highly available. For more information, see High Availability in TAS for VMs and Scaling TAS for VMs.
If you do not want a highly available resource configuration, you must scale down your instances manually by navigating to the Resource Config section and using the dropdowns under Instances for each job.
By default, TAS for VMs also uses an internal filestore and internal databases. If you configure TAS for VMs to use external resources, you can deactivate the corresponding system-provided resources in Ops Manager to reduce costs and administrative overhead.
To deactivate specific VMs in Ops Manager:
Select Resource Config.
If you configured TAS for VMs to use an external S3-compatible filestore, enter 0 in Instances in the File Storage field.
If you selected External when configuring the UAA, System, and CredHub databases, edit these fields:
0 in Instances.0 in Instances.0 in Instances.If you deactivated TCP routing, enter 0 Instances in the TCP Router field.
Click Save.
This step is only required if your Ops Manager deployment does not already have the stemcell version TAS for VMs requires. For more information about importing stemcells, see Importing and Managing Stemcells.
To download the stemcell version TAS for VMs requires:
Go to the Stemcell product page on VMware Tanzu Network. You may have to log in.
Download the appropriate stemcell version targeted for your IaaS.
In the Ops Manager Installation Dashboard, navigate to Stemcell Library.
Click Import Stemcell to import the downloaded stemcell .tgz file.
When prompted, enable the Ops Manager product checkbox to stage your stemcell.
Click Apply Stemcell to Products.
To complete your installation of TAS for VMs:
Click the Installation Dashboard link to return to the Ops Manager Installation Dashboard.
Click Review Pending Changes, then Apply Changes. The install process generally takes a minimum of 90 minutes to complete. The Changes Applied window is shown when the installation process completes successfully. Click Close or Return to Installation Dashboard (default selection)
