In the UAA pane, you configure the User Account and Authentication (UAA) server.

To configure the UAA pane:

  1. Click UAA.

  2. Under UAA database location, select one of these options:

    • Tanzu Application Service database: Use the same database server that other TAS for VMs components use. This system database is configured in the Databases pane, and it can be either internal or external.
    • External database: Use a separate, dedicated database server for UAA. For GCP installations, VMware recommends using an external database on Google Cloud SQL.

    Caution Protect whichever database you use in your deployment with a password.

  3. (Optional) If you selected External database, complete these fields as follows.

    • For Hostname, enter the hostname of the database server.
    • For TCP port, enter the port of the database server.
      • AWS Terraform: Enter the value of rds_port in the Terraform output.
      • GCP and GCP Terraform: Enter 3306.
    • For Username, specify a unique user name that can access this database on the database server.
      • AWS Terraform: Enter the value of rds_username from your Terraform output.
      • GCP Terraform: Enter the value of tas_sql_username from your Terraform output.
    • For Password, specify a password for the provided user name.
      • AWS Terraform: Enter the value of rds_password from your Terraform output.
      • GCP Terraform: Enter the value of tas_sql_password from your Terraform output.
    • For CA certificate, enter a certificate to use for encrypting traffic to and from the database.

    Important The CA certificate text box only works if your external database host name matches a name specified in the certificate. This is not true with GCP CloudSQL.

  4. (Optional) Under JWT issuer URI, enter the URI that UAA uses as the issuer when generating tokens.

  5. Under SAML service provider credentials, enter a certificate and private key to be used by UAA as a SAML service provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a certificate. The domain *.login.SYSTEM-DOMAIN must be associated with the certificate, where SYSTEM-DOMAIN is the System domain you configured in the Domains pane.

    Important The Operations Manager Single Sign-On Service and Operations Manager Spring Cloud Services tiles require the *.login.SYSTEM-DOMAIN domain.

  6. If the private key specified under SAML service provider credentials is password-protected, enter the password under Private key password.

  7. (Optional) To override the default value, enter a custom SAML Entity ID in the SAML Entity ID override text box. By default, the SAML Entity ID is http://login.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the System domain you configured in the Domains pane.

  8. For Signature algorithm, choose an algorithm from the drop-down menu to use for signed requests and assertions. The default value is SHA256.

  9. (Optional) In the Apps Manager access token lifetime, Cloud Foundry CLI access token lifetime, and Cloud Foundry CLI refresh token lifetime text boxes, change the lifetimes of tokens granted for Apps Manager and cf CLI login access and refresh. Most deployments use the defaults.

  10. (Optional) In the Global login session maximum timeout and Global login session idle timeout text boxes, change the maximum number of seconds before a global login times out. These text boxes apply to:

    • Default zone sessions: Sessions in Apps Manager, Operations Manager Metrics, and other web UIs that use the UAA default zones.
    • Identity zone sessions: Sessions in apps that use a UAA identity zone, such as an Operations Manager Single Sign-On service plan.

  11. (Optional) Customize the text prompts used for the user name and password from the cf CLI and Apps Manager login pop-up by entering values for Username label and Password label.

  12. (Optional) The Proxy IPs regular expression text box contains a pipe-separated set of regular expressions that UAA considers to be reverse proxy IP addresses. UAA respects the x-forwarded-for and x-forwarded-proto headers only when they arrive from IP addresses that match these regular expressions. To configure UAA to respond properly to Gorouter or HAProxy requests coming from a public IP address, append one or more regular expressions that match the public IP address.

  13. (Optional) Deselect the Client basic auth compatibility mode check box to require URL encoding for UAA client basic authentication credentials. By default, the check box is selected and URL encoding is not required. This represents the default behavior of UAA before UAA v74.0.0. URL encoding of client credentials is defined by RFC 6749. For more information, see RFC 6749. To require URL encoding for certain UAA clients without deactivating compatibility mode, use the X-CF-ENCODED-CREDENTIALS=true HTTP header.

    Caution If you deselect the Client basic auth compatibility mode check box, URL encoding is required for all UAA client apps in your deployment. To avoid breaking changes, ensure that all client apps support URL encoding before you deselect the check box.

  14. (Optional) If you are using Single Sign-On for VMware Tanzu Application Service and you want to honor the CORS policy for custom identity zones, deselect the Enforce system zone CORS policy across all identity zones check box. This check box is selected by default. If you use Single Sign-On, UAA creates custom identity zones. If you leave this check box selected, UAA ignores the CORS policy for custom identity zones and applies the system default identity zone CORS policy to all zones.

    Caution If you deselect the Enforce system zone CORS policy across all identity zones check box, apps that are integrated with Single Sign-On might experience downtime because the default CORS policy of the custom identity zones is more restrictive. To prevent downtime, you must explicitly set the CORS policy of the custom identity zones according to the needs of your apps. For more information, see Managing Service Plan Configurations in the Single Sign-On documentation.

  15. (Optional) To override the default UAA internal user password policies, see Configuring UAA password policy.

  16. Click Save.
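The Proxy IPs regular expression setting described above decides which peers UAA trusts to set x-forwarded-for and x-forwarded-proto. The following Python sketch is an added illustration of that trust decision and is not UAA's own code: it compiles a constructed, pipe-separated setting value as one alternation, and it assumes (as an illustration, not a statement about UAA's implementation) that a branch must match the complete peer address and that the leftmost x-forwarded-for entry is the client. The sample addresses and headers are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample value for the Proxy IPs regular expression text box:
# a Gorouter subnet, one HAProxy host and one public IP (all invented).
# Dots are escaped so that '.' does not match any character.
PROXY_IPS_REGEX = r"10\.0\.1\.\d{1,3}|192\.168\.10\.5|203\.0\.113\.7"


def compile_proxy_ips(value: str) -> re.Pattern:
    """Compile the whole setting as one regex; each '|' branch is one
    address pattern. Assumption for this illustration: a branch must
    match the complete peer address, so a pattern for 10.0.1.5 never
    matches 10.0.1.50."""
    return re.compile(value.strip())


def is_trusted_proxy(remote_addr: str, proxy_ips: re.Pattern) -> bool:
    """True only when the TCP peer address is one of the configured proxies."""
    return proxy_ips.fullmatch(remote_addr) is not None


def _lower_keys(headers: dict) -> dict:
    # HTTP header names are case-insensitive.
    return {k.lower(): v for k, v in headers.items()}


def effective_client_ip(remote_addr: str, headers: dict, proxy_ips: re.Pattern) -> str:
    """Return the address to treat as the client. x-forwarded-for is honored
    only when the peer is a trusted proxy; from anyone else the header is
    ignored, so an untrusted sender cannot spoof its own source address."""
    if not is_trusted_proxy(remote_addr, proxy_ips):
        return remote_addr
    xff = _lower_keys(headers).get("x-forwarded-for", "")
    if not xff:
        return remote_addr
    candidate = xff.split(",")[0].strip()   # assumed: leftmost entry is the client
    try:
        ip_address(candidate)               # reject garbage such as 'not-an-ip'
    except ValueError:
        return remote_addr
    return candidate


def effective_scheme(remote_addr: str, headers: dict, proxy_ips: re.Pattern,
                     actual_scheme: str = "http") -> str:
    """Same rule for x-forwarded-proto: only a trusted proxy may claim
    that the original request was HTTPS."""
    if not is_trusted_proxy(remote_addr, proxy_ips):
        return actual_scheme
    proto = _lower_keys(headers).get("x-forwarded-proto", "").strip().lower()
    return proto if proto in ("http", "https") else actual_scheme


if __name__ == "__main__":
    proxies = compile_proxy_ips(PROXY_IPS_REGEX)
    # Constructed requests: one via a trusted proxy, one straight from the internet.
    via_proxy = ("203.0.113.7", {"X-Forwarded-For": "198.51.100.9", "X-Forwarded-Proto": "https"})
    direct = ("198.51.100.9", {"X-Forwarded-For": "10.0.1.3", "X-Forwarded-Proto": "https"})
    for peer, hdrs in (via_proxy, direct):
        print(peer, "->", effective_client_ip(peer, hdrs, proxies),
              effective_scheme(peer, hdrs, proxies))
```

When a public IP is appended to the setting for Gorouter or HAProxy, it should be written as a complete, escaped address (203\.0\.113\.7 rather than 203.0.113.7); an unescaped dot or a partial pattern trusts more peers than intended, and every peer that is trusted can set the client address and scheme UAA records.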
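The Client basic auth compatibility mode setting above turns on the RFC 6749 section 2.3.1 form of HTTP Basic client credentials, in which client_id and client_secret are application/x-www-form-urlencoded before the id:secret pair is Base64-encoded. The following Python example is added here to show the difference between the two forms and the server-side rule the page describes (encoding required for all clients when the check box is deselected, or per request via X-CF-ENCODED-CREDENTIALS: true when it is selected); it is not UAA's code, and the client names and secrets are constructed.

```python
import base64
import hmac
from urllib.parse import quote, unquote


def basic_auth_header(client_id: str, client_secret: str, url_encode: bool) -> str:
    """Build the Authorization header a UAA client sends.
    url_encode=True is the RFC 6749 section 2.3.1 form: each value is
    form-url-encoded, then 'id:secret' is Base64-encoded.
    url_encode=False is the legacy (pre-v74.0.0) form: raw values."""
    if url_encode:
        client_id = quote(client_id, safe="")
        client_secret = quote(client_secret, safe="")
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def decode_basic_auth(header: str, url_encoded: bool):
    """Split an Authorization header back into (client_id, client_secret),
    undoing the URL encoding only when the server expects it."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not an HTTP Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    client_id, sep, client_secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if url_encoded:
        client_id, client_secret = unquote(client_id), unquote(client_secret)
    return client_id, client_secret


def server_parse_credentials(headers: dict, compatibility_mode: bool):
    """Apply the rule from the Client basic auth compatibility mode setting:
    check box deselected -> URL encoding required for every client;
    check box selected   -> raw form, unless the request carries
                            X-CF-ENCODED-CREDENTIALS: true."""
    h = {k.lower(): v for k, v in headers.items()}
    opted_in = h.get("x-cf-encoded-credentials", "").strip().lower() == "true"
    url_encoded = (not compatibility_mode) or opted_in
    return decode_basic_auth(h["authorization"], url_encoded)


def credentials_match(headers: dict, compatibility_mode: bool,
                      expected_id: str, expected_secret: str) -> bool:
    """Server-side check; malformed headers fail closed."""
    try:
        client_id, secret = server_parse_credentials(headers, compatibility_mode)
    except (ValueError, KeyError):
        return False
    return client_id == expected_id and hmac.compare_digest(
        secret.encode("utf-8"), expected_secret.encode("utf-8"))


if __name__ == "__main__":
    # Constructed client; the secret contains '@' and ':' so the two forms differ.
    cid, secret = "app-client", "p@ss:w0rd"
    encoded = basic_auth_header(cid, secret, url_encode=True)
    legacy = basic_auth_header(cid, secret, url_encode=False)
    print("encoded header read by a legacy server:", decode_basic_auth(encoded, False))
    print("legacy header read by a strict server :", decode_basic_auth(legacy, True))
```

The case to check before deselecting the box is a client whose id or secret changes under encoding (reserved characters such as ':', '@', '/', '+', '%'): its legacy header still decodes to the same values on a strict server only when none of those characters are present, which is why a fleet can look compatible until one such client fails. A client id containing ':' is the clearest example, since the legacy form cannot even be split unambiguously.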
