VMware Tanzu Application Service Compliance

As per the recommended reference architecture, Tanzu Application Service (TAS for VMs) is deployed behind an organization-managed load balancer. Deployers with a requirement to manage TCP session communications timeout settings must do so at the network level, via the Load Balancer management interface.

Native Cloud Foundry management API traffic and any cloud native application traffic, both operate at level 7, over HTTP(S).

HTTP is stateless and user sessions are based on HTTP session headers, and the use of OAuth 2 tokens.

The OAuth 2 token lifetimes issued by UAA for use with Apps Manager, the CF CLI, and any application SSO can be configured to tailor the user login sessions appropriately.

For more information about HTTP routing and sessions in TAS for VMs see HTTP Routing.

For more information about customizing the Apps Manager and the cf CLI token lifetime see the Configure UAA section of Deploying Elastic Runtime on AWS.

Control Description

The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

Supplemental Guidance

This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses.