This topic describes how you can log into VMware Tanzu Operations Manager for the first time after deploying Tanzu Operations Manager. It also describes how you can configure the Tanzu Operations Manager default authentication with either SAML, LDAP, or internal authentication.
When you have a new installation of Tanzu Operations Manager, you choose the default authentication and login method.
When you log in for the first time, you go to the fully qualified domain name (FQDN) in your web browser. You configure the FQDN when you first deploy Tanzu Operations Manager. To log in, see Log In to Tanzu Operations Manager For the First Time below.
Your login method and authentication choices are:
Internal Authentication: Tanzu Operations Manager maintains and manages your user database.
SAML Identity Provider: An external identity server maintains your user database.
LDAP Server: An external identity server maintains your user database.
To log in to Tanzu Operations Manager for the first time with a new Tanzu Operations Manager deployment:
In a web browser, navigate to Tanzu Operations Manager using your FQDN. You set your FQDN when you configure Tanzu Operations Manager before deployment.
When Tanzu Operations Manager starts for the first time, choose one of the following procedures:
To set up internal authentication that Tanzu Operations Manager maintains:
When redirected to the Internal Authentication page:
Log in to Tanzu Operations Manager with the Admin username and password you created in the previous step.
To configure Tanzu Operations Manager to log in by default using a SAML identity provider for user authentication:
Log in to your identity provider console and download the identity provider metadata XML. Optionally, if your identity provider supports metadata URL, you can copy the metadata URL instead of the XML.
Do one of the following, depending on whether you use a separate identity provider for BOSH:
Enter values for the following text boxes. Failure to provide values in these text boxes results in a 500 error.
Enter your Decryption passphrase. Read the End User License Agreement, and select the check box to accept the terms.
Your Tanzu Operations Manager login page appears. Enter your username and password and click Login.
Download your SAML service provider metadata (SAML Relying Party metadata) by navigating to the following URLs:
https://OPS-MAN-FQDN:443/uaa/saml/metadata
https://BOSH-IP-ADDRESS:8443/saml/metadata
BOSH-IP-ADDRESS is in the Status pane of the BOSH Director tile.
Import the Tanzu Operations Manager SAML provider metadata to your identity provider. If your identity provider does not support importing, provide the values below.
https://OPS-MAN-FQDN:443/uaa/saml/SSO/alias/OPS-MAN-FQDN
https://OPS-MAN-FQDN:443/uaa
Import the BOSH Director SAML provider metadata to your identity provider. If the identity provider does not support an import, provide the values below.
https://BOSH-IP:8443/saml/SSO/alias/BOSH-IP
https://BOSH-IP:8443
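For identity providers that cannot import the metadata file, the values to hand over come out of the service provider metadata that Tanzu Operations Manager and the BOSH Director publish at the URLs above. The following added example (not VMware's own code) parses a constructed sample of that metadata, extracts the entityID and the HTTP-POST AssertionConsumerService location, and confirms both point at the expected host before they are entered into the identity provider; the function names are our own.

```python
"""Added example: read the SAML SP values an IdP needs from UAA metadata.
The sample XML below is constructed to match the shape of the metadata
served at https://OPS-MAN-FQDN:443/uaa/saml/metadata; the same parser
works for the BOSH Director metadata at https://BOSH-IP-ADDRESS:8443/saml/metadata."""
import xml.etree.ElementTree as ET

NS = {'md': 'urn:oasis:names:tc:SAML:2.0:metadata'}
HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

# Constructed sample (placeholder hostnames, not captured from a real deployment)
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://OPS-MAN-FQDN:443/uaa">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://OPS-MAN-FQDN:443/uaa/saml/SSO/alias/OPS-MAN-FQDN" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_values(metadata_xml: str) -> dict:
    """Return the entityID and the HTTP-POST ACS URL from SP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get('entityID')
    sp = root.find('md:SPSSODescriptor', NS)
    acs = [] if sp is None else [
        e.get('Location') for e in sp.findall('md:AssertionConsumerService', NS)
        if e.get('Binding') == HTTP_POST]
    if entity_id is None or not acs:
        raise ValueError('metadata lacks entityID or an HTTP-POST AssertionConsumerService')
    return {'entity_id': entity_id, 'acs_url': acs[0]}


def check_expected_host(values: dict, fqdn: str) -> bool:
    """Both values must sit under https://<fqdn>:443/ before they go into the IdP."""
    return all(v.startswith(f'https://{fqdn}:443/') for v in values.values())


if __name__ == '__main__':
    vals = extract_sp_values(SAMPLE_SP_METADATA)
    print(vals, check_expected_host(vals, 'OPS-MAN-FQDN'))
```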
To configure Tanzu Operations Manager to log in by default using an LDAP server for user authentication:
For Server URL, enter the URL that points to your LDAP server. With multiple LDAP servers, separate their URLs with spaces. Each URL must include one of the following protocols:
ldap://: This specifies that the LDAP server uses an unencrypted connection.
ldaps://: This specifies that the LDAP server uses SSL for an encrypted connection and requires that the LDAP server holds a trusted certificate or that you import a trusted certificate to the JVM truststore.
For LDAP Username and LDAP Password, enter the LDAP Distinguished Name (DN) and the password for binding to the LDAP Server. Example DN: cn=administrator,ou=Users,dc=example,dc=com
VMware recommends that you provide LDAP credentials that grant read-only permissions on the LDAP Search Base and the LDAP Group Search Base. In addition, if the bind user belongs to a different search base, you must use the full DN.
VMware recommends against reusing LDAP service accounts across environments. LDAP service accounts are not subject to manual lockouts, such as lockouts that result from several users sharing the same account. Also, LDAP service accounts are not subject to automated deletions, since disruption to these service accounts could prevent user logins.
For User Search Base, enter the location in the LDAP directory tree from which any LDAP User search begins. The typical LDAP Search Base matches your domain name. For example, a domain named “cloud.example.com” typically uses the following LDAP User Search Base: ou=Users,dc=example,dc=com
For User Search Filter, enter a string that defines LDAP User search criteria. These search criteria allow LDAP to perform more effective and efficient searches. For example, the standard LDAP search filter cn=Smith returns all objects with a common name equal to Smith.
In the LDAP search filter string that you use to configure your runtime, use {0} instead of the username. For example, use cn={0} to return all LDAP objects with the same common name as the username.
In addition to cn, other attributes commonly searched for and returned are mail, uid and, in the case of Active Directory, sAMAccountName.
For instructions for testing and troubleshooting your LDAP search filters, see Configuring LDAP Integration.
For Group Search Base, enter the location in the LDAP directory tree from which the LDAP Group search begins. For example, a domain named cloud.example.com typically uses the following LDAP Group Search Base: ou=Groups,dc=example,dc=com
For Group Search Filter, enter a string that defines LDAP Group search criteria. The standard value is member={0}.
For Email Attribute, enter the attribute name in your LDAP directory that corresponds to the email address in each user record. For example, mail.
For LDAP RBAC Admin Group Name, enter the DN of the LDAP group you want to have admin permissions in Tanzu Operations Manager.
From the drop-down menu, select how the UAA handles LDAP server referrals out to other external user stores. The UAA can:
For Server SSL Cert, paste in the root certificate from your CA certificate or your self-signed certificate.
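The Server URL, User Search Filter and Group Search Filter settings above are templates that UAA fills in at login time. The following added example (not VMware's own code) shows what those settings resolve to: it splits the space-separated Server URL list and flags the unencrypted ldap:// entries, and it renders the cn={0} and member={0} templates with the substituted value escaped per RFC 4515, so a login name containing filter metacharacters cannot change the query. It assumes, as UAA does, that {0} in the user filter receives the login name and {0} in the group filter receives the user's DN; the function names are our own.

```python
"""Added example: resolve the Ops Manager LDAP settings the way UAA does.
Sample values below are constructed from the examples in the text."""

# RFC 4515 section 3: characters that must be escaped inside a filter value
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched, never parsed as filter syntax."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Replace every {0} in a User/Group Search Filter template with the escaped value."""
    if '{0}' not in template:
        raise ValueError('filter template must contain the {0} placeholder')
    return template.replace('{0}', escape_filter_value(value))


def check_server_urls(server_url_field: str) -> list:
    """Split the Server URL text box on spaces and classify each URL.
    Returns (url, encrypted) pairs; raises on a scheme the setting does not accept."""
    result = []
    for url in server_url_field.split():
        if url.startswith('ldaps://'):
            result.append((url, True))
        elif url.startswith('ldap://'):
            # Unencrypted: the bind DN and password travel in clear text on the wire
            result.append((url, False))
        else:
            raise ValueError(f'unsupported LDAP URL scheme: {url}')
    return result


if __name__ == '__main__':
    print(render_filter('cn={0}', 'Smith'))                              # cn=Smith
    print(render_filter('sAMAccountName={0}', 'smith)(objectClass=*'))   # metacharacters escaped
    print(render_filter('member={0}', 'cn=Smith,ou=Users,dc=example,dc=com'))
    print(check_server_urls('ldaps://ldap1.example.com:636 ldap://ldap2.example.com'))
```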
Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore, and is not recoverable.
If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.
Read the End User License Agreement, and select the check box to accept the terms.
Click Provision an admin client in the BOSH UAA. You can use this to enable BOSH automation with scripts and tooling. For more information, see Provision Admin Client in Creating UAA Clients for BOSH Director.
Click Setup Authentication.