This topic tells you about the key features of the VMware Tanzu Operations Manager interface.

Installation Dashboard page

The Installation Dashboard is the central Tanzu Operations Manager interface for managing your deployment. It displays the BOSH Director configuration for your IaaS and product tiles for your deployment.

The following image shows the Tanzu Operations Manager Installation Dashboard. Each section is labeled with a green number. Click the image to see it at full size.

The Tanzu Operations Manager Installation Dashboard: For a description of each labeled section, see the following list.

The following list describes each section that is labeled for the Installation Dashboard:

  • 1Import a Product: Click this button to add a new product to Tanzu Operations Manager. You can download Tanzu Operations Manager-compatible product files from the Broadcom Support portal.

    • If you configure a VMware Tanzu Network API token in the Settings section of Tanzu Operations Manager, a list of the latest versions of already imported products appears automatically.
  • 2Delete All Unused Products: Click this link to delete any unused products.

  • 3Installation Dashboard: Click this link to return to the Tanzu Operations Manager Installation Dashboard topic from other Tanzu Operations Manager topics.

  • 4Stemcell Library: Click this link to open the Stemcell Library. In the Stemcell Library you can import stemcells, stage stemcells, and review your stemcell version numbers. For more information, see Importing and Managing Stemcells.

  • 5Change Log: Click this link to view and search a log of your previous installations. For more information, see the Change Log Page section of this topic for details.

  • 6Certificates: Click this link to view certificates in your installation. For more information, see the Certificates Page section of this topic for details.

  • 7User Account Menu: Click your user name to view the menu. Use this menu to go to your Settings page, view My Account to change your email and password, or log out of the Tanzu Operations Manager Installation Dashboard. For more details about accounts, see My account of this topic for details on account information. For more information, see the Settings page section of this topic for details that are available Tanzu Operations Manager settings.

  • 8Revert: Click the revert button to return to the previous successful installation. Any pending changes you have made to the current installation settings are lost.

  • 9Review Pending Changes: Click the button to go to the Review Pending Changes page, which organizes pending changes by tile. You can activate or deactivate each tile to selectively deploy individual tiles and their dependencies. For more information, see Reviewing pending product changes.

  • 10Orange Bar: Indicates that additional configuration for the product tile is required before deployment. Click the product tile to complete its configuration.

    If an imported product is missing a required stemcell, a Missing Stemcell link appears on the tile. Click this link to open the stemcell library. For more information about stemcells, see Importing and managing stemcells.

  • 11API Documentation: Click this link to go to the Tanzu Operations Manager API documentation, which details how you can manage Tanzu Operations Manager through the API rather than with the UI. For more information about the Tanzu Operations Manager API, see Using the Tanzu Operations Manager API.

Change Log page

Go to the Change Log page by clicking the corresponding link in the dashboard header. This topic shows the Tanzu Operations Manager’s deployment history, and a record of all of its Apply Changes actions.

The following table lists the following top-level attributes for each deployment:

Label Type Description
STATUS Icon Whether the deployment succeeded or failed
DEPLOYMENT ID Text A sequentially-numbered identifier for the deployment
USER Username The user who initiated the deployment

A LOGS button for each deployment opens the deployment’s full Installation Log.

Within each deployment listing, a table details for the individual products deployed in or deleted from each installation.

The details listed for each product are as follows:

Label Type Description
PRODUCT Text The name of the product
ACTION One of the following labels: ADDED, UPDATED, DELETED, NO CHANGES, FAILED The action, if any, that the deployment took with the product.
STARTED UTC timestamp When Tanzu Operations Manager began deploying the product.
FINISHED UTC timestamp When Tanzu Operations Manager stopped deploying or attempting to deploy the product.
DURATION Time, in minutes How long Tanzu Operations Manager took to deploy or attempt to deploy the product.

A Total row, lists all product totals for the STARTED, FINISHED, AND DURATION text boxes.

The Change Log page shows up to 10 Apply Changes at a time, starting with the most recent. You can navigate additional Apply Changes records using the following buttons:

  • First Page—Click First Page to return to the most recent 10 Apply Changes records.

  • Previous Page / Next Page—Click Previous Page, or Next Page to load older or newer entries.

Certificates page

Go to the Certificates topic by clicking the corresponding link in the dashboard header. This topic shows the certificates in your Tanzu Operations Manager installation.

In Tanzu Operations Manager 3.0.28 and later

Tanzu Operations Manager 3.0.28 updates the Certificates page. Leaf certificates are now nested under the CA certificate that signs them, certificates are listed only once instead of per deployment, and a rotation status is listed for each certificate.

The Certificates page shows information in the following columns: Certificate name, Deployments, Propagation, Rotation Status, Expiration Date, Rotation Procedure, Location, Configurable, and Auto Rotation.

The following describes the information listed on the Certificates page:

  • Type: a certificate authority (CA) or leaf certificate.

  • Certificate name: the name of the certificate.

  • Deployments: the number of deployments that use the certificate. This links to a page listing the deployments associated with the certificate and whether they’ve been deployed or not.

  • Propagation: the propagation progress of a certificate after it has been regenerated. The first number is how many deployments are using the updated version of the certificate. The second number is the total number of deployments associated with the certificate. For instance, “1 of 5” would indicate that only 1 deployment is using the new certificate out of 5 deployments total.

  • Rotation Status: the next step necessary to rotate the certificate. See Rotation Status definitions.

  • Expiration Date: the date that the certificate expires.

  • Rotation Procedure: a link to documentation about how to rotate the certificate.

  • Location: whether CredHub or Tanzu Operations Manager stores and manages the certificate.

  • Configurable: whether you can configure the certificate. If a certificate is configurable, you can generate your own and paste it into Tanzu Operations Manager configuration panes.

  • Auto Rotation: whether the certificate is automatically rotated by Tanzu Operations Manager. Rotation of these certificates are advanced during Apply Changes without the need to make API calls to rotate them. For more information, see Automatic rotation of BOSH DNS certificates.

Rotation Status definitions

The Rotation Status column indicates what is the next action needed to rotate a certificate. The potential rotation statuses include:

  • Needs propagation: New versions of the certificate are available and need to be deployed. To deploy the certificate, initiate an Apply Changes on all tiles associated with the certificate, selecting the “Upgrade all service instances” errand for any that are service tiles. For any non-tile deployments associated with the certificate, use bosh deploy. For auto-rotated certificates, a stemcell upgrade is required to complete propagation of the new certificate versions.

  • Ready to regenerate CA: The CA certificate is ready to be regenerated with the recommended procedure.

  • Ready to activate new CA: The new version of the CA certificate is ready to be activated with the recommended procedure.

  • Ready to regenerate leaf: For CA certificates, the certificate is ready to regenerate all its child certificates to be signed by the new CA. For leaf certificates, the certificate is ready to be regenerated.

  • Ready to regenerate configurable leaf: The certificate is ready to either be regenerated using its CA, or ready to be updated with a new external certificate. When using an externally created certificate, ensure that the certificate which signs the configurable leaf is trusted. For example, the leaf certificate is signed by a globally trusted CA, or the signing CA is added in the BOSH Director tile > Security tab > Trusted Certificates field.

  • Ready to delete old CA: The new CA certificate and its leafs have been deployed, and the certificate is ready to delete the old version.

  • Rotate parent CA: The signing CA certificate is expiring soon. Rather than rotate the current certificate directly, you should rotate its CA certificate. Rotating the CA certificate rotates the current certificate as part of its rotation procedure.

  • Unknown state - contact support: Tanzu Operations Manager is unable to determine the next step of the rotation. This can mean that the certificate is in a state that generates safety violations when rotated. Contacting support and including a support bundle, which contains information such as the output of maestro topology, is the best course of action.

Certificate propagation status page

Each certificate on the Certificates page contains a link in the Deployments column that leads to a propagation status page for that certificate. This page lists information about which tiles and deployments need to be redeployed to distribute new versions of the certificate.

Individual BOSH deployments (such as service instances or TKGI clusters) are nested under the tile that creates those deployments. BOSH deployments that are created outside of Tanzu Operations Manager are nested under ‘Non-Tile Deployments’.

The Certificates propagation page shows information in the following columns: Deployment, and Propagation Status.

The following describes the information listed on the page:

  • Deployment: The name of the BOSH deployment that uses the certificate.

  • Propagation Status: The status of the latest version of the certificate for the corresponding deployment. “Incomplete” means that the deployment needs to be redeployed to propagate new versions of the certificate. “Complete” means that the deployment uses the latest version of the certificate, and that no action is required.

In Tanzu Operations Manager 3.0.27 and lower

The following image shows the top section of the Certificates page:

The Certificates page shows information in the following columns: Certificate name, Tile Name, Location, Type, Configurable, Expiration Date, and Rotation Procedure.

The Certificates page includes the certificates that the Tanzu Operations Manager API attempts to rotate. This includes both certificates that the Tanzu Operations Manager API can rotate and certificates that you must rotate manually.

For information about how to rotate these certificates, see Overview of Certificate Rotation.

The following describes the information listed on the Certificates page:

  • Certificate name: the name of the certificate.

  • Tile Name: the product name with its unique identifier.

  • Location: whether CredHub or Tanzu Operations Manager stores and manages the certificate.

  • Type: a certificate authority (CA) or leaf certificate.

  • Configurable: whether or not you can configure the certificate. If a certificate is configurable, you can generate your own and paste it into Tanzu Operations Manager configuration panes.

  • Expiration Date: the date that the certificate expires.

  • Rotation Procedure: a link to documentation about how to rotate the certificate.

Settings page

Go to the Settings topic by clicking on your user name and click Settings. On the screen that appears, click Change Decryption Passprase.

Admin drop-down menu options: Settings, My Account, Log Out

The following sections describes the configuration topics.

If you modify these settings, it does not require you to return to the Installation Dashboard and click Apply Changes. These settings apply to the Tanzu Operations Manager VM. The BOSH Director does not apply them to your deployment.

Change decryption passphrase

To reset your decryption passphrase, enter the details as follows, and click Change Decryption Passphrase.

  • Current Decryption Passphrase
  • New Decryption Passphrase
  • Confirm New Decryption Passphrase

Enter Current Decryption Passphrase and "New Decryption Passphrase.

Internal authentication settings

You can use the Internal Authentication Settings topic to view and update the settings for your internal authentication method.

This pane includes the following text boxes:

  • Current Decryption Passphrase: Update the decryption passphrase for your internal authentication method.

  • Admin Username: Update the user name for the admin user.

  • Admin Password and Admin Password Confirmation: Update the password for the admin user.

SAML settings

To change your Identity Provider (IdP) to SAML, configure the following text boxes:

  • Current Decryption Passphrase: Enter your decryption passphrase.

  • SAML IDP Metadata: Enter the full URL or XML SAML IdP metadata.

  • BOSH IDP Metadata: (Optional) Enter the full URL or XML BOSH IdP metadata. If left blank, the default is the same metadata as the preceding text box.

  • SAML Admin Group: Enter the name of the SAML group that contains all of the Tanzu Operations Manager administrators. This text box is case-sensitive.

  • Groups Attribute: Enter the groups attribute tag name with which you configured the SAML server. This text box is case-sensitive.

  • Provision an admin client in the Bosh UAA: Enable to provision an admin client in the BOSH UAA. For more information, see Provision Admin Client.

LDAP settings

Use this topic to change your IdP to LDAP.

For more information about changing your IdP to SAML or LDAP, view the following instructions for your IaaS configuration:

OIDC settings

To change your Identity Provider (IdP) to OIDC, configure the following text boxes:

  1. In your OIDC provider, create a new client for Tanzu Operations Manager to use for authentication.

    • For “Grant Type”, select “Authorization Code”.
    • Register https://OPS-MAN-FQDN/uaa/login/callback/oidc as a valid redirect_uri for the client.
    • If you plan to use OIDC authentication for the BOSH CLI, register https://BOSH-FQDN-OR-IP:8443/uaa/login/callback/oidc as a valid redirect_uri for the client. If you intend to use the BOSH FQDN, you must configure that later in the BOSH Director configuration.
  2. For Discovery URL, enter your OIDC service provider discovery URL.

  3. For Client ID, enter the “Client ID” created in Step 1.

  4. For Client Secret, enter the “Client Secret” created in Step 1.

  5. For Scopes, enter the scopes to request from the OIDC provider as a comma-separated list. You must include the following scopes.

    • The openid scope
    • A scope that allows access to the group claim
    • Standard email and profile scopes, if you plan to use the claims listed in the next step to populate common fields in UAA
  6. Enter the claims used to populate the UAA user store with data from the OIDC provider.

    • Enter the External Groups Claim to populate associated groups for the user in UAA. Enter the OIDC provider’s token claim that contains the groups to which the user belongs. Only the provided OIDC Admin Group Name and the default group names of opsman.full_control, opsman.restricted_control, opsman.full_view and opsman.restricted_view are mapped to UAA groups.
    • (Optional) Enter the Username Claim to populate the username field in UAA. Tanzu Operations Manager uses this to show the current logged-in user.
  7. For OIDC Admin Group Name, enter the OIDC provider group name that corresponds to users who receive admin access. Users in this OIDC group are granted the opsman.admin scope in UAA.

SSL certificate

You can use the SSL Certificate pane to configure Tanzu Operations Manager to use a custom SSL certificate for all Tanzu Operations Manager traffic both through the UI and API.

This pane includes the following text boxes:

  • Certificate: Enter a custom certificate.
  • Private Key: Enter the private key for the certificate.

If you leave the text boxes blank, Tanzu Operations Manager uses an auto-generated self-signed certificate rather than your own custom certificate and private key.

Click Add Certificate.

SSL Certificate page with text boxes for Certificate and Private Key. Both are required.

If you have previously added a custom certificate and want to replace it with a self-signed certificate, click Revert to self-signed certificate.

VMware Tanzu Network settings

Enter your VMware Tanzu Network API token and click Add Token to connect your Installation Dashboard to VMware Tanzu Network.

Proxy settings

If you are using a proxy to connect to Tanzu Operations Manager, update your Proxy Settings by providing a HTTP proxy, HTTPS proxy, or No proxy.

Custom banner

Create a custom text banner to communicate important messages to operators. For UI Banner, enter the text you want to be shown on each page of the Tanzu Operations Manager UI. For SSH Banner, enter the text that appears when an operator logs in to Tanzu Operations Manager.

Export installation settings

Exports the current installation with all of its assets. When you export an installation, the exported file contains references to the base VM images, necessary packages, and configuration settings.

Syslog

Viewable by administrators only. Configure a custom syslog server for Tanzu Operations Manager. When you click Yes and fill the following text boxes, Tanzu Operations Manager produces and sends all syslog entries from the Tanzu Operations Manager VM to the configured syslog endpoint. Tanzu Operations Manager also sends BOSH Director access events to the syslog endpoint.

Tanzu Operations Manager syslog entries are sent in RFC 3164 format.

To configure a custom syslog endpoint for Tanzu Operations Manager logs:

  1. Select Syslog.

  2. (Optional) Select Yes to send Tanzu Operations Manager system logs to a remote server.

  3. In Address, enter the IP address or DNS name for the remote server.

  4. In Port, enter the port number that the remote server listens on.

  5. In the Transport Protocol drop-down menu, select TCP or UDP. This selection determines which transport protocol is used to send the logs to the remote server.

  6. (Optional) Select the Enable TLS check box to send encrypted logs to remote server with TLS. After you select the check box:

    1. In Permitted Peer, enter either the name or SHA1 fingerprint of the remote peer.
    2. In SSL Certificate, enter the SSL certificate for the remote server.

    Note VMware strongly recommends that you enable TLS encryption when you are forwarding logs. Logs can contain sensitive information, such as cloud provider credentials.

  7. (Optional) In Queue Size, enter an integer. This value specifies the number of log messages held in the buffer. The default value is 100,000.

  8. (Optional) Select the Forward Debug Logs check box to forward the logs to an external source. This option is deselected by default. If you select it, you may generate a large amount of log data.

  9. (Optional) In Custom rsyslog Configuration, enter the configuration details for rsyslog. This text box requires the rainerscript syntax.

  10. Click Save.

Pruning settings

Pruning settings are available in Tanzu Operations Manager 3.0.18+LTS-T and later.

You configure the pruning of Change Logs that are created each time you Apply Changes.

If pruning is activated, Change Logs that are older than the configured date are pruned once per day. The most recent Change Log and the most recent successful Change Log for a tile are not pruned even if they are older than the configured date.

Advanced options

  • Download Activity Data: Downloads a directory that contains the configuration file for the installation, the deployment history, and version information.

  • Download Root CA Cert: Use this to download for the root CA certificate of your deployment as an alternative to curling the Tanzu Operations Manager API.

  • Download Core Consumption Data: Use this option to download the historical core consumption as CSV, instead of using cURL to access the Tanzu Operations Manager API. The CSV download contains an hourly reading of the chargeable cores that are consumed by each product, in the following form:

    timestamp,product_identifier,physical_cores,logical_cores
    

    Products which do not support core counting do not appear in the CSV download.

  • View Diagnostic Report: Displays various types of information about the configuration of your deployment.

  • Delete This Installation: Deletes your Tanzu Operations Manager installation permanently.

My Account page

To change your email and password, go to the My Account page by clicking on your user name located at the upper right corner of the screen and selecting My Account. The Account Settings topic includes the following information and links:

  • Profile: The current email address and obscured password are shown.
  • Third Party Access: Any third-party applications authorized for use are listed here.

And buttons: * Change Email * Change Password

Account Setting page showing Profile and Third Party Access. There are buttons for Change Email and Change Password.

Support page

Click Support in the footer of the Installation Dashboard in Tanzu Operations Manager to access the support topic.

The Support topic allows you to download a ZIP file that includes Tanzu Operations Manager logs, deployed manifests and configurations, and BOSH deployment diagnostics.

The contents of the ZIP file help Support quickly address any issues in your deployment.

You can also access Broadcom Support to search for Knowledge base article and other documentation.

check-circle-line exclamation-circle-line close-line
Scroll to top icon