This topic describes how you can use short-lived NATS bootstrap credentials in your VMware Tanzu Operations Manager deployment.

BOSH NATS is a service that allows the BOSH Director and BOSH Agents in deployed VMs to communicate with each other. The BOSH Director uses BOSH NATS to send commands and information to the BOSH Agent, so that the BOSH Agent can execute tasks or return information about the current state of the VM.

BOSH NATS uses TLS certificates to authenticate communication between the BOSH Director and the BOSH Agent. When VMs are created during a new deployment of Tanzu Operations Manager, BOSH gives each VM a TLS certificate through the metadata service for your IaaS, such as AWS instance user data.

However, any user with non-root access to a VM or process running in a VM can access VM metadata within your IaaS. This could allow a malicious user or process to obtain the TLS certificate for the VM and use it to communicate with the BOSH Director through BOSH NATS.

To increase the security of your Tanzu Operations Manager deployment, you can configure your VMs to use short-lived bootstrap credentials when communicating through BOSH NATS. When you configure your VMs to use short-lived bootstrap credentials, the TLS certificate that BOSH gives to a VM through the metadata service for your IaaS contains credentials that are only to be used during the bootstrap process. Before the bootstrap process finishes, the BOSH Director sends the BOSH Agent a new TLS certificate. From that point forward, BOSH NATS rejects the previous TLS certificate that is stored in the metadata service. Because no user or process can access VMs during the bootstrap process, and apps are installed after the bootstrap process is complete, using short-lived bootstrap credentials ensures that any malicious user or process that obtains the TLS certificate stored in the metadata service cannot use it to access your VMs or apps.

To learn about the stemcells that are compatible with short-lived bootstrap credentials, see Stemcell compatibility.

To configure your VMs to use short-lived bootstrap credentials when communicating through BOSH NATS, see Configure Short-Lived NATS Bootstrap credentials.

Stemcell compatibility

You can configure short-lived bootstrap credentials for VMs using the following stemcells:

  • Microsoft Windows 2019.41 and later.

  • Xenial 621.171 and later.

  • Bionic 1.36 and later.

  • Jammy 1.95 and later.

    All Jammy stemcell versions are compatible with short-lived bootstrap credentials. However, if you use Jammy 1.94 or earlier, using short-lived bootstrap credentials causes VMs with re-sized disk allocations to fail when they are re-created. To fix this issue, upgrade your stemcell to Jammy 1.95 or later.

If you configure short-lived bootstrap credentials for VMs using unsupported stemcells, the VMs become unresponsive.

Configure short-lived NATS bootstrap credentials

To configure your VMs to use short-lived bootstrap credentials when communicating through BOSH NATS:

  1. In a browser window, go to Tanzu Operations Manager Installation Dashboard.

  2. Click the BOSH Director tile.

  3. Click Director Config.

  4. Select the Enable Short Lived NATS Bootstrap Credentials check box.

  5. Click Save.

  6. Return to Tanzu Operations Manager Installation Dashboard.

  7. Click Review Pending Changes.

  8. Click Apply Changes.

This configuration affects all new deployments of Tanzu Operations Manager. If you want to configure VMs in existing Tanzu Operations Manager deployments to use short-lived bootstrap credentials, you must recreate them.

check-circle-line exclamation-circle-line close-line
Scroll to top icon