forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
_uaa-cloudform.html.md.erb
67 lines (40 loc) · 5.27 KB
/
_uaa-cloudform.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
1. Select **UAA**.
1. (Optional) Under **JWT Issuer URI**, enter the URI that UAA uses as the issuer when generating tokens.
<%= image_tag('ert_uaa_jwt_uri.png') %>
1. Under **SAML Service Provider Credentials**, enter a certificate and private key to be used by UAA as a SAML Service Provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a self-signed certificate. The following domains must be associated with the certificate: `login.YOUR-SYSTEM-DOMAIN` and `*.login.YOUR-SYSTEM-DOMAIN`.
<p class="note"><strong>Note</strong>: The Pivotal Single Sign-On Service and Pivotal Spring Cloud Services tiles require the <code>*.login.YOUR-SYSTEM-DOMAIN</code>.</p>
1. If the private key specified under **Service Provider Credentials** is password-protected, enter the password under **SAML Service Provider Key Password**.
<%= image_tag("service-provider.png") %>
1. (Optional) In the **Apps Manager Access Token Lifetime**, **Apps Manager Refresh Token Lifetime**, **Cloud Foundry CLI Access Token Lifetime**, and **Cloud Foundry CLI Refresh Token Lifetime** fields, change the lifetimes of tokens granted for Apps Manager and Cloud Foundry Command Line Interface (cf CLI) login access and refresh. Most deployments use the defaults.
<%= image_tag("authsso-uaa-bottom.png") %>
1. (Optional) Customize the text prompts used for username and password from the cf CLI and Apps Manager login popup by entering values for **Customize Username Label (on login page)** and **Customize Password Label (on login page)**.
1. (Optional) The **Proxy IPs Regular Expression** field contains a pipe-delimited set of regular expressions that UAA considers to be reverse proxy IP addresses. UAA respects the `x-forwarded-for` and `x-forwarded-proto` headers coming from IP addresses that match these regular expressions. To configure UAA to respond properly to Router or HAProxy requests coming from a public IP address, append a regular expression or regular expressions to match the public IP address.
1. You can configure UAA to use the internal MySQL database provided with PCF, or you can configure an external database provider. Follow the procedures in either the [Internal Database Configuration](#uaa-internal) or the [External Database Configuration](#uaa-external) section below.
<p class="note"><strong>Note</strong>: If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data before changing the configuration. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information, and contact <a href="https://support.pivotal.io">Pivotal Support</a> for help. </p>
###<a id='uaa-internal'></a> Internal Database Configuration
1. Select **Internal MySQL**.
![UAA DB Selection](ert_uaa_internal.png)
1. Click **Save**.
1. Ensure that you complete the "Configure Internal MySQL" step later in this topic to configure high availability and automatic backups for your internal MySQL databases.
###<a id='uaa-external'></a> External Database Configuration
<p class="note"><strong>Note</strong>: The exact procedure to create databases depends upon the database provider you select for your deployment. The following procedure uses AWS RDS as an example, but UAA also supports Azure SQL Server.</p>
<p class="note warning">
<strong>Warning</strong>: Protect whichever database you use in your deployment with a password.</p>
To create your UAA database, perform the following steps:
1. Add the `ubuntu` account key pair from your IaaS deployment to your local SSH profile so you can access the Ops Manager VM. For example, in AWS, you add a key pair created in AWS:
<pre class='terminal'>$ ssh-add aws-keypair.pem</pre>
1. SSH in to your Ops Manager using the Ops Manager FQDN and the username `ubuntu`:
<pre class='terminal'>$ ssh ubuntu@OPS-MANAGER-FQDN</pre>
1. Log in to your MySQL database instance using the appropriate hostname and user login values configured in your IaaS account. For example, to log in to your AWS RDS instance, run the following MySQL command:
<pre class='terminal'>$ mysql --host=RDSHOSTNAME --user=RDSUSERNAME --password=RDSPASSWORD</pre>
1. Run the following MySQL commands to create a database for UAA:
<pre class="terminal">CREATE database uaa;</pre>
1. Type `exit` to quit the MySQL client, and `exit` again to close your connection to the Ops Manager VM.
1. Reboot the RDS instance in the AWS console.
1. From the **UAA** section in Elastic Runtime, select **External**.
<%= image_tag('ert_uaa_external.png') %>
1. For **Hostname**, enter the hostname of the database server. This is the value from the `PcfRdsAddress` key in the AWS output.
1. For **TCP Port**, enter the port of the database server. This is the value from the `PcfRdsPort` key in the AWS output.
1. For **User Account and Authentication database username**, specify the username that can access this database on the database server. This is the value from the `PcfRdsUsername` key in the AWS output.
1. For **User Account and Authentication database password**, specify a password for the provided username. This is the value from the `PcfRdsPassword` key in the AWS output.
1. Click **Save**.