forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpcf-aws-manual-om-config.html.md.erb
249 lines (182 loc) · 14.3 KB
/
pcf-aws-manual-om-config.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
---
title: Manually Configuring Ops Manager Director for AWS
owner: Ops Manager
---
This topic describes how to configure the Pivotal Cloud Foundry Operations
Manager components that you need to run <a
href="https://network.pivotal.io/products/pivotal-cf">Pivotal Cloud Foundry</a>
(PCF) on Amazon Web Services (AWS).
<p class="note warning">
<strong>Caution</strong>: Pivotal strongly recommends installing Pivotal Cloud Foundry using AWS CloudFormation, as described in <a href="./cloudform.html">Installing Pivotal Cloud Foundry® on AWS</a>, rather than configuring AWS manually as documented here.</p>
## <a id='prerequisites'></a>Prerequisites
Ensure that you have successfully completed all steps in the [Manually
Configuring AWS for PCF](./pcf-aws-manual-config.html) topic before beginning
this procedure.
## <a id='pcfaws-om-access'></a>Step 1: Access Ops Manager ##
<p class="note"><strong>Note</strong>: Ops Manager 1.7 security features require that you log in using a fully qualified domain name to access Ops Manager.</a></p>
1. In a web browser, navigate to the fully qualified domain you created in the [Create a DNS Entry](./pcf-aws-manual-config.html#pcfaws-dns-entry) step of [Manually Configuring AWS for PCF](./pcf-aws-manual-config.html).
<p class="note"><strong>Note</strong>: On your first login attempt, an error
message that the connection is untrusted appears because you are attempting
to connect securely to a website with a self-signed certificate.
Add Ops Manager as an exception to bypass this message on subsequent
logins.</p>
1. When Ops Manager starts for the first time, you must choose one of the following:
* <strong>[Use an Identity Provider](#idp)</strong>: If you use an Identity Provider, an external identity server maintains your user database.
* <strong>[Internal Authentication](#internal)</strong>: If you use Internal Authentication, PCF maintains your user database.
<%= image_tag("select-authentication.png") %>
### <a id='idp'></a>Use an Identity Provider ###
1. Log in to your identity provider and use the information below to configure SAML Service Provider Properties:
* Service Provider Entity ID: opsman-login
* ACS URL : https:<span>//<span>OPS-MANAGER-FQDN/uaa/saml/SSO/alias/opsman-login
* Binding : HTTP Post
* SLO URL: https:<span>//<span/>OPS-MANAGER-FQDN/uaa/saml/SingleLogout/alias/opsman-login
* Binding : HTTP Redirect
* Name ID : Email Address
1. When redirected to the **Use an Identity Provider** page, you must complete the following steps:
* Retrieve the metadata URL from your Identity Provider and copy it into the **Use an Identity Provider** area.
* Create a passphrase. Ops Manager encrypts data using the passphrase that you provide.
* Read the **End User License Agreement**, and select the checkbox to accept the terms.
* Click **Setup Authentication**.
<%= image_tag("meta-url.png") %>
1. Your Identity Provider login page appears. Enter your username and password. Click **Login**.
### <a id='internal'></a>Internal Authentication ###
1. When redirected to the **Internal Authentication** page, you must complete the following steps:
* Enter a **Username**, **Password**, and **Password confirmation** to create an Admin user.
* Enter a **Decryption passphrase** and the **Decryption passphrase confirmation**. This passphrase encrypts the Ops Manager datastore, and is not recoverable.
* If you are using an **Http proxy** or **Https proxy**, follow the [PCF Director Proxy Settings](./pcf-director-proxy-settings.html) instructions.
* Read the **End User License Agreement**, and select the checkbox to accept the terms.
* Click **Setup Authentication**.
<%= image_tag("om-login.png") %>
1. Log in to Ops Manager with the Admin username and password you created in the previous step.
<%= image_tag("cf-login.png") %>
## <a id='pcfaws-om-awsconfig'></a>Step 2: AWS Config Page ##
1. Click the **Ops Manager Director** tile.
<%= image_tag("cloudform/om-tile.png") %>
1. Select **AWS Config**.
<%= image_tag("cloudform/aws-config.png") %>
1. Select **Use AWS Keys** or **Use AWS Instance Profile**.
* **Access Key ID** and **AWS Secret Key**: To retrieve your AWS key information, use the AWS Identity and Access Management (IAM) credentials that you generated. Refer to the [Manually Configuring AWS for PCF](pcf-aws-manual-config.html#pcfaws-iam-user) topic.
* **AWS IAM Instance Profile**: Enter the name of your IAM profile.
1. Complete the rest of the **AWS Management Console Config** page:
* **VPC ID**: Enter your PCF VPC ID. You can find the VPC ID on the AWS VPC Dashboard page next to the VPC name.
* **Security Group ID**: Enter the **Group ID** of the Security Group you created for your PCF VMs, which you can find in the **Security Groups** tab of your EC2 Dashboard. For more information, refer to the [Manually Configuring AWS for PCF](./pcf-aws-manual-config.html#pcfaws-om-ersecgrp) topic.
* **Key Pair Name**: Enter `pcf`.
* **SSH Private Key**: Open the AWS key pair `pcf.pem` file you created in the [Manually Configuring AWS for PCF](./pcf-aws-manual-config.html) topic. Copy the contents of the `.pem` file and paste it into the **SSH Private Key** field.
* **Region**: Select the region where you deployed Ops Manager.
* **Encrypt EBS Volumes**: Select this checkbox to enable full encryption on persistent disks of all BOSH-deployed VMs except the Ops Manager VM and Director VM. See [Configuring Amazon EBS Encryption for PCF on AWS](cloudform-om-ebs-config.html) for details on using EBS encryption.
1. Click **Save**.
## <a id='pcfaws-om-dirconfig'></a>Step 3: Director Config Page ##
1. Select **Director Config**.
<%= image_tag("cloudform/director-config.png") %>
1. Enter at least two of the following NTP servers in the **NTP Servers (comma
delimited)** field, separated by a comma:
* 0.amazon.pool.ntp.org
* 1.amazon.pool.ntp.org
* 2.amazon.pool.ntp.org
* 3.amazon.pool.ntp.org
1. Select the **Enable VM Resurrector Plugin** checkbox to enable the Ops Manager Resurrector functionality and increase Elastic Runtime availability. For more information, see the [Using Ops Manager Resurrector on VMware vSphere](./resurrector.html) topic.
1. Select **Recreate all VMs** to force BOSH to recreate all VMs on the next deploy. This process does not destroy any persistent disk data.
1. Select **HM Pager Duty Plugin** to enable Health Monitor integration with PagerDuty.
* **Service Key**: Enter your API service key from PagerDuty.
* **HTTP Proxy**: Enter an HTTP proxy for use with PagerDuty.
1. Select **HM Email Plugin** to enable Health Monitor integration with email.
* **Host**: Enter your email hostname.
* **Port**: Enter your email port number.
* **Domain**: Enter your domain.
* **From**: Enter the address for the sender.
* **Recipients**: Enter comma separated addresses of intended recipients.
* **Username**: Enter the username for your email server.
* **Password**: Enter your username's password.
* **Enable TLS**: Select this checkbox to enable Transport Layer Security.
1. For **Blobstore Location**, select **S3 Compatible Blobstore** and complete the following steps:
* **S3 Endpoint**: Navigate to the [Regions and Endpoints](http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) topic in the AWS documentation. Locate the endpoint for your region in the **Amazon Simple Storage Service (S3)** table and construct a URL using your region's endpoint. For example, if you are using the us-west-1 region the URL you create would be `https://s3-us-west-1.amazonaws.com`. Enter this URL into the **S3 Endpoint** field in Ops Manager.
* **Bucket Name**: Enter the Ops Manager bucket name that you defined in
the [Manually Configuring PCF for AWS](./pcf-aws-manual-config.html#pcfaws-s3) topic.
* **Access Key** and **Secret Key**: To retrieve your AWS key information, use the IAM credentials that you generated in the [Manually Configuring AWS for PCF](./pcf-aws-manual-config.html#pcfaws-iam-user) topic.
* Select **V2 Signature** or **V4 Signature**. If you select **V4 Signature**, enter your **Region**.
1. For **Database Location**, select **External MySQL Database** and complete the following steps:
* From the AWS Console, navigate to the RDS Dashboard.
* Select **Instances**, then click the arrow to the left of your instance and select the second icon to display the **Details** information.
* Refer to the following table to retrieve the values for the **Director Config** page:
<table border="1" class="nice" >
<tr>
<th><strong>RDS Instance Field </strong></th>
<th><strong>Ops Manager Director Field </strong></th>
</tr>
<tr>
<td>Endpoint</td>
<td><strong>Host</strong></td>
</tr>
<tr>
<td>Port</td>
<td><strong>Port</strong>, which is <code>3306</code>.</td>
</tr>
<tr>
<td>DB Name</td>
<td><strong>Database</strong>, which is <code>bosh</code>.</td>
</tr>
<tr>
<td>Username</td>
<td><strong>Username</strong></td>
</tr>
</table><br />
* For **Password**, enter the password that you defined for your MySQL database. For more information, refer to the [Manually Configuring AWS for PCF](./pcf-aws-manual-config.html#pcfaws-mysql-rds) topic.
1. **Max Threads** sets the maximum number of threads that the Ops Manager Director can run simultaneously. For AWS, the default value is 6. Leave this field blank to use this default value. Pivotal recommends that you use the default value unless doing so results in rate limiting or errors on your IaaS.
1. Click **Save**.
## <a id='az'></a>Step 4: Create Availability Zones Page ##
1. Select **Create Availability Zones**.
<%= image_tag("cloudform/create-az.png") %>
1. Use the following steps to create one or more Availability Zones for your applications to use:
* Click **Add**.
* For **Amazon Availability Zone**, enter the name of the AWS AZ that contains the
private subnet CIDR (10.0.16.0/20) for your VPC, such as `us-east-1b`. Find the **Availability Zone** name on the **Summary** tab of the VPC Subnets page. For more information, refer to the [Manually
Configuring PCF for AWS](./pcf-aws-manual-config.html#pcfaws-vpc) topic.
<%= image_tag("pcfaws/om_az_step4.png") %>
1. Click **Save**.
## <a id='pcfaws-om-networks'></a>Step 5: Create Networks Page ##
1. Select **Create Networks**.
<%= image_tag("cloudform/create-networks.png") %>
1. Select **Enable ICMP checks** to enable ICMP on your networks. Ops Manager uses ICMP checks to confirm that components within your network are reachable.
1. Use the following steps to create one or more Ops Manager networks:
* Click **Add Network**.
* Enter a unique **Name** for the network.
* Click **Add Subnet** to create one or more subnets for the network.
* Enter your private subnet ID in **VPC Subnet ID**. This ID displays on the **Subnets** page of the **VPC Dashboard**.
* For **CIDR**, enter `10.0.16.0/20`. Ops Manager will deploy VMs to this CIDR block.
<p class="note"><strong>Note</strong>: You can assign a single CIDR block to
a VPC. The allowed block size is between a /28 netmask and /16 netmask.</p>
* For **Reserved IP Ranges**, enter `10.0.16.1-10.0.16.9` to exclude Amazon IPs used at the bottom of the private range. Ops Manager will not deploy VMs to any IP in this range.
* Enter `10.0.0.2` for **DNS** and `10.0.16.1` for **Gateway**.
* Select which **Availability Zones** to use with the network.
1. Click **Save**.
1. A verification error displays because the PCF Security Group blocks ICMP. You can ignore this error.
<%= image_tag("pcfaws/network-error.png") %>
## <a id="assign-azs"></a>Step 6: Assign AZs and Networks ##
1. Select **Assign AZs and Networks**.
<%= image_tag("cloudform/assign-az.png") %>
1. Use the drop-down menu to select a **Singleton Availability Zone**. The Ops Manager Director installs in this Availability Zone.
1. Use the drop-down menu to select a **Network** for your Ops Manager Director.
1. Click **Save**.
## <a id='security'></a>Step 7: Security Page ##
1. Select **Security**.
<%= image_tag("../images/om-security-aws.png") %>
1. In **Trusted Certificates**, enter a custom certificate authority (CA) certificate to insert into your organization's certificate trust chain. This feature enables all BOSH-deployed components in your deployment to trust a custom root certificate. If you want to use Docker Trusted Registries for running app instances in Docker containers, use this field to enter your certificate for your private Docker Trusted Registry. See the [Using Docker Trusted Registries](../opsguide/docker-registry.html) topic for more information.
1. Choose **Generate passwords** or **Use default BOSH password**. Pivotal recommends that you use the **Generate passwords** option for greater security.
1. Click **Save**. To view your saved Director password, click the **Credentials** tab.
## <a id='pcfaws-om-rscestem'></a>Step 8: Resource Config Page ##
1. Select **Resource Config**.
1. Adjust any values as necessary for your deployment. Under the **Instances**, **Persistent Disk Type**, and **VM Type** fields,
choose **Automatic** from the drop-down menu to allocate the recommended resources for the job. If the **Persistent Disk Type** field reads **None**, the job does not require persistent disk space.
<p class="note"><strong>Note</strong>: If you set a field to <strong>Automatic</strong> and the recommended resource allocation changes in a future version, Ops Manager automatically uses the new recommended allocation.</p>
1. Click **Save**.
<%= image_tag("pcfaws/om_resource_config.png") %>
## <a id='pcfaws-om-complete'></a>Step 9: Complete the Ops Manager Director Installation ##
1. Return to the **Installation Dashboard**.
1. Click **Apply Changes**. An ICMP error message appears.
<%= image_tag("pcfaws/install-error.png") %>
1. Click **Ignore errors and start the install**.
1. Ops Manager Director begins to install. The **Changes Applied** window displays when the installation process successfully completes.
<%= image_tag("aws/vpc-step16.png") %>
## <a id='config-er-aws'></a> Step 10: Configure Elastic Runtime for AWS
After you complete this procedure, follow the instructions in the [Configuring
Elastic Runtime for AWS](./pcf-aws-manual-er-config.html) topic.