1. Select **UAA**.
1. (Optional) Under **JWT Issuer URI**, enter the URI that UAA uses as the issuer when generating tokens.
<%= image_tag('ert_uaa_jwt_uri.png') %>
1. Under **SAML Service Provider Credentials**, enter a certificate and private key to be used by UAA as a SAML Service Provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a self-signed certificate. The following domain must be associated with the certificate: `*.login.YOUR-SYSTEM-DOMAIN`.
<p class="note"><strong>Note</strong>: The Pivotal Single Sign-On Service and Pivotal Spring Cloud Services tiles require the <code>*.login.YOUR-SYSTEM-DOMAIN</code> domain on this certificate.
</p>
1. If the private key specified under **SAML Service Provider Credentials** is password-protected, enter the password under **SAML Service Provider Key Password**.
<%= image_tag("service-provider.png") %>
1. For **Signature Algorithm**, choose an algorithm from the dropdown menu to use for signed requests and assertions. The default value is `SHA256`.
1. (Optional) In the **Apps Manager Access Token Lifetime**, **Apps Manager Refresh Token Lifetime**, **Cloud Foundry CLI Access Token Lifetime**, and **Cloud Foundry CLI Refresh Token Lifetime** fields, change the lifetimes of tokens granted for Apps Manager and Cloud Foundry Command Line Interface (cf CLI) login access and refresh. Most deployments use the defaults.
<%= image_tag("authsso-uaa-bottom.png") %>
1. (Optional) In the **Global Login Session Max Timeout** and **Global Login Session Idle Timeout** fields, set, in seconds, the maximum lifetime of a global login session and how long it can remain idle before it times out. These fields apply to the following:
* **Default zone sessions**: Sessions in Apps Manager, PCF Metrics, and other web UIs that use the UAA default zones
* **Identity zone sessions**: Sessions in apps that use a UAA identity zone, such as a Single Sign-On service plan
1. (Optional) Customize the text prompts used for username and password from the cf CLI and Apps Manager login popup by entering values for **Customize Username Label (on login page)** and **Customize Password Label (on login page)**.
1. (Optional) The **Proxy IPs Regular Expression** field contains a pipe-delimited set of regular expressions that UAA considers to be reverse proxy IP addresses. UAA respects the `x-forwarded-for` and `x-forwarded-proto` headers only from IP addresses that match these regular expressions. To configure UAA to respond properly to Gorouter or HAProxy requests coming from a public IP address, append one or more regular expressions that match the public IP address.
1. You can configure UAA to use an internal MySQL database provided with PCF, or you can configure an external database provider. Follow the procedures in either the [Internal Database Configuration](#uaa-internal) or the [External Database Configuration](#uaa-external) section below.
<p class="note"><strong>Note</strong>: For GCP installations, Pivotal recommends selecting <strong>External</strong> and using Google Cloud SQL.
</p>
<p class="note"><strong>Note</strong>: If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data before changing the configuration. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information, and contact <a href="https://support.pivotal.io">Pivotal Support</a> for help.
</p>
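As an added example, not part of the original Pivotal documentation, the following shell script produces a self-signed certificate and private key of the kind the **SAML Service Provider Credentials** steps above ask for: the certificate carries the required `*.login.YOUR-SYSTEM-DOMAIN` wildcard as its subject alternative name, is signed with SHA-256 to match the default **Signature Algorithm**, and the key can be password-protected, which is the case that needs the **SAML Service Provider Key Password** field. The `make_saml_sp_cert` function, its helpers and the output file names are this example's own choices; it assumes `openssl` 1.1.1 or newer is on the path (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Added example: self-signed SAML Service Provider certificate for UAA with the
# wildcard domain the UAA pane requires, *.login.YOUR-SYSTEM-DOMAIN.
# Assumes openssl 1.1.1+ on the path. File names are this example's own.

# make_saml_sp_cert SYSTEM_DOMAIN OUT_DIR [KEY_PASSWORD]
#   Writes OUT_DIR/saml-sp.key and OUT_DIR/saml-sp.crt. With KEY_PASSWORD the
#   key is written encrypted (PKCS#8), which is what the "SAML Service Provider
#   Key Password" field is for. Passwords containing spaces are not handled here.
make_saml_sp_cert() {
  domain="$1"
  out="$2"
  pass="${3:-}"
  mkdir -p "$out"
  if [ -n "$pass" ]; then
    enc="-passout pass:$pass"   # encrypt the new key with this password
  else
    enc="-nodes"                # leave the key unencrypted
  fi
  # -sha256 matches the default Signature Algorithm setting in the UAA pane;
  # the SAN carries the wildcard that the SSO and Spring Cloud Services tiles need.
  # shellcheck disable=SC2086  # $enc is intentionally word-split
  openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/CN=*.login.$domain" \
    -addext "subjectAltName=DNS:*.login.$domain" \
    -keyout "$out/saml-sp.key" -out "$out/saml-sp.crt" $enc 2>/dev/null
}

# cert_san CERT: print the Subject Alternative Name extension of CERT.
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# cert_sig_alg CERT: print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n1 | awk '{print $3}'
}

# key_is_encrypted KEY: succeed when KEY is a password-protected PKCS#8 key.
key_is_encrypted() {
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# key_password_ok KEY PASSWORD: succeed when PASSWORD unlocks KEY, so you can
# confirm the password before entering it in the pane.
key_password_ok() {
  openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}
```

Run `make_saml_sp_cert YOUR-SYSTEM-DOMAIN ./saml-sp 'your-key-password'`, then paste `saml-sp.crt` and `saml-sp.key` into the pane and the password into **SAML Service Provider Key Password**; `cert_san` and `cert_sig_alg` let you confirm the wildcard name and algorithm before you save. A certificate from your trusted Certificate Authority works the same way as long as it carries the same wildcard name.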
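The **Proxy IPs Regular Expression** setting decides whose `x-forwarded-for` header UAA believes, so an expression that is too broad lets any peer choose the client address UAA sees, while an unescaped dot matches more than the literal address you meant. The following added shell example, which is not part of the original page or of UAA itself, models that decision: the pipe-delimited set is used directly as a POSIX extended regular expression (the pipes become alternation) and matched against the whole peer address. The full-address matching and the header handling are this example's assumptions; UAA's own Java regular-expression handling is not described on this page and may differ in detail.

```shell
#!/bin/sh
# Added example: how a pipe-delimited proxy IP regular expression set governs
# trust in x-forwarded-for. Models the concept; not UAA's own code.

# trusted_proxy PEER_ADDR PROXY_REGEXES: succeed when PEER_ADDR, as a whole,
# matches one of the pipe-delimited expressions (grep -E treats '|' as
# alternation, -x requires a full-line match).
trusted_proxy() {
  printf '%s\n' "$1" | grep -Eqx -- "$2"
}

# client_ip PEER_ADDR X_FORWARDED_FOR PROXY_REGEXES: print the address to treat
# as the client. Only when the immediate peer is a trusted proxy is the first
# x-forwarded-for entry used; otherwise the header is ignored and the peer
# address itself is returned.
client_ip() {
  if [ -n "$2" ] && trusted_proxy "$1" "$3"; then
    printf '%s\n' "$2" | cut -d, -f1 | tr -d ' '
  else
    printf '%s\n' "$1"
  fi
}

# Constructed sample values: a Gorouter range and one HAProxy address.
# Dots are escaped so that '10\.0\.0\.1' matches only that address.
PROXY_RX='10\.0\.0\.[0-9]+|192\.168\.1\.10'

# Request relayed by a Gorouter at 10.0.0.5: the header is honoured.
client_ip 10.0.0.5 '203.0.113.7, 10.0.0.5' "$PROXY_RX"
# Request straight from an unlisted peer: its header is ignored.
client_ip 198.51.100.9 '127.0.0.1' "$PROXY_RX"
```

Keep the expressions to the addresses Gorouter and HAProxy actually present to UAA and escape the dots: `10.0.0.1` as written also matches `10000001`, and a catch-all such as `.*` makes UAA accept forwarded headers from every peer.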
### <a id='uaa-internal'></a> Internal Database Configuration
If you chose not to deploy a Google Cloud SQL database with Terraform, follow these steps.
When you configure UAA to use an internal MySQL database, it uses the database type selected in the **Databases** pane, which offers two options. See [Migrate to Internal Percona MySQL](../opsguide/internal-databases.html#migrate) for details.
1. Select **Internal MySQL**.
![UAA DB Selection](ert_uaa_internal.png)
1. Click **Save**.
1. Ensure that you complete the [Configure Internal MySQL](#internal-db) step later in this topic to configure high availability for your internal MySQL databases.
### <a id='uaa-external'></a> External Database Configuration
If you chose to deploy a Google Cloud SQL database with Terraform, follow these steps.
1. From the **UAA** section in Pivotal Application Service (PAS), select **External**.
<%= image_tag('ert_uaa_external.png') %>
1. Complete the fields as follows:
* **Hostname**: Enter the value of `sql_db_ip` from your Terraform output.
* **TCP Port**: Enter `3306`.
* **User Account and Authentication database username**: Enter the value of `pas_sql_username` from your Terraform output.
* **User Account and Authentication database password**: Enter the value of `pas_sql_password` from your Terraform output.
1. Click **Save**.