forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfigure-multi-foundation.html.md.erb
113 lines (82 loc) · 5.96 KB
/
configure-multi-foundation.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
---
title: Configuring Multi-Foundation Support in Apps Manager
owner:
---
This topic describes how to configure multi-foundation support in Apps Manager.
## <a id="overview"></a> Overview
Configuring multi-foundation support in Apps Manager allows you to search, view, and manage orgs, spaces, apps, and service instances across multiple foundations from a single interface.
## <a id="configure"></a> Configure Multi-Foundation Support
This section describes the procedures for configuring multi-foundation support in Apps Manager.
To configure multi-foundation support in Apps Manager, do the following:
1. Configure PAS. See [Configure PAS](#pas).
1. Add redirects. See [Add Redirects in UAA](#redirects).
1. Add trusted Certificate Authorities (CAs). See [Add Trusted Certificate Authorities](#certificates).
1. (Optional) Configure the SAML Identity Provider. See [(Optional) Configure the SAML Identity Provider](#saml).
### <a id="pas"></a> Configure PAS
This section describes how to configure Pivotal Application Service (PAS) on a foundation to enable multi-foundation support in Apps Manager.
To configure multi-foundation support in Apps Manager, do the following:
1. In the PAS tile of one of your foundations, select **Apps Manager**. The following image shows the **Apps Manager** pane.
1. For **Multi-foundation Configuration (BETA)**, enter a JSON object for each additional foundation that you want to manage. Use the following format for the JSON object:
<pre>
{
"FOUNDATION_NAME": {
"ccUrl": "https://api.FOUNDATION_SYSTEM_DOMAIN.com",
"systemDomain": "FOUNDATION_SYSTEM_DOMAIN.com",
"usageServiceUrl": "https://app-usage.FOUNDATION_SYSTEM_DOMAIN.com",
"invitationsServiceUrl": "https://p-invitations.FOUNDATION_SYSTEM_DOMAIN.com",
"logoutUrl": "https://login.FOUNDATION_SYSTEM_DOMAIN.com/logout.do",
"metricsUrl": "https://metrics.FOUNDATION_SYSTEM_DOMAIN.com",
"uaaUrl": "https://login.FOUNDATION_SYSTEM_DOMAIN.com"
},
}
</pre>
Where:
- `FOUNDATION_NAME` is a name for the foundation.
- `FOUNDATION_SYSTEM_DOMAIN` is the system domain of the foundation. The system domain is listed in the PAS tile **Domains** pane.
- `metricsUrl` is an optional field. If <%= vars.product_name %> Metrics is installed on the foundation, provide the <%= vars.product_name %> Metrics URL.
### <a id="redirects"></a> Add Redirects in UAA
The Apps Manager UAA clients on each foundation you want to manage must include a redirect to the foundation on which you enabled multi-foundation support.
This allows Apps Manager to redirect to the other foundations and back when authenticating with UAA. For more information about UAA clients and configuring valid redirect URIs, see [Client.redirect-uri](../uaa/uaa-concepts.html#redirect-uri) in _UAA Concepts_.
To add redirects, do the following:
1. Install the UAA CLI. See [CloudFoundry UAA Command Line Client](https://github.com/cloudfoundry/cf-uaac) in GitHub.
1. Record the UAA admin client credentials password for a foundation you want to manage with Apps Manager:
1. In the PAS tile **Credentials** tab, for **Admin Client Credentials**, click **Link to Credentials**.
1. Record the value in the `password` field.
1. Use the following command to target UAA on the foundation:
```
uaac target uaa.FOUNDATION_SYSTEM_DOMAIN.com
```
Where `FOUNDATION_SYSTEM_DOMAIN` is the system domain of the foundation.
1. Use the following command to generate a token for the UAA admin client:
```
uaac token client get admin -s ADMIN_CLIENT_PASSWORD
```
Where `ADMIN_CLIENT_PASSWORD` is the **Admin Client Credentials** password you recorded in step 2.
1. Record the UAA redirect URIs. Use the following command to view the redirect URIs on the UAA `apps_manager_js` client:
```
uaac client get apps_manager_js
```
1. Add the URI of the foundation on which you enabled multi-foundation support to the `apps_manager_js` client:
```
uaac client update apps_manager_js --redirect_uri \
'PREVIOUS_REDIRECT_URIS,https://apps.FOUNDATION_SYSTEM_DOMAIN.com/**'
```
Where:
- `PREVIOUS_REDIRECT_URIS` is one or more redirect URIs that you recorded in the previous step. Include the previous redirect URIs in the command to ensure they are not overwritten.
- `FOUNDATION_SYSTEM_DOMAIN` is the system domain of foundation on which you enabled multi-foundation support.
1. Repeat steps 2 through 6 for each foundation you want to manage with Apps Manager.
### <a id="certificates"></a> Add Trusted Certificate Authorities
Apps Manager must be able to validate the CAs used by all foundations.
If any foundation uses a certificate for TLS termination that is not signed by a globally-trusted CA, add the CA that signed the TLS
certificate as a trusted CA on the foundation on which you enabled multi-foundation support.
For more information, see [Setting Trusted Certificates](../customizing/trusted-certificates.html).
### <a id="saml"></a> (Optional) Configure the SAML Identity Provider
Pivotal recommends that all foundations use the same external SAML identity provider. This allows Apps Manager to automatically authenticate with the identity provider.
To configure all foundations to use the same SAML identity provider, do the following for each foundation:
1. Navigate to the PAS tile **UAA** pane.
1. Verify that the foundation uses the correct provider for **Provider Name**.
For more information on UAA and identity providers, see [Identity Providers in
UAA](../uaa/identity-providers.html).
For more information on how to setup identity providers in UAA, see [Adding Existing SAML or
LDAP Users to a <%= vars.product_name %> Deployment](../opsguide/external-user-management.html).