Configure the Node.js agent for Pivotal Cloud Foundry (now VMware Tanzu)

  • Updated

You can access a variety of Pivotal Cloud Foundry (PCF) integrations for your applications using the default Node.js buildpack.

To use the buildpack on its own as a low-level integration, you can create a user-provided service and bind it to your application. With the service broker, you can define multiple service plans and generate service instances you can bind to your applications.

Use the Contrast Pivotal tile to automate the BOSH deployment and configuration of the Contrast service broker.


The Contrast PCF integration does not download the Node.js agent and modify your application startup. You must still download and #install-node-js-agent-manually.

You can configure the agent through the Contrast Pivotal tile provided with the integration, or you can use automatic configuration through user-provided services.

To install the Node.js agent in a PCF environment, your application must use one of these buildpacks:

  • For tile support:Cloud Foundry NodeJS Buildpack version 1.6.52 and later

  • For user-provided service support:Cloud Foundry NodeJS Buildpack version 1.6.56 and later

    If you are using a buildpack that does not include Contrast Security framework support, you can add it. To do this, you must make changes to your forked buildpack. If you're using the offline version of the buildpack, you cannot override the version of the agent currently in use by an application. The buildpack bundles the dependencies.

The Contrast Security agent framework downloads the latest Contrast agent and creates a configuration file. The buildpack detect script prints tags to standard output.

The detect script confirms the existence of a single, bound Contrast service. A Contrast service exists if the VCAP_SERVICES payload contains a service name, label or tag with contrast-security as a substring.

To bind Contrast with a user-provided service, you must have a name or tag with contrast-security in it. The credential payload must also contain the standard YAML properties.

This example creates a user-provided service and binds it to an application:

cf create-user-provided-service contrast-security-service -p "teamserver_url, username, api_key, service_key"
cf bind-service spring-music contrast-security-service
cf restage spring-music
The teamserver_url should be only protocol and hostname. Do not include /Contrast/ or /Contrast/api.

Add the Contrast service broker

Use the Contrast service broker to easily bind services to an application in Pivotal Cloud Foundry (PCF), and use the Contrast Node.js agent.

To set up PCF, contact Support. Once you have a service broker source code:

  1. Deploy the service broker application:

    cf push contrast-security-service-broker
  2. You should now see the service broker now appears in PCF. The service broker doesn't offer any plans by default. Configure plans with CONTRAST_SERVICE_PLANS environment variable. You can also use the Pivotal Ops Manager to set the environment variables. If you are using IBM Cloud, you can select the application, select Runtimeand then Environment Variables to set the value.

  3. This example shows how to set the value in the command line:

    cf set-env contrast-security-service-broker CONTRAST_SERVICE_PLANS
        " {
                "ServicePlan1": {
                 } "
    To run the agent on IBM Cloud, you must use single quotes to set the CONTRAST_SERVICE_PLANS environment variable. Example:
        cf set-env contrast-security-service-broker CONTRAST_SERVICE_PLANS
        " {
                'ServicePlan1': {
                 } "
  4. After you modify the environment variable, restage your application:

    cf restage contrast-security-service-broker
  5. The application also requires an environment variable for a username and a password:

    cf set-env contrast-security-service-broker SECURITY_USER_NAME aSecureUsername
    cf set-env contrast-security-service-broker SECURITY_USER_PASSWORD aSecurePassword
  6. Create a service broker instance. Define at least one service plan for this. You must use the same username and password as above.

    cf create-service-broker contrast-security-service-broker USER_NAME PASSWORD
    <URL of your application>
    On IBM Cloud, add --space-scoped at the end of the command. For example:
    cf create-service-broker contrast-security-service-broker USER_NAME PASSWORD
    <URL of your application> --space-scoped
  7. All service brokers start as private. Make it public with:

    cf enable-service-access contrast-security-service-broker
  8. Now that the service broker is working, create a service instance and bind it to the application. To create a service instance, run the following command:

    cf create-service contrast-security-service-broker ServicePlan1 <name_of_service>
  9. To bind it to your application, run the following command:

    cf bind-service <app_name> <name_of_service>
  10. You should see the agent start up with your application. You will also see your application in Contrast.

Add the Contrast service broker tile for Node.js

Before you add the Contrast service broker tile, you must have:

  • Pivotal Apps Manager and Ops Manager

  • An active Contrast account

  • The default Node.js buildpack for any application using Contrast. If you have a custom buildpack, you must copy the Contrast framework support and configuration into it.

With a service broker, Pivotal Cloud Foundry (PCF) applications can easily bind to, and consume services from the Apps Manager or the command line. You can deploy the Contrast service broker as a Node.js application on PCF, and use one or more Contrast accounts. The broker exposes the Contrast service on the PCF marketplace so you can create a service instance.

When you add a tile, it creates one organization: the contrast-security-service-broker-org. Use this organization to deploy the Contrast service broker application. This requires 512MB of memory.


If you want, you can try this first with a sample application called Spring Music. Clone, build, and push the sample applications with the following commands:

git clone
cd spring-music
./gradlew assemble
cf push spring-music

To add the Contrast service broker tile for Node.js:

  1. Download the Contrast service broker tile from the VMware Tanzu Network.

  2. Select Import a Product then select the contrast-security-service-broker-#.#.#.pivotal tile that you downloaded.

    If the file you downloaded has a ZIP extension, rename it to contrast-security-service-broker-#.#.#.pivotal.
  3. The tile requires some configuration before you can deploy it. The service broker does not include service plans by default. You must add at least one before you can deploy the Contrast service broker tile. To add a service plan, select Service Plansin the Contrast service broker tile and select Add.

  4. Complete these configuration parameters in the service plan:

    • TeamServer: URL to your Contrast application instance

    • TeamServer Service Key:Organization service key

    • TeamServer API Key:Organization API key

    • Organization UUID:Organization ID to which the application will belong

    • Username: Your Contrast username

    • Plan Name: Name of the plan as it will appear in Apps Manager

    • Proxy Host: The hostname of a proxy for the service broker to communicate with Contrast

    • Proxy Port: The proxy port

    • Proxy Username: The proxy username if it requires authentication

    • Plan Password: The proxy password

  5. After you define the service plan, select Save. If you want some applications to belong to different organizations, define the other plans you will need.

  6. Select the Apply Changes in the dashboard. This may take some time to finish.

  7. After you successfully deploy the service broker, you can bind the credentials to an application. Go to the Marketplace to find the Contrast service broker option.

  8. Select the Contrast service broker option to see the available plans that you created in the Pivotal Ops Manager.

  9. Use Select this Plan to choose the plan you want to bind to an application.

  10. Specify an instance name for the plan. This doesn't affect the service broker. You can name the instance what you want.

  11. In the Bind to App drop-down menu, select the application to bind to this service. Then restage the application. This will retrieve the latest agent from Contrast to instrument your application.

  12. If you want to override agent properties, such as the application name, you can set environment variables in PCF. Here is a command line example:

    cf set-env APP-NAME JAVA_OPTS "
    -Dcontrast.server=PivotalServerName "

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request