You can access a variety of VMware Tanzu (formerly Pivotal Cloud Foundry) integrations for your applications using the default Java buildpack.
To use the buildpack on its own, create a user-provided service and bind it to your application. With the service broker, you can define multiple service plans and generate service instances to bind to applications.
Contrast has a service broker tile that automates the BOSH deployment and configuration of the Contrast service broker.
To instrument an application in a VMware Tanzu Network environment, your application must use one of these buildpacks:
- Cloud Foundry Java Buildpack, version 3.19 and later or version 4.2 and later
- IBM Liberty Buildpack, version 2.7.0.2 and later
Note
If you're using the offline version of the buildpack, you cannot override the version of the agent currently in use by an application. The buildpack bundles the dependencies.
The Contrast Security agent framework downloads the latest Contrast agent and creates a configuration file. The buildpack detect script prints tags to standard output.
Note
The detect script confirms the existence of a single, bound Contrast service. A Contrast service exists if the VCAP_SERVICES payload contains a service name, label or tag with contrast-security as a substring.
To bind Contrast with a user-provided service, you must have a name or tag with contrast-security in it. The credential payload must also contain the standard YAML properties.
For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to the Configuration and Extension section of the Cloud Foundry Java Buildpack documentation.
This example creates a user-provided service and binds it to an application:
cf create-user-provided-service contrast-security-service -p "teamserver_url, username, api_key, service_key"
cf bind-service spring-music contrast-security-service
cf restage spring-music
Note
The teamserver_url should be only protocol and hostname. Do not include /contrast/ or /contrast/api.
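The binding rules above (exactly one service whose name, label or tag contains contrast-security, the four credential properties from the cf create-user-provided-service command, and a teamserver_url without a path) can be checked against a VCAP_SERVICES payload before restaging. This is an added example in Ruby, not the buildpack's own detect code; the function names and the sample payload are constructed for illustration.

```ruby
require 'json'
require 'uri'

# Filter string and credential keys come from the page; function names are hypothetical.
FILTER = 'contrast-security'
REQUIRED_KEYS = %w[teamserver_url username api_key service_key].freeze

# A service matches if its name, label or any tag contains the filter substring.
def contrast_service?(service)
  candidates = [service['name'], service['label'], *Array(service['tags'])]
  candidates.compact.any? { |value| value.to_s.include?(FILTER) }
end

# teamserver_url must be protocol and hostname only (no /contrast/ or /contrast/api).
def bare_origin?(url)
  uri = URI.parse(url.to_s)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty? &&
    ['', '/'].include?(uri.path) && uri.query.nil? && uri.fragment.nil?
rescue URI::InvalidURIError
  false
end

# Returns a list of problems; an empty list means the binding looks usable.
def check_binding(vcap_json)
  services = JSON.parse(vcap_json).values.flatten.select { |s| contrast_service?(s) }
  return ["expected exactly one Contrast service, found #{services.size}"] unless services.size == 1

  creds = services.first['credentials'] || {}
  problems = REQUIRED_KEYS.select { |k| creds[k].to_s.strip.empty? }
                          .map { |k| "missing credential: #{k}" }
  if !creds['teamserver_url'].to_s.empty? && !bare_origin?(creds['teamserver_url'])
    problems << 'teamserver_url must be protocol and hostname only'
  end
  problems
end

# Constructed sample: a user-provided service with an empty service_key and a URL that has a path.
SAMPLE_VCAP = JSON.generate(
  'user-provided' => [{
    'name' => 'contrast-security-service', 'label' => 'user-provided', 'tags' => [],
    'credentials' => { 'teamserver_url' => 'https://teamserver.example.com/contrast/api',
                       'username' => 'user@example.com', 'api_key' => 'EXAMPLE', 'service_key' => '' }
  }]
)

puts check_binding(SAMPLE_VCAP) if $PROGRAM_NAME == __FILE__
```

Inside a running application container the payload is available as `ENV['VCAP_SERVICES']`, so `check_binding(ENV['VCAP_SERVICES'])` runs the same checks on the live binding.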
You can configure the framework by modifying the config/contrast_security_agent.yml file in the buildpack fork. The framework uses the Repository utility support and supports the version syntax defined there.
Name | Description |
---|---|
repository_root | The URL of the Contrast Security repository index |
version | The version of the Contrast agent to use |
To specify a version of the Java agent to use, set the JBP_CONFIG_CONTRASTSECURITYAGENT environment variable and specify a version listed in the index.
JBP_CONFIG_CONTRASTSECURITYAGENT='version: 4.13.1'
Add the Contrast service broker for VMware Tanzu Network for Java
To set up VMware Tanzu Network, contact Support. Once you have the service broker source code:
- Deploy the service broker application:
cf push contrast-security-service-broker
- The service broker should now appear in PCF. The service broker doesn't offer any plans by default. Configure plans with the CONTRAST_SERVICE_PLANS environment variable. You can also use the Pivotal Ops Manager to set the environment variables. If you are using IBM Cloud, you can select the application, select Runtime and then Environment Variables to set the value.
This example shows how to set the value in the command line:
cf set-env contrast-security-service-broker CONTRAST_SERVICE_PLANS ' { "ServicePlan1": { "name":"ServicePlan1", "teamserver_url":"https://yourteamserverurl.com", "username":"your_username", "org_uuid":"00000000-1111-2222-3333-000000000000", "api_key":"your_api_key", "service_key":"your_service_key" }, "AnotherServicePlan":{ "name":"AnotherServicePlan", "teamserver_url":"https://yourteamserverurl.com", "username":"your_username", "org_uuid":"00000000-1111-2222-3333-000000000001", "api_key":"your_api_key", "service_key":"some_other_service_key" } } '
Note
To run the agent on IBM Cloud, you must use single quotes to set the CONTRAST_SERVICE_PLANS environment variable. Example:
cf set-env contrast-security-service-broker CONTRAST_SERVICE_PLANS " { 'ServicePlan1': { 'name':'ServicePlan1', 'teamserver_url':'https://yourteamserverurl.com', 'username':'your_username', 'org_uuid':'00000000-1111-2222-3333-000000000000', 'api_key':'your_api_key', 'service_key':'your_service_key' }, 'AnotherServicePlan':{ 'name':'AnotherServicePlan', 'teamserver_url':'https://yourteamserverurl.com', 'username':'your_username', 'org_uuid':'00000000-1111-2222-3333-000000000000', 'api_key':'your_api_key', 'service_key':'some_other_service_key' } } "
- After you modify the environment variable, restage your application:
cf restage contrast-security-service-broker
- The application also requires an environment variable for a username and a password:
cf set-env contrast-security-service-broker SECURITY_USER_NAME aSecureUsername
cf set-env contrast-security-service-broker SECURITY_USER_PASSWORD aSecurePassword
- Create a service broker instance. Define at least one service plan for this. You must use the same username and password as above.
cf create-service-broker contrast-security-service-broker USER_NAME PASSWORD <URL of your application>
Note
On IBM Cloud, add --space-scoped at the end of the command. For example:
cf create-service-broker contrast-security-service-broker USER_NAME PASSWORD <URL of your application> --space-scoped
- All service brokers start as private. Make it public with:
cf enable-service-access contrast-security-service-broker
- Now that the service broker is working, create a service instance and bind it to the application. To create a service instance, run the following command:
cf create-service contrast-security-service-broker ServicePlan1 <name_of_service>
- To bind it to your application, run the following command:
cf bind-service <app_name> <name_of_service>
- You should see the agent start up with your application. You will also see your application in Contrast.
Add the Contrast service broker tile for Java
You need to install the Contrast service broker tile to integrate Contrast with VMware Tanzu Network (formerly Pivotal Cloud Foundry).
- Download the Contrast service broker tile from VMware Tanzu Network.
- Store the file locally and navigate to your Pivotal Ops Manager instance.
- Select Import a Product then select the contrast-security-service-broker-#.#.#.pivotal tile that you downloaded.
Note
If the file you downloaded has a ZIP extension, rename it to contrast-security-service-broker-#.#.#.pivotal.
- The tile requires some configuration before you can deploy it. The service broker does not include service plans by default. You must add at least one before you can deploy the Contrast service broker tile. To add a service plan, select Service Plans in the Contrast service broker tile and select Add.
- Complete these configuration parameters in the service plan:
  - TeamServer: URL to your Contrast application instance
  - TeamServer Service Key: Organization service key
  - TeamServer API Key: Organization API key
  - Organization UUID: Organization ID to which the application will belong
  - Username: Your Contrast username
  - Plan Name: Name of the plan as it will appear in Apps Manager
  - Proxy Host: The hostname of a proxy for the service broker to communicate with Contrast
  - Proxy Port: The proxy port
  - Proxy Username: The proxy username if it requires authentication
  - Proxy Password: The proxy password
- After you define the service plan, select Save. If you want some applications to belong to different organizations, define the other plans you will need.
- Select Apply Changes in the dashboard. This may take some time to finish.
- After you successfully deploy the service broker, you can bind the credentials to an application. Go to the Marketplace to find the Contrast service broker option.
- Select the Contrast service broker option to see the available plans that you created in the Pivotal Ops Manager.
- Use Select this Plan to choose the plan you want to bind to an application.
- Specify an instance name for the plan. This doesn't affect the service broker. You can name the instance whatever you want.
- In the Bind to App drop-down menu, select the application to bind to this service. Then restage the application. This will retrieve the latest agent from Contrast to instrument your application.
- If you want to override agent properties, such as the application name, you can set environment variables in PCF. Here is a command line example:
cf set-env APP-NAME JAVA_OPTS " -Dcontrast.agent.java.standalone_app_name=PivotalSpringApp"