You can configure Transport Layer Security (TLS) termination for HTTP traffic in Tanzu Platform for Cloud Foundry with a TLS certificate, as part of the process of configuring Tanzu Platform for Cloud Foundry for deployment.
Configure TLS termination
When you deploy Operations Manager, you must configure the TLS termination for HTTP traffic in your Tanzu Platform for Cloud Foundry configuration. You can terminate TLS at all of these points:
- Load balancer
- Load balancer and the Gorouter
- The Gorouter
To choose and configure the TLS termination option for your deployment, see TLS Termination Options for HTTP Routing in Securing Traffic into Tanzu Platform for Cloud Foundry.
Obtain TLS certificates
To secure traffic into Operations Manager, you must obtain at least one TLS certificate. For general certificate requirements for deploying Operations Manager, see Certificate Requirements in Securing Traffic into Tanzu Platform for Cloud Foundry.
For additional IaaS-specific certificate requirements:
- AWS: Certificate Requirements on AWS
- Azure: Certificate Requirements on Azure
- GCP: Certificate Requirements on GCP
- OpenStack: Certificate Requirements on OpenStack
- vSphere: Certificate Requirements on vSphere
Create a wildcard certificate for Operations Manager deployments
You can create or generate a certificate for your Tanzu Platform for Cloud Foundry environment. If you are deploying to a production environment, you must obtain a certificate from a trusted Certificate Authority (CA).
For internal development or testing environments, you have two options for creating the required TLS certificate:
- You can create a self-signed certificate, or
- You can have Tanzu Platform for Cloud Foundry generate the certificate for you.
To create a certificate, you can use a wide variety of tools including OpenSSL, Java’s keytool, Adobe Reader, and Apple’s Keychain to generate a Certificate Signing Request (CSR).
For either self-signed or trusted single certificates, apply these rules when creating the CSR:
- Specify your registered wildcard domain as the Common Name, where DOMAIN is your registered wildcard domain. For example, *.DOMAIN.com.
- VMware recommends using a split domain configuration that separates the domains for apps and sys components. To use a split domain configuration, enter these values in the Subject Alternative Name of the certificate, where DOMAIN is your registered wildcard domain:
  - *.apps.DOMAIN.com
  - *.sys.DOMAIN.com
  - *.login.sys.DOMAIN.com
  - *.uaa.sys.DOMAIN.com
- If you are using a single domain configuration, use these values as the Subject Alternative Name of the certificate, where DOMAIN is your registered wildcard domain:
  - *.login.sys.DOMAIN.com
  - *.uaa.sys.DOMAIN.com
TLS certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated for *.DOMAIN.com does not work for *.apps.DOMAIN.com and *.sys.DOMAIN.com. The certificate must have both *.apps.DOMAIN.com and *.sys.DOMAIN.com attributed to it.
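The single-label wildcard rule above is easy to get wrong when reviewing a certificate request. The following added example (not part of the Tanzu documentation) applies that rule to a list of Subject Alternative Names and reports which hostnames a certificate would fail to cover; the hostnames and the example.com domain are constructed sample values.

```python
"""Check that a certificate's Subject Alternative Names cover a set of hostnames.

Added example, not part of the Tanzu documentation. Wildcard matching follows
the single-label rule the text describes: "*" matches exactly one DNS label, so
*.example.com covers api.example.com but not api.sys.example.com.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN entry (possibly with a leading '*.') matches hostname.

    The wildcard is accepted only as the whole leftmost label and matches exactly
    one label, which is why *.DOMAIN.com does not cover *.apps.DOMAIN.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same number of labels, and every label after the wildcard must be identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(required: list[str], sans: list[str]) -> list[str]:
    """Return the hostnames in `required` that no SAN entry matches."""
    return [h for h in required if not any(wildcard_matches(s, h) for s in sans)]


# Constructed sample hostnames for a split-domain deployment under example.com.
REQUIRED_HOSTS = [
    "myapp.apps.example.com",
    "api.sys.example.com",
    "login.sys.example.com",
    "uaa.sys.example.com",
    "foo.login.sys.example.com",
]

# A single top-level wildcard, as the text warns, covers none of these.
SINGLE_WILDCARD = ["*.example.com"]

# The split-domain SAN set from the text, with DOMAIN = example.com.
SPLIT_DOMAIN_SANS = [
    "*.apps.example.com",
    "*.sys.example.com",
    "*.login.sys.example.com",
    "*.uaa.sys.example.com",
]

if __name__ == "__main__":
    print("missing with *.example.com only:", uncovered_hosts(REQUIRED_HOSTS, SINGLE_WILDCARD))
    print("missing with split-domain SANs:", uncovered_hosts(REQUIRED_HOSTS, SPLIT_DOMAIN_SANS))
```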
Generate an RSA certificate in Tanzu Platform for Cloud Foundry
To generate an RSA certificate in Tanzu Platform for Cloud Foundry:
- Go to the VMware Tanzu Operations Manager Installation Dashboard.
- Click the Tanzu Platform for Cloud Foundry tile.
- Select Networking.
- Under Certificate and private keys for the Gorouter:
  - Under Certificate and private key, click Change.
  - Click Generate RSA Certificate to populate the Certificate and private key fields with RSA certificate and private key information.
  VMware recommends using a split domain configuration that separates the domains for apps and sys components. To use a split domain configuration, enter the following domains for the certificate, where DOMAIN is your registered wildcard domain:
  - *.DOMAIN.com
  - *.apps.DOMAIN.com
  - *.sys.DOMAIN.com
  - *.login.sys.DOMAIN.com
  - *.uaa.sys.DOMAIN.com
- Click Generate.