Configure the Java agent for Pivotal Cloud Foundry (now VMware Tanzu)

You can access a variety of Pivotal Cloud Foundry (now VMware Tanzu) integrations for your applications using the default Java buildpack.

Create a user-provided service and bind the service to your application to use the buildpack on its own. With the service broker you can define multiple service plans, and generate service instances to bind to applications.

Contrast has a service broker tile that automates the BOSH deployment and configuration of the Contrast service broker. See Add the Contrast service broker tile for Java.

To instrument an application in a VMware Tanzu Network environment, your application must use one of these buildpacks:

  • Cloud Foundry Java Buildpack, version 3.19 and later or version 4.2 and later

  • IBM Liberty Buildpack, version 2.7.0.2 and later

    Note

    If you're using the offline version of the buildpack, you cannot override the version of the agent currently in use by an application. The buildpack bundles the dependencies.

The Contrast Security agent framework downloads the latest Contrast agent and creates a configuration file. The buildpack detect script prints tags to standard output.

Note

The detect script confirms the existence of a single, bound Contrast service. A Contrast service exists if the VCAP_SERVICES payload contains a service name, label or tag with contrast-security as a substring.

To bind Contrast with a user-provided service, you must have a name or tag with contrast-security in it. The credential payload must also contain the standard YAML properties.

For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to the Configuration and Extension section of the Cloud Foundry Java Buildpack documentation.

This example creates a user-provided service and binds it to an application:

cf create-user-provided-service contrast-security-service -p "teamserver_url, username, api_key, service_key"
cf bind-service spring-music contrast-security-service
cf restage spring-music

Note

The teamserver_url should be only protocol and hostname. Do not include /contrast/ or /contrast/api.
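
The following pre-flight check is an added example, not code from the buildpack or from Contrast. It applies the rules described above to a VCAP_SERVICES payload: exactly one bound service whose name, label or tag contains contrast-security, the credential keys used in the cf create-user-provided-service example (treating all four as required is an assumption), and a teamserver_url with no path. The sample payload and the function names are constructed for illustration.

```ruby
require 'json'
require 'uri'

FILTER = 'contrast-security' # substring the detect script looks for, per the page
# Credential keys from the page's create-user-provided-service example (assumed required).
REQUIRED_KEYS = %w[teamserver_url username api_key service_key].freeze

# Constructed VCAP_SERVICES payload; every value is a placeholder.
SAMPLE_VCAP = <<~PAYLOAD
  {"user-provided": [{
    "name": "contrast-security-service", "label": "user-provided", "tags": [],
    "credentials": {"teamserver_url": "https://teamserver.example.com/contrast/api",
                    "username": "agent_user", "api_key": "constructed-api-key",
                    "service_key": "constructed-service-key"}}]}
PAYLOAD

# Bound services whose name, label or any tag contains FILTER.
def contrast_services(vcap_json)
  JSON.parse(vcap_json).values.flatten.select do |svc|
    [svc['name'], svc['label'], *Array(svc['tags'])].compact.any? { |v| v.to_s.include?(FILTER) }
  end
end

# teamserver_url must be protocol and hostname only (no /contrast/ or /contrast/api).
def url_problem(url)
  uri = URI.parse(url)
  return 'teamserver_url must be http(s)://hostname' unless uri.is_a?(URI::HTTP) && uri.host
  return "teamserver_url must not include a path (got #{uri.path})" unless ['', '/'].include?(uri.path)
  nil
rescue URI::InvalidURIError
  'teamserver_url is not a valid URL'
end

# Returns a list of problems; an empty list means the binding looks usable.
def check_binding(vcap_json)
  matches = contrast_services(vcap_json)
  return ["expected exactly one Contrast service, found #{matches.size}"] unless matches.size == 1

  creds = matches.first['credentials'] || {}
  problems = REQUIRED_KEYS.select { |k| creds[k].to_s.strip.empty? }.map { |k| "missing credential: #{k}" }
  problems << url_problem(creds['teamserver_url'].to_s) unless creds['teamserver_url'].to_s.strip.empty?
  problems.compact
end

puts check_binding(ENV['VCAP_SERVICES'] || SAMPLE_VCAP) if __FILE__ == $PROGRAM_NAME
```

Run inside the application container, the script reads the real VCAP_SERVICES value; run anywhere else, it falls back to the constructed sample and reports the /contrast/api path.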

You can configure the framework by modifying the config/contrast_security_agent.yml file in the buildpack fork. The framework uses the Repository utility support and supports the version syntax defined there.

Name              Description
repository_root   The URL of the Contrast Security repository index
version           The version of the Contrast agent to use

To specify a version of the Java agent to use, set the JBP_CONFIG_CONTRASTSECURITYAGENT environment variable and specify a version listed in the index.

JBP_CONFIG_CONTRASTSECURITYAGENT: '{version: 3.5.6_606}'

Add the Contrast service broker for VMware Tanzu Network for Java

To set up VMware Tanzu Network, contact Support. Once you have the service broker source code:

  1. Deploy the service broker application:

    cf push contrast-security-service-broker
  2. The service broker should now appear in VMware Tanzu Network. The service broker doesn't offer any plans by default. Configure plans with the CONTRAST_SERVICE_PLANS environment variable. You can also use the Pivotal Ops Manager to set the environment variables. If you are using IBM Cloud, you can select the application, select Runtime and then Environment Variables to set the value.

  3. This example shows how to set the value in the command line:

    # The JSON uses double quotes, so wrap the whole value in single quotes for the shell.
    cf set-env contrast-security-service-broker CONTRAST_SERVICE_PLANS \
        '{
            "ServicePlan1": {
                "name": "ServicePlan1",
                "teamserver_url": "https://yourteamserverurl.com",
                "username": "your_username",
                "org_uuid": "00000000-1111-2222-3333-000000000000",
                "api_key": "your_api_key",
                "service_key": "your_service_key"
            },
            "AnotherServicePlan": {
                "name": "AnotherServicePlan",
                "teamserver_url": "https://yourteamserverurl.com",
                "username": "your_username",
                "org_uuid": "00000000-1111-2222-3333-000000000001",
                "api_key": "your_api_key",
                "service_key": "some_other_service_key"
            }
        }'

    Note

    To run the agent on IBM Cloud, you must use single quotes to set the CONTRAST_SERVICE_PLANS environment variable. Example:

        # Single quotes inside the value, double quotes around it for the shell.
        cf set-env contrast-security-service-broker CONTRAST_SERVICE_PLANS \
            "{
                'ServicePlan1': {
                    'name': 'ServicePlan1',
                    'teamserver_url': 'https://yourteamserverurl.com',
                    'username': 'your_username',
                    'org_uuid': '00000000-1111-2222-3333-000000000000',
                    'api_key': 'your_api_key',
                    'service_key': 'your_service_key'
                },
                'AnotherServicePlan': {
                    'name': 'AnotherServicePlan',
                    'teamserver_url': 'https://yourteamserverurl.com',
                    'username': 'your_username',
                    'org_uuid': '00000000-1111-2222-3333-000000000000',
                    'api_key': 'your_api_key',
                    'service_key': 'some_other_service_key'
                }
            }"
  4. After you modify the environment variable, restage your application:

    cf restage contrast-security-service-broker
  5. The application also requires an environment variable for a username and a password:

    cf set-env contrast-security-service-broker SECURITY_USER_NAME aSecureUsername
    cf set-env contrast-security-service-broker SECURITY_USER_PASSWORD aSecurePassword
  6. Create a service broker instance. Define at least one service plan for this. You must use the same username and password as above.

    cf create-service-broker contrast-security-service-broker USER_NAME PASSWORD \
        <URL of your application>

    Note

    On IBM Cloud, add --space-scoped at the end of the command. For example:

    cf create-service-broker contrast-security-service-broker USER_NAME PASSWORD \
        <URL of your application> --space-scoped
  7. All service brokers start as private. Make it public with:

    cf enable-service-access contrast-security-service-broker
  8. Now that the service broker is working, create a service instance and bind it to the application. To create a service instance, run the following command:

    cf create-service contrast-security-service-broker ServicePlan1 <name_of_service>
  9. To bind it to your application, run the following command:

    cf bind-service <app_name> <name_of_service>
  10. You should see the agent start up with your application. You will also see your application in Contrast.