When attempting to apply changes for TAS, the UAA VM fails on the pre-start script. The UAA log at /var/vcap/sys/log/uaa.log shows the following error in the exception:
Error creating bean with name 'identityZoneConfigurationBootstrap' defined in ServletContext resource [/WEB-INF/spring-servlet.xml]: Invocation of init method failed; nested exception is org.cloudfoundry.identity.uaa.zone.InvalidIdentityZoneDetailsException: The zone configuration is invalid. There is a security problem with the SAML SP Key configuration for key 'key1'.
There are a few different reasons that this error might be thrown, but the main underlying cause is the UAA SAML certificates. The UAA logs should contain a more specific message detailing the error, at this line:
Caused by: java.security.cert.CertificateException:
Once that message has been checked, the UAA certificate and private key can be verified in this file: /var/vcap/jobs/uaa/config/uaa.yml. The key will be listed under the key1 section.
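One way to carry out that verification with openssl, as an added example that is not part of the original article: it checks that both PEM blocks parse, that the certificate has not expired, and that the certificate and private key belong together. It assumes the certificate and key from the key1 section have been saved to two PEM files; the function name, the KEY_PASSPHRASE variable and the return codes are choices made for this example.

```shell
#!/bin/sh
# Added example: verify a SAML SP certificate / private key pair with openssl.
# Assumption: the certificate and key from the key1 section of uaa.yml were
# copied into two PEM files. Usage: sh check_saml_pair.sh cert.pem key.pem
# Return codes (chosen for this example):
#   0 = pair is usable, 1 = certificate expired,
#   2 = certificate and key do not match, 3 = PEM could not be parsed.
check_saml_pair() {
    cert=$1
    key=$2

    # 1. The certificate must parse as a PEM-encoded X.509 certificate.
    if ! openssl x509 -in "$cert" -noout -subject >/dev/null 2>&1; then
        echo "certificate does not parse as PEM X.509: $cert"
        return 3
    fi

    # 2. The private key must parse. KEY_PASSPHRASE is only needed for an
    #    encrypted key; it is ignored when the key is not encrypted.
    if ! key_pub=$(openssl pkey -in "$key" \
            -passin "pass:${KEY_PASSPHRASE:-}" -pubout 2>/dev/null); then
        echo "private key does not parse (damaged PEM or wrong passphrase): $key"
        return 3
    fi

    # 3. The certificate must not be past its notAfter date.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate expired: $(openssl x509 -in "$cert" -noout -enddate)"
        return 1
    fi

    # 4. The public key in the certificate must equal the one derived from
    #    the private key; otherwise the two do not belong together.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match"
        return 2
    fi

    echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}

# Run the check when the script is given a certificate and a key file.
if [ "$#" -eq 2 ]; then
    check_saml_pair "$1" "$2"
fi
```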
If you have checked these certs and still cannot determine the cause of the issue, please open a case with Broadcom support.