How to change NATS Protocol property to 'TLS only' in TPCF v6 version.

Article ID: 417457

Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

This article provides step-by-step instructions on how to change the NATS Protocol property to TLS only in TPCF v6. You may want to use TLS only in a highly secure environment. This ensures that NATS always communicates over HTTPS instead of both HTTPS and HTTP. Non-TLS NATS is removed in newer versions of TPCF. Setting this property on TPCF 6.0 can reduce the number of changes during future upgrades.

Resolution

Please validate the following procedure in your test environment before performing it in your production environment.

1. Refer to Using the Tanzu Operations Manager API to access the Tanzu Operations Manager API and retrieve the access token.

2. Retrieve the TPCF product guid.

Refer to All deployed products if you need more information about this API endpoint usage.

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/deployed/products -H "Content-Type: application/json" \
        -H "Authorization: bearer $access_token" -k | jq '.' | grep "cf-"

Expected outputs:

    "installation_name": "cf-SOME-GUID",
    "guid": "cf-SOME-GUID",

3. Review the current value for .properties.nats_enabled_endpoints.

Refer to Getting A staged product's properties if you need more information about this API endpoint usage.

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/staged/products/cf-SOME-GUID/properties -H "Content-Type: application/json"  \
       -H "Authorization: bearer $access_token" -k  | jq '.properties' | grep -A 6 nats_enabled_endpoints

Expected outputs:

  ".properties.nats_enabled_endpoints": {
    "type": "selector",
    "configurable": true,
    "credential": false,
    "value": "https_and_http",
    "optional": false,
    "selected_option": "https_and_http"

4. Update the value to https.

Refer to Updating A staged product's properties if you need more information about this API endpoint usage. 

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/staged/products/cf-SOME-GUID/properties \
	-X PUT -H "Content-type: application/json" \
	-d '{"properties": {".properties.nats_enabled_endpoints": {"value": "https"}}}' \
	-H "Authorization: bearer $access_token" -k

Expected outputs:

{} means the API PUT request was completed successfully

{}

5. Confirm the value has now been changed to https.

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/staged/products/cf-SOME-GUID/properties -H "Content-Type: application/json" \
      -H "Authorization: bearer $access_token" -k  | jq '.properties' | grep -A 6 nats_enabled_endpoints

Expected outputs:

  ".properties.nats_enabled_endpoints": {
    "type": "selector",
    "configurable": true,
    "credential": false,
    "value": "https",
    "optional": false,
    "selected_option": "https"

6. Visit the Ops Manager UI > Click REVIEW PENDING CHANGES > Click SEE CHANGES for Tanzu Platform for Cloud Foundry. If you see the following change, select Tanzu Platform for Cloud Foundry and proceed with Apply Change to complete the change.

 instance_groups:
 - name: nats
   jobs:
   - name: nats
     properties:
       nats:
+        disable: true
-        disable: false
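
Review bot: the `+ disable: true` line under the `nats` job's `nats:` properties is the only change in this hunk, so the check before Apply Change is that SEE CHANGES shows exactly this flip of `disable` from `false` to `true` and no other property or instance group. The hunk as shown has no line naming what keeps serving TLS clients once this job is disabled; a one-line note beside the diff stating that would let a reviewer confirm the change does not take NATS down entirely.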
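
Steps 3 to 5 as one idempotent check, added here as an example and not part of the original article or of Tanzu's tooling: it reads the property by exact JSON key instead of `grep -A 6`, sends the PUT only when needed, and keeps certificate verification on where the curl commands pass `-k`. The function names, the `cafile` parameter and the sample data are assumptions constructed for illustration; the endpoint path and property name are the article's.

```python
import json
import ssl
import urllib.request

PROP = ".properties.nats_enabled_endpoints"  # property name from the article

# Constructed sample, shaped like the step 3 output in the article.
SAMPLE = {"properties": {PROP: {
    "type": "selector", "configurable": True, "credential": False,
    "value": "https_and_http", "optional": False,
    "selected_option": "https_and_http"}}}

def plan_update(staged, wanted="https"):
    """Return the PUT body needed to reach `wanted`, or None if already there."""
    entry = staged.get("properties", {}).get(PROP)
    if entry is None:
        raise KeyError(f"{PROP} missing from staged properties")
    if entry.get("value") == wanted and entry.get("selected_option") == wanted:
        return None
    if not entry.get("configurable", False):
        raise RuntimeError(f"{PROP} is not configurable")
    return {"properties": {PROP: {"value": wanted}}}

def api_call(method, url, token, body=None, cafile=None):
    """Ops Manager API request with certificate verification left on."""
    # cafile (assumed parameter): PEM bundle for the Ops Manager CA, if private.
    ctx = ssl.create_default_context(cafile=cafile)
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"bearer {token}",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def enforce_tls_only(base_url, guid, token, call=api_call):
    """Steps 3 to 5: read, PUT only if needed, re-read. True if a change was staged."""
    url = f"{base_url}/api/v0/staged/products/{guid}/properties"
    body = plan_update(call("GET", url, token))
    if body is None:
        return False
    call("PUT", url, token, body)
    if plan_update(call("GET", url, token)) is not None:
        raise RuntimeError("nats_enabled_endpoints is still not https after PUT")
    return True

if __name__ == "__main__":
    print(json.dumps(plan_update(SAMPLE)))  # PUT body for the constructed sample
```

A `True` result means the change is staged only; step 6 (review and Apply Change) is still required for it to take effect.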