---
title: Installing and Configuring Solace PubSub+ for Pivotal Cloud Foundry
owner: Partners
---
This topic describes how to install and configure Solace PubSub+ for Pivotal Cloud Foundry (PCF). Before installing Solace PubSub+ for PCF, you must complete the [prerequisites](#prereqs).
## <a id='resource-reqs'></a> Review Resource Requirements
Review the resource and IP requirements for installing the Solace PubSub+ for PCF tile.
<table border="1" class="nice">
<tr>
<th>Resource</th>
<th>Instances</th>
<th>CPU</th>
<th>RAM (MB)</th>
<th>Ephemeral (MB)</th>
<th>Persistent (MB)</th>
<th>Static IP</th>
<th>Dynamic IP</th>
</tr>
<tr>
<td>Solace Service Broker</td>
<td>1</td>
<td>1</td>
<td>1024</td>
<td>1024</td>
<td>0</td>
<td>0</td>
<td>1</td>
</tr>
<tr>
<td>Management</td>
<td>1<a href="#tableNote1"><sup>1</sup></a></td>
<td>1</td>
<td>2048</td>
<td>10240</td>
<td>10240</td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td>Arbitrator</td>
<td>0<a href="#tableNote2"><sup>2</sup></a></td>
<td>1</td>
<td>1024</td>
<td>10240</td>
<td>10240</td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_enterprise_large'>Enterprise Large</a></td>
<td>0<a href="#tableNote3"><sup>3</sup></a></td>
<td>4</td>
<td>12288</td>
<td>10240</td>
<td>40960<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_enterprise_shared'>Enterprise Shared</a></td>
<td>0<a href="#tableNote3"><sup>3</sup></a></td>
<td>2</td>
<td>4096</td>
<td>10240</td>
<td>20480<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_enterprise_medium_ha'>Enterprise Medium-HA</a></td>
<td>0
<a href="#tableNote3"><sup>3, </sup></a>
<a href="#tableNote4"><sup>4</sup></a></td>
<td>2</td>
<td>4096</td>
<td>10240</td>
<td>20480<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_enterprise_large_ha'>Enterprise Large-HA</a></td>
<td>0
<a href="#tableNote3"><sup>3, </sup></a>
<a href="#tableNote4"><sup>4</sup></a></td>
<td>4</td>
<td>12288</td>
<td>10240</td>
<td>40960<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_enterprise_5'>Enterprise Plan 5</a></td>
<td>0
<a href="#tableNote3"><sup>3, </sup></a>
<a href="#tableNote4"><sup>4</sup></a></td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_enterprise_6'>Enterprise Plan 6</a></td>
<td>0
<a href="#tableNote3"><sup>3, </sup></a>
<a href="#tableNote4"><sup>4</sup></a></td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_standard_medium'>Standard Medium</a></td>
<td>0<a href="#tableNote3"><sup>3</sup></a></td>
<td>2</td>
<td>4096</td>
<td>10240</td>
<td>20480<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_standard_medium_ha'>Standard Medium-HA</a></td>
<td>3
<a href="#tableNote3"><sup>3, </sup></a>
<a href="#tableNote4"><sup>4</sup></a></td>
<td>0</td>
<td>4096</td>
<td>10240</td>
<td>20480<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_standard_3'>Standard Plan 3</a></td>
<td>0
<a href="#tableNote3"><sup>3, </sup></a>
<a href="#tableNote4"><sup>4</sup></a></td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td><a href='service-plans.html#plan_standard_4'>Standard Plan 4</a></td>
<td>0
<a href="#tableNote3"><sup>3, </sup></a>
<a href="#tableNote4"><sup>4</sup></a></td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0<a href="#tableNote3"><sup>3</sup></a></td>
<td>1</td>
<td>0</td>
</tr>
</table>
<p id="tableNote1" class="note"><strong><sup>1</sup> Note:</strong> The management VM is required to support Solace PubSub+ for PCF. <strong>Two</strong> instances are required for a production setup and must be combined with <strong>One</strong> arbitrator VM.</p>
<p id="tableNote2" class="note"><strong><sup>2</sup> Note:</strong> <strong>One</strong> arbitrator VM is required for a production setup and must be combined with <strong>Two</strong> management VM instances. Otherwise set this to zero.</p>
<p id="tableNote3" class="note"><strong><sup>3</sup> Note:</strong> You can modify the number of <strong>operator allocated</strong> instances and persistent disk size when configuring the tile for the Solace PubSub+ message broker jobs. For more information, see the <a href="#configure">Configure Solace PubSub+ for PCF</a> tile below.</p>
<p id="tableNote4" class="note"><strong><sup>4</sup> Note:</strong> A high availability Solace PubSub+ service instance requires three (3) HA Solace PubSub+ message broker job instances to be used. As such, the <strong>operator allocated</strong> number of HA Solace PubSub+ message broker job instances specified for the HA Solace PubSub+ message broker instances should be a multiple of 3. If it is not, the remaining job instances go unused.</p>
## <a id='prereqs'></a> Prerequisites
Solace PubSub+ for PCF requires the following:
* PCF version 2.1.x or later.
* Java buildpack v4.x.x or later.
* A MySQL database, which can be made available in one of these ways:
    * Internal deployment as part of Solace PubSub+ for PCF on a management VM:
        * [Internal MySQL](#required_mysql_internal)
        * [Internal MySQL (Highly Available)](#required_mysql_internal_ha)
    * As a service from a deployment of [MySQL for Pivotal Cloud Foundry](http://docs.pivotal.io/p-mysql/index.html). Configure it for high availability, with service plans offering a minimum of 100&nbsp;MB. See [MySQL for PCF](#required_mysql_for_pcf).
    * External: when MySQL is already deployed outside PCF, it can be offered to Solace PubSub+ for PCF as a user-provided service instance. See [External MySQL](#required_mysql_external).
## <a id='install'></a> Install Solace PubSub+ for PCF
To install Solace PubSub+ for PCF, do the following:
1. Download the product file from Pivotal Network.
1. Upload the product file on the Ops Manager **Installation Dashboard**.
1. Click **Add** next to the uploaded Solace PubSub+ tile in the Ops Manager **Available Products** view to add it to your staging area.
1. Click the **Solace PubSub+** tile.
1. Follow the steps in the section below to configure the tile.
## <a id='configure'></a> Configure Solace PubSub+ for PCF
To configure Solace PubSub+ for PCF, do the following:
From the **Settings** tab of the Solace PubSub+ tile:
<%= image_tag('select_tile_settings_new.png') %>
1. Configure the [**Required Settings**](#configure_required):
    * [**Assign AZs and Networks**](#required_azs_and_network)
    * [**Management Access**](#required_management_access)
    * [**MySQL Configuration**](#required_mysql_configuration)
    * [**TCP Routes**](#required_tcp_routes)
    * [**Standard Plans**](#required_standard_plans)
    * [**Enterprise Plans**](#required_enterprise_plans)
    * [**Stemcell**](#required_stemcell)
    * [**Resource Config**](#required_resource_config)
1. Configure the [**Optional Settings**](#configure_optional):
    * [**Message Broker Config**](#general_settings)
    * [**TLS Config**](#optional_tls_config)
    * [**Management Access (LDAP)**](#optional_management_access)
    * [**Service Access**](#optional_service_access)
    * [**Application Access**](#optional_application_access)
    * [**LDAP Settings**](#optional_ldap_settings)
    * [**System Logging**](#optional_system_logging)
    * [**TCP Routes**](#optional_tcp_routes)
1. [Apply Changes](#apply_changes).
### <a id='configure_required'></a> Required Settings
#### <a id='required_azs_and_network'></a> Assign AZs and Networks
1. From the **Settings** tab of the Solace PubSub+ tile, click **Assign AZs and Networks**.
<%= image_tag('select_1_assign_azs_and_networks.png') %>
1. Under **AZ and Network Assignments**, choose the availability zones and network where the Solace PubSub+ deployment should run. This includes all **Operator Allocated** message brokers. If you are deploying Solace PubSub+ with high availability plans, consider using multiple availability zones for maximum fault tolerance. Also choose the Service Network, which is where **On Demand** allocated message brokers are deployed. The availability zones for On Demand allocated message brokers are controlled in each plan.
<%= image_tag('form_assign_azs_and_networks_new2.png') %>
1. Click **Save**.
#### <a id='required_mysql_configuration'></a> MySQL Configuration
1. Click **MySQL Configuration**.
<%= image_tag('select_1_mysql.png') %>
1. Select one of the supported MySQL configurations for the service broker's database.
<p></p>
<a id='required_mysql_internal'></a>
**Internal MySQL**: The default option is an 'Internal MySQL' deployed to a single management VM. For a production setup, allocate two management VMs and one arbitrator VM. The arbitrator VM should be located in a different availability zone than the management VMs. Without a load balancer, the service broker relies on the MySQL driver for failover, using up to two management VMs when available.
<%= image_tag('form_mysql_default_new.png') %>
<p></p>
<a id='required_mysql_internal_ha'></a>
**Internal MySQL (Highly Available)**: Allocate two management VMs and one arbitrator VM. The arbitrator VM should be located in a different availability zone than the management VMs. When using a load balancer, point it at the two management VMs with health check port `1936`. The load balancer setup must be sticky. For more information, see [CF MySQL Release - Proxy: Configuring Load Balancer](https://github.com/cloudfoundry/cf-mysql-release/blob/develop/docs/proxy.md#configuring-load-balancer). Without a load balancer, the service broker relies on the MySQL driver for failover, using up to two management VMs when available.
<%= image_tag('form_mysql_internal_ha_new2.png') %>
<p></p>
<a id='required_mysql_for_pcf'></a>
**MySQL for PCF**: When the MySQL for PCF tile is available, select a highly available service plan with a minimum of 100&nbsp;MB database size.
<%= image_tag('form_mysql_for_pcf_new.png') %>
<p></p>
<a id='required_mysql_external'></a>
**External MySQL**: When MySQL is available as an external service, it can be offered to Solace PubSub+ for PCF as a user-provided service. Ensure you have a highly available deployment with a minimum of 100&nbsp;MB database size.
<%= image_tag('form_mysql_external_new.png') %>
<p></p>
<p class="note"><strong>Note:</strong> The choices you make for the MySQL configurations are not modifiable once the deployment has completed. Be sure to select the most appropriate option for your deployment.</p>
1. Click **Save**.
#### <a id='required_management_access'></a> Management Access
1. Click **Management Access**.
<%= image_tag('select_1_management_access.png') %>
1. Under **Admin user password**, pick a password for the message brokers' `admin` user.
<%= image_tag('form_management_access_admin_user_password_new.png') %>
1. (Optional) If you want to use LDAP, see [(Optional) Management Access](#optional_management_access).
1. Click **Save**.
#### <a id='required_tcp_routes'></a> TCP Routes (Save Required)
Open this pane and click **Save** even if using the default setting. If you want to enable TCP routes, follow the procedure in [(Optional) TCP Routes](#optional_tcp_routes).
1. Click **TCP Routes**.
<%= image_tag('select_1_tcp_routes.png') %>
1. Default: **TCP Routes Disabled**.
<%= image_tag('form_tcp_routes_new.png') %>
1. Click **Save**.
<p class="note"><strong>Note:</strong> Failing to click <strong>Save</strong> might result in an <code>unknown property "solace_router"</code> exception when you attempt to Apply Changes.</p>
#### <a id='required_standard_plans'></a> Standard Plans (Save Required)
Open this pane even if using the default setting. You need to select all the Availability Zones before this can be saved. If you want to customize any plans, see [Service Plan Configuration](#service_plan_configuration).
1. Click **Standard Plans**.
<%= image_tag('select_1_standard_plans.png') %>
1. Click **Save**.
#### <a id='required_enterprise_plans'></a> Enterprise Plans (Save Required)
Open this pane even if using the default setting. You need to select all the Availability Zones before this can be saved. If you want to customize any plans, see [Service Plan Configuration](#service_plan_configuration).
1. Click **Enterprise Plans**.
<%= image_tag('select_1_enterprise_plans.png') %>
1. Click **Save**.
#### <a id='required_stemcell'></a> Stemcell
You might need to import a stemcell if the minimum stemcell required for Solace PubSub+ for PCF is not found.
1. Click **Stemcell**.
<%= image_tag('select_1_stemcell.png') %>
1. Click **Import Stemcell** to import the required stemcell for your installation of PCF.
* [Download Stemcells for PCF](https://network.pivotal.io/products/stemcells)
#### <a id='required_resource_config'></a> Resource Config
1. Click **Resource Config**.
<%= image_tag('select_1_resource_config.png') %>
1. Use the drop-down menus to configure the number of Solace PubSub+ message broker job instances that are available in each of the service plans mentioned above. These job instances are statically created when the tile is deployed. Service instances are then dynamically allocated at service instance creation time, post-deployment, using these job instances.<br/><br/>
Five Enterprise Shared service instances can be hosted on a single Enterprise Shared job instance. As such, the maximum number of Enterprise Shared service instances that can concurrently exist for the `Enterprise Shared` service plan is equal to five times the number of `Enterprise Shared` job instances. Conversely, three HA Solace PubSub+ message broker job instances are required for a single HA Solace PubSub+ message broker service instance. As such, the maximum number of HA Solace PubSub+ message broker service instances that can concurrently exist for the `Enterprise Large-HA` and `Enterprise Medium-HA` service plans is equal to one-third the number of their corresponding job instances. In order for `Enterprise Large-HA` and `Enterprise Medium-HA` service plans to provide high availability fault tolerance, make use of multiple availability zones for your deployment, with a minimum of 2 and an ideal of 3 or more. If you have only one availability zone, the deployment is not fault tolerant and Solace does not recommend using high availability service plans under this scenario.
<p class="note"><strong>Note:</strong> The <strong>Automatic</strong> number of job instances is kept to the same values found in previous tile releases. This is just to ensure no instances are lost during upgrades.</p>
<p class="note"><strong>Note:</strong> The number of job instances can be increased after the tile is deployed without impacting already bound apps. However, reducing the number of instances can result in app failure and message loss.</p>
<p class="note"><strong>Note:</strong> The size of the persistent disk can be changed both before and after deployment. Increasing the size of the persistent disks will impact the service of already bound apps. However, messages will not be lost. Reducing the size of the persistent disk post-deployment is not recommended and can result in message loss, inoperable Solace PubSub+ message broker, and/or undefined behaviors.</p>
<p class="note"><strong>Note:</strong> Unless there are no existing service instances or you are configuring a new plan, Solace recommends keeping the default values for <strong>VM Type</strong> and ensuring it matches the configurable service plan. A reduction of the RAM or CPU capacity may lead to a deployment failure or service degradation.</p>
<%= image_tag('form_resource_config.png') %>
1. Click **Save**.
### <a id='configure_optional'></a> Optional Settings
#### <a id='general_settings'></a> (Optional) General Settings
1. Click **General Settings**.
<%= image_tag('select_1_general_settings.png') %>
1. Under **Starting Port**, enter a port where the messaging services on the Solace PubSub+ message brokers (e.g. MQTT, REST, or SMF) will start listening from, for example, `7000`. The exact port numbers chosen for each service will be based on this starting port and specified in the `VCAP_SERVICES` environment variable passed to apps. For an example, see [Example Environment Variable](credentials.html#example).
<p class="note"><strong>Note:</strong> The Starting Port may only be set at tile installation time. Its value may not be changed later.</p>
<%= image_tag('form_general_settings_starting_port.png') %>
1. <a id='default_orphaned_resource_policy'></a> Under **Default Orphaned Resource Policy**, choose a default policy for your deployment. This default policy is used when a service does not have its own policy. See [Service Orphaned Resource Policy](service-instances.html#service_orphaned_resource_policy) for more details about the options.
<%= image_tag('form_general_settings_default_orphaned_resource_policy.png') %>
1. <a id='webhook'></a> Under **Web Hook**, you can choose to Enable or Disable.
<%= image_tag('form_general_settings_webhook.png') %>
Web Hook enables an operator to receive POST requests to an endpoint of their choosing
to get informed about Service create, delete, and update events.
1. <a id='sb_settings'></a> Adjust service broker related settings.
<%= image_tag('form_general_settings_sb.png') %>
An operator has a chance to confirm the buildpack and the amount of memory used for the Service Broker installation in CF.
1. <a id='monitor_settings'></a> Adjust Monitor VM Type and Disk Type
<%= image_tag('form_general_monitor.png') %>
The Monitor **VM Type** and **Disk Type** settings apply to all on-demand plans with **High Availability** enabled.
A Monitor node requires 1 CPU and 1 GB of RAM.
1. Click **Save**.
#### <a id='optional_tls_config'></a> (Optional) TLS Config
1. Click **TLS Config**.
<%= image_tag('select_1_tls_config.png') %>
TLS is disabled by default.
<%= image_tag('form_tls_config_new.png') %>
1. Click **TLS Enabled**.
<%= image_tag('form_tls_config_enabled_new.png') %>
By enabling and configuring TLS, you allow messaging between apps and the Solace PubSub+ message broker to be encrypted. Apps requiring encryption would then need to use the TLS-specific URLs passed in the `VCAP_SERVICES` environment variable. For more information about the `VCAP_SERVICES` environment variable, see [Example Environment Variable](credentials.html#example). If TLS is not configured, the TLS specific URLs continue to be passed in the `VCAP_SERVICES` environment variable but fail to connect to a PubSub+ Message Broker if used.
1. Configure **Message Broker's RSA certificate (Server Certificate)** either by pasting in a certificate and private key in PEM format or by having one generated by clicking **Generate RSA Certificate**. Generated certificates are equivalent to self-signed certificates.
<%= image_tag('form_tls_config_server_certificate_new.png') %>
<p class="note"><strong>Note:</strong> The server certificate configured will be used by all Solace PubSub+ message brokers deployed. As such, all Solace PubSub+ message brokers deployed in a PCF instance will have the same identification.</p>
<%= image_tag('form_tls_config_disable_sb_cert_validation.png') %>
<p class="note"><strong>Note:</strong> Communication between the Solace PubSub+ Service Broker and Solace PubSub+ message broker is also encrypted if a TLS certificate is configured. The Service Broker uses the Container Certificate Trust Store Framework to validate the server certificate returned by Solace PubSub+ message brokers. So if the framework is not operational when the tile is deployed, the Service Broker will be unable to validate server certificates sent by the Solace PubSub+ message brokers and the tile will fail to deploy. In development environments, it may be acceptable to not require server certificate validation, in which case the <strong>Disable RSA Server Certificate validation on the Service Broker (For development only)</strong> checkbox can be selected. This checkbox should never be selected in production deployments. Instead, the framework should be made operational.</p>
1. (Optional) Configure **Message Broker's Trusted Root Certificates**. These certificates will be stored in the trust store on the Solace PubSub+ message brokers. They are required if you choose to use LDAP with TLS.
<%= image_tag('form_tls_config_trusted_root_certificates_new.png') %>
1. Click **Save**.
#### <a id='optional_service_access'></a>(Optional) Service Access
1. Click **Service Access**.
<%= image_tag('select_1_service_access.png') %>
1. Check the **Enable global access to plans of service solace_pubsub** option.
<%= image_tag('form_service_access_new.png') %>
<p class="note"><strong>Note:</strong> To control access to Solace PubSub+ service plans on a case-by-case basis, do not enable this option. Once this is enabled, it cannot be disabled from this form. It must be revoked by the operator manually.</p>
1. Click **Save**.
#### <a id='optional_credhub'></a>(Optional) Security
1. Click **Security**.
<%= image_tag('select_1_security.png') %>
1. Check the **Secure service instance credentials** option.
<%= image_tag('form_secure_service_instance_credentials.png') %>
<p class="note"><strong>Note:</strong> This enables credentials storage on CredHub capable deployments.</p>
1. Check the **Automatic application security group management** option.
<%= image_tag('form_security_asg.png') %>
<p class="note"><strong>Note:</strong> This allows for application security groups to be created for each service binding and deleted on unbind. The created application security groups will grant an application's space access to the Solace PubSub+ Service Instance IP and service ports only.</p>
1. Click **Save**.
#### <a id='optional_management_access'></a> (Optional) Management Access
1. Click **Management Access**.
<%= image_tag('select_1_management_access.png') %>
1. If you configured [LDAP](#optional_ldap_settings), you may choose to have the LDAP Server provide the authentication and authorization for the management roles on a Solace service instance.
<%= image_tag('form_management_access_ldap_new.png') %>
1. (Optional) Configure Groups with Solace PubSub+ message brokers administration read-only privilege.
<%= image_tag('form_management_access_ldap_readonly_new.png') %>
1. (Optional) Configure Groups with Solace PubSub+ message brokers administration read-write privileges.
<%= image_tag('form_management_access_ldap_readwrite_new.png') %>
1. (Optional) Configure Groups with Solace PubSub+ message brokers administration administrator privileges.
<%= image_tag('form_management_access_ldap_admin_new.png') %>
<p class="note"><strong>Note:</strong> Cloud operators need to have global access to the Solace PubSub+ message brokers deployed by the tile. This allows them to administer the Solace PubSub+ message brokers with SolAdmin, CLI, or SEMP-based tools. Cloud operators might have different roles. Each role requires one of three access levels: administrator, read-write, or read-only. When using "Message Broker Internal", cloud operators have access to a single administrator-level role using the admin password. With "LDAP Server", users can be assigned to groups in LDAP that map to their respective roles.</p>
1. Click **Save**.
#### <a id='optional_application_access'></a> (Optional) Application Access
1. Click **Application Access**.
<%= image_tag('select_1_application_access.png') %>
1. Using the defaults, the Solace PubSub+ message broker will use its internal database for user credentials per service instance. If you configured LDAP, you may have the Solace PubSub+ message broker use the LDAP Server for authentication and authorization when a client attempts to access a Solace PubSub+ service instance.
<%= image_tag('form_application_access_new.png') %>
1. Click **Save**.
#### <a id='optional_ldap_settings'> </a>(Optional) LDAP Settings
1. Click **LDAP Settings**.
<%= image_tag('select_1_ldap_settings.png') %>
LDAP is disabled by default.
<%= image_tag('form_ldap_settings_new.png') %>
<p class="note"><strong>Note:</strong> Using the default <strong>LDAP Disabled</strong>, the Solace PubSub+ message broker will use its internal database for management and user credentials per service instance. To use an LDAP store, you must select <strong>LDAP Enabled</strong> and provide all the required settings for your LDAP server.</p>
1. Click **LDAP Enabled**.
<%= image_tag('form_ldap_settings_enabled_new.png') %>
1. Set LDAP Server URL.
<%= image_tag('form_ldap_settings_server_url.png') %>
<p class="note"><strong>Note:</strong> Consider the network accessibility of the provided LDAP server. You may need to check the <strong>Internet Connected</strong> option in <a href="#required_resource_config">Resource Config</a>.</p>
1. Set LDAP TLS Preference.
<%= image_tag('form_ldap_settings_starttls_new.png') %>
1. Set LDAP Credentials to use with the LDAP Server.
<%= image_tag('form_ldap_settings_credentials.png') %>
1. Set User Search Base.
<%= image_tag('form_ldap_settings_user_search_base.png') %>
1. Set User Search Filter.
<%= image_tag('form_ldap_settings_user_search_filter.png') %>
1. Set User Group Membership Attribute Name.
<%= image_tag('form_ldap_settings_user_group_membership_attribute_name.png') %>
1. Click **Save**.
In order to have an effective LDAP configuration, configure LDAP for [Management Access](#optional_management_access) and [Application Access](#optional_application_access). **If neither [Management Access](#optional_management_access) nor [Application Access](#optional_application_access) is configured for LDAP, the Solace PubSub+ message broker will continue to use its internal database for management and user credentials.**
#### <a id='optional_system_logging'></a> (Optional) System Logging
1. Click **System Logging**.
<%= image_tag('select_1_system_logging.png') %>
System logging is disabled by default.
<%= image_tag('form_system_logging.png') %>
1. Click **System Logging Enabled**.
<%= image_tag('form_system_logging_enabled_new.png') %>
1. Set the external syslog hostname.
<%= image_tag('form_system_logging_server.png') %>
<p class="note"><strong>Note:</strong> Consider the network accessibility of the provided syslog server. You may need to check the <strong>Internet Connected</strong> option in <a href="#required_resource_config">Resource Config</a>.</p>
1. Set the external syslog port.
<%= image_tag('form_system_logging_port.png') %>
1. Set the external syslog network protocol.
<%= image_tag('form_system_logging_protocol.png') %>
1. Select what logs to send to the external syslog server.
<%= image_tag('form_system_logging_mb_commands.png') %>
<%= image_tag('form_system_logging_mb_events.png') %>
<%= image_tag('form_system_logging_mb_system.png') %>
<%= image_tag('form_system_logging_sb_agent.png') %>
1. Click **Save**.
#### <a id='optional_tcp_routes'></a> (Optional) Enable TCP Routes
1. Click **TCP Routes**.
<%= image_tag('select_1_tcp_routes.png') %>
TCP routes are disabled by default.
<%= image_tag('form_tcp_routes_new.png') %>
1. Click **TCP Routes Enabled**.
<%= image_tag('form_tcp_routes_enabled_1_new.png') %>
<%= image_tag('form_tcp_routes_enabled_2_new.png') %>
<p class="note"><strong>Note:</strong> Fine-grained control is available by protocol. If you choose <strong>Not Allowed</strong>, a TCP route will never be created for this protocol, even if requested at service creation time. If you choose <strong>Disabled by default</strong>, at service creation time, a TCP route will not be created for this protocol unless a user-provided parameter overrides it with a <code>true</code> setting. If you choose <strong>Enabled by default</strong>, a TCP route will be created for this protocol at service creation time, unless a user-provided parameter overrides it with <code>false</code> setting.</p>
A solace\_router UAA client is required to use the TCP Routes feature. If using a new version of the Elastic Runtime (v1.11, v1.10.11, v1.9.24, v1.8.46), the solace\_router UAA client may be present already, and there is no need to provide Cloud Foundry credentials. Check your installation for the presence of the solace\_router UAA client, which can be found under <strong>Pivotal Elastic Runtime > Credentials > UAA</strong>. If a solace\_router client is not found, you must create one. To create a solace\_router client, do the following:
1. Look up the UAA 'Admin Client Credentials', which will be needed to create the solace\_router client.
1. Install uaac if you do not already have it.
<pre class="terminal">
$ gem install cf-uaac
</pre>
1. Log in to CF, target the UAA API, and log in with uaac using the 'Admin Client Credentials'.
<pre class="terminal">
$ cf api api.YOUR-SYSTEM-DOMAIN
$ cf login
$ uaac target uaa.sys.YOUR-SYSTEM-DOMAIN
$ uaac token client get admin
</pre>
1. Create the solace\_router UAA client with the necessary permissions and assign it a password.
<pre class="terminal">
$ uaac client add solace_router --name solace_router --scope uaa.none --authorized_grant_types "refresh_token,client_credentials" \
    --authorities "routing.routes.read,routing.routes.write,routing.router_groups.read,cloud_controller.read,cloud_controller.write,cloud_controller.admin" \
    -s "A_GOOD_SECRET_PASSWORD"
</pre>
1. Ensure that you have a `tcp` domain.
<pre class="terminal">
$ cf create-shared-domain tcp.YOUR-DOMAIN --router-group default-tcp
</pre>
1. Consider PCF quotas, networking, and firewalls when using TCP routes. For example, consider removing the limits on reserved route ports.
<pre class="terminal">
$ cf update-quota default --reserved-route-ports -1
</pre>
1. Use solace\_router and the <strong>A\_GOOD\_SECRET\_PASSWORD</strong> as the CF credentials for TCP Routes.
1. Click **Save**.
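
To confirm that an existing solace\_router client carries exactly the scope, grant types, and authorities from the `uaac client add` command above, the following added example (not part of the Solace or Pivotal documentation) compares the text printed by `uaac client get solace_router` with that grant and reports anything missing or extra. The output layout (one `key: value ...` line per attribute) and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the solace_router UAA client against the documented grant.
# Assumption: `uaac client get solace_router` prints one "key: value value ..."
# line per attribute; commas are also accepted as value separators.
# Live use (after `uaac token client get admin`):
#   audit_solace_router "$(uaac client get solace_router)"

# Expected values, copied from the `uaac client add` command on this page.
EXPECTED_SCOPE="uaa.none"
EXPECTED_GRANTS="refresh_token client_credentials"
EXPECTED_AUTHORITIES="routing.routes.read routing.routes.write routing.router_groups.read cloud_controller.read cloud_controller.write cloud_controller.admin"

# client_attr TEXT KEY: print the values of attribute KEY on a single line.
client_attr() {
  printf '%s\n' "$1" | awk -v key="$2:" '
    $1 == key {
      gsub(/,/, " ")          # changing $0 re-splits the fields on whitespace
      out = ""
      for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
      print out
      exit
    }'
}

# missing_from WANT HAVE: print each word of WANT that does not occur in HAVE.
missing_from() {
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;
      *) printf '%s\n' "$item" ;;
    esac
  done
}

# check_attr TEXT KEY EXPECTED: report drift for one attribute; return 1 on drift.
check_attr() {
  have=$(client_attr "$1" "$2")
  drift=0
  for v in $(missing_from "$3" "$have"); do
    printf 'MISSING %s: %s\n' "$2" "$v"; drift=1
  done
  for v in $(missing_from "$have" "$3"); do
    printf 'EXTRA %s: %s\n' "$2" "$v"; drift=1
  done
  return $drift
}

# audit_solace_router TEXT: print every finding; return 0 only if nothing drifted.
audit_solace_router() {
  rc=0
  check_attr "$1" scope "$EXPECTED_SCOPE" || rc=1
  check_attr "$1" authorized_grant_types "$EXPECTED_GRANTS" || rc=1
  check_attr "$1" authorities "$EXPECTED_AUTHORITIES" || rc=1
  return $rc
}

# Constructed sample: one documented authority is absent and one extra is present.
SAMPLE_DRIFTED='  scope: uaa.none
  client_id: solace_router
  authorized_grant_types: refresh_token client_credentials
  authorities: routing.routes.read routing.routes.write cloud_controller.read cloud_controller.write cloud_controller.admin uaa.admin
  name: solace_router'

audit_solace_router "$SAMPLE_DRIFTED" || echo "solace_router differs from the documented grant"
```

An `EXTRA` line means the client holds more than the tile needs. A `MISSING` line usually shows up later as a TCP route that is never created.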
### <a id='apply_changes'></a> Apply Changes
In order to apply changes, all the settings for the Solace tile must be marked with green checkmarks.
<%= image_tag('select_all_done.png') %>
1. Click **Installation Dashboard** at the top left corner of the screen to leave the tile configuration and go back to the dashboard.
<%= image_tag('link_installation_dashboard_new.png') %>
1. Click **Apply Changes** to deploy the tile.
<%= image_tag('apply_changes_new.png') %>
1. After the tile has deployed, see [Creating and Binding Solace PubSub+ Service Instances](service-instances.html) for information about creating instances of the Solace PubSub+ service and binding them to apps.
## <a id='upgrades'></a> Upgrades
Solace PubSub+ for PCF supports upgrades starting with PCF v2.0. Future releases can upgrade a deployment if the deployment is v2.0 or higher. In-Service-Upgrades are supported from PCF v2.0 for high-availability service plans.
If a v1.x.x tile is currently installed, a direct upgrade path to v2.0.0 is not supported. The v1.x.x tile should be uninstalled before a v2.0.0 tile is installed.
### <a id='upgrades_non_ha'></a> Non-High Availability Upgrades
Upgrades are service-affecting for non-HA service plans `Enterprise Shared`, `Enterprise Large`, and `Standard Medium`.
The messaging service for an application will experience an outage that lasts no longer than the time it takes to upgrade the Solace PubSub+ message broker and start it up again.
### <a id='upgrades_ha'></a> High Availability Upgrades
Upgrades are non-service-affecting for high-availability plans `Enterprise Large-HA`, `Enterprise Medium-HA` and `Standard Medium-HA`, so there will always be a service available during upgrades. Upgrades will affect each VM providing the HA service one at a time.
An application using an HA service experiences at least one switch-over during an upgrade, and at most two switch-overs.
See our [Getting Started Samples](http://dev.solace.com/get-started/pcf-tutorials/) with full source code available in [GitHub](https://github.com/SolaceSamples/solace-samples-cloudfoundry-java) for some examples of how HA connections are used, as well as [Configuring-Client-Connections](https://docs.solace.com/Solace-Messaging-APIs/Developer-Guide/Configuring-Connection-T.htm) for additional information on client connection setup to allow for switch-overs during upgrades.
The upgrade process is designed to keep services available.
Failures in upgrades are due to either pre-conditions or post-conditions, and are intended to keep services available in case of any failure.
The following pre-conditions must be met before an upgrade can proceed, or the upgrade will abort.
* The version of the tile being upgraded must be v2.0 or higher.
* The redundancy state of HA services must be healthy.
If any failure occurs during an upgrade, services remain available.
For more information, see the [Troubleshooting Guide](troubleshooting.html#upgrade_errors).