VMware Tanzu installation

You can deploy the Next-Gen WAF product within your VMware Tanzu Application Service by installing the Signal Sciences Service Broker service tile and then enabling the Next-Gen WAF agent.

Prerequisites

Prior to installing the Signal Sciences Service Broker for VMware Tanzu, you must:

• Have a VMware Tanzu license and the following products installed:

  Product	Supported versions
  VMware Tanzu Application Service for VMs	2.3.3 and above
  VMware Tanzu Operations Manager	2.3.0 and above
  Stemcells (Windows)	2019.x
  Pivotal Stemcells (Ubuntu Xenial)	621.x
  Stemcells (Ubuntu Jammy)	1.44.x

• Copy the agent keys for the site that you want the agent to be able to access. You will use the agent keys when configuring the Next-Gen WAF agent package.

Installing the Signal Sciences Service Broker

To install and configure the Signal Sciences Service Broker for VMware Tanzu, complete the following steps:

1. Log in to the Broadcom Support portal.
2. Download the Signal Sciences Service Broker product file.
3. Go to the Tanzu Operations Manager dashboard and install and configure the Signal Sciences Service Broker tile. Be sure to set the sigsci_buildpack_decorator Buildpack Order to zero. This setting is located in the Buildpack Settings tab.

Enabling the Next-Gen WAF agent

After installing the Signal Sciences Service Broker tile, embed the Next-Gen WAF agent in your app code and bind the service to your Tanzu app via the Cloud Foundry Command Line Interface (cf CLI):

1. Run the cf set-env command in the cf CLI to set the SIGSCI_ACCESSKEYID environment variable:

   cf set-env tanzu-app-name "SIGSCI_ACCESSKEYID" "environment-variable-value"

   Be sure to replace tanzu-app-name with the name of your Tanzu app and environment-variable-value with your site's (also known as workspace's) Agent Access Key (accesskeyid).

2. Run the cf set-env command again to set the SIGSCI_SECRETACCESSKEY environment variable, being sure to update tanzu-app-name and to replace environment-variable-value with your site's (workspace's) Agent Secret Key (secret-access-key):

   cf set-env tanzu-app-name "SIGSCI_SECRETACCESSKEY" "environment-variable-value"

3. (Optional) Run the cf set-env command again to set additional environment variables, being sure to replace tanzu-app-name, environment-variable-name, and environment-variable-value with the appropriate information:

   cf set-env tanzu-app-name "environment-variable-name" "environment-variable-value"

   The environment variables that you can configure are as follows:

   • SIGSCI_SERVER_HOSTNAME: the hostname for each agent. This is what gets displayed in the Signal Sciences web interface. The hostname must be a unique name per instance.
   • SIGSCI_AGENT_VERSION: the version of the Next-Gen WAF agent. By default, the latest version of the Next-Gen WAF agent is installed. To specify a specific version, set the variable to the desired version number.
   • SIGSCI_REQUIRED: whether or not the app will start when the Next-Gen WAF agent fails to start. By default, the app can start when the Next-Gen WAF agent fails to start (e.g. invalid agent keys). To ensure your app doesn't start without the agent, set the variable to true.

4. Ensure your app process obtains its listening port from the $PORT environment variable.

5. Run the following command in the cf CLI to push the Signal Sciences buildpack and the final buildpack:

   cf push tanzu-app-name -b sigsci_cloudfoundry_buildpack -b final_buildpack

   Be sure to replace tanzu-app-name with the name of your app and final_buildpack with the name of your final buildpack.

   IMPORTANT

   In the command, the Signal Sciences buildpack must come before the final buildpack.