Configuration of PPA should take around 15 minutes.
- Configure networking.
- Setup an SSH key.
- Set a strong admin password.
- Provide an Active Directory server for user authentication.
Setting a static IP address for AWS
After deploying the virtual machine it is good idea to set a static IP address for the appliance.
Navigate to the Elastic IPs sub-menu in the EC2 Dashboard in AWS.
Allocate a new address or choose an existing address to assign to the PPA appliance.
Apply Actions > Associate address to the elastic IP address.
Select the PPA appliance machine from the dropdown.
Navigate to the Instances sub-menu in the EC2 Dashboard, and apply Actions > Instance State > Reboot to the PPA appliance machine.
Update the PPA Configuration
Connect to the PPA machine using SSH.
/var/disk/config/fqdn configuration file with your Elastic IP address.
For example, if your Elastic IP address is 10.20.30.40, you can use the following command:
sudo bash -c "echo 10.20.30.50 > /var/disk/config/fqdn"
Securing the appliance
After configuring the network, the next step is to secure it.
Connect to the appliance with a web-browser using the IP address shown in Vsphere or the cloud provider console.
PPA creates a self-signed certificate on first boot that will be reported as insecure by browsers:
Manually verify that the connection is secure by viewing the certificate:
Scroll down and verify that the SHA256 fingerprint:
...matches the output of the
You can run the
fingerprint command via the web console for VMware, or via SSH for AWS or Azure.
When you are satisfied that the connection is secure, trust the certificate and proceed to the appliance's web UI.
Master SSH key
PPA does not use a password for SSH authentication, so you will need to use the master key pair that was created during the installation process.
Back in the web-browser, PPA will ask you to choose a strong password for the
admin local account:
admin account has complete control over the appliance. It is recommended that you generate a strong password and store it in a vault or password manager, then switch to using an Active Directory account for everyday access to PPA.
PPA can authenticate Active Directory users using LDAPS.
To complete this step you will require:
- The active directory domain you wish to use for authentication, plus the host and LDAPS port if it is not resolvable
- The sAMAccountNames for list of groups you wish to allow access to PPA, e.g:
Login to the web interface as admin and then click on the 'Active Directory' tab. Click the 'Edit Configuration' button:
This will open a four-step web form:
You will need to provide the following information:
|Domain||The domain used by Active Directory||None|
|Host||The host and port LDAPS is listening on.||The host returned by a DNS lookup for Domain|
Active Directory Credentials
You will need to provide a username and password to access Active Directory. These credentials will not be saved on the appliance.
Organizational Units of Interest
You can select organisational units from the dropdown menu. Or you can leave the selection empty to select all groups. Then click Import Security Groups to fetch groups.
Check that PPA has managed to retrieve the correct number of security groups. Then click Save to save the configuration.
Installing custom HTTPS certificates
Replace the files at
You can use
tar -c https.key https.crt | ssh support@<address> -C "tar -x --no-same-owner -C /tmp/" ssh support@<address> -C "sudo mv /tmp/https.* /var/disk/certs/https.*"
or edit the files using
Reboot the appliance.
Configuring HashiCorp Vault
PPA comes with a copy of HashiCorp Vault running on port 8200.
Navigating there with a browser will take you to the initial setup wizard.
Here you will create keys that will be required whenever PPA is restarted or the vault is sealed.
Put your keys in a safe place! Losing your keys will permanently lock you out of the vault.
|Environment||Key Share||Key Threshold|
Once the initial setup is complete and the vault unsealed you can now add it to PPA.
Back in PPA, click the Vaults section and select Add Vault.
After setting a password for
admin you will be asked to log in.
Setup is now complete.