CredHub is a secure credential management component that runs on the BOSH VM to minimize the surface area where credentials can be compromised. This topic provides resources for configuring service tiles to use CredHub, instead of encoding credentials in product template and job template files.
See the CredHub documentation for more information.
Many PCF components use credentials to authenticate connections, and PCF installations often have hundreds of active credentials. Secure credential management is essential to prevent data and security breaches.
In Pivotal Cloud Foundry (PCF) v1.11.0, CredHub runs on the BOSH VM, alongside the BOSH Director and UAA. Ops Manager v1.11 stores its credentials in CredHub, and users can retrieve them using the CredHub API or the Credentials tab of the Ops Manager Director tile. Tile developers can embed CredHub calls in manifest snippets and PCF apps can retrieve credentials using the CredHub API.
See Fetching Variable Names and Values for how to fetch variable names and values using the CredHub API.
CredHub stores and retrieves the following types of credentials:
value— single string value
json— arbitrary JSON object
password— password string
certificate— object containing certificate authority (CA), certificate, and private key
ssh— object containing SSH public key and private key
rsa— object containing RSA public key and private key
For more information, read CredHub Credential Types.
To use CredHub in your deployment, you must create new variables and store them in CredHub. By default, variable namespaces are written to prevent collision across deployments, but you can type variable names precisely if you wish.
For more information, read Creating New Variables in CredHub.
For more information, read Migrating Existing Credentials to CredHub.
API endpoints are available to help you find variable names and values for products known to the Ops Manager Director.
For more information, read Fetching Variable Names and Values.
Tile developers can embed CredHub in product template and job template manifest snippets using triple-parenthesis notation:
manifest: | credhub: concatenated_password: prefix-((( credhub-password )))-suffix password: ((( credhub-password )))
PCF v1.11.0 supports CredHub for credential storage, but it does not support the following:
Automatic backup and restore for CredHub, along with other PCF system components.
Using CredHub to generate new credentials.
Tile authors may choose to wait until PCF supports some or all of these features before incorporating CredHub into their service.