Page last updated:

This topic gives an overview of the purpose and functionality of the CredHub component.

CredHub is a component designed for centralized credential management in Ops Manager. It is a single component that can address several scenarios in the Ops Manager ecosystem. At the highest level, CredHub centralizes and secures credential generation, storage, lifecycle management, and access.


CredHub performs a number of different functions to help generate and protect the credentials in your Ops Manager deployment:

  • Securing data for storage
  • Authentication
  • Authorization and Permissions
  • Access and change logging
  • Data typing
  • Credential generation
  • Credential metadata
  • Credential versioning

App Architecture

CredHub consists of a REST API and a CLI. CredHub is an OAuth2 resource server that integrates with User Account Authentication (UAA) to provide core authentication and federation capabilities.

Diagram shows that the CredHub CLI interacts with CredHub to export credentials to the Encryption Provider, Data Store, and Authentication Provider

CredHub in Ops Manager

A Ops Manager deployment stores credentials in these locations:

  • BOSH CredHub: Colocated with the BOSH Director on a single VM. This CredHub instance stores credentials for the BOSH Director.

  • Runtime CredHub: Deployed as an independent service and stores service instance credentials.

BOSH CredHub

In Ops Manager, the BOSH Director VM includes a CredHub job. This provides a lightweight credential storage instance for the BOSH Director. The BOSH Director, VMware Tanzu Application Service for VMs (TAS for VMs), and other tiles store credentials in BOSH CredHub. For more information, see Retrieve Credentials Stored in BOSH CredHub in Retrieving Credentials from Your Deployment.

Note: This configuration does not provide high availability.

In this colocated deployment architecture, the BOSH Director, CredHub, UAA, and the BOSH Director database are all installed on a single BOSH VM, as shown in the diagram below:

Diagram that show the following components colocated on the BOSH VM: BOSH Director, CredHub, UAA, and the BOSH Director database

Runtime CredHub

The TAS for VMs tile deploys CredHub as an independent service on its own VM. This provides a highly available credential storage instance for securing service instance credentials. For more information, see Securing Service Instance Credentials with Runtime CredHub.

CredHub is a stateless app, so you can scale it to multiple instances that share a common database cluster and encryption provider.

With CredHub as a service, the load balancer and external databases communicate directly with the CredHub VMs, as shown in the diagram below:

Diagram that shows multiple CredHub VMs that connect to UAA, an HSM, an external database, and a load balancer. The load balancer connects to four consumer VMs.

Using CredHub to Store Credentials for Service Tiles

If you develop a service tile for Ops Manager and want to store its credentials in BOSH CredHub, see CredHub in Ops Manager Tile Developer Guide.

CredHub Credential Types

Credentials exist in multiple places. Components use credentials to authenticate connections between components. Installations often have hundreds of active credentials. Leaked credentials are common causes of data and security breaches, so managing them securely is very important.

For more information, see CredHub Credential Types.

Backing Up and Restoring CredHub Instances

CredHub does not hold state, but you must ensure its dependent components are backed up. Redundant backups can help prevent data loss if an individual component fails. For more information, see Backing Up and Restoring CredHub Instances.