TLS Connections in PCF
Page last updated:
Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic classifies the different paths through which external clients, internal components, app containers, and app services communicate in Pivotal Cloud Foundry (PCF), and how the platform uses Transport Layer Security (TLS) protocols to secure these communications.
This section classifies the different types of network communication in PCF and how they are secured with TLS.
Within a PCF deployment, TLS secures connections between components like the BOSH Director and service tiles. PCF components also use TLS connections to secure communications with external hardware, such as customer load balancers.
The following diagram illustrates the flow of communication from a client making a request to an app:
The following table describes each component involved in receiving a client request and where their certificates for TLS termination originate.
|External Load Balancer||Enterprise root certificate authority (CA).|
|Gorouter||Enterprise root CA.|
|App||PCF root CA dedicated to app instance identity. For more information, see App Instance Container Identity Credentials.|
The following diagram illustrates communication between platform components, secured with TLS:
The CredHub instance in BOSH generates certificates for all components in PCF. The certificates are self signed by default. To issue certificates signed by your enterprise, you can add a custom CA to CredHub.
Note: Traffic between the Gorouter and Windows stemcells is not encrypted with TLS.
These topics list the paths, ports, and protocols that subsystems within Pivotal Application Service (PAS) use to communicate.
The following diagram illustrates TLS communications between apps running on PCF:
In this example, the
frontend-green apps both receive client requests, but only the
frontend-green app is allowed to communicate with the
Apps can communicate with each other over TLS using certificates generated by a PCF root CA dedicated to app instance identity. For more information, see App Instance Container Identity Credentials.
Developers specify which apps are allowed to communicate using container networking policies. For more information, see Configuring Container-to-Container Networking.
The following diagram illustrates TLS communication between apps and managed, on-platform services. It uses Pivotal Cloud Cache as an example of a managed service.
BOSH CredHub issues certificates to the Pivotal Cloud Cache components. For the app, the developer must retrieve a copy of this certificate using the CredHub API and place it in the truststore for the app. For more information, see Developing an App Under TLS in the Pivotal Cloud Cache documentation.
Separately, PAS Runtime CredHub might store credentials for the app to access a service over the TLS connection, adding a second layer of security. For more information, see Securing Services Instance Credentials with Runtime CredHub.
The following diagram illustrates communications between apps and external, brokered services secured with TLS:
The developer must retrieve the certificate from the external service and provide it to their app. One way to do this is by placing the certificate in Runtime CredHub and modifying your app to consume the certificate through the CredHub Service Broker. For more information, see the CredHub Service Broker for PCF documentation.
Each app instance container in PCF has its own identity credentials. This section describes how to understand and use these credentials.
To learn about app instance identity credentials, see the following table:
|Properties of certificate||
|Contents of certificate file||
If you want to enable secure TLS communications from an app using container instance identity credentials, ensure that you:
Add the credentials to your development stack configuration: The credentials must be present in your development stack configuration for your app to use them. You can retrieve the credentials through following environment variables, which PCF sets to the locations of key and certificate files.
Credential/Keypair Element Environment Variable Command to Retrieve Credential Value Certificate Chain
cf ssh APP-NAME -c 'cat $CF_INSTANCE_CERT'
cf ssh APP-NAME -c 'cat $CF_INSTANCE_KEY'
APP-NAMEis the name of your app.
Reload the credential files before they expire: PCF rotates the credentials shortly before the current certificate expires. Apps that use these credentials must reload the certificate and key file contents either periodically or in reaction to filesystem watcher events.
Configure external clients or servers to trust the root CA: To enable secure TLS communication between an app and a client or server external to PCF, you must configure the external client or server to trust the CA that issues app instance container identity credentials. For more information, see the Issuing Authority row of the table in About App Instance Identity Credentials.
For more information about instance identity credentials, see Instance Identity in the diego-release repository on GitHub.
By default, PCF uses a limited set of cipher suites to secure its internal communications. However, some components used in PCF, like the Gorouter and HAProxy, may support additional TLS cipher suites to accommodate older clients outside of PCF.
Note: The AWS Classic load balancer does not support the recommended TLS cipher suites. For details and mitigations, see TLS Cipher Suite Support in Securing Traffic into PAS.
For components that allow you to configure TLS cipher suites, only specify the TLS cipher suites that you need.
The default version of TLS is TLS v1.2. VMware recommends using this version.
The TLS cipher suites VMware recommends using within PCF are:
As part of your PAS networking configuration, you must specify the TLS cipher suites that the Gorouter uses to secure its communications. Only specify the cipher suites that you need.
The TLS cipher suites VMware recommends for the Gorouter are:
You can specify other cipher suites and a different minimum version of TLS support if your deployment requires it. For a list of other cipher suites and other versions of TLS that are optionally supported by the Gorouter, see TLS Cipher Suite Support in Securing Traffic into PAS.
For instructions to configure the TLS cipher suites for the Gorouter, see Configure Networking in Configuring PAS.
As part of your PAS networking configuration, you must specify the TLS cipher suites that HAProxy uses to secure its communications. Only specify the cipher suites that you need.
The TLS cipher suites VMware recommends for HAProxy are:
You can specify other cipher suites and a different minimum version of TLS support if your deployment requires it. For a list of other cipher suites and other versions of TLS that are optionally supported by HAProxy, see ciphers - Cipher Suite Names in the OpenSSL documentation.
If you use the default and recommended Gorouter TLS cipher suites in PAS, then ensure you have included these Gorouter TLS cipher suites in your HAProxy TLS cipher suite configuration.
If you change the default Gorouter TLS cipher suites in PAS, and you change the TLS cipher suites for HAProxy, ensure that you have at least one overlapping TLS cipher suite within the two sets.
For instructions to configure the TLS cipher suites for HAProxy, see Configure Networking in Configuring PAS.