Establishing Mutually Trusted TLS Credentials

In order for services instances in two foundations to communicate using TLS encryption, the CredHub “/services/tls_ca” certificate must be trusted in both foundations; otherwise, WAN connections with TLS will fail.

Assumptions

  • You have two PCF foundations, A and B, with a network connection between them.
  • You wish to establish a TLS-encrypted WAN connection between a service instance on Foundation A and a service instance on Foundation B.
  • The Preparing for TLS procedure has been followed for each foundation, establishing a CredHub “/services/tls_ca” certificate for each.

Establish Mutual Trust

In order for services instances in two foundations to communicate with TLS, the CredHub “/services/tls_ca” certificate must be trusted in both foundations; otherwise, WAN connections requiring TLS will fail.

To be trusted in both foundations, their certificates must be signed by:

  • a single CA that is identical in both foundations, or
  • two CAs, one in each foundation, which is trusted by the other foundation.

If one of these conditions is satisfied, mutually trusted credentials are already in place; there is no need to execute the following procedure.

If the two foundations have different “/services/tls_ca” certificates that are not already mutually trusted, follow these steps to establish mutual trust.

Assuming you have two different PCF foundations, A and B, connected by a WAN.

  1. Access the CredHub of Foundation A using instructions from Access BOSH CredHub

  2. Fetch the certificate from Foundation A using CredHub:

    credhub get -n /services/tls_ca -k certificate
    
  3. Record the output.

  4. Navigate to the Ops Manager Installation Dashboard of Foundation B and click the BOSH Director tile.

  5. Click Security.

  6. Append the contents of the new CA certificate to the old CA certificate under Trusted Certificates. Do not remove the old CA certificate.

  7. Click Save.

  8. Distribute the new CA certificate to your PCC VMs and regenerate each server certificate using the new CA:

    • Navigate back to the Installation Dashboard.
    • Click Review Pending Changes.
    • Click ERRANDS.
    • Select Upgrade All Service Instances.
  9. Return to the Installation Dashboard in Ops Manager and click Apply Changes.

Repeat Steps 2 - 9 for Foundation B to put its services CA into Foundation A.