Page last updated:
Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
BOSH CredHub is a secure credential management component that runs on the BOSH VM to minimize the surface area where credentials can be compromised. This topic provides resources for configuring service tiles to store their internal credentials in BOSH CredHub, instead of encoding them in product template and job template files.
Credentials that service tiles store in BOSH CredHub for their own internal use are distinct from secure service instance credentials that Pivotal Application Service (PAS) stores in runtime CredHub to enable PAS apps to securely access services.
Both BOSH CredHub and runtime CredHub are instances of the CredHub credential management component. See the CredHub documentation for more information.
Many Pivotal Platform components use credentials to authenticate connections, and Pivotal Platform installations often have hundreds of active credentials. Secure credential management is essential to prevent data and security breaches.
In Pivotal Cloud Foundry (PCF) v1.11.0, CredHub runs on the BOSH VM, alongside the BOSH Director and UAA. Ops Manager v1.11 stores its credentials in CredHub, and users can retrieve them using the CredHub API or the Credentials tab of the BOSH Director tile. Tile developers can embed CredHub calls in manifest snippets and PCF apps can retrieve credentials using the CredHub API.
See Fetching Variable Names and Values for how to fetch variable names and values using the CredHub API.
CredHub Credential Types
CredHub stores and retrieves the following types of credentials:
value— single string value
json— arbitrary JSON object
password— password string
certificate— object containing certificate authority (CA), certificate, and private key
ssh— object containing SSH public key and private key
rsa— object containing RSA public key and private key
For more information, read CredHub Credential Types.
For BOSH variable types, read BOSH Variable Types.
Creating New Variables
To use CredHub in your deployment, you must create new variables and store them in CredHub. By default, variable namespaces are written to prevent collision across deployments, but you can type variable names precisely if you wish.
For more information, read Creating New Variables in CredHub.
For more information, read Migrating Existing Credentials to CredHub.
Fetching Variable Names and Values
API endpoints are available to help you find variable names and values for products known to the BOSH Director.
For more information, read Fetching Variable Names and Values.
CredHub in Manifest Snippets
Tile developers can embed CredHub in product template and job template manifest snippets using triple-parenthesis notation:
manifest: | credhub: concatenated_password: prefix-((( credhub-password )))-suffix password: ((( credhub-password )))
PCF v1.11.0 Limitations
PCF v1.11.0 supports CredHub for credential storage, but it does not support the following:
Automatic backup and restore for CredHub, along with other PCF system components.
Automatic tile upgrades that migrate all types of credentials defined in property blueprints in previous tile versions, to storage in CredHub.
Using CredHub to generate new credentials.
Tile authors may choose to wait until PCF supports some or all of these features before incorporating CredHub into their service.
The following are some helpful resources:
- A blog post covering CredHub basics
- The CredHub repository
- A recent CF Summit talk: CredHub and Secure Credential Management