CredHub

Page last updated:

Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

BOSH CredHub is a secure credential management component that runs on the BOSH VM to minimize the surface area where credentials can be compromised. This topic provides resources for configuring service tiles to store their internal credentials in BOSH CredHub, instead of encoding them in product template and job template files.

Credentials that service tiles store in BOSH CredHub for their own internal use are distinct from secure service instance credentials that Pivotal Application Service (PAS) stores in runtime CredHub to enable PAS apps to securely access services.

Both BOSH CredHub and runtime CredHub are instances of the CredHub credential management component. See the CredHub documentation for more information.

Overview

Many Pivotal Platform components use credentials to authenticate connections, and Pivotal Platform installations often have hundreds of active credentials. Secure credential management is essential to prevent data and security breaches.

In Pivotal Cloud Foundry (PCF) v1.11.0, CredHub runs on the BOSH VM, alongside the BOSH Director and UAA. Ops Manager v1.11 stores its credentials in CredHub, and users can retrieve them using the CredHub API or the Credentials tab of the BOSH Director tile. Tile developers can embed CredHub calls in manifest snippets and PCF apps can retrieve credentials using the CredHub API.

See Fetching Variable Names and Values for how to fetch variable names and values using the CredHub API.

CredHub Credential Types

CredHub stores and retrieves the following types of credentials:

  • value — single string value
  • json — arbitrary JSON object
  • user - username
  • password — password string
  • certificate — object containing certificate authority (CA), certificate, and private key
  • ssh — object containing SSH public key and private key
  • rsa — object containing RSA public key and private key

For more information, read CredHub Credential Types.

For BOSH variable types, read BOSH Variable Types.

Creating New Variables

To use CredHub in your deployment, you must create new variables and store them in CredHub. By default, variable namespaces are written to prevent collision across deployments, but you can type variable names precisely if you wish.

For more information, read Creating New Variables in CredHub.

Migrating Credentials

To migrate existing non-configurable credentials to CredHub, such as blobstore secrets and backup encryption keys, use the JavaScript migration process. After a successful migration, Ops Manager deletes the migrated credentials from installation.yml.

For more information, read Migrating Existing Credentials to CredHub.

Fetching Variable Names and Values

API endpoints are available to help you find variable names and values for products known to the BOSH Director.

For more information, read Fetching Variable Names and Values.

CredHub in Manifest Snippets

Tile developers can embed CredHub in product template and job template manifest snippets using triple-parenthesis notation:

  manifest: |
    credhub:
      concatenated_password: prefix-((( credhub-password )))-suffix
      password: ((( credhub-password )))

PCF v1.11.0 Limitations

PCF v1.11.0 supports CredHub for credential storage, but it does not support the following:

  • Automatic backup and restore for CredHub, along with other PCF system components.

  • Automatic tile upgrades that migrate all types of credentials defined in property blueprints in previous tile versions, to storage in CredHub.

  • Using CredHub to generate new credentials.

Tile authors may choose to wait until PCF supports some or all of these features before incorporating CredHub into their service.

CredHub Resources

The following are some helpful resources: