This is version 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 . It is not the current version, and thus it cannot be edited.

Back to current versionRestore this version

credhub#

What runs op the director (pcf 1.11):

Resources#

• credhub
• credhub bosh release
• credhub bosh release docs!
• credhub api and cli ref
• cf-uaac
• pcf 1.12 and credhub
• Setting Up and Deploying CredHub with BOSH
• Using CredHub to Increase the Security of Your Platform - Dan Jahner, Pivotal
• YouTube "CredHub and Secure Credential Management - Peter Blum, Scott Frederick"

Setting up your local BOSH environment#

First create your local BOSH director:

bosh create-env ~/workspace/bosh-deployment/bosh.yml  \
 --state ./state.json \
 -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
 -o outbound-network.yml \
 -o ~/workspace/bosh-deployment/bosh-lite.yml \
 -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
 -o ~/workspace/bosh-deployment/jumpbox-user.yml \
 -o ~/workspace/bosh-deployment/uaa.yml \
 -o ~/workspace/bosh-deployment/credhub.yml \
 --vars-store ./creds.yml \
 -v director_name="Bosh Lite Director"  \
 -v internal_ip=192.168.50.6 \
 -v internal_gw=192.168.50.1 \
 -v internal_cidr=192.168.50.0/24 \
 -v outbound_network_name=NatNetwork
 
bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca)
 
export BOSH_ENVIRONMENT=vbox
export BOSH_CLIENT=admin
export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password`

echo "updating cloud config..."
bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml

Mind the uaa.yml and credhub.yml operator files.
When the deployment finishes you will have a creds.yml file that has all k

When you have this up and running, credhub should be running on port 8844 and use the local UAA (on port 8443) as it's authenticator.

Login to credhub#

First you need the credhub and uaa cli's, see the resources section for the download URLs. To install uaac, run sudo gem install cf-uaac.

Then you set the API to credhub:

metskem@athena-2~/workspace/boshlite/deployments/vbox $ credhub api -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation
Setting the target url: https://192.168.50.6:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.

First some jq magic to get the UAA URL from the credhub /info api:

curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url'  -r
https://192.168.50.6:8443

Login to credhub should be done with a UAA user, so create that first (it took me quite some time to find out which user/password to use for uaa admin):

uaac token client get uaa_admin -s l128pcpdag6olta4ec1x # get this password from creds.yml#uaa_admin_client_secret

After that you are able to list the contexts and you can see you have scime.write (needed for adding users) and more:

metskem@athena  ~/workspace/boshlite/deployments/vbox uaac contexts

[0]*[https://192.168.50.6:8443]
  skip_ssl_validation: true

  [0] [admin]
      client_id: admin
      access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI2MzMyOWY4Y2JmMjI0YzE3OThhYjVlN2I5MTdjY2QzYyIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiYm9zaC5hZG1pbiJdLCJzY29wZSI6WyJib3NoLmFkbWluIl0sImNsaWVudF9pZCI6ImFkbWluIiwiY2lkIjoiYWRtaW4iLCJhenAiOiJhZG1pbiIsInJldm9jYWJsZSI6dHJ1ZSwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI0YmI2OTAwYyIsImlhdCI6MTUzNTk4MDQxNSwiZXhwIjoxNTM2MDIzNjE1LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImFkbWluIiwiYm9zaCJdfQ.URHw2xjZrqUFBMFVV4Ap4t4u5QqiMk61krlrIQx4s8klW2PDnEPS0tyl0qwmDOxdU08-C-s-E_GPbgePl8gqFGs6sgXagRmqw2ecnI2LDLu0SvhpKjMPGtCN0Gv38ZhDA_hzbrLouRgZ7SaxctSX4TnQMad_uxG0mq1KgFePy6luVqr32vvepkqMbRDBrNHro30wI_CDjie0vcFNBA9pQF5Z5SmUqzXAUvt2jEzPEc7Hqhwd8gAzOTAzOQYRnDnfMHdf3MP6ZGjPly7xDyRp9Z-QXo6PLItI7KmlO-qluU0JgKFnaznBl5TxTwMMA5o0k7FKXCjewPa--87yO3-A6w
      token_type: bearer
      expires_in: 43199
      scope: bosh.admin
      jti: 63329f8cbf224c1798ab5e7b917ccd3c

  [1]*[uaa_admin]
      client_id: uaa_admin
      access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJkNjU5NDFhYWM5MTc0MTBkYTE5NzMzODNlNTU2OTU5YiIsInN1YiI6InVhYV9hZG1pbiIsImF1dGhvcml0aWVzIjpbImNsaWVudHMucmVhZCIsInBhc3N3b3JkLndyaXRlIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwic2NpbS53cml0ZSIsInNjaW0ucmVhZCJdLCJzY29wZSI6WyJjbGllbnRzLnJlYWQiLCJwYXNzd29yZC53cml0ZSIsImNsaWVudHMuc2VjcmV0IiwiY2xpZW50cy53cml0ZSIsInVhYS5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoidWFhX2FkbWluIiwiY2lkIjoidWFhX2FkbWluIiwiYXpwIjoidWFhX2FkbWluIiwicmV2b2NhYmxlIjp0cnVlLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6ImFhOWIzNmI0IiwiaWF0IjoxNTM1OTgxNDgwLCJleHAiOjE1MzYwMjQ2ODAsImlzcyI6Imh0dHBzOi8vMTkyLjE2OC41MC42Ojg0NDMvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsic2NpbSIsInVhYV9hZG1pbiIsInBhc3N3b3JkIiwiY2xpZW50cyIsInVhYSJdfQ.KGCXMI0d5QxtfONsA1xPr8gLBFnGxRNrs6v3pLbLIlgW4yDeReWI428MDxKX57rh8acyjV4fLv734PHxt9h8DDgOVe582BYaTzoSKJnuPC5cUiz0lApNYuXXtKwwhS5WeSp0hnpBx26n6ETg5fWAUKS0tNYy-1jfM2jDbRRuubWCxac1iJ5UjXnIhnpefRyIWuymEbyG3aEzTg0MST1SGQA4u4VTKVY-2ElNW3SQ4AAK_TgVNM-pXxoN4BM3Q51lKWf0y7yoLWCilIPMQVyQpQmbTtwzjgmVmOQAe8v6SpivYtMxd5iJLkYGxeQHTV72gOlDS7fpOH4Y2YgMHeIkLQ
      token_type: bearer
      expires_in: 43199
      scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
      jti: d65941aac917410da1973383e556959b

 metskem@athena  ~/workspace/boshlite/deployments/vbox

error response:
{
  "error": "insufficient_scope",
  "error_description": "Insufficient scope for this resource",
  "scope": "uaa.admin clients.read clients.admin zones.uaa.admin"
}

You can then use this value for creating the uaa users:

export UAA_URL=$(curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url'  -r)
uaac target ${UAA_URL} --skip-ssl-validation

CredHub on PCF#

/:~# ps -ef|grep -i credh
vcap      35083      1  0 Jan26 ?        00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar
....

This listens on port 8844.
There is an interesting config file @ /var/vcap/jobs/credhub/config/application.yml
Logging is @ /var/vcap/sys/log/credhub/credhub.log

Setting the target#

metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://10.253.6.11:8844

Getting info and health#

metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
  "auth-server": {
    "url": "https://10.253.6.11:8443"
  },
  "app": {
    "name": "CredHub",
    "version": "1.0.8"
  }
}

metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
  "status": "UP"
}