This is version 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 . It is not the current version, and thus it cannot be edited.

Back to current versionRestore this version

credhub#

What runs op the director (pcf 1.11):

Resources#

• credhub
• credhub bosh release
• credhub bosh release docs!
• credhub api and cli ref
• cf-uaac
• pcf 1.12 and credhub
• Setting Up and Deploying CredHub with BOSH
• Using CredHub to Increase the Security of Your Platform - Dan Jahner, Pivotal
• YouTube "CredHub and Secure Credential Management - Peter Blum, Scott Frederick"

Setting up your local BOSH environment#

First create your local BOSH director:

bosh create-env ~/workspace/bosh-deployment/bosh.yml  \
 --state ./state.json \
 -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
 -o outbound-network.yml \
 -o ~/workspace/bosh-deployment/bosh-lite.yml \
 -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
 -o ~/workspace/bosh-deployment/jumpbox-user.yml \
 -o ~/workspace/bosh-deployment/uaa.yml \
 -o ~/workspace/bosh-deployment/credhub.yml \
 --vars-store ./creds.yml \
 -v director_name="Bosh Lite Director"  \
 -v internal_ip=192.168.50.6 \
 -v internal_gw=192.168.50.1 \
 -v internal_cidr=192.168.50.0/24 \
 -v outbound_network_name=NatNetwork
 
bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca)
 
export BOSH_ENVIRONMENT=vbox
export BOSH_CLIENT=admin
export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password`

echo "updating cloud config..."
bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml

Mind the uaa.yml and credhub.yml operator files.
When the deployment finishes you will have a creds.yml file that has all k

When you have this up and running, credhub should be running on port 8844 and use the local UAA (on port 8443) as it's authenticator.

Login to credhub#

First you need the credhub and uaa cli's, see the resources section for the download URLs. To install uaac, run sudo gem install cf-uaac.

Then you set the API to credhub:

metskem@athena-2~/workspace/boshlite/deployments/vbox $ credhub api -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation
Setting the target url: https://192.168.50.6:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.

First some jq magic to get the UAA URL from the credhub /info api:

curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url'  -r
https://192.168.50.6:8443

Login to credhub should be done with a UAA user, so create that first : ....the current admin user only has scope bosh.admin, and when trying to update that :

metskem@athena ~/workspace/boshlite/deployments/vbox master ●  uaac client update admin --authorities "bosh.admin scim.write"

error response:
{
  "error": "insufficient_scope",
  "error_description": "Insufficient scope for this resource",
  "scope": "uaa.admin clients.read clients.admin zones.uaa.admin"
}

You can then use this value for creating the uaa users:

export UAA_URL=$(curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url'  -r)
uaac target ${UAA_URL} --skip-ssl-validation

CredHub on PCF#

/:~# ps -ef|grep -i credh
vcap      35083      1  0 Jan26 ?        00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar
....

This listens on port 8844.
There is an interesting config file @ /var/vcap/jobs/credhub/config/application.yml
Logging is @ /var/vcap/sys/log/credhub/credhub.log

Setting the target#

metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://10.253.6.11:8844

Getting info and health#

metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
  "auth-server": {
    "url": "https://10.253.6.11:8443"
  },
  "app": {
    "name": "CredHub",
    "version": "1.0.8"
  }
}

metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
  "status": "UP"
}