credhub#

What runs op the director (pcf 1.11):

Resources#

• credhub
• credhub bosh release
• credhub bosh release docs!
• credhub api and cli ref
• pcf 1.12 and credhub
• Setting Up and Deploying CredHub with BOSH
• Using CredHub to Increase the Security of Your Platform - Dan Jahner, Pivotal
• YouTube "CredHub and Secure Credential Management - Peter Blum, Scott Frederick"

Setting up your local BOSH environment#

First create your local BOSH director:

bosh create-env ~/workspace/bosh-deployment/bosh.yml  \
 --state ./state.json \
 -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
 -o outbound-network.yml \
 -o ~/workspace/bosh-deployment/bosh-lite.yml \
 -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
 -o ~/workspace/bosh-deployment/jumpbox-user.yml \
 -o ~/workspace/bosh-deployment/uaa.yml \
 -o ~/workspace/bosh-deployment/credhub.yml \
 --vars-store ./creds.yml \
 -v director_name="Bosh Lite Director"  \
 -v internal_ip=192.168.50.6 \
 -v internal_gw=192.168.50.1 \
 -v internal_cidr=192.168.50.0/24 \
 -v outbound_network_name=NatNetwork
 
bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca)
 
export BOSH_ENVIRONMENT=vbox
export BOSH_CLIENT=admin
export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password`

echo "updating cloud config..."
bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml

Mind the uaa.yml and credhub.yml operator files.

When you have this up and running, credhub should be running on port 8844 and use the local UAA (on port 8443) as it's authenticator.

CredHub on PCF#

/:~# ps -ef|grep -i credh
vcap      35083      1  0 Jan26 ?        00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar
....

This listens on port 8844.
There is an interesting config file @ /var/vcap/jobs/credhub/config/application.yml
Logging is @ /var/vcap/sys/log/credhub/credhub.log

Setting the target#

metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://10.253.6.11:8844

Getting info and health#

metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
  "auth-server": {
    "url": "https://10.253.6.11:8443"
  },
  "app": {
    "name": "CredHub",
    "version": "1.0.8"
  }
}

metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
  "status": "UP"
}