
credhub job from credhub/1.1.2

Github source: a804d22 or master branch

Properties

credhub

authentication

mutual_tls
trusted_cas

List of CA certificates trusted to sign client certificates presented for mutual TLS

Default
[]
Example
- |+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
- |+
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
uaa
ca_certs

List of CA certificates trusted to sign the TLS certificates presented by UAA

url

URL of UAA instance for client to contact

verification_key

The public key for verifying tokens issued by the UAA instance

authorization

acls
enabled

Whether to enable or disable ACL enforcement

Default
false

data_storage

database

Name of database

Default
credhub
host

Host for credhub’s database access

password

Password for credhub’s database access

port

Port for credhub’s database access

require_tls

If true, forbid insecure connections to MySQL. Does not apply to Postgres.

Default
true
tls_ca

CA certificate used to validate the certificate the database presents when TLS validation is required.

type

Database type: in-memory (development only), mysql, or postgres. There is no default.

username

User name for credhub’s database access

encryption

keys

A list of active and inactive encryption keys, specifying the provider name and the encryption key name or value. One key must be marked as active. See below for example keys for each supported provider type. The internal provider accepts an encryption_password (minimum length 20).

Example
- active: true
  encryption_key_name: active-hsm-key-name
  provider_name: hsm-provider
- encryption_key_name: inactive-hsm-key-name
  provider_name: hsm-provider
- encryption_password: example-encryption-password
  provider_name: internal-provider
providers

A list of all providers used for the current set of encryption keys. See below for example structures of all supported provider types. The HSM server port defaults to 1792 if not provided.

Example
- client_certificate: |+
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  client_key: |+
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  name: hsm-provider
  partition: my-hsm-partition
  partition_password: example-hsm-password
  servers:
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.1
    partition_serial_number: 123123
    port: 1792
  - certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    host: 10.0.1.2
    partition_serial_number: 456456
    port: 1792
  type: hsm
- name: internal-provider
  type: internal
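The keys and providers descriptions above state several rules (exactly one active key, provider names that resolve, a minimum encryption_password length of 20 for the internal provider, an HSM port default of 1792). The following is an added checker, not part of the credhub release, that applies those rules to a manifest fragment shaped like the examples above; the sample data is constructed and the two function names are my own.

```python
"""Check credhub.encryption.keys / providers against the documented rules."""

HSM_DEFAULT_PORT = 1792           # documented default when servers[].port is omitted
MIN_INTERNAL_PASSWORD_LEN = 20    # documented minimum for internal-provider passwords

# Constructed sample with the same shape as the page's examples (not a real deployment).
SAMPLE_PROVIDERS = [
    {"name": "hsm-provider", "type": "hsm",
     "servers": [{"host": "10.0.1.1"}, {"host": "10.0.1.2", "port": 1792}]},
    {"name": "internal-provider", "type": "internal"},
]
SAMPLE_KEYS = [
    {"active": True, "encryption_key_name": "active-hsm-key-name", "provider_name": "hsm-provider"},
    {"encryption_key_name": "inactive-hsm-key-name", "provider_name": "hsm-provider"},
    {"encryption_password": "example-encryption-password", "provider_name": "internal-provider"},
]


def validate_encryption(keys, providers):
    """Return a list of problems; an empty list means every documented rule holds."""
    problems = []
    by_name = {p.get("name"): p for p in providers}
    if len(by_name) != len(providers):
        problems.append("duplicate provider names")
    active = [k for k in keys if k.get("active")]
    if len(active) != 1:
        problems.append(f"exactly one key must be active, found {len(active)}")
    for i, key in enumerate(keys):
        provider = by_name.get(key.get("provider_name"))
        if provider is None:
            problems.append(f"key {i}: unknown provider_name {key.get('provider_name')!r}")
            continue
        if provider.get("type") == "internal":
            if len(key.get("encryption_password", "")) < MIN_INTERNAL_PASSWORD_LEN:
                problems.append(f"key {i}: encryption_password shorter than {MIN_INTERNAL_PASSWORD_LEN}")
        elif provider.get("type") == "hsm" and not key.get("encryption_key_name"):
            problems.append(f"key {i}: hsm key needs encryption_key_name")
    return problems


def effective_hsm_servers(providers):
    """List (provider, host, port) for every HSM server, applying the 1792 port default."""
    return [(p["name"], s["host"], s.get("port", HSM_DEFAULT_PORT))
            for p in providers if p.get("type") == "hsm"
            for s in p.get("servers", [])]


if __name__ == "__main__":
    print(validate_encryption(SAMPLE_KEYS, SAMPLE_PROVIDERS) or "ok")
    print(effective_hsm_servers(SAMPLE_PROVIDERS))
```

Run it against the `credhub.encryption` block of a rendered manifest before deploying; any returned string is a rule the page states that the fragment violates.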

java7_tls_ciphers_enabled

Enables legacy TLS cipher suites so that Java 7 clients can communicate with CredHub over TLS

Default
false

log_level

Log level. Available levels are none, error, warn, info, and debug.

Default
info

max_heap_size

Maximum memory heap size in MB for CredHub JVM

Default
1024

port

Port for the CredHub server to listen on

Default
8844

tls

Certificate and private key for TLS connection to CredHub API

Example
|+
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/credhub/ directory.

  • bin/bbr/backup (from backup.erb)
  • bin/bbr/restore (from restore.erb)
  • bin/configure_hsm.sh (from configure_hsm.erb)
  • bin/ctl (from ctl.erb)
  • bin/drain (from drain.erb)
  • bin/init_key_stores.sh (from init_key_stores.erb)
  • bin/post-start (from post-start.erb)
  • bin/pre-start (from pre-start.erb)
  • config/application.yml (from application.yml.erb)
  • config/encryption.conf (from encryption.conf.erb)
  • config/log4j2.properties (from log4j2.properties.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.