CredHub Integration
seilc1 opened this issue · 2 comments
Problem
Credentials for services are stored in the database. The database is not the ideal place to store sensitive data.
CredHub is a component designed for centralized credential management in Cloud Foundry (CF). It is a single component that can address several scenarios in the CF ecosystem. At the highest level, CredHub centralizes and secures credential generation, storage, lifecycle management, and access.
In a first iteration a proof of concept should be implemented that connects the service broker to CredHub and allows reading and writing of credentials.
Requirements
- Service Class with functions:
- Credential GetCredential(String key)
- void CreateCredential(String key, Credential credential)
- void UpdateCredential(String key, Credential credential)
- void DeleteCredential(String key)
- Service connects successfully to CredHub
- Service is well tested
- It should be possible to store username & password
- It should be possible to store a certificate.
- Propose a solution for local Integration and Unit Testing without connecting to CredHub (mock? flags? separate implementation?)
Links
- Latest Service Broker API Spec
- CredHub API Ref
- Spring Boot Profiles for a local solution - this could be an option.
CredHub integration requires an HTTPS connection, so a JKS keystore with the CredHub/UAA server certificates is needed and has to be set using JVM command line parameters:
```
-Djavax.net.ssl.keyStore=osb_client.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=osb_client.jks
-Djavax.net.ssl.trustStorePassword=changeit
```
We should be able to save any data in CredHub as we do not just have username / password pairs as credentials (e.g. Redis Credentials). To support that I'd suggest using JsonCredential instead of UserCredential.
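As an added example (not code from this issue or the broker project), here is one shape the requested service class could take: the four functions behind an interface, a CredHub-backed bean using JsonCredential as suggested in the last comment, and an in-memory bean under a `local` Spring profile so unit and integration tests never need a CredHub connection. It assumes the Spring CredHub 2.x client API (`CredHubOperations`, `JsonCredentialRequest`, `SimpleCredentialName`) and an assumed `service-broker/<key>` naming layout.

```java
// Added example (not the project's code); Spring CredHub 2.x client API signatures are assumed.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Profile;
import org.springframework.credhub.core.CredHubOperations;
import org.springframework.credhub.support.SimpleCredentialName;
import org.springframework.credhub.support.json.JsonCredential;
import org.springframework.credhub.support.json.JsonCredentialRequest;
import org.springframework.stereotype.Service;
/** A credential is an arbitrary JSON map: username/password, a certificate PEM, Redis details, ... */
interface CredentialService {
    Map<String, Object> getCredential(String key);
    void createCredential(String key, Map<String, Object> credential);
    void updateCredential(String key, Map<String, Object> credential);
    void deleteCredential(String key);
}

@Service
@Profile("!local")
class CredHubCredentialService implements CredentialService {
    private final CredHubOperations credHub;  // injected by the Spring CredHub auto-configuration
    CredHubCredentialService(CredHubOperations credHub) { this.credHub = credHub; }
    // Fixed prefix keeps broker secrets under one CredHub path so access can be scoped to it (assumed layout).
    private static SimpleCredentialName nameOf(String key) {
        return new SimpleCredentialName("service-broker", key);
    }
    @Override public Map<String, Object> getCredential(String key) {
        return credHub.credentials().getByName(nameOf(key), JsonCredential.class).getValue();
    }
    @Override public void createCredential(String key, Map<String, Object> credential) {
        credHub.credentials().write(JsonCredentialRequest.builder()
                .name(nameOf(key)).value(new JsonCredential(credential)).build());
    }
    @Override public void updateCredential(String key, Map<String, Object> credential) {
        createCredential(key, credential);  // CredHub keeps versions; a new write supersedes the old value
    }
    @Override public void deleteCredential(String key) {
        credHub.credentials().deleteByName(nameOf(key));
    }
}

@Service
@Profile("local")
class InMemoryCredentialService implements CredentialService {
    private final Map<String, Map<String, Object>> store = new ConcurrentHashMap<>();
    @Override public Map<String, Object> getCredential(String key) { return store.get(key); }
    @Override public void createCredential(String key, Map<String, Object> c) { store.put(key, c); }
    @Override public void updateCredential(String key, Map<String, Object> c) { store.put(key, c); }
    @Override public void deleteCredential(String key) { store.remove(key); }
}
```

Running with `--spring.profiles.active=local` selects the in-memory bean, so the same test suite exercises the service contract locally and against a real CredHub (with the JKS settings from the comment above) without code changes.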