3. Story of CredHub
Configuring Credentials is Hard
● Tesla: Unsecured Kubernetes console gave hackers access to infra creds and mined bitcoin using hacked creds
● Oklahoma Securities Commission: Millions of files including FBI files and Social Security numbers exposed by public server with no password
Leaking Credentials is Easy
● Uber: Code found on GitHub containing usernames and passwords
Detecting Credential Leaks is Hard
● Equifax: Hackers roamed its systems undetected from mid-May through late July 2017
4. Story of CredHub
● Generate
● Encrypt
● Rotate
● Audit
● Access Control
6. Spring CredHub: Java mapping to CredHub REST API
● Supports all credential types and operations
● Spring Boot auto-configuration support
● Apps deployed to CF with Java Buildpack automatically negotiate mutual TLS
9. Credential API
Credential Types
● value - a simple string, used for configuration and other non-generated properties
● password - a simple string, used for generated secrets
● user - username and password pair
● json - a JSON object
● certificate - an object containing a root CA, certificate and private key
● rsa - an object containing an RSA public key and private key
● ssh - an object containing an SSH-formatted public key and private key
https://credhub-api-cfapps.io
Operations
● Get/Set/Generate/Delete Credential
● Get/Add/Delete Permission
● Interpolate (VCAP_SERVICES)
Authentication
● Mutual TLS
● OAuth2 with UAA
11. BOSH Benefits
● Simplified Deployment Manifests
● Relax Access to BOSH Director
● Enables Sharing of Deployment Manifests
$ bosh -e pcf -d pcf manifest
vs
$ bosh -e pcf -d pcf manifest
21. Creating CredHub Service Broker Instances
Diagram: cf create-service → create service instance → Cloud Controller → CredHub Service Broker → CredHub
$ cf create-service credhub default dbcreds -c '{"username": "name", "password": "CREDHUB_SECRET"}'
22. Securing User Provided Services - CredHub Service Broker
Diagram: App running in a Diego Cell; Diego sends POST /interpolate to CredHub to resolve the VCAP_SERVICES references placed by the CredHub Broker
Diagram labels: Diego Cell, Diego, App, CredHub, CredHub Broker, POST /interpolate, VCAP_SERVICES, cf create-service cred… dbpassword
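As an added example (not from the slides or the CredHub project), this Python sketch shows what the POST /interpolate step above does: Diego hands the app's VCAP_SERVICES to CredHub, which swaps each credhub-ref for the stored credential, so the secret reaches the app's container only at start time and never sits in the Cloud Controller's copy of the binding. The ((…)) reference form, the credential path and the store contents are assumptions.

```python
import json

# Constructed stand-in for the CredHub store, keyed by credential name.
# In a real platform these values live only in CredHub; the Cloud Controller
# stores just the reference, which is why a leaked `cf env` shows no password.
CREDHUB_STORE = {
    "/credhub-service-broker/credhub/dbcreds": {"username": "name", "password": "CREDHUB_SECRET"},
}

# Constructed VCAP_SERVICES as the Cloud Controller would hand it to Diego:
# the broker-created binding carries a credhub-ref, while the plain
# user-provided service carries its value inline (the case the slides warn about).
SAMPLE_VCAP_SERVICES = json.dumps({
    "credhub": [{"name": "dbcreds", "credentials": {"credhub-ref": "((/credhub-service-broker/credhub/dbcreds))"}}],
    "user-provided": [{"name": "legacy", "credentials": {"password": "plaintext-in-env"}}],
})


def unresolved_refs(vcap_services: str) -> list:
    """Audit helper: list every credhub-ref still present in a VCAP_SERVICES document."""
    refs = []
    for bindings in json.loads(vcap_services).values():
        for binding in bindings:
            creds = binding.get("credentials")
            if isinstance(creds, dict) and "credhub-ref" in creds:
                refs.append(creds["credhub-ref"])
    return refs


def interpolate_vcap_services(vcap_services: str, store=CREDHUB_STORE) -> dict:
    """Mimic what CredHub's POST /interpolate does for Diego: replace each
    {"credhub-ref": "((name))"} credentials block with the stored value.
    A missing credential raises so staging fails loudly instead of starting
    the app with an empty credential."""
    services = json.loads(vcap_services)
    for bindings in services.values():
        for binding in bindings:
            creds = binding.get("credentials")
            if not isinstance(creds, dict) or "credhub-ref" not in creds:
                continue  # no reference: binding is passed through untouched
            name = creds["credhub-ref"].strip("()")  # assumed ((...)) wrapping of the name
            if name not in store:
                raise KeyError(f"credhub-ref {creds['credhub-ref']!r} not found in CredHub")
            binding["credentials"] = dict(store[name])
    return services


if __name__ == "__main__":
    print(json.dumps(interpolate_vcap_services(SAMPLE_VCAP_SERVICES), indent=2))
```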