You can ensure service instance credentials are securely stored in runtime CredHub.
The VMware Tanzu Application Service for VMs (TAS for VMs) tile includes its own CredHub component, separate from the CredHub component included with the BOSH Director tile. For more information about this centralized credential management component, see the CredHub documentation.
Runtime CredHub exists to securely store service instance credentials. Previously, TAS for VMs can only use the Cloud Controller database for storing these credentials.
When developers want their app to use a service, such as those provided by Spring Cloud Services for VMware Tanzu, they must bind their app to an instance of that service. Service bindings include credentials that developers can use to access the service from their app. For more information, see Binding credentials.
To ensure that service instance credentials are stored in runtime CredHub, you must configure TAS for VMs to activate this capability. Not all services support the use of runtime CredHub.
TAS for VMs supports services that do and do not use runtime CredHub. Services that do not use runtime CredHub continue to pass their credentials to the Cloud Controller database.
Runtime CredHub supports credential rotation. For more information, see Rotating Runtime CredHub Encryption Keys.
The procedures in this document are only effective for services that support storing their instance credentials in runtime CredHub. To learn whether a service supports this feature, see the table below or the documentation for that service.
Service | Versions with secure binding credentials | Broadcom Support listing |
---|---|---|
VMware GemFire for Tanzu Application Service | v1.7 and later | VMware GemFire |
CredHub Service Broker | All | CredHub Service Broker |
VMware Tanzu SQL [MySQL] | v2.3 and later (available to user groups only) | VMware Tanzu SQL [MySQL] |
RabbitMQ for VMware Tanzu [VMs] | v1.12 and later | RabbitMQ for VMware Tanzu [VMs] |
Redis for VMware Tanzu | v1.13 and later | Redis for VMware Tanzu |
Spring Cloud Services for VMware Tanzu | v1.5 and later | Spring Cloud Services for VMware Tanzu |
Runtime CredHub allows you to use one or more Hardware Security Modules (HSMs) to store encryption keys. If you wish to use an HSM with CredHub, you must configure the HSM before completing the following procedures. For more information, see Preparing CredHub HSMs for Configuration.
To configure the TAS for VMs tile to support securing service instance credentials in CredHub, you must:
In the CredHub pane, provide at least one encryption key. CredHub supports multiple encryption key providers.
In the Resource Config pane, set the number of CredHub instances to at least one.
CredHub configuration options include:
Internal or external databases
Encryption keys stored internally, externally in a Hardware Security Module (HSM), or both
To configure the TAS for VMs tile, start with Prerequisites.
App Security Groups (ASGs) are network policy rules specifying protocols, ports, and IP ranges that apply to outbound network connections initiated from apps.
The default ASGs in Operations Manager allow apps running on your deployment to send traffic to almost any IP address. This step is only required if your ASGs restrict network access from apps to the network on which TAS for VMs runs. For more information, see Restricting App Access to Internal TAS for VMs Components.
To ensure the ASGs for your deployment allow apps to communicate with the runtime CredHub API:
From the TAS for VMs tile, click Assign AZs and Networks and record the selected network where the tile is installed.
From the BOSH Director tile, in the Settings tab, click Create Networks.
In the Networks section, click the name of the TAS for VMs network to expand it.
Record the CIDR for the TAS for VMs network.
Create a file named runtime-credhub.json
for specifying your ASG rules. Copy the following content into the file. Replace YOUR-TAS-CIDR
with the CIDR you recorded in the previous step.
[
{
"protocol": "tcp",
"destination": "YOUR-TAS-CIDR",
"ports": "8844"
}
]
Create an ASG that allows apps to access the CredHub API by running:
cf create-security-group runtime-credhub ~/workspace/runtime-credhub runtime-credhub.json
Bind this ASG to your deployment or the specific space in which you want apps to access CredHub. For more information about binding ASGs, see the Bind ASGs section of the App Security Groups topic. Ensure that apps deployed as part of the service tile installation process have access to CredHub in addition to the apps pushed to the platform by developers. For example, the Spring Cloud Services for VMware Tanzu tile deploys the spring-cloud-broker
app to the p-spring-cloud-services
space of the system
org.
Restart apps for the ASGs to take effect. Optionally, you can use the app-restarter cf CLI plug-in to restart all apps in a particular space, org, or deployment.
For any service instance bindings that existed before runtime CredHub was supported for that service, you must work with your developers to unbind and rebind the service instances to their apps. If you do not unbind and rebind the service, apps continue functioning as normal and fetching credentials from the Cloud Controller database.
Important This step is not required for bindings created after you installed the new version of the service tile that supports CredHub and you completed the procedures in steps 1 and 2 of this topic.
To unbind and rebind your service instances to their apps:
Unbind the service instance from the app by running:
cf unbind-service YOUR-APP YOUR-SERVICE-INSTANCE
Where:
YOUR-APP
is the app that you bound the service instance.YOUR-SERVICE-INSTANCE
is the service instance you want to unbind from the app.Rebind the service instance to the app by running:
cf bind-service YOUR-APP YOUR-SERVICE-INSTANCE
Where:
YOUR-APP
is the app from which you unbound the service instance.YOUR-SERVICE-INSTANCE
is the service instance you want to rebind to the app.Review the VCAP_SERVICES
environment variable to verify that the new service instance binding includes CredHub pointers by running:
cf env YOUR-APP
Where YOUR-APP
is the app to which you bound the service instance.
For help parsing the output of the cf-env
command, see VCAP_SERVICES in TAS for VMs Environment Variables.
Start the app again to apply the service instance binding by running:
cf restart YOUR-APP
Where YOUR-APP
is the app to which you bound the service instance.
If you run cf-env
again, you can see the VCAP-SERVICES
environment variable now contains the credentials for the service instance binding.