CredHub and Secure Credential Management
Scott Frederick @scottyfred
Peter Blum @_pblum
Agenda
CredHub
- Why?
- What?
Use cases
- BOSH credentials
- Application service binding credentials
Why?
CredHub
Configuring Credentials
- Verizon: Phone numbers, names and pin codes of six million customers were left unsecured online for nine days.
- Accenture: Inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys.
- Equifax: Website Secured By The Worst Username And Password Possible - `admin`, `admin`
- Viacom: Owners of Paramount Pictures, Comedy Central, MTV, and hundreds of other properties—has exposed the keys to its kingdom on an unsecured Amazon S3 server.
Leaked Credentials
- Uber: Breach occurred when hackers discovered that the company's developers had published code that included their usernames and passwords on a private account of the software repository GitHub.
- OneLogin breached: Hacker finds cleartext credential notepads
- Deloitte is a sitting duck: VPN and proxy 'login details leaked'
Using Credentials
- Equifax: Hackers roamed its systems undetected from mid-May through late July 2017, accessing files on nearly half the U.S. population.
- 14 Years to Discover Data Breach: Tewksbury Hospital in Massachusetts, where a clerk inappropriately accessed the records of more than 1,000 patients between 2003 and 2017
- Compromised Data goes undetected for days: According to the latest Protenus Breach Barometer, it took an average of 441 days for organizations to find out a breach occurred.
Goals
Central point for Credential:
- Generation
- Storage
- Rotation
- Logging
- Access Control
[Figure: two diagrams over Time, each labelled Credential Config and Credential Leaks]
User Groups
- Operations - Infrastructure As Code
- Developers - SPRING!
[Diagram labels: CredHub, CLI, BOSH, REST API]
What?
CredHub
Architecture
[Diagram labels: CredHub, CLI, BOSH, REST API, Authentication Provider, Encryption Provider (HSM), Backing SQL Database]
Credential Types
value - a simple string, used for configuration and other non-generated properties
password - a simple string, used for generated secrets
user - username and password pair
json - a JSON object
certificate - an object containing a root CA, certificate and private key
rsa - an object containing an RSA public key and private key
ssh - an object containing an SSH-formatted public key and private key
http://docs.cloudfoundry.org/credhub/credential-types.html
REST API
- Secured via Mutual TLS, and/or OAuth2 with UAA
- Get/Set/Generate/Delete Credential
- Get/Add/Delete Permission
- Interpolate VCAP_SERVICES
https://credhub-api.cfapps.io
Java mapping to CredHub REST API
● supports all credential types and operations
Spring Boot auto-configuration support
Apps deployed to CF with Java Buildpack automatically negotiate mutual TLS
1.0.0.RELEASE coming soon
BOSH Credentials
Use Cases
BOSH Deployments
[Diagram labels: CredHub, BOSH, Deploy Manifest, Generate Cred, Store Cred, Return Cred, Backing SQL Database, Deploy Service, Deployed Service with]
BOSH Benefits
- Simplified Deployment Manifests
- Relax Access to BOSH Director
- Enables Sharing of Deployment Manifests
[Figures: two "vs" comparisons, each captioned `$ bosh -e pcf -d pcf manifest`]
Availability
Starting with Release Version 262
Starting in Pivotal CF 1.11
● Ops Manager deploys CredHub with BOSH director
Secure Service Binding Credentials
Use Cases
Service Bindings
$ cf create-service service-name plan service-instance-name
[Diagram: Cloud Controller and Service Broker; labels: Create Instance, Provision Resources, Details]
$ cf bind-service app-name service-instance-name
[Diagram: Cloud Controller and Service Broker; labels: Create Binding, Generate Credentials, Credentials]
"credentials": {
  "uri": "https://service-6yQVNrhZVP.example.com",
  "username": "VofTuQk2BH",
  "password": "fRqah7Wygi" }
Service Bindings
$ cf env app-name
"VCAP_SERVICES": {
  "service-name": [{
    "credentials": {
      "uri": "https://service-6yQVNrhZVP.example.com",
      "username": "VofTuQk2BH",
      "password": "fRqah7Wygi"
    }
  }]
}
Where Binding Credentials Live
Cloud Controller database (encrypted)
Cloud Controller REST API responses
● /v2/apps/:guid/env
● /v2/service_bindings/:guid
Staged application droplets
cf ssh
Manual ssh
Process Environment
Application Memory
Service Bindings With CredHub
$ cf bind-service app-name service-instance-name
[Diagram: Cloud Controller, Service Broker and CredHub; labels: create binding, generate credentials]
PUT /data
"credentials": {
  "uri": "https://service-6yQVNrhZVP.example.com",
  "username": "VofTuQk2BH",
  "password": "fRqah7Wygi" }
credentials with credhub-ref
"credentials": {
  "credhub-ref": "/c/my-broker/[instance-id]/[binding-id]/credentials" }
Service Bindings
$ cf env app-name
"VCAP_SERVICES": {
  "service-name": [{
    "credentials": {
      "credhub-ref": "/c/my-broker/[instance-id]/[binding-id]/credentials"
    }
  }]
}
Credential Interpolation
[Diagram: CredHub]
POST /interpolate
"VCAP_SERVICES": {
  "my-service": [{
    "credentials": {
      "credhub-ref": "/c/my-broker/1111/2222/credentials"
    }
  }]
}
interpolated credentials
"VCAP_SERVICES": {
  "service-name": [{
    "credentials": {
      "uri": "https://service-6yQVNrhZVP.example.com",
      "username": "VofTuQk2BH",
      "password": "fRqah7Wygi"
    }
  }]
}
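The interpolation exchange above, modelled offline as an added example (not code from the talk or from CredHub): `audit_bindings` reports which bindings in a VCAP_SERVICES document still carry literal credentials, and `interpolate` replaces each `credhub-ref` with the stored value while logging every lookup. The in-memory `STORE`, the actor names, the `legacy-service` binding and the permission model are assumptions standing in for a CredHub server.

```python
import copy
import json

# Constructed sample: one binding that uses a credhub-ref (path from the slide)
# next to a legacy binding that still embeds its secrets.
VCAP_SERVICES = json.loads("""
{
  "my-service": [{
    "name": "db",
    "credentials": {"credhub-ref": "/c/my-broker/1111/2222/credentials"}
  }],
  "legacy-service": [{
    "name": "cache",
    "credentials": {"uri": "https://cache.example.com", "password": "constructed-secret"}
  }]
}
""")

# Stand-in for CredHub's store: credential name -> (value, actors allowed to read).
# The value is the sample shown on the slide; the actor name is hypothetical.
STORE = {
    "/c/my-broker/1111/2222/credentials": (
        {"uri": "https://service-6yQVNrhZVP.example.com",
         "username": "VofTuQk2BH", "password": "fRqah7Wygi"},
        {"app:app-guid-1"},
    ),
}

REF_KEY = "credhub-ref"


class AccessDenied(Exception):
    pass


def audit_bindings(vcap):
    """Return {"service/binding": "credhub-ref" | "literal"} for every binding."""
    report = {}
    for service, instances in vcap.items():
        for inst in instances:
            creds = inst.get("credentials", {})
            # A reference binding carries only the credhub-ref key.
            is_ref = set(creds) == {REF_KEY}
            key = f"{service}/{inst.get('name', '?')}"
            report[key] = "credhub-ref" if is_ref else "literal"
    return report


def interpolate(vcap, actor, store=STORE, audit_log=None):
    """Return a copy of vcap with each credhub-ref replaced by the stored value.

    Every lookup is appended to audit_log, allowed or not, so each read of a
    credential is attributable to an actor.
    """
    audit_log = audit_log if audit_log is not None else []
    resolved = copy.deepcopy(vcap)
    for instances in resolved.values():
        for inst in instances:
            creds = inst.get("credentials", {})
            if set(creds) != {REF_KEY}:
                continue  # literal credentials pass through unchanged
            name = creds[REF_KEY]
            value, readers = store.get(name, (None, set()))
            allowed = value is not None and actor in readers
            audit_log.append({"actor": actor, "credential": name, "allowed": allowed})
            if not allowed:
                # One error for "missing" and "forbidden" so names cannot be probed.
                raise AccessDenied(name)
            inst["credentials"] = copy.deepcopy(value)
    return resolved
```

Bindings that `audit_bindings` reports as `literal` are the ones whose secrets still appear in every location the "Where Binding Credentials Live" slide lists.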
Assisted Credential Resolution
[Diagram: cf push, Cloud Controller, Diego, Diego Cell, App, CredHub; labels: create env, POST /interpolate, VCAP_SERVICES, V##P_#####]
Application Benefits of Using CredHub
Assisted Mode
Cloud Controller database (encrypted)
Cloud Controller REST API responses
● /v2/apps/:guid/env
● /v2/service_bindings/:guid
Staged application droplets
cf ssh
Non-Assisted Credential Resolution
Spring applications using Spring Cloud Connectors or Spring Boot ${vcap.service.} properties will have framework support to automate resolution
[Diagram: cf push, Cloud Controller, Diego, Diego Cell, App, CredHub; labels: create env, POST /interpolate, VCAP_SERVICES, V##P_#####]
Application Benefits of Using CredHub
Assisted Mode
Cloud Controller database (encrypted)
Cloud Controller REST API responses
● /v2/apps/:guid/env
● /v2/service_bindings/:guid
Staged application droplets
cf ssh
Non-Assisted Mode
Cloud Controller database (encrypted)
Cloud Controller REST API responses
● /v2/apps/:guid/env
● /v2/service_bindings/:guid
Staged application droplets
cf ssh
Manual ssh
Process Environment
Application Memory
Availability
CredHub bits are included in cf-deployment since version v0.36.0
Deployment manifest customization required to enable secure service binding credentials workflow
Starting in Pivotal CF 2.0
● Secure service binding credentials support can be enabled or disabled in PAS tile configuration
● Assisted mode only
Service brokers will be updated to support secure binding credentials on their own release schedules
Learn More. Stay Connected.
How to Build Spring Services for Cloud-Native Platforms Using the Open Service Broker API
Matthew McNeeney, Sam Gunaratne
Thursday 12:30 room 2004
#springone @s1p
