anynines SSL/TLS Service Plans

This topic provides usage guidance for SSL/TLS plans of a9s Data Services.

Providing your own key

By default - if no certificate authority (CA) certificate has been deployed - a self-signed certificate is created. However, when creating or updating a data service instance using an SSL plan, it is possible to provide your own certificate, private key, and CA certificate.

Example node domain

*.node.dc1.consul

Example service domain

*.service.dc1.consul

Parameters to provide

You can use the -c parameter when using the CF CLI to specify x509 certificates. Use the cf create-service or cf update-service command with an escaped JSON string to do so. If you need to escape a PEM encoded x509 certificate file or private key you can do so using awk:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <path to your PEM-encoded certificate file>

The configuration options specified using the -c parameter are:

Key      Value                             Description
cacrt    A PEM-encoded x509 certificate    The CA certificate with which your certificate has been or will be signed.
wildcrt  A PEM-encoded x509 certificate    The leaf certificate to be deployed to your service instance.
wildkey  A private key                     The private key for the certificate specified in wildcrt.

If you specify the wildcrt parameter, you must also specify the wildkey parameter, and vice versa. If specified, the pair is used in the service instance regardless of any other options. If you specify the cacrt option, it is expected to be the certificate authority that signed the certificate in wildcrt.

Example

The following command creates a RabbitMQ service instance using an SSL plan and an x509 certificate:

$ cf create-service a9s-messaging37 a9s-messaging-single-nano-ssl msg1 -c '{"wildcrt": "-----BEGIN CERTIFICATE-----\nMIIDbDCCAlQCCQCL8wEgtl3HUjANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJE\nRTERMA8GA1UECAwIU2FhcmxhbmQxFTATBgNVBAcMDFNhYXJicnVlY2tlbjEWMBQG\nA1UECgwNYW55bmluZXMgR21iSDELMAkGA1UECwwCSVQxGjAYBgNVBAMMEXRlc3Qu\nYW55bmluZXMuY29tMB4XDTE5MDYwNDA5MDUxMFoXDTI5MDYwMTA5MDUxMFoweDEL\nMAkGA1UEBhMCREUxETAPBgNVBAgMCFNhYXJsYW5kMRUwEwYDVQQHDAxTYWFyYnJ1\nZWNrZW4xFjAUBgNVBAoMDWFueW5pbmVzIEdtYkgxCzAJBgNVBAsMAklUMRowGAYD\nVQQDDBF0ZXN0LmFueW5pbmVzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAL6tR7CZDDIUv4n0hR9jV7oik1XhyUNhG8+LRsHL4XHuU5x3V3AA3ySQ\njeve1XmpDojgIkD48eEfAd1/HBzX7JZz5LUn/AiUIaApaxai0BUHS6IQ4iPObIB6\nftUHjltiaTb2JNOgm0OZ6/VBIZp+2KBY8IZP57jpa0GuQfX1wwTlN05290S5Vum8\nC6+Wd0MrMyXjoXosL+E8O4KdcH1fF9HEwIZERABxkWzOYRjzJ/nNfHiAl80Ej1yM\nqjwtD08mDF8IALB93C6MGaYSvmL7h7vpzX64EZlCvnCjqciI3COFab9bG1nicqnB\nLxJGNS8DRwjA7DNHOZqexeggiFNLTgMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\nUsFGXgVITZwDAH5ZVdTAILcdBC838IvIX9TZqbD477i8Rpjstnc1d+663m2YpZyQ\ndFU6y22LD4BbHUWzCjt7R4c4ymyTxVGM0v0mo+9yYv0pmjdmApQY++iNk0g0hDB6\nFqcXN4J2l0LNZY/1dRPp97cdbjBgz0VeC9Xct9ih1Ngc+o8gzGTm4UWGlZeNTNaT\nA2JbARHaralcXn5V7rOyQBixjPluYzHNKlJl0amZlpRllEvOsYrIFQzfyv8J7NPV\nLDrtAkufQvzZt5ATVXLbj9UHtNqlcl5VWwAm4Hj8+vuCNroxyxLlEPUj7dXMp6XB\nSEZmO0x5Sprrao78sTI5Hw==\n-----END CERTIFICATE-----\n", "wildkey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEAvq1HsJkMMhS/ifSFH2NXuiKTVeHJQ2Ebz4tGwcvhce5TnHdX\ncADfJJCN697VeakOiOAiQPjx4R8B3X8cHNfslnPktSf8CJQhoClrFqLQFQdLohDi\nI85sgHp+1QeOW2JpNvYk06CbQ5nr9UEhmn7YoFjwhk/nuOlrQa5B9fXDBOU3Tnb3\nRLlW6bwLr5Z3QyszJeOheiwv4Tw7gp1wfV8X0cTAhkREAHGRbM5hGPMn+c18eICX\nzQSPXIyqPC0PTyYMXwgAsH3cLowZphK+YvuHu+nNfrgRmUK+cKOpyIjcI4Vpv1sb\nWeJyqcEvEkY1LwNHCMDsM0c5mp7F6CCIU0tOAwIDAQABAoIBAGNEhQkcdKvx/1HL\n+i5AIuDltTzF4mjwunDPepPUF9efkunne5705Tb9BtXgWdUPvWBnB445zHs+EFOH\nJFSj2SjuxwfE/EJfFC50waq0Mo5wEOEb1w97HSO6IiO33lYXIt2ZQcznVU3ZaW1y\nbhMnrJG2G+pg2St8Yfl8xhxNySzXXYs56t3haVx0vFlgWn9xXn/Dpjlvae3JJtCI\nFRpuUJEE+SasuexvqyHjn0Kioh2USiVXcPKV9XAzugw6wwl93F66X+pSmcH5WtBP\nS33qURspZL7dnltMYh+29pTIBq0SbRdfiFdHOsKY5yDAW+o2j2DbsxaR5q7xQ6eN\n0cDiZGkCgYEA8QycCkSSNHrRWodnDQc9InDQX5oC66oKH0RbLbH22Jh5rIeoHPzU\nZNUVAe0mcEHmfTlkgtj2BeVyU3NF9cSCysdixQp10Ni8q8xlLcWaS83I1DjKYmpx\nvjwgpfT7SVI9FKztRiwmLHCCoLdUpoRSZWvdMVza6XK/WgrhWYZhbuUCgYEAyoDb\nDXnKt2TxwQKiWWQcPXZuKHgl0d24VlHpDRsMzlvg9bMRtRADIVddKheE+118f9iF\nr8AqayLkz0VMhJJ07sxVoJNh2VCcGBlsh3HAHH0HskD/A9Gsm3tqeEy5bvlmsFeB\ngClweibuFPos4GyyDqO7cZplORqKNuTaaEscCgYEA2NNV3SqXNRuxC7S2bpKv\nXDaMSSKZM/DtT/jF55GokGZ/NEGGaCTIzLabQfNXWyz8LnIcxlJw4xbkQspzCMKu\nP8cgQkvJdIYxGHwwGv8fbsZ5uuQmsGY9UDh3ybBXBTozdVCj0jZOVDUUW4rtWye1\nkkN3YTq8M7ejBlS5JjVpmT0CgYEAwxvz8r/t+VVhOL34/nfeXbnF2WgpyFMAUOsK\nyH3PkOQlk5W88d9DpNQwB2Yx0p74XZWY+QUF2cP9AVebqgASeiKWPejC1kc8nlug\nnb+Tgd9VkwHcsylKTWRT6STDZZEWx8EIHRvQK2PIPJc4glJQ9J2nHRVHdfMv4A6u\nzk01lfECgYEAmAbpBHubbd0YcmOuMEfIvC9mu0stx6p+oJ3IHV42GAVEtbl9Ct5x\nOltNtaXMMdriurZ5raPuUxtmXLyX80/ofIhKIGZHzpKT8j06wl5i6PxD5X5sOip9\nOQw9mVcb+5w/YgnKO/gJVAajYpniLMs/qIfwFs4/aVPmbGQgqLHWRuE=\n-----END RSA PRIVATE KEY-----\n"}'

Creating service instance rmq1 in org organisation / space test as user@example.com...
OK

Create in progress. Use 'cf services' or 'cf service rmq1' to check operation status.
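The following is an added example, not anynines code: it builds the -c document for the cacrt, wildcrt and wildkey parameters from PEM files and applies the rules above as pre-flight checks (wildcrt and wildkey only together, the key belongs to the certificate, cacrt signed wildcrt) before anything is sent to cf. It uses Ruby's JSON library for the escaping instead of the awk one-liner, and the script name ssl_params.rb is assumed.

```ruby
# Added example (not anynines code): build the -c JSON for an a9s SSL plan
# from PEM files and sanity-check the material before cf create-service.
require 'json'
require 'openssl'

# Normalise a PEM file the way the page's awk one-liner does: drop CRs and
# blank lines, keep one trailing newline. JSON.generate escapes the newlines.
def pem_text(path)
  File.read(path).lines.map { |l| l.delete("\r").chomp }.reject(&:empty?).join("\n") + "\n"
end

# Returns the JSON string to pass to `cf create-service ... -c`.
def ssl_params(ca_path, crt_path, key_path)
  JSON.generate('cacrt' => pem_text(ca_path),
                'wildcrt' => pem_text(crt_path),
                'wildkey' => pem_text(key_path))
end

# Pre-flight checks on such a JSON document: wildcrt and wildkey must come as
# a pair, the key must belong to the certificate, and cacrt (if given) must
# be the CA that signed wildcrt. Returns the list of problems found.
def check_ssl_params(json)
  params = JSON.parse(json)
  if params['wildcrt'].to_s.empty? != params['wildkey'].to_s.empty?
    return ['wildcrt and wildkey must be given together']
  end
  return [] if params['wildcrt'].to_s.empty?   # all empty: deleting the key, nothing to check
  problems = []
  crt = OpenSSL::X509::Certificate.new(params['wildcrt'])
  key = OpenSSL::PKey.read(params['wildkey'])
  problems << 'wildkey does not match wildcrt' unless crt.check_private_key(key)
  unless params['cacrt'].to_s.empty?
    ca = OpenSSL::X509::Certificate.new(params['cacrt'])
    problems << 'cacrt did not sign wildcrt' unless crt.verify(ca.public_key)
  end
  problems
end

# Usage (assumed file name ssl_params.rb):
#   cf create-service a9s-messaging37 a9s-messaging-single-nano-ssl msg1 \
#     -c "$(ruby ssl_params.rb ca.pem cert.pem key.pem)"
if __FILE__ == $PROGRAM_NAME && ARGV.size == 3
  json = ssl_params(*ARGV)
  problems = check_ssl_params(json)
  abort(problems.join("\n")) unless problems.empty?
  puts json
end
```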

Deleting your key

In order to delete a previously deployed certificate from your service instance, you can issue a command similar to the following:

$ cf update-service msg1 -c '{"wildcrt": "", "wildkey": "", "cacrt": ""}'

In this example, it is assumed the service instance is named rmq1.

Using SSL in your apps

To use an a9s Data Service via SSL you will need to trust the certificate. One way to achieve this is to add the CA Certificate to the trusted CAs of your app. You will find a variable called cacrt in the credentials hash provided to your app via the VCAP_SERVICES environment variable.

For some organisations, such as those already operating internal CAs, it might be best to distribute a CA via a custom buildpack in conjunction with providing your own key.

RabbitMQ Go example

Here is a RabbitMQ example of how you might use cacrt in your apps.

RabbitMQ Ruby example

require 'json'
require 'bunny'

# The service broker injects the credentials, including the CA certificate
# (cacrt), into VCAP_SERVICES; the binding is found under the service name.
vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
credentials = vcap_services['a9s-messaging37'][0]['credentials']

# Trust only the CA from the binding and verify the broker's certificate
# against it; Bunny accepts inline PEM text here as well as file paths.
conn = Bunny.new(
  credentials['uri'],
  tls: true,
  tls_ca_certificates: [credentials['cacrt']],
  verify_peer: true)

conn.start