TLS/SSL Service Plans
Currently, some a9s Data Services are experiencing problems regarding logging when using TLSv1.3. Therefore, we strongly recommend using TLSv1.2.
These issues with TLSv1.3 are not present in a9s Messaging nor a9s MariaDB.
This section describes the usage and configuration of TLS/SSL service plans from the perspective of the Application Developer.
All TLS/SSL service instances use an X.509 certificate to encrypt the communication between server and client. These X.509 certificates and their corresponding private keys must be in PKCS#1 format and PEM encoded.
There are three general sources for the certificate of a service instance:
- A specific user provided certificate
- A generated certificate that is signed by the Certificate Authority (CA) that the Platform Operator configured
- A wildcard certificate that is directly provided by the Platform Operator
Furthermore, please be aware that different services may have special limitations which are described explicitly in the Limitations section.
Supported Services
The following a9s Data Services support TLS/SSL service plans and share a common configuration interface:
- a9s KeyValue
- a9s LogMe2
- a9s MariaDB
- a9s Messaging
- a9s MongoDB
- a9s MySQL (10.4 only)
- a9s PostgreSQL
- a9s Redis (starting from version 6)
- a9s Search
Limitations
Currently, the a9s Data Services do not support service plan upgrades from Non-TLS/SSL to TLS/SSL service plans. We recommend that you create a new instance with TLS/SSL enabled and migrate your data to the new instance.
Using TLS/SSL in your apps
To use an a9s Data Service via TLS/SSL you will need to trust the certificate. One way to achieve this is to add the CA certificate to the trusted CAs of your app. You will find a variable called cacrt in the credentials hash provided to your app via the VCAP_SERVICES environment variable.
Here is a RabbitMQ example of how you might use cacrt in your apps.
RabbitMQ Ruby example
require 'bunny'
require 'json'

# VCAP_SERVICES holds one entry per bound service; take the credentials of the
# first a9s Messaging binding.
vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
credentials = vcap_services['a9s-messaging310'][0]['credentials']

# Trust only the CA delivered in the binding (cacrt) when connecting over amqps.
conn = Bunny.new(
  credentials['uri'],
  tls_ca_certificates: [credentials['cacrt']],
  tls: true
)
conn.start