TLS/SSL Service Plans

caution

Currently, some a9s Data Services are experiencing problems regarding logging when using TLSv1.3. Therefore, we strongly recommend to use TLSv1.2.

These issues with TLSv1.3 are not present in a9s Messaging nor a9s MariaDB.

This section describes the usage and configuration of TLS/SSL service plans from the perspective of the Application Developer.

All TLS/SSL service instances use a X.509 certificate in order to encrypt the communication between server and client. These X.509 certificates and their corresponding private keys must be in PKCS#1 format and PEM encoded.

There are three general sources for the certificate of a service instance:

• A specific user provided certificate
• A generated certificate that is signed by the Certificate Authority (CA) that the Platform Operator configured
• A wildcard certificate that is directly provided by the Platform Operator

Furthermore, please be aware that different services may have special limitations which are described explicitly in the Limitations section.

Supported Services

The following a9s Data Services support TLS/SSL service plans and share a common configuration interface:

• a9s KeyValue
• a9s LogMe2
• a9s MariaDB
• a9s Messaging
• a9s MongoDB
• a9s MySQL (10.4 only)
• a9s PostgreSQL
• a9s Redis (starting from version 6)
• a9s Search

Limitations

Currently, the a9s Data Services do not support service plan upgrades from Non-TLS/SSL to TLS/SSL service plans. We recommend that you create a new instance with TLS/SSL enabled and migrate your data to the new instance.

Using TLS/SSL in your apps

To use an a9s Data Service via TLS/SSL you will need to trust the certificate. One way to achieve this is to add the CA certificate to the trusted CAs of your app. You will find a variable called cacrt in the credentials hash provided to your app via the VCAP_SERVICES environment variable.

RabbitMQ Go example

Here is a RabbitMQ example of how you might use cacrt in your apps.

RabbitMQ Ruby example

require 'bunny'
require 'json'

vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
credentials = vcap_services['a9s-messaging310'][0]['credentials']
conn = Bunny.new(
  credentials['uri'],
  tls_ca_certificates: [credentials['cacrt']],
  tls: true
)

conn.start