TLS Encryption
This section describes the TLS usage and configuration for the a9s Data Service Framework (DSF) components.
General Layout
Each server component sits behind an NGINX reverse proxy which, among other things, handles TLS termination. As a result, all components offer the same usage and configuration when it comes to (m)TLS. All upstream communication from the NGINX to the proxied component goes over localhost through a non-TLS connection.
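The following NGINX server block is an added illustration of the layout described above; it is not configuration shipped by the a9s project. It terminates TLS, requires a client certificate that chains to the shared root CA (mTLS), and forwards plaintext HTTP to the component on localhost. The hostname, port, and file paths under /var/vcap/jobs are assumptions chosen for the example.

```nginx
# Added example, not the a9s project's own configuration.
# Assumed layout: the proxied component listens on 127.0.0.1:8080 (non-TLS);
# certificate material is rendered to /var/vcap/jobs/component/config/.

upstream component_backend {
    # Upstream hop stays on localhost and is not encrypted, per the layout above.
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name component.example.internal;   # assumed hostname

    # Server certificate chain (leaf plus intermediates) and its PKCS#1 PEM key.
    ssl_certificate     /var/vcap/jobs/component/config/server.crt;
    ssl_certificate_key /var/vcap/jobs/component/config/server.key;

    # mTLS: the client certificate must chain to the shared root CA
    # (the certificate stored in CredHub as /a9s_private_components_ca).
    # Depth 2 permits leaf -> intermediate -> root.
    ssl_client_certificate /var/vcap/jobs/component/config/components_ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://component_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # Hand the verified client identity to the component for authorization
        # decisions and audit logging; the component never sees the TLS handshake.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

Because the upstream hop is plaintext, the component must bind to the loopback interface only; any identity it needs from the caller has to arrive via headers that NGINX sets after verification, never via headers the client can supply itself.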
Certificate Requirements
The components use X.509 certificates for their (m)TLS connections. These X.509 certificates and their corresponding private keys must be PEM encoded, with the private keys in PKCS#1 format. A clear distinction must be made between the server certificates and the client certificates used for the (m)TLS connection.
The certificates may be signed by different intermediate certificates but ultimately, they are all issued by the same root CA certificate. This root CA certificate is stored in CredHub under /a9s_private_components_ca.
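The script below is an added example, not tooling from the a9s project, that builds a throwaway CA hierarchy with OpenSSL and runs the checks implied by the requirements above: that a private key is PKCS#1 PEM rather than PKCS#8, that a server certificate and a client certificate are distinguishable by extended key usage, and that leaf certificates issued by two different intermediates both verify against one root. All subject names and file names are constructed for the demonstration; the function names are the example's own.

```bash
#!/bin/sh
# Added example, not part of the a9s documentation. Builds a demo hierarchy in a
# temporary directory and checks key format, certificate role and chain building.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Request defaults plus the extension profiles used for CA and leaf certificates.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:false
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:false
extendedKeyUsage = clientAuth
EOF

# Write an RSA key as PKCS#1 PEM. OpenSSL 3 emits PKCS#8 unless asked for
# -traditional; OpenSSL 1.1 lacks that flag but already emits PKCS#1.
gen_pkcs1_key() {
  openssl genrsa -out "$1.tmp" 2048 2>/dev/null
  openssl rsa -in "$1.tmp" -out "$1" -traditional 2>/dev/null \
    || openssl rsa -in "$1.tmp" -out "$1" 2>/dev/null
  rm -f "$1.tmp"
}

# Exit 0 if the PEM file holds a PKCS#1 RSAPrivateKey, 1 otherwise. A PKCS#8
# key starts with "BEGIN PRIVATE KEY" and does not meet the requirement above.
is_pkcs1_key() { grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; }

# Print server, client or unknown, derived from the extendedKeyUsage extension.
cert_role() {
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -1)
  case "$eku" in
    *'TLS Web Server'*) echo server ;;
    *'TLS Web Client'*) echo client ;;
    *) echo unknown ;;
  esac
}

# Exit 0 if leaf $3 chains to trusted root $1 through untrusted intermediate $2.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# Issue certificate $1 from issuer $2 using extension profile $3.
issue_cert() {
  gen_pkcs1_key "$1.key"
  openssl req -new -key "$1.key" -config ext.cnf -subj "/CN=demo $1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -sha256 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed root: stands in for the CA stored as /a9s_private_components_ca.
gen_pkcs1_key root.key
openssl req -new -x509 -key root.key -config ext.cnf -extensions ca -days 1 \
  -sha256 -subj '/CN=demo root' -out root.pem 2>/dev/null

# Two intermediates under the same root; server and client leaves use different ones.
issue_cert int_a root ca
issue_cert int_b root ca
issue_cert server int_a server
issue_cert client int_b client

# A PKCS#8 copy of the server key, to show what the format check rejects.
openssl pkcs8 -topk8 -nocrypt -in server.key -out pkcs8.key 2>/dev/null

for f in root.key server.key client.key; do
  is_pkcs1_key "$f" && echo "$f: PKCS#1 PEM ok"
done
is_pkcs1_key pkcs8.key || echo "pkcs8.key: not PKCS#1, would be rejected"
echo "server.pem role: $(cert_role server.pem)"
echo "client.pem role: $(cert_role client.pem)"
verify_chain root.pem int_a.pem server.pem && echo "server.pem chains to root via int_a"
verify_chain root.pem int_b.pem client.pem && echo "client.pem chains to root via int_b"
verify_chain int_a.pem int_b.pem client.pem || echo "client.pem does not chain to int_a alone"
echo "artifacts left in $WORK"
```

The same three checks (key header, extended key usage, `openssl verify` with the root as `-CAfile` and the intermediates as `-untrusted`) can be applied to material rendered from the CredHub variables listed in the table below before it is handed to the NGINX proxy.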
Supported Components
The following a9s Data Service Framework components use (m)TLS connections and share a common configuration interface:
Although it is possible to also enable TLS for the other components not mentioned above, it is currently not possible to switch them to TLS-only because not all clients support TLS at this time.
Used Certificates
The following table lists the certificates currently used by the a9s DSF components.
Deployment | Component | Certificate | Signed by |
---|---|---|---|
backup-service | a9s Backup Manager | backup_manager_server_cert | /a9s_private_components_ca |
backup-service | a9s Backup Manager | backup_manager_client_cert | /a9s_private_components_ca |
cf-service-guard | a9s CF Service Guard | server_tls | /a9s_private_components_ca |
a9s Data Service | a9s BOSH Deployer | a9s_deployer_tls_cert | /a9s_private_components_ca |
a9s Data Service | a9s SPI | a9s_spi_tls_cert | /a9s_private_components_ca |
a9s Data Service | a9s SPI | a9s_spi_framework_components_ca | /a9s_private_components_ca |
Service Instance | a9s Backup Agent | backup_agent_server_cert | a9s_spi_framework_components_ca |
Table Legend
- Deployment: Either the name of the deployment, such as backup-service, or a placeholder: a9s Data Service stands for any a9s Data Service deployment like postgresql-service; Service Instance represents any Service Instance deployment, independent of the a9s Data Service used.
- Component: The component using the certificate in question.
- Certificate: The name of the CredHub variable containing the certificate.
- Signed by: The name of the CredHub variable containing the certificate that signed the certificate in question.