Version: Develop

TLS Encryption

This section describes the TLS usage and configuration for the a9s Data Service Framework (DSF) components.

General Layout

Each server component is proxied by an NGINX instance which, among other things, handles TLS termination. As a result, all components offer the same usage and configuration when it comes to (m)TLS. All upstream communication from the NGINX to the proxied component goes through localhost over a non-TLS connection, so the plaintext hop never leaves the host.

Certificate Requirements

The components use X.509 certificates for the (m)TLS connections. The certificates and their corresponding private keys must be PEM encoded, and the private keys must be in PKCS#1 format (RSA keys with a -----BEGIN RSA PRIVATE KEY----- header); a key in PKCS#8 format (-----BEGIN PRIVATE KEY-----) must be converted before it is used. Server certificates and the client certificates used for the (m)TLS connection are distinct artifacts and must be explicitly kept apart.

The certificates may be signed by different intermediate CAs, but all of them ultimately chain to the same root CA certificate. This root CA certificate is stored in CredHub under /a9s_private_components_ca.
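The following pre-flight check for the format requirements above is an added example; it is not part of the a9s documentation or tooling. It classifies every PEM block in a bundle by its label (assuming the usual PEM conventions: RSA PRIVATE KEY is PKCS#1, PRIVATE KEY is PKCS#8, EC PRIVATE KEY is SEC1), verifies that each base64 payload decodes to one complete ASN.1 SEQUENCE (which catches truncated or corrupted material before it is stored in CredHub), and reports keys that are not in the required PKCS#1 format. The sample bundles at the bottom are constructed from hand-built minimal DER, not real certificates.

```python
import base64
import re

# PEM block: label in the BEGIN line must be repeated in the END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)

# PEM labels for private keys and what they mean for the PKCS#1 requirement.
# (Assumed conventional labels; only RSA PRIVATE KEY is PKCS#1.)
KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 RSA key (accepted)",
    "PRIVATE KEY": "PKCS#8 key (not PKCS#1; convert before use)",
    "ENCRYPTED PRIVATE KEY": "encrypted PKCS#8 key (not PKCS#1; decrypt and convert)",
    "EC PRIVATE KEY": "SEC1 EC key (not PKCS#1)",
}


def der_sequence_ok(der: bytes) -> bool:
    """True if `der` is exactly one complete ASN.1 SEQUENCE (tag 0x30).

    X.509 certificates and PKCS#1 keys both start with a SEQUENCE whose
    declared length must cover the rest of the payload; any mismatch
    means the base64 was truncated or corrupted.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form: N length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def check_bundle(pem_text: str) -> dict:
    """Classify all PEM blocks and collect problems.

    Returns {"certificates": int, "keys": int, "problems": [str, ...]}.
    A bundle is acceptable only when `problems` is empty, i.e. it holds
    at least one certificate and exactly one PKCS#1 private key.
    """
    certs, keys, problems = 0, 0, []
    blocks = PEM_RE.findall(pem_text)
    if not blocks:
        problems.append("no PEM blocks found")
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            problems.append(f"{label}: invalid base64")
            continue
        if not der_sequence_ok(der):
            problems.append(f"{label}: DER payload is not a complete SEQUENCE")
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            if label != "RSA PRIVATE KEY":
                problems.append(f"{label}: {KEY_LABELS[label]}")
        else:
            problems.append(f"{label}: unexpected PEM block")
    if certs == 0:
        problems.append("bundle contains no certificate")
    if keys != 1:
        problems.append(f"bundle contains {keys} private keys, expected exactly 1")
    return {"certificates": certs, "keys": keys, "problems": problems}


def to_pem(label: str, der: bytes) -> str:
    """PEM-armour a DER payload with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample payloads (not real certificates or keys):
# SEQUENCE { INTEGER 0 } using a short-form length byte.
TINY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
# SEQUENCE { OCTET STRING of 197 zero bytes } using a long-form length (0x81 0xC8).
BIG_DER = bytes([0x30, 0x81, 0xC8, 0x04, 0x81, 0xC5]) + bytes(0xC5)

GOOD_BUNDLE = (to_pem("CERTIFICATE", BIG_DER) + to_pem("CERTIFICATE", TINY_DER)
               + to_pem("RSA PRIVATE KEY", TINY_DER))
PKCS8_BUNDLE = to_pem("CERTIFICATE", BIG_DER) + to_pem("PRIVATE KEY", TINY_DER)
TRUNCATED_BUNDLE = to_pem("CERTIFICATE", BIG_DER[:-10]) + to_pem("RSA PRIVATE KEY", TINY_DER)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("pkcs8", PKCS8_BUNDLE),
                         ("truncated", TRUNCATED_BUNDLE)]:
        print(name, check_bundle(bundle))
```

The check deliberately stops at structure and format; it does not validate the chain. To confirm that a certificate actually chains to the root stored under /a9s_private_components_ca, export the root and any intermediates from CredHub and run `openssl verify -CAfile root.pem -untrusted intermediates.pem cert.pem` against the certificate in question.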

Supported Components

The following a9s Data Service Framework components use (m)TLS connections and share a common configuration interface:

Required Non-TLS Communications

Although TLS can also be enabled for the components not mentioned above, they currently cannot be switched to TLS-only because not all of their clients support TLS at this time. These components therefore keep accepting non-TLS connections alongside TLS.

Used Certificates

The following table lists the certificates currently used by the a9s DSF components.

Deployment       | Component            | Certificate                     | Signed by
backup-service   | a9s Backup Manager   | backup_manager_server_cert      | /a9s_private_components_ca
backup-service   | a9s Backup Manager   | backup_manager_client_cert      | /a9s_private_components_ca
cf-service-guard | a9s CF Service Guard | server_tls                      | /a9s_private_components_ca
a9s Data Service | a9s BOSH Deployer    | a9s_deployer_tls_cert           | /a9s_private_components_ca
a9s Data Service | a9s SPI              | a9s_spi_tls_cert                | /a9s_private_components_ca
a9s Data Service | a9s SPI              | a9s_spi_framework_components_ca | /a9s_private_components_ca
Service Instance | a9s Backup Agent     | backup_agent_server_cert        | a9s_spi_framework_components_ca
Table Legend
  • Deployment: Either the name of a deployment, such as backup-service, or a placeholder: a9s Data Service stands for any a9s Data Service deployment, such as postgresql-service; Service Instance stands for any Service Instance deployment, independent of the a9s Data Service it belongs to.
  • Component: The component using the certificate in question.
  • Certificate: The name of the CredHub variable containing the certificate.
  • Signed by: The name of the CredHub variable containing the certificate that signed the certificate in question.