Version: 68.0.0

TLS Encryption

This section describes the TLS usage and configuration for the a9s Data Service Framework (DSF) components.

General Layout

Each server component is proxied by an NGINX instance which, among other things, takes care of the TLS termination. This way all components offer the same usage and configuration when it comes to (m)TLS. All upstream communication from NGINX to the proxied component goes via localhost over a non-TLS connection.

Certificate Requirements

The components use X.509 certificates for the (m)TLS connections. These X.509 certificates and their corresponding private keys must be in PKCS#1 format and PEM encoded. The server certificates and the client certificates used for the (m)TLS connection must be kept explicitly distinct from each other.

The certificates can be signed by different intermediate certificates, but they are always issued under one of the existing root CA certificates described in Root CAs.
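Since a PKCS#8 key (label PRIVATE KEY) is easy to mistake for the required PKCS#1 key (label RSA PRIVATE KEY), a quick format check before storing a key is useful. The following is an added example, not code from the a9s documentation: it classifies a PEM private key by its label and by the DER structure after the version field, using only the Python standard library; the sample keys at the bottom are constructed DER skeletons, not real keys.

```python
# Added example, not part of the a9s documentation: check that a PEM private
# key is PKCS#1 (RSAPrivateKey), as the DSF requires, and not PKCS#8.
# Standard library only; the samples at the bottom are constructed DER skeletons.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block found in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_format(label, der):
    """Classify a private-key PEM block by its label and its DER layout."""
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return "other:" + label             # e.g. EC PRIVATE KEY, ENCRYPTED PRIVATE KEY
    try:
        tag, body, _ = der_tlv(der, 0)      # outer SEQUENCE
        vtag, _, nxt = der_tlv(body, 0)     # version INTEGER
        ntag, _, _ = der_tlv(body, nxt)     # whatever follows the version
    except IndexError:
        return "malformed"
    if tag != 0x30 or vtag != 0x02:
        return "malformed"
    # RSAPrivateKey continues with the modulus INTEGER, PrivateKeyInfo with an AlgorithmIdentifier SEQUENCE.
    if label == "RSA PRIVATE KEY" and ntag == 0x02:
        return "pkcs1"
    if label == "PRIVATE KEY" and ntag == 0x30:
        return "pkcs8"
    return "label-mismatch"                 # label and DER disagree

def check_key_pem(text):
    """Format of the single private key in a PEM file; 'none' or 'multiple' otherwise."""
    found = [key_format(l, d) for l, d in pem_blocks(text) if l.endswith("PRIVATE KEY")]
    return found[0] if len(found) == 1 else ("none" if not found else "multiple")

def to_pem(label, der):                     # wraps DER bytes in a PEM block
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed skeletons (not real keys): version 0, then a modulus INTEGER (PKCS#1) or the rsaEncryption AlgorithmIdentifier plus an OCTET STRING (PKCS#8).
PKCS1_SAMPLE = to_pem("RSA PRIVATE KEY", bytes.fromhex("3006020100" "02010b"))
PKCS8_SAMPLE = to_pem("PRIVATE KEY", bytes.fromhex("3015020100" "300d06092a864886f70d0101010500" "04010a"))
```

A real key from `openssl genrsa` (PKCS#1) and the same key after `openssl pkcs8 -topk8 -nocrypt` (PKCS#8) are classified the same way as the constructed samples.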

Root CAs

The existing root CA certificates, stored in CredHub, that are used to sign the automatically generated certificates are:

  • /a9s_private_components_ca - Used for the internal communication of the a9s Data Service Framework components.
  • /a9s_public_components_ca - Used to provide endpoints to external entities.

Those root CAs can either be set manually or are generated automatically by the prepare.sh script during the deployment of the a9s DS Framework.

Supported Components

The following a9s Data Service Framework components use (m)TLS connections and share a common configuration interface:

Required Non-TLS Communications

Although it is also possible to enable TLS for the other components not mentioned above, it is currently not possible to switch them to TLS-only, because not all clients support TLS at this time.

Used Certificates

The following table lists the certificates currently used by the a9s DSF components.

Deployment          Component               Certificate                        Signed by
backup-service      a9s Backup Manager      backup_manager_server_cert         /a9s_private_components_ca
backup-service      a9s Backup Manager      backup_manager_client_cert         /a9s_private_components_ca
cf-service-guard    a9s CF Service Guard    server_tls                         /a9s_private_components_ca
a9s Data Service    a9s BOSH Deployer       a9s_deployer_tls_cert              /a9s_private_components_ca
a9s Data Service    a9s SPI                 a9s_spi_tls_cert                   /a9s_private_components_ca
a9s Data Service    a9s SPI                 a9s_spi_framework_components_ca    /a9s_private_components_ca
Service Instance    a9s Backup Agent        backup_agent_server_cert           a9s_spi_framework_components_ca
a9s Data Service    a9s Service Broker      a9s_broker_tls_cert                /a9s_public_components_ca

Table Legend
  • Deployment: Either the name of the deployment, such as backup-service, or a placeholder: a9s Data Service stands for any a9s Data Service deployment (for example postgresql-service), and Service Instance represents any Service Instance deployment regardless of the a9s Data Service used.
  • Component: The component using the certificate in question.
  • Certificate: The name of the CredHub variable containing the certificate.
  • Signed by: The name of the CredHub variable containing the certificate that signed the certificate in question.