General Configuration
a9s Framework Server Components
Each a9s Data Services Framework (DSF) component provides the following properties to configure the API endpoints:
| Property | Note |
|---|---|
protocols.https.cert | The single certificate (server/leaf certificate) that is used for the component. The X.509 certificate MUST be in PKCS#1 format and PEM encoded. |
protocols.https.key | The private key for the protocols.https.cert. The private key MUST be in PKCS#1 format and PEM encoded. The private key MUST NOT be encrypted. |
protocols.https.ca | The ordered certificate chain for the protocols.https.cert. The individual X.509 certificates MUST be in PKCS#1 format and PEM encoded. The first certificate MUST be the CA certificate that signed the certificate in protocols.https.cert. The last certificate MUST be the root CA certificate. The certificate chain can also only consist of the root CA. |
protocols.https.tls_ciphers | Optional This is a property that sets the allowed TLS ciphers by providing a string containing a list of ciphers-filters separated by a colon. Every element of this list can be either a specific cipher suite or a cipher filter. |
tls_ciphers valueHere are some examples on how the value of the tls_ciphers property can be set
A specific cipher suite: AES256-GCM-SHA384.
Multiple cipher suites: AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA128-SHA256.
A cipher filter that represents the list of cipher suites that contain a specific algorithm: SHA1 represent all the cipher filters that uses digest algorithm SHA1.
You can use the operator
+as a logical AND operation to allow for multiple algorithms to be specified. For example: SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms.For more information on the
tls_ciphersstring format, you can check the [openssl/ciphers] (https://www.openssl.org/docs/man1.1.1/man1/ciphers.html) documentation.
Example:
protocols:
http:
enabled: true
port: 3000
https:
enabled: true
port: 3001
ca: ((example_certificate.ca))
cert: ((example_certificate.certificate))
key: ((example_certificate.private_key))
tls_ciphers: HIGH:!ADH:!RC4
This configuration applies to:
Please note that the tls_ciphers property is not enabled for a9s Backup manager and a9s CF Service Guard.
Enable or Disable Endpoints
It is possible to
- have only plain-text endpoints (HTTP) enabled
- have only TLS-secured endpoints (HTTPS) enabled
- have both enabled at the same time
by setting the enabled property to either true or false.
We strongly advise you to not permanently enable both protocols at the same time.
This is only useful for the transition of the a9s Framework from plain-text HTTP to TLS-secured HTTPS communication of the components.
Ports
The default port for most of the a9s components is 3000 for the plain text (HTTP).
The port for the TLS (HTTPS) interface is always HTTP port +1, so in most cases 3001.
An overview of the used ports in the a9s Framework can be found in the ports overview.
a9s Framework Client Components
This section describes the TLS configuration for outgoing connections to the servers using TLS.
Please keep in mind to replace [data_service] with the data services name, e.g.: rabbitmq, postgresql, and so
forth.
a9s Service Broker
The a9s Service Broker communicates with the a9s SPIs:
properties:
anynines_service_broker:
service_adapter:
name: Anynines::ServiceAdapters::ExternalSpi
api_endpoint: https://[data_service]-service-spi.service.dc1.consul.example:3001
username: admin
password: (([data_service]_service_spi_password))
ca: ((/a9s_private_components_ca.ca))
And the a9s BOSH Deployer:
properties:
anynines_service_broker:
bosh_deployer:
api_endpoint: https://[data_service]-service-deployer.service.dc1.((iaas.consul.domain)):3001
username: admin
password: ((/[data_service]_service_deployer_password))
ca: ((/a9s_private_components_ca.ca))
Errands
template-uploader
The template-uploader errand communicates with the a9s Deployer API.
This is the configuration of the TLS properties:
properties:
anynines_service_broker:
bosh_deployer:
api_endpoint: https://[data_service]-service-deployer.service.dc1.consul.example:3001
skip-ssl-validation: false
ca: ((/a9s_deployer_ca.certificate))((/a9s_components_ca.certificate))
password: ((/[data_service]_service_deployer_password))
username: admin
deployment-updater
The deployment-updater errand can be configured to communicate via TLS with the a9s Service Broker:
properties:
deployment-updater:
force-update: true
service-broker-host: [data_service]-service-broker.service.dc1.consul.example
service-broker-password: ((/[data_service]_service_broker_password))
service-broker-protocol: 'https'
service-broker-port: 3001
service-broker-skip-ssl-validation: false
service-broker-username: admin
service-broker-ca: ((/a9s_[data_service]_broker_ca.certificate))((/a9s_components_ca.certificate))
a9s Dashboard Service
The a9s DS API Gateway comunicates with the a9s Backup Manager.
properties:
backup_manager:
url: https://backup-service-backup-manager.service.dc1.((iaas.consul.domain)):3001
username: admin
password: ((/backup_manager_password))
ca: ((/a9s_private_components_ca.ca))
And the a9s Dashboard API:
properties:
anynines-backup-manager:
api_endpoint: https://backup-service-backup-manager.service.dc1.((iaas.consul.domain)):3001
ca: ((/a9s_private_components_ca.ca))
authentication:
http_auth_username: admin
http_auth_password: ((/backup_manager_password))
In addition, the a9s Dashboard Service exposes routing information to CloudFoundry's NATS through its
route_registrar process. Currently, TLS communication is disabled by default for this process due to
backward compatibility concerns.