forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_credhub.html.md.erb
58 lines (55 loc) · 5.77 KB
/
_credhub.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
<p class="note"><strong>Note:</strong> Enabling CredHub is not required. However, you cannot leave the fields under <strong>Encryption Keys</strong> blank. If you do not intend to use CredHub, enter any text in the <strong>Name</strong> and <strong>Key</strong> fields as placeholder values.</p>
1. Select **CredHub**.
1. Choose the location of your CredHub database. PAS includes this CredHub database for services to store their service instance credentials.
<p class="note"><strong>Note</strong>: You cannot choose <strong>Internal</strong> for the CredHub database if you choose <strong>External</strong> for your System Databases. See <a href="#sys-db">Configure System Databases</a> below.</p>
<%= image_tag("images/credhub-db.png") %>
If you chose **External**, enter the following:
<% if current_page.data.iaas == "GCP" and current_page.data.install_type == "terraform" %>
* **Hostname**. This is the IP address of your database server. See the value of `sql_db_ip` from your Terraform output.
* **TCP Port**. This is the port of your database server. Enter `3306`.
* **Username**. This is the value of `pas_sql_username` from your Terraform output.
* **Password**. This is the value of `pas_sql_password` from your Terraform output.
* **Database CA Certificate**. This certificate is used when encrypting traffic to and from the database.
<% elsif current_page.data.iaas == "AWS" and current_page.data.install_type == "terraform" %>
* **Hostname**. This is the IP address of your database server. See the value from the `PcfRdsAddress` key in the AWS output.
* **TCP Port**. This is the port of your database server. See the value from the `PcfRdsPort` key in the AWS output.
* **Username**. This is the value from the `PcfRdsUsername` key in the AWS output.
* **Password**. This is the value from the `PcfRdsPassword` key in the AWS output.
* **Database CA Certificate**. This certificate is used when encrypting traffic to and from the database.
<% elsif current_page.data.iaas == "GCP" %>
* **Hostname**. This is the IP address of the Google Cloud SQL instance that you created in [Step 6: Create Database Instance and Databases](../om/gcp/prepare-env-manual.html#dbs) of the _Preparing to Deploy PCF on GCP_ topic. You can obtain it from the Instances dashboard of the **SQL** configuration page in the GCP Console.
* **TCP Port**. This is the port of your database server, `3306`.
* **Username**. This username can access your CredHub database on the database server. You created users in [Preparing to Deploy PCF on GCP](../om/gcp/prepare-env-manual.html#dbs).
* **Password**. This is the password for the provided username.
* **Database CA Certificate**. This certificate is used when encrypting traffic to and from the database.
<% else %>
* **Hostname**. This is the IP address of your database server.
* **TCP Port**. This is the port of your database server, such as `3306`.
* **Username**. This is a unique username that can access your CredHub database on the database server.
* **Password**. This is the password for the provided username.
* **Database CA Certificate**. This certificate is used when encrypting traffic to and from the database.
<% end %>
1. Under **Encryption Keys**, specify one or more keys to use for encrypting and decrypting the values stored in the CredHub database.
<%= image_tag("images/encryption-keys.png") %>
* **Name**. This is the name of the encryption key.
* **Provider**. This is the provider of the encryption key.
If you have configured an HSM provider and HSM servers above, select **HSM**. Otherwise, select **Internal**.
* **Key**. This key is used for encrypting all data. The key must be at least 20 characters long.
* **Primary**. This checkbox is used for marking the key you specified above as the primary encryption key.
<p class="note"><strong>Note:</strong> Ensure that you mark only one key as <strong>Primary</strong>. For more information about using additional keys for key rotation, see the <a href="../opsguide/credential-rotation.html">Rotating Runtime CredHub Encryption Keys</a> topic.</p>
1. (Optional) To configure CredHub to use an HSM, complete the following fields:
* **HSM Provider Partition**. This is the name of the HSM provider partition.
* **HSM Provider Partition Password**. This password is used to access the HSM provider partition.
* **HSM Provider Client Certificate**. This is the client certificate for the HSM. For more information, see [Create and Register HSM Clients](hsm-config.html#create-register-hsm) in the _Preparing CredHub HSMs for Configuration_ topic.
<%= image_tag("images/hsm-provider.png") %>
* In the **HSM Provider Servers** section, click **Add** to add an HSM server. You can add multiple HSM servers. For each HSM server, complete the following fields:
* **Host Address**. This is the host name or IP address of the HSM server.
* **Port**. This is the port of the HSM server. If you do not know your port address, enter `1792`.
* **Partition Serial Number**. This is the serial number of the HSM partition.
* **HSM Certificate**. This is the certificate for the HSM server. The HSM presents this certificate to CredHub to establish a two-way TLS connection.
1. If your deployment uses any PCF services that support storing service instance credentials in CredHub and you want to enable this feature, select the **Secure Service Instance Credentials** checkbox.
1. Click **Save**.
1. Select the **Resource Config** pane.
1. Under the **Job** column of the **CredHub** row, set the number of instances to `2`. This is the minimum instance count required for high availability.
1. Click **Save**.
For more information about using CredHub for securing service instance credentials, see [Securing Service Instance Credentials with Runtime CredHub](../opsguide/secure-si-creds.html).