The Luna Security Provider Framework causes an application to be automatically configured to work with a bound Luna Security Service.
Detection Criterion | Existence of a single bound Luna Security Provider service. The existence of an Luna Security service defined by the VCAP_SERVICES payload containing a service name, label or tag with luna as a substring.
|
Tags | luna-security-provider=<version> |
When binding to the Luna Security Provider using a user-provided service, it must have name or tag with luna
in it. The credential payload can contain the following entries:
Name | Description |
---|---|
client |
A hash containing client configuration |
servers |
An array of hashes containing server configuration |
groups |
An array of hashes containing group configuration |
Name | Description |
---|---|
certificate |
A PEM encoded client certificate |
private-key |
A PEM encoded client private key |
Name | Description |
---|---|
certificate |
A PEM encoded server certificate |
name |
A host name or address |
Name | Description |
---|---|
label |
The label for the group |
members |
An array of group member serial numbers |
{
"client": {
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"private-key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
},
"servers": [
{
"name": "test-host-1",
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
},
{
"name": "test-host-2",
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
],
"groups": [
{
"label": "test-group-1",
"members": [
"test-serial-number-1",
"test-serial-number-2"
]
},
{
"label": "test-group-2",
"members": [
"test-serial-number-3",
"test-serial-number-4"
]
}
]
}
In order to create the credentials payload, you should collapse the JSON payload to a single line and set it like the following
$ cf create-user-provided-service luna -p '{"client":{"certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","private-key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"},"servers":[{"name":"test-host-1","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"},{"name":"test-host-2","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}],"groups":[{"label":"test-group-1","members":["test-serial-number-1","test-serial-number-2"]},{"label":"test-group-2","members":["test-serial-number-3","test-serial-number-4"]}]}'
For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to Configuration and Extension.
The framework can be configured by modifying the config/luna_security_provider.yml
file in the buildpack. The framework uses the Repository
utility support and so it supports the version syntax defined there.
Name | Description |
---|---|
ha_logging_enabled |
Whether to enable HA logging for the Luna Security Provider. Defaults to true . |
logging_enabled |
Whether to enable the logging wrapper for the Luna Security Provider. Defaults to false . |
tcp_keep_alive_enabled |
Whether to enable the client TCP keep alive setting for the Luna Security Provider. Defaults to false . |
repository_root |
The URL of the Luna Security Provider repository index (details). |
version |
Version of the Luna Security Provider to use. |
The framework can also be configured by overlaying a set of resources on the default distribution. To do this follow one of the options below.
Configuration files are created in this order:
- Default configuration
- Buildpack fork
- Buildpack generated configuration if the bound service has both a
servers
andgroups
key - External configuration if configured
Add files to the resources/luna_security_provider
directory in the buildpack fork. For example, to override the default Chrystoki.conf
add your custom file to resources/luna_security_provider/Chrystoki.conf
.
Set LUNA_CONF_HTTP_URL
to an HTTP or HTTPS URL which points to the directory where your configuration files exist. You may also include a user and password in the URL, like https://user:pass@example.com
.
The Java buildpack will take the URL to the directory provided and attempt to download the following files from that directory:
Chrystoki.conf
server-certificates.pem
Any file successfully downloaded will be copied to the configuration directory. The buildpack does not fail if files are missing.