framework-luna_security_provider.md

File metadata and controls

127 lines (106 loc) · 5.65 KB

Luna Security Provider Framework

The Luna Security Provider Framework causes an application to be automatically configured to work with a bound Luna Security Service.

Detection Criterion: Existence of exactly one bound Luna Security Provider service, that is, a service in the VCAP_SERVICES payload whose name, label or tag contains luna as a substring.
Tags: luna-security-provider=<version>
Tags are printed to standard output by the buildpack detect script.

User-Provided Service

When binding to the Luna Security Provider using a user-provided service, the service must have a name or tag containing luna. The credential payload can contain the following entries:

Name | Description
---- | -----------
client | A hash containing client configuration
servers | An array of hashes containing server configuration
groups | An array of hashes containing group configuration

Client Configuration

Name | Description
---- | -----------
certificate | A PEM encoded client certificate
private-key | A PEM encoded client private key

Server Configuration

Name | Description
---- | -----------
certificate | A PEM encoded server certificate
name | A host name or address

Group Configuration

Name | Description
---- | -----------
label | The label for the group
members | An array of group member serial numbers

Example Credentials Payload

{
  "client": {
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "private-key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
  },
  "servers": [
    {
      "name": "test-host-1",
      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
    },
    {
      "name": "test-host-2",
      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
    }
  ],
  "groups": [
    {
      "label": "test-group-1",
      "members": [
        "test-serial-number-1",
        "test-serial-number-2"
      ]
    },
    {
      "label": "test-group-2",
      "members": [
        "test-serial-number-3",
        "test-serial-number-4"
      ]
    }
  ]
}

Creating Credential Payload

To create the credentials payload, collapse the JSON to a single line and pass it to cf create-user-provided-service with -p, as in the following example. Note that the whole payload, including the client private key, is stored by Cloud Foundry as the service's credentials and handed to the application through VCAP_SERVICES, so anyone who can run cf env against the application can read the key.

$ cf create-user-provided-service luna -p '{"client":{"certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","private-key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"},"servers":[{"name":"test-host-1","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"},{"name":"test-host-2","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}],"groups":[{"label":"test-group-1","members":["test-serial-number-1","test-serial-number-2"]},{"label":"test-group-2","members":["test-serial-number-3","test-serial-number-4"]}]}'
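The following script is an added example and not code from the Java buildpack. It assembles the credential payload described above from PEM text, validates each entry, emits the single-line JSON for the -p argument, and replicates the detection criterion from the top of this page (a bound service whose name, label or a tag contains luna) against a VCAP_SERVICES document. The PEM bodies, host names, serial numbers and service entries are constructed placeholders, not real credentials.

```python
"""Build and sanity-check a Luna Security Provider credential payload.

Added example, not code from the Java buildpack. It assembles the JSON
the framework expects, emits it on one line for
`cf create-user-provided-service -p`, and replicates the detection rule
(a bound service whose name, label or a tag contains "luna") against a
VCAP_SERVICES document. PEM bodies and service entries are constructed
placeholders, not real credentials.
"""
import json
import re

# One PEM block: BEGIN/END labels must agree; the body is at least one line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n.+?\n-----END (?P=label)-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def check_pem(text, what, labels):
    """Return the stripped PEM text, or raise ValueError if it is not one block with an allowed label."""
    m = PEM_BLOCK.fullmatch(text.strip())
    if m is None or m.group("label") not in labels:
        raise ValueError(f"{what}: expected a single PEM block with label in {sorted(labels)}")
    return text.strip()


def validate_credentials(creds):
    """Return a list of problems with a credential payload; an empty list means it is usable."""
    problems = []
    client = creds.get("client", {})
    for key, labels in (("certificate", {"CERTIFICATE"}), ("private-key", KEY_LABELS)):
        try:
            check_pem(client.get(key, ""), f"client {key}", labels)
        except ValueError as exc:
            problems.append(str(exc))
    for srv in creds.get("servers", []):
        if not srv.get("name"):
            problems.append("server entry without a name")
        try:
            check_pem(srv.get("certificate", ""), f"server {srv.get('name')}", {"CERTIFICATE"})
        except ValueError as exc:
            problems.append(str(exc))
    for grp in creds.get("groups", []):
        if not grp.get("label") or not grp.get("members"):
            problems.append(f"group {grp.get('label')!r} needs a label and at least one member serial")
    # Per the page, the buildpack only generates its own Chrystoki.conf when both keys are present.
    if "servers" not in creds or "groups" not in creds:
        problems.append("both servers and groups are needed for buildpack-generated configuration")
    return problems


def build_payload(client_cert, client_key, servers, groups):
    """Assemble the payload from (name, cert) server pairs and (label, [serials]) groups; raise if invalid."""
    payload = {
        "client": {"certificate": client_cert.strip(), "private-key": client_key.strip()},
        "servers": [{"name": name, "certificate": cert.strip()} for name, cert in servers],
        "groups": [{"label": label, "members": list(members)} for label, members in groups],
    }
    problems = validate_credentials(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return payload


def to_single_line(payload):
    """Compact JSON for the -p argument: newlines inside PEM text become the two characters backslash-n."""
    return json.dumps(payload, separators=(",", ":"))


def luna_services(vcap_services):
    """Services the framework would detect: name, label or any tag contains 'luna' (substring, as the page states)."""
    found = []
    for label, instances in vcap_services.items():
        for svc in instances:
            fields = [svc.get("name", ""), svc.get("label", label)] + list(svc.get("tags", []))
            if any("luna" in f for f in fields):
                found.append(svc)
    return found


# Constructed placeholders; real PEM bodies are base64 lines.
CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nMIIBclient...\n-----END CERTIFICATE-----"
CLIENT_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEclient...\n-----END RSA PRIVATE KEY-----"
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nMIIBserver...\n-----END CERTIFICATE-----"

PAYLOAD = build_payload(
    CLIENT_CERT, CLIENT_KEY,
    servers=[("test-host-1", SERVER_CERT), ("test-host-2", SERVER_CERT)],
    groups=[("test-group-1", ["test-serial-number-1", "test-serial-number-2"])])

# A constructed VCAP_SERVICES as the application would see it after cf bind-service.
SAMPLE_VCAP = {"user-provided": [
    {"name": "luna", "label": "user-provided", "tags": [], "credentials": PAYLOAD},
    {"name": "orders-db", "label": "user-provided", "tags": ["mysql"], "credentials": {}},
]}

if __name__ == "__main__":
    print("cf create-user-provided-service luna -p '%s'" % to_single_line(PAYLOAD))
    print("detected:", [s["name"] for s in luna_services(SAMPLE_VCAP)])
```

Run it after replacing the placeholder constants with the real PEM files; the printed command is the one shown above, and the detection check tells you whether the bound service would actually be picked up (and whether a second service with luna in its name would make the "single bound service" criterion fail).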

Configuration

For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to Configuration and Extension.

The framework can be configured by modifying the config/luna_security_provider.yml file in the buildpack. The framework uses the Repository utility support and so it supports the version syntax defined there.

Name | Description
---- | -----------
ha_logging_enabled | Whether to enable HA logging for the Luna Security Provider. Defaults to true.
logging_enabled | Whether to enable the logging wrapper for the Luna Security Provider. Defaults to false.
tcp_keep_alive_enabled | Whether to enable the client TCP keep alive setting for the Luna Security Provider. Defaults to false.
repository_root | The URL of the Luna Security Provider repository index (details).
version | Version of the Luna Security Provider to use.

Additional Resources

The framework can also be configured by overlaying a set of resources on the default distribution. To do this follow one of the options below.

Configuration files are created in the following order, so a file produced by a later step takes precedence over a file of the same name from an earlier step:

  1. Default configuration
  2. Buildpack fork
  3. Buildpack generated configuration, if the bound service has both a servers and a groups key
  4. External configuration, if configured

Buildpack Fork

Add files to the resources/luna_security_provider directory in the buildpack fork. For example, to override the default Chrystoki.conf add your custom file to resources/luna_security_provider/Chrystoki.conf.

External Configuration

Set LUNA_CONF_HTTP_URL to an HTTP or HTTPS URL which points to the directory where your configuration files exist. You may also include a user and password in the URL, like https://user:pass@example.com. Since these files tell the client which HSM servers to trust, prefer HTTPS: over plain HTTP an on-path attacker could substitute Chrystoki.conf or the server certificates. Credentials embedded in the URL are stored in the application's environment and are readable by anyone who can run cf env against the application.

The Java buildpack will take the URL to the directory provided and attempt to download the following files from that directory:

  • Chrystoki.conf
  • server-certificates.pem

Any file successfully downloaded will be copied to the configuration directory. The buildpack does not fail if files are missing, so a mistyped URL or a missing file silently leaves the earlier configuration in place; check the staged application to confirm that the external files were actually applied.