Container Security Provider
February 15, 2018 ยท View on GitHub
The Container Security Provider Framework adds a Security Provider to the JVM that automatically includes BOSH trusted certificates and Diego identity certificates and private keys.
| Detection Criterion | Unconditional |
| Tags | container-security-provider=<version> |
Configuration
For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to Configuration and Extension.
The framework can be configured by modifying the config/container_security_provider.yml file in the buildpack fork. The framework uses the Repository utility support and so it supports the version syntax defined there.
| Name | Description |
|---|---|
repository_root | The URL of the Container Customizer repository index (details). |
version | The version of Container Customizer to use. Candidate versions can be found in this listing. |
key_manager_enabled | Whether the container KeyManager is enabled. Defaults to true. |
trust_manager_enabled | Whether the container TrustManager is enabled. Defaults to true. |
Security Provider
The security provider added by this framework contributes two types, a TrustManagerFactory and a KeyManagerFactory. The TrustManagerFactory adds an additional new TrustManager after the configured system TrustManager which reads the contents of /etc/ssl/certs/ca-certificates.crt which is where BOSH trusted certificates are placed. The KeyManagerFactory adds an additional KeyManager after the configured system KeyManager which reads the contents of the files specified by $CF_INSTANCE_CERT and $CF_INSTANCE_KEY which are set by Diego to give each container a unique cryptographic identity. These TrustManagers and KeyManagers are used transparently by any networking library that reads standard system SSL configuration and can be used to enable system-wide trust and mutual TLS authentication.