forked from cloudfoundry/java-buildpack
Container Security Provider Documentation
This change adds container security provider documentation.
Showing 2 changed files with 38 additions and 0 deletions.
@@ -0,0 +1,37 @@ | ||
# Container Security Provider | ||
The Container Security Provider Framework adds a Security Provider to the JVM that automatically includes BOSH trusted certificates and Diego identity certificates and private keys. | ||
|
||
<table> | ||
<tr> | ||
<td><strong>Detection Criterion</strong></td> | ||
<td>Unconditional</td> | ||
</tr> | ||
<tr> | ||
<td><strong>Tags</strong></td> | ||
<td><tt>container-security-provider=<version></tt></td> | ||
</tr> | ||
</table> | ||
Tags are printed to standard output by the buildpack detect script | ||
|
||
## Configuration | ||
For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to [Configuration and Extension][]. | ||
|
||
The framework can be configured by modifying the [`config/container_security_provider.yml`][] file in the buildpack fork. The framework uses the [`Repository` utility support][repositories] and so it supports the [version syntax][] defined there. | ||
|
||
| Name | Description | ||
| ---- | ----------- | ||
| `repository_root` | The URL of the Container Customizer repository index ([details][repositories]). | ||
| `version` | The version of Container Customizer to use. Candidate versions can be found in [this listing][]. | ||
|
||
## Security Provider | ||
The [security provider][] added by this framework contributes two types, a `TrustManagerFactory` and a `KeyManagerFactory`. The `TrustManagerFactory` adds an additional new `TrustManager` after the configured system `TrustManager` which reads the contents of `/etc/ssl/certs/ca-certificates.crt` which is where [BOSH trusted certificates][] are placed. The `KeyManagerFactory` adds an additional `KeyManager` after the configured system `KeyManager` which reads the contents of the files specified by `$CF_INSTANCE_CERT` and `$CF_INSTANCE_KEY` which are set by Diego to give each container a unique cryptographic identity. These `TrustManager`s and `KeyManager`s are used transparently by any networking library that reads standard system SSL configuration and can be used to enable system-wide trust and [mutual TLS authentication][]. | ||
|
||
|
||
[`config/container_security_provider.yml`]: ../config/container_security_provider.yml | ||
[BOSH trusted certificates]: https://bosh.io/docs/trusted-certs.html | ||
[Configuration and Extension]: ../README.md#configuration-and-extension | ||
[mutual TLS authentication]: https://en.wikipedia.org/wiki/Mutual_authentication | ||
[repositories]: extending-repositories.md | ||
[security provider]: https://github.com/cloudfoundry/java-buildpack-security-provider | ||
[this listing]: http://download.pivotal.io.s3.amazonaws.com/container-security-provider/index.yml | ||
[version syntax]: extending-repositories.md#version-syntax-and-ordering |
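Review bot: the two rows of the configuration table (`repository_root` and `version`) describe the index and the version as "Container Customizer", which is the wrong framework name for this file and looks copied from another framework's doc; both should say "Container Security Provider", e.g. `| \`repository_root\` | The URL of the Container Security Provider repository index ([details][repositories]). |` and `| \`version\` | The version of Container Security Provider to use. Candidate versions can be found in [this listing][]. |`. Two smaller points in the same hunk: the `Tags` cell is raw HTML, so `<tt>container-security-provider=<version></tt>` will have `<version>` parsed as an HTML tag rather than shown as text and should be written `<tt>container-security-provider=&lt;version&gt;</tt>`; and the `[this listing]` reference links the repository index over plain `http://`, which is worth changing to `https://` if the host serves it, since that index is what `repository_root` points at and it names the artifact the buildpack downloads.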