The Container Security Provider Framework adds a Security Provider to the JVM that automatically includes BOSH trusted certificates and Diego identity certificates and private keys.
| Property | Value |
|---|---|
| Detection Criterion | Unconditional |
| Tags | `container-security-provider=<version>` |
For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to Configuration and Extension.
The framework can be configured by modifying the `config/container_security_provider.yml` file in the buildpack fork. The framework uses the Repository utility support and so supports the version syntax defined there.
| Name | Description |
|---|---|
| `repository_root` | The URL of the Container Customizer repository index (details). |
| `version` | The version of Container Customizer to use. Candidate versions can be found in this listing. |
| `key_manager_enabled` | Whether the container KeyManager is enabled. Defaults to `true`. |
| `trust_manager_enabled` | Whether the container TrustManager is enabled. Defaults to `true`. |
The security provider added by this framework contributes two types: a `TrustManagerFactory` and a `KeyManagerFactory`. The `TrustManagerFactory` adds a new `TrustManager` after the configured system `TrustManager`; it reads `/etc/ssl/certs/ca-certificates.crt`, which is where BOSH places its trusted certificates. The `KeyManagerFactory` adds a new `KeyManager` after the configured system `KeyManager`; it reads the files named by `$CF_INSTANCE_CERT` and `$CF_INSTANCE_KEY`, which Diego sets to give each container a unique cryptographic identity. Because they are registered through the standard provider mechanism, these TrustManagers and KeyManagers are picked up transparently by any networking library that reads the system SSL configuration, and can be used to enable system-wide trust and mutual TLS authentication.
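To make the "additional TrustManager after the system TrustManager" behaviour concrete, here is an added example (not code from the buildpack or the Container Security Provider project) that builds the same kind of chain by hand: the JVM's default trust manager is consulted first, and the BOSH CA bundle at `/etc/ssl/certs/ca-certificates.crt` is consulted only if the default one rejects the chain. The class name `ChainedTrust`, the `DelegatingTrustManager` type and the `bosh-<n>` keystore aliases are assumptions made for this example; the bundle path and its meaning come from the page. It covers the trust side only, not the `KeyManager` built from `$CF_INSTANCE_CERT` and `$CF_INSTANCE_KEY`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: system trust first, then the BOSH CA bundle. Not the framework's own code. */
public final class ChainedTrust {

    /** Location of BOSH trusted certificates, as described on this page. */
    static final Path BOSH_CA_BUNDLE = Paths.get("/etc/ssl/certs/ca-certificates.crt");

    /** Accepts a chain if any delegate accepts it, trying delegates in the given order. */
    static final class DelegatingTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        DelegatingTrustManager(List<X509TrustManager> delegates) {
            this.delegates = delegates;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            check(chain, authType, false);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            check(chain, authType, true);
        }

        private void check(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    if (server) tm.checkServerTrusted(chain, authType); else tm.checkClientTrusted(chain, authType);
                    return; // the first delegate that trusts the chain decides
                } catch (CertificateException e) {
                    last = e; // keep the failure and try the next delegate
                }
            }
            // Nobody trusted it: surface the last rejection rather than silently accepting.
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> issuers = new ArrayList<>();
            for (X509TrustManager tm : delegates) issuers.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            return issuers.toArray(new X509Certificate[0]);
        }
    }

    /** Loads every certificate in a concatenated PEM bundle into an in-memory trust store. */
    static X509TrustManager trustManagerFromPemBundle(Path bundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty, in-memory keystore
        try (InputStream in = Files.newInputStream(bundle)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("bosh-" + (i++), c); // alias scheme is an assumption of this example
            }
        }
        return firstX509(initFactory(ks));
    }

    /** The JVM's configured system trust manager (cacerts or javax.net.ssl.trustStore). */
    static X509TrustManager systemTrustManager() throws Exception {
        return firstX509(initFactory(null));
    }

    private static TrustManagerFactory initFactory(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // a null KeyStore selects the JVM default trust store
        return tmf;
    }

    private static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        List<X509TrustManager> chain = new ArrayList<>();
        chain.add(systemTrustManager());
        if (Files.isReadable(BOSH_CA_BUNDLE)) {
            chain.add(trustManagerFromPemBundle(BOSH_CA_BUNDLE)); // only present inside a BOSH-managed container
        }
        DelegatingTrustManager combined = new DelegatingTrustManager(chain);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, null);
        SSLContext.setDefault(ctx); // libraries that use the default context now see system + BOSH trust
        System.out.println("accepted issuers: " + combined.getAcceptedIssuers().length);
    }
}
```

The ordering matters for the security property the page describes: the chain only ever widens trust by adding the BOSH bundle, and every delegate still performs full path validation, so a certificate that neither store can validate is still rejected. The framework does this through the provider mechanism so that no application code like the `SSLContext.setDefault` call above is needed; the example exists only to show what the resulting trust decision looks like.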