Configuring a more secure BOSH
Core Project Updates
Saman Alvi & Dale Wick - Core BOSH Contributors
Who are we?
• Saman Alvi, salvi@pivotal.io, @err_sage
• Dale Wick, dwick@pivotal.io, @hardhatpsp
Securing your BOSH Deployments with Variables
Agenda:
• What problems are we solving?
• How does it work?
• How do you use it?
• Integration with legacy systems
• Future
What problems are we solving?
Problem #1: Sensitive / secret information stored in manifests
Problem #2: Weak passwords, reused certificates
Problem #3: Static manifests for different staging environments (Test, Dev, Prod)
Problem #4: Difficult and error prone to rotate sensitive information
Problem #5: No separation between credential and deployment management
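Problems #1 and #2 can be checked for mechanically. The following is an added example, not code from the slides or from BOSH: it walks a manifest and reports every sensitive-looking property (password, key, cert, token, or any PEM block) that still holds a literal value instead of a ((variable)) reference, and any literal secret that is reused in more than one place. The manifest, job names and the key-name heuristic are constructed for the example.

```ruby
# Added example (not from the slides or BOSH): find plaintext and reused
# secrets in a BOSH manifest. Ruby's stdlib YAML is enough; no gems needed.
require 'yaml'

SENSITIVE_KEY = /password|secret|key|cert|token/i   # heuristic, by key name
VAR_REF       = /\A\(\([^()]+\)\)\z/                 # the whole value is ((...))
PEM_BLOCK     = /-----BEGIN [A-Z ]+-----/

# Constructed sample manifest; job and property names are hypothetical.
SAMPLE_MANIFEST = <<~YAML
  name: my_dep
  jobs:
  - name: db
    release: postgres
    properties:
      username: admin
      password: s3cr3t!
  - name: director
    release: bosh
    properties:
      ssl:
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          MIIB...
          -----END RSA PRIVATE KEY-----
        cert: ((director_ssl.certificate))
  - name: nats
    release: bosh
    properties:
      password: s3cr3t!
      tls_cert: ((director_ssl.certificate))
YAML

# Depth-first walk over the parsed manifest, yielding [path, value] for
# every scalar so the caller decides what counts as sensitive.
def each_scalar(node, path = [], &blk)
  case node
  when Hash  then node.each { |k, v| each_scalar(v, path + [k.to_s], &blk) }
  when Array then node.each_with_index { |v, i| each_scalar(v, path + [i.to_s], &blk) }
  else blk.call(path, node)
  end
end

# Returns findings as { path:, reason: } hashes.
#   plaintext: a sensitive key (or any PEM block) holds a literal value
#   reused:    the same literal secret appears under more than one path
def scan_manifest(yaml_text)
  manifest = YAML.safe_load(yaml_text)
  findings = []
  literals = Hash.new { |h, k| h[k] = [] }

  each_scalar(manifest) do |path, value|
    next unless value.is_a?(String)
    next if value.match?(VAR_REF)              # already a variable reference
    sensitive = path.last.match?(SENSITIVE_KEY) || value.match?(PEM_BLOCK)
    next unless sensitive
    findings << { path: path.join('.'), reason: 'plaintext' }
    literals[value] << path.join('.')
  end

  literals.each_value do |paths|
    next if paths.size < 2
    paths.each { |p| findings << { path: p, reason: 'reused' } }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_manifest(SAMPLE_MANIFEST).each { |f| puts "#{f[:reason]}: #{f[:path]}" }
end
```

Run against the sample it reports the two literal passwords and the inline private key as plaintext, and flags both copies of the shared password as reused; the ((director_ssl.certificate)) references pass. The key-name regex is deliberately broad, so expect to tune it for your own property names.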
config-server-api
How does it work?
Variables
A variable is a named parameter that has a value:
• Passwords, properties
• A value you do not want in plain text
• A value that is subject to change

Variable Types
Variables can have a type, and a type may require options (e.g. certificate).
Instead of a literal value in the manifest (password: "s3cr3t!"), declare a typed variable (type: password) and let the value be generated.
Variable Values
Variable values can be specified by the operator via the CLI. At deploy time:
1. The operator specifies variables and values
2. The CLI parses the variables
3. The Director substitutes the values into the manifest (deployment, runtime config, cloud config)
Variable Values
Variable values can be generated by the Config Server. At deploy time:
1. The Director parses the variables (deployment, runtime config, cloud config)
2. The Director requests the variable values from the Config Server
3. The Config Server returns generated or existing values (it stores the values it generates)
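The three steps above, as an added example that is not BOSH's own code: parse the ((...)) references out of a manifest, obtain a value for each variable, and substitute the values back in. The manifest, its job and property names and the operator-supplied values are constructed for the example; nested values are addressed with a dot, as in ((redis_ssl.private_key)).

```ruby
# Added example (not BOSH's own code): the deploy-time variable flow as a
# small interpolator. Step 1 parses references, step 2 obtains values,
# step 3 substitutes them.
require 'set'
require 'yaml'

VAR_PATTERN = /\(\(([^()]+)\)\)/        # ((name)) or ((name.key))

# Constructed sample manifest; job and property names are hypothetical.
MANIFEST = <<~YAML
  name: my_dep
  networks:
  - name: default
    static: [((internal_ip))]
  jobs:
  - name: redis
    release: redis
    properties:
      max_connections: "((max_conn))"
      password: "((redis_password))"
      listen: "((internal_ip)):6379"
      tls:
        cert: "((redis_ssl.certificate))"
        key: "((redis_ssl.private_key))"
YAML

# Step 1: collect the variable names referenced anywhere in the manifest.
# "redis_ssl.private_key" refers to variable redis_ssl, key private_key.
def referenced_variables(node, acc = Set.new)
  case node
  when Hash   then node.each_value { |v| referenced_variables(v, acc) }
  when Array  then node.each { |v| referenced_variables(v, acc) }
  when String then node.scan(VAR_PATTERN) { |(ref)| acc << ref.split('.', 2).first }
  end
  acc
end

# Look one reference up in the resolved values. An unknown variable or key
# is an error: the alternative is deploying the literal text "((name))" as
# a password or certificate, which is exactly the failure mode to avoid.
def resolve(ref, values)
  name, key = ref.split('.', 2)
  raise KeyError, "no value for variable #{name}" unless values.key?(name)
  return values[name] if key.nil?
  nested = values[name]
  unless nested.is_a?(Hash) && nested.key?(key)
    raise KeyError, "variable #{name} has no key #{key}"
  end
  nested[key]
end

# Step 3: substitute. A string that is exactly one reference takes the
# resolved value with its type intact (max_conn=10 stays an integer); a
# reference embedded in a longer string is rendered as text.
def interpolate(node, values)
  case node
  when Hash  then node.transform_values { |v| interpolate(v, values) }
  when Array then node.map { |v| interpolate(v, values) }
  when String
    if (m = node.match(/\A#{VAR_PATTERN}\z/))
      resolve(m[1], values)
    else
      node.gsub(VAR_PATTERN) { resolve(Regexp.last_match(1), values).to_s }
    end
  else node
  end
end

# Step 2 is whoever supplies the values; here the operator's -v flags,
# modelled as a hash keyed by variable name. Every referenced variable must
# be set before anything is substituted.
def deploy(yaml_text, operator_vars)
  manifest = YAML.safe_load(yaml_text)
  missing = referenced_variables(manifest) - operator_vars.keys
  raise KeyError, "unset variables: #{missing.to_a.sort.join(', ')}" unless missing.empty?
  interpolate(manifest, operator_vars)
end

if __FILE__ == $PROGRAM_NAME
  values = { 'internal_ip' => '192.168.50.6', 'max_conn' => 10, 'redis_password' => 'pw',
             'redis_ssl' => { 'certificate' => 'CERT...', 'private_key' => 'KEY...' } }
  puts deploy(MANIFEST, values).to_yaml
end
```

The check that every referenced variable has a value happens before any substitution, so a typo in a variable name fails the deploy instead of shipping a job with the literal string ((db_password)) as its password.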
How do you use it?
Config Server Release
Requires the latest BOSH release and the new BOSH CLI. Enable the Config Server in the Director's properties:
properties:
  director:
    config_server:
      enabled: true
      url: ...
      uaa: ...
Variable Values
The variable that will be substituted goes inside the (( )):
jobs:
- name: db
  release: postgres
  properties:
    username: "((db_user))"
    password: "((db_password))"
- name: director
  release: bosh
  properties:
    ssl:
      key: "((private_key))"
      cert: "((certificate))"
Variable Values
Specify variable values using command line flags:
$ bosh -e dev -d my_dep \
    -v internal_ip=192.168.50.6 \
    -v max_conn=10
networks:
…
  static: [((internal_ip))]
…
properties:
  redis:
    max_connections: "((max_conn))"
Variable Values
Generate variable values via the Config Server: on bosh deploy, a variable declared under variables: with a type (here db_password) is generated by the Config Server and substituted into the manifest.
jobs:
- name: db
  release: postgres
  properties:
    username: "admin"
    password: "((db_password))"
variables:
- name: db_password
  type: password
Variable Values
Certificates, SSH & RSA keys: variables with nested values are addressed with a "." (e.g. ((ssl.private_key))).
On bosh deploy the ssl variable is generated according to its options:
variables:
- name: ssl
  type: certificate
  options:
    is_ca: true
    common_name: "bosh.io"
jobs:
- name: director
  release: bosh
  properties:
    ssl:
      key: "((ssl.private_key))"
      cert: "((ssl.certificate))"
The Config Server stores the generated value as one object with a key per part:
"id": "22",
"value": {
  "certificate": "CA Certificate…",
  "private_key": "Private Key…",
  "ca": "CA…"
}
Variable Values
Generating certificates & certificate chaining: a certificate variable can name another certificate variable as its ca. On bosh deploy, default_ca is generated first and director_ssl is signed by it.
variables:
- name: default_ca
  type: certificate
  options:
    is_ca: true
    common_name: "bosh"
- name: director_ssl
  type: certificate
  options:
    ca: default_ca
    common_name: ((internal_ip))
jobs:
- name: director
  release: bosh
  properties:
    ssl:
      key: "((director_ssl.private_key))"
      cert: "((director_ssl.certificate))"
Variable Values
Share variables across deployments: variables whose name begins with "/" can be shared across multiple deployments. All three deployments below resolve the same /dd_api_key.
name: deployment_1
jobs:
- name: datadog-agent
  release: datadog-agent
  properties:
    api_key: "((/dd_api_key))"

name: deployment_2
jobs:
- name: datadog-agent
  release: datadog-agent
  properties:
    api_key: "((/dd_api_key))"

name: deployment_3
jobs:
- name: datadog-agent
  release: datadog-agent
  properties:
    api_key: "((/dd_api_key))"
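The generation and chaining slides and the shared-variable slide describe the same piece of machinery: a store that generates a typed value on first use, returns the existing value afterwards, signs a certificate with the CA variable it names, and scopes names per deployment unless they start with "/". The following is an added example of that behaviour, not the Config Server, CredHub or the CLI vars-store code. The class and helper names are mine; the sample variables mirror the slides (db_password, /dd_api_key, default_ca, director_ssl) and the "/<director>/<deployment>/<name>" storage key copies the name format `bosh variables` lists.

```ruby
# Added example (not the Config Server or vars-store implementation): a
# minimal variable store with the behaviour the slides describe.
require 'openssl'
require 'securerandom'

class VariableStore
  def initialize(director:)
    @director = director
    @values = {}   # storage key => value (String for password, Hash for certificate)
  end

  # A name starting with '/' is stored under exactly that name and is shared by
  # every deployment; anything else is scoped to /<director>/<deployment>/<name>.
  def key_for(name, deployment)
    name.start_with?('/') ? name : "/#{@director}/#{deployment}/#{name}"
  end

  # Value for one entry of the manifest's `variables:` list: generated on first
  # use, returned unchanged afterwards, so a redeploy does not rotate secrets.
  def value_for(definition, deployment:)
    key = key_for(definition['name'], deployment)
    @values[key] ||= generate(definition, deployment)
  end

  private

  def generate(definition, deployment)
    case definition['type']
    when 'password'    then SecureRandom.alphanumeric(20)
    when 'certificate' then certificate(definition.fetch('options', {}), deployment)
    else raise ArgumentError, "unknown variable type #{definition['type']}"
    end
  end

  # certificate type: fresh RSA key plus an X.509 certificate, self-signed when
  # is_ca is set, otherwise signed by the already generated variable named in ca.
  def certificate(options, deployment)
    ca = nil
    unless options['is_ca']
      ca = @values.fetch(key_for(options.fetch('ca'), deployment)) do
        raise ArgumentError, "CA #{options['ca']} has not been generated yet"
      end
    end

    key  = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = SecureRandom.random_number(2**63)
    cert.subject    = OpenSSL::X509::Name.parse("/CN=#{options.fetch('common_name')}")
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after  = cert.not_before + 365 * 24 * 3600

    if ca
      issuer_cert = OpenSSL::X509::Certificate.new(ca['certificate'])
      issuer_key  = OpenSSL::PKey::RSA.new(ca['private_key'])
    else
      issuer_cert, issuer_key = cert, key          # self-signed root
    end
    cert.issuer = issuer_cert.subject

    ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints',
                                           ca ? 'CA:FALSE' : 'CA:TRUE', true))
    cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))

    # Same shape as the stored value in the slides: certificate, private_key, ca.
    { 'certificate' => cert.to_pem, 'private_key' => key.to_pem, 'ca' => issuer_cert.to_pem }
  end
end

# Resolve a deployment's `variables:` list in order; a certificate that names a
# ca must be listed after that CA. Returns variable name => value.
def resolve_variables(store, deployment, variables)
  variables.each_with_object({}) do |definition, values|
    values[definition['name']] = store.value_for(definition, deployment: deployment)
  end
end

# The check to run before trusting a generated chain: the leaf must verify
# against the CA carried in its own `ca` part.
def chain_valid?(cert_value)
  trust = OpenSSL::X509::Store.new
  trust.add_cert(OpenSSL::X509::Certificate.new(cert_value['ca']))
  trust.verify(OpenSSL::X509::Certificate.new(cert_value['certificate']))
end

# Constructed sample mirroring the slides: a per-deployment password, the
# shared /dd_api_key, and the default_ca -> director_ssl chain.
VARIABLES = [
  { 'name' => 'db_password',  'type' => 'password' },
  { 'name' => '/dd_api_key',  'type' => 'password' },
  { 'name' => 'default_ca',   'type' => 'certificate',
    'options' => { 'is_ca' => true, 'common_name' => 'bosh' } },
  { 'name' => 'director_ssl', 'type' => 'certificate',
    'options' => { 'ca' => 'default_ca', 'common_name' => '192.168.50.6' } }
].freeze

if __FILE__ == $PROGRAM_NAME
  store = VariableStore.new(director: 'dev')
  d1 = resolve_variables(store, 'deployment_1', VARIABLES)
  d2 = resolve_variables(store, 'deployment_2', VARIABLES)
  puts "shared /dd_api_key identical: #{d1['/dd_api_key'] == d2['/dd_api_key']}"
  puts "db_password differs:          #{d1['db_password'] != d2['db_password']}"
  puts "director_ssl chain valid:     #{chain_valid?(d1['director_ssl'])}"
end
```

Two points worth noticing when running it: a second deployment that declares default_ca gets its own CA, so its director_ssl does not verify against the first deployment's CA (only the "/"-prefixed name is shared), and resolving the same deployment twice returns the stored values rather than regenerating them, which is the property that makes rotation an explicit operation rather than a side effect of every deploy.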
Variable Values
vars-store - your local Config Server. The operator passes --vars-store and the CLI generates any missing variable values itself, writing them to the file (the values are stored in plain text, so protect creds.yml like any other secret):
$ bosh -e dev -d my_dep deploy dep.yml --vars-store ./creds.yml
creds.yml after the deploy:
nats_password: qdbzr3marbv0x2jp6ihs
ssl:
  ca: |
    -----BEGIN CERTIFICATE-----
    …
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    …
  certificate: |
    -----BEGIN CERTIFICATE-----
    …
dep.yml:
jobs:
- name: nats
  release: bosh
  properties:
    username: "admin"
    password: "((nats_password))"
- name: director
  release: bosh
  properties:
    ssl:
      key: "((ssl.private_key))"
      certificate: "((ssl.certificate))"
variables:
- name: nats_password
  type: password
- name: ssl
  type: certificate
$ bosh create-env
$ bosh create-env ~/workspace/bosh-deployment/bosh.yml \
    --state ./state.json \
    --vars-store ./creds.yml \
    -v director_name="Bosh Lite Director" \
    -v internal_ip=192.168.50.6 \
    -v internal_gw=192.168.50.1 \
    -v internal_cidr=192.168.50.0/24 \
    -v outbound_network_name=NatNetwork
Variables
$ bosh -e dev -d my_dep variables
ID  Name
22  /director_name/deployment_name/variable_name
23  /director_name/deployment_name/variable_name2
Only variables resolved through the Config Server show up in this list.
* The ID is subject to change to a GUID in the future; do not rely on this format.
Integration with legacy systems
System Integrations
BOSH uses the Config Server API to communicate with the Config Server: BOSH talks to the API, and any backend that implements the API can sit behind it.
Credhub
• Recommended production implementation
• Implements the Config Server API
• Encryption through HSM
Or your own implementation of the API.
Future
Future
1. Set validated types for variables:
• String
• Number
• Object
• Array
• Boolean
• Null
2. Certificate DNS names and jobs: generated certificates belonging to jobs (and releases) will have their SANs and Common Name managed by BOSH.
Get started with…
• github.com/cloudfoundry/config-server-release
• github.com/cloudfoundry/config-server/blob/master/docs/api.md
• bosh.io/docs/cli-int.html
• github.com/cloudfoundry/bosh-deployment
• github.com/cloudfoundry-incubator/credhub
In Conclusion…
variables = (figure)
DEMO
Questions?
• Saman Alvi, salvi@pivotal.io, @err_sage
• Dale Wick, dwick@pivotal.io, @hardhatpsp

More Related Content

What's hot

Varnish Cache and its usage in the real world!
Varnish Cache and its usage in the real world!Varnish Cache and its usage in the real world!
Varnish Cache and its usage in the real world!Ivan Chepurnyi
 
Automating OSD and Post-OSD Configuration with Powershell and Orchestrator
Automating OSD and Post-OSD Configuration with Powershell and OrchestratorAutomating OSD and Post-OSD Configuration with Powershell and Orchestrator
Automating OSD and Post-OSD Configuration with Powershell and OrchestratorDigicomp Academy AG
 
Developing, deploying and monitoring Java applications using Google App Engine
Developing, deploying and monitoring Java applications using Google App EngineDeveloping, deploying and monitoring Java applications using Google App Engine
Developing, deploying and monitoring Java applications using Google App EngineIndicThreads
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesAlfresco Software
 
Backup and Restore SQL Server Databases in Microsoft Azure
Backup and Restore SQL Server Databases in Microsoft AzureBackup and Restore SQL Server Databases in Microsoft Azure
Backup and Restore SQL Server Databases in Microsoft AzureDatavail
 
Masterclass Advanced Usage of the AWS CLI
Masterclass Advanced Usage of the AWS CLIMasterclass Advanced Usage of the AWS CLI
Masterclass Advanced Usage of the AWS CLIDanilo Poccia
 
Deep Dive into AWS CLI - the command line interface
Deep Dive into AWS CLI - the command line interfaceDeep Dive into AWS CLI - the command line interface
Deep Dive into AWS CLI - the command line interfaceJohn Varghese
 
More Cache for Less Cash
More Cache for Less CashMore Cache for Less Cash
More Cache for Less CashMichael Collier
 
MonkeyMan – a Perl5 framework for Apache CloudStack automation
MonkeyMan – a Perl5 framework for Apache CloudStack automation MonkeyMan – a Perl5 framework for Apache CloudStack automation
MonkeyMan – a Perl5 framework for Apache CloudStack automation Cloud IaaS Provider Tucha
 
SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...
SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...
SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...Sencha
 
Django Multi-DB in Anger
Django Multi-DB in AngerDjango Multi-DB in Anger
Django Multi-DB in AngerLoren Davie
 
Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013
Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013
Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013Amazon Web Services
 
Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)Jeffery Hicks
 
Sql bits creating a meta data driven ssis solution with biml
Sql bits   creating a meta data driven ssis solution with bimlSql bits   creating a meta data driven ssis solution with biml
Sql bits creating a meta data driven ssis solution with bimlMarco Schreuder
 
CouchDB for Web Applications - Erlang Factory London 2009
CouchDB for Web Applications - Erlang Factory London 2009CouchDB for Web Applications - Erlang Factory London 2009
CouchDB for Web Applications - Erlang Factory London 2009Jason Davies
 
NodeHack #2 - MVP
NodeHack #2 - MVPNodeHack #2 - MVP
NodeHack #2 - MVPRuben Tan
 

What's hot (20)

Varnish Cache and its usage in the real world!
Varnish Cache and its usage in the real world!Varnish Cache and its usage in the real world!
Varnish Cache and its usage in the real world!
 
Automating OSD and Post-OSD Configuration with Powershell and Orchestrator
Automating OSD and Post-OSD Configuration with Powershell and OrchestratorAutomating OSD and Post-OSD Configuration with Powershell and Orchestrator
Automating OSD and Post-OSD Configuration with Powershell and Orchestrator
 
Developing, deploying and monitoring Java applications using Google App Engine
Developing, deploying and monitoring Java applications using Google App EngineDeveloping, deploying and monitoring Java applications using Google App Engine
Developing, deploying and monitoring Java applications using Google App Engine
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best Practices
 
Backup and Restore SQL Server Databases in Microsoft Azure
Backup and Restore SQL Server Databases in Microsoft AzureBackup and Restore SQL Server Databases in Microsoft Azure
Backup and Restore SQL Server Databases in Microsoft Azure
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
 
Masterclass Advanced Usage of the AWS CLI
Masterclass Advanced Usage of the AWS CLIMasterclass Advanced Usage of the AWS CLI
Masterclass Advanced Usage of the AWS CLI
 
Deep Dive into AWS CLI - the command line interface
Deep Dive into AWS CLI - the command line interfaceDeep Dive into AWS CLI - the command line interface
Deep Dive into AWS CLI - the command line interface
 
More Cache for Less Cash
More Cache for Less CashMore Cache for Less Cash
More Cache for Less Cash
 
MonkeyMan – a Perl5 framework for Apache CloudStack automation
MonkeyMan – a Perl5 framework for Apache CloudStack automation MonkeyMan – a Perl5 framework for Apache CloudStack automation
MonkeyMan – a Perl5 framework for Apache CloudStack automation
 
SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...
SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...
SenchaCon 2016: Upgrading an Ext JS 4.x Application to Ext JS 6.x - Mark Linc...
 
Django Multi-DB in Anger
Django Multi-DB in AngerDjango Multi-DB in Anger
Django Multi-DB in Anger
 
Fluent 2012 v2
Fluent 2012   v2Fluent 2012   v2
Fluent 2012 v2
 
Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013
Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013
Becoming a Command Line Expert with the AWS CLI (TLS304) | AWS re:Invent 2013
 
Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)
 
harry presentation
harry presentationharry presentation
harry presentation
 
Sql bits creating a meta data driven ssis solution with biml
Sql bits   creating a meta data driven ssis solution with bimlSql bits   creating a meta data driven ssis solution with biml
Sql bits creating a meta data driven ssis solution with biml
 
ansible why ?
ansible why ?ansible why ?
ansible why ?
 
CouchDB for Web Applications - Erlang Factory London 2009
CouchDB for Web Applications - Erlang Factory London 2009CouchDB for Web Applications - Erlang Factory London 2009
CouchDB for Web Applications - Erlang Factory London 2009
 
NodeHack #2 - MVP
NodeHack #2 - MVPNodeHack #2 - MVP
NodeHack #2 - MVP
 

Similar to Configuring a more secure BOSH

DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...
DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...
DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...Timofey Turenko
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioningSource Ministry
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 
Seguranca em APP Rails
Seguranca em APP RailsSeguranca em APP Rails
Seguranca em APP RailsDaniel Lopes
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...Amazon Web Services
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateAlex Pop
 
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsPVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsAndrey Karpov
 
Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Colin Charles
 
MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016Colin Charles
 
SharePoint Security in an Insecure World - AUSPC 2012
SharePoint Security in an Insecure World - AUSPC 2012SharePoint Security in an Insecure World - AUSPC 2012
SharePoint Security in an Insecure World - AUSPC 2012Michael Noel
 
Evolutionary Database Design
Evolutionary Database DesignEvolutionary Database Design
Evolutionary Database DesignAndrei Solntsev
 
Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014
Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014
Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014Rackspace Academy
 
SQL KONFERENZ 2020 Azure Key Vault, Azure Dev Ops and Azure Data Factory how...
SQL KONFERENZ 2020  Azure Key Vault, Azure Dev Ops and Azure Data Factory how...SQL KONFERENZ 2020  Azure Key Vault, Azure Dev Ops and Azure Data Factory how...
SQL KONFERENZ 2020 Azure Key Vault, Azure Dev Ops and Azure Data Factory how...Erwin de Kreuk
 

Similar to Configuring a more secure BOSH (20)

DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...
DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...
DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioning
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 
Seguranca em APP Rails
Seguranca em APP RailsSeguranca em APP Rails
Seguranca em APP Rails
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
 
Deep dive into AWS fargate
Deep dive into AWS fargateDeep dive into AWS fargate
Deep dive into AWS fargate
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsPVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
 
Making Sense out of Amazon ECS
Making Sense out of Amazon ECSMaking Sense out of Amazon ECS
Making Sense out of Amazon ECS
 
Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7
 
MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016
 
Ruby For Startups
Ruby For StartupsRuby For Startups
Ruby For Startups
 
Build Automation 101
Build Automation 101Build Automation 101
Build Automation 101
 
SharePoint Security in an Insecure World - AUSPC 2012
SharePoint Security in an Insecure World - AUSPC 2012SharePoint Security in an Insecure World - AUSPC 2012
SharePoint Security in an Insecure World - AUSPC 2012
 
Evolutionary Database Design
Evolutionary Database DesignEvolutionary Database Design
Evolutionary Database Design
 
Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014
Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014
Software as a Service workshop / Unlocked: the Hybrid Cloud 12th May 2014
 
SQL KONFERENZ 2020 Azure Key Vault, Azure Dev Ops and Azure Data Factory how...
SQL KONFERENZ 2020  Azure Key Vault, Azure Dev Ops and Azure Data Factory how...SQL KONFERENZ 2020  Azure Key Vault, Azure Dev Ops and Azure Data Factory how...
SQL KONFERENZ 2020 Azure Key Vault, Azure Dev Ops and Azure Data Factory how...
 

Recently uploaded

Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .Satyam Kumar
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfROCENODodongVILLACER
 

Recently uploaded (20)

Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdf
 

Configuring a more secure BOSH

  • 1. Configuring a more secure BOSH (Core Project Updates). Saman Alvi & Dale Wick, Core BOSH Contributors
  • 2. Who are we? Saman Alvi (salvi@pivotal.io, @err_sage) and Dale Wick (dwick@pivotal.io, @hardhatpsp)
  • 3. Securing your BOSH Deployments with Variables. Agenda: What problems are we solving? How does it work? How do you use it? Integration with legacy systems. Future.
  • 4. Securing your BOSH Deployments with Variables (agenda, first section: What problems are we solving?)
  • 5. Problem #1: Sensitive / secret information stored in manifests
  • 6. Problem #2: Weak passwords, reused certificates
  • 7. Problem #3: Static manifests for different staging environments (Test, Dev, Prod)
  • 8. Problem #4: Difficult and error prone to rotate sensitive information
  • 9. Problem #5: No separation between credential and deployment management
  • 11. What problems are we solving? How does it work? How do you use it? Integration with legacy systems Future
  • 12. Variables. A variable is a named parameter that has a value: passwords and properties; a value you do not want in plain text; a value that is subject to change.
  • 13. Variable Types. Variables can have a type, and a type may require options (e.g. certificate).
  • 15. Variable Values: specified by the operator via the CLI. At deploy time: 1. the operator specifies variables and values; 2. the CLI parses the variables; 3. the CLI substitutes the values into the manifest (deployment, runtime or cloud config) before it is sent to the Director.
  • 16. Variable Values: generated by the Config Server. At deploy time: 1. the Director parses the variables in the manifest (deployment, runtime or cloud config); 2. the Director requests the variable values from the Config Server; 3. the Config Server returns generated or existing values, and stores the ones it generated.
  • 17. What problems are we solving? How does it work? How do you use it? Integration with legacy systems Future
  • 18. How do you use it? You need the latest BOSH release, the new BOSH CLI and the Config Server Release. Enable the Config Server in the Director properties:
      properties:
        director:
          config_server:
            enabled: true
            url: ...
            uaa: ...
  • 19. Variable Values. The variable that will be substituted goes inside the (( )):
      jobs:
      - name: db
        release: postgres
        properties:
          username: "((db_user))"
          password: "((db_password))"
      - name: director
        release: bosh
        properties:
          ssl:
            key: "((private_key))"
            cert: "((certificate))"
  • 20. Variable Values. Specify variable values using command line flags:
      $ bosh -e dev -d my_dep deploy manifest.yml -v internal_ip=192.168.50.6 -v max_conn=10
      networks:
      ...
        static: [((internal_ip))]
      ...
      properties:
        redis:
          max_connections: "((max_conn))"
  • 21. Variable Values. Generate variable values via the Config Server: on bosh deploy, the Director asks the Config Server for db_password, which is declared in the variables section.
      jobs:
      - name: db
        release: postgres
        properties:
          username: "admin"
          password: "((db_password))"
      variables:
      - name: db_password
        type: password
  • 22. Variable Values. Variables with nested values (certificates, SSH & RSA keys) require the use of a "." to select one field of the value.
  • 23. Variable Values. Generate variables: on bosh deploy, the Director requests ssl and the Config Server returns a generated certificate.
      variables:
      - name: ssl
        type: certificate
        options:
          is_ca: true
          common_name: "bosh.io"
      jobs:
      - name: director
        release: bosh
        properties:
          ssl:
            key: "((ssl.private_key))"
            cert: "((ssl.certificate))"
      Config Server response:
      "id": "22",
      "value": {
        "certificate": "CA Certificate…",
        "private_key": "Private Key…",
        "ca": "CA…"
      }
  • 24. Variable Values. Generating certificates & certificate chaining: on bosh deploy, default_ca is generated first, then director_ssl is generated and signed by it.
      variables:
      - name: default_ca
        type: certificate
        options:
          is_ca: true
          common_name: "bosh"
      - name: director_ssl
        type: certificate
        options:
          ca: default_ca
          common_name: ((internal_ip))
      jobs:
      - name: director
        release: bosh
        properties:
          ssl:
            key: "((director_ssl.private_key))"
            cert: "((director_ssl.certificate))"
  • 25. Variable Values. Share variables across deployments: variables beginning with '/' can be shared across multiple deployments. deployment_1, deployment_2 and deployment_3 all reference the same key:
      name: deployment_1
      jobs:
      - name: datadog-agent
        release: datadog-agent
        properties:
          api_key: "((/dd_api_key))"
      (deployment_2 and deployment_3 are identical apart from their name)
  • 26. vars-store: your local Config Server. The operator deploys with a vars-store file:
      $ bosh -e dev -d my_dep deploy dep.yml --vars-store ./creds.yml
      using this manifest:
      jobs:
      - name: nats
        release: bosh
        properties:
          username: "admin"
          password: "((nats_password))"
      - name: director
        release: bosh
        properties:
          ssl.key: "((ssl.private_key))"
          ssl.certificate: "((ssl.certificate))"
      variables:
      - name: nats_password
        type: password
      - name: ssl
        type: certificate
      The CLI generates the values and writes them to ./creds.yml:
      nats_password: qdbzr3marbv0x2jp6ihs
      ssl:
        ca: |
          -----BEGIN CERTIFICATE-----
          ...
        private_key: |
          -----BEGIN RSA PRIVATE KEY-----
          ...
        certificate: |
          -----BEGIN CERTIFICATE-----
          ...
  • 27. $ bosh create-env
      $ bosh create-env ~/workspace/bosh-deployment/bosh.yml \
          --state ./state.json \
          --vars-store ./creds.yml \
          -v director_name="Bosh Lite Director" \
          -v internal_ip=192.168.50.6 \
          -v internal_gw=192.168.50.1 \
          -v internal_cidr=192.168.50.0/24 \
          -v outbound_network_name=NatNetwork
  • 28. Variables. List the variables of a deployment:
      $ bosh -e dev -d my_dep variables
      ID  Name
      22  /director_name/deployment_name/variable_name
      23  /director_name/deployment_name/variable_name2
      Only variables resolved through the Config Server show up in this list. The ID format is subject to change (to a GUID in the future); do not rely on it.
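To make the ((...)) mechanics of slides 19 to 28 concrete, here is an added example in Python; it is not BOSH CLI or Config Server code. It models the per-deployment scoping of plain names against the shared '/' names, nested "." access into a certificate value, -v overrides, and a store that returns existing values and generates only what is missing (so a second deploy is a no-op and deleting a stored value rotates it). The dict standing in for the vars-store, the constructed manifest, the placeholder PEM strings, the 20-character lowercase password format and the precedence of -v over stored values are this example's assumptions; the "/director/deployment/variable" name layout is taken from the `bosh variables` output above.

```python
import re
import secrets
import string

# Added example, not code from the BOSH CLI or the Config Server: a minimal
# model of how ((var)) placeholders are resolved at deploy time. A plain dict
# stands in for the vars-store / Config Server, and the scoped-name layout
# follows the "/director/deployment/variable" form shown by `bosh variables`.

# ((name)) or ((name.key.subkey)); a leading '/' marks an absolute, shared name.
PLACEHOLDER = re.compile(
    r"\(\((?P<name>/?[A-Za-z0-9_-]+)(?P<path>(?:\.[A-Za-z0-9_-]+)*)\)\)"
)
PASSWORD_ALPHABET = string.ascii_lowercase + string.digits  # assumed format


def scoped_name(director: str, deployment: str, name: str) -> str:
    """Plain names are private to one deployment; '/' names are shared by all."""
    if name.startswith("/"):
        return name
    return f"/{director}/{deployment}/{name}"


def generate_value(definition: dict):
    """Generate a value for a typed variable that has no stored value yet."""
    if definition["type"] == "password":
        return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(20))
    # Certificates and keys need real key generation, which the Config Server
    # does; this model only reuses such values when they are already stored.
    raise ValueError(f"cannot generate type {definition['type']!r} locally")


def resolve(director, deployment, manifest, variables, store, cli_vars=None):
    """Return `manifest` with every ((...)) replaced.

    Precedence (this example's assumption): -v values win, then values already
    in the store, and only then is a new value generated and stored.
    """
    cli_vars = dict(cli_vars or {})
    definitions = {v["name"]: v for v in variables}

    def substitute(match):
        name, path = match.group("name"), match.group("path")
        if name in cli_vars:
            value = cli_vars[name]
        else:
            key = scoped_name(director, deployment, name)
            if key not in store:
                if name not in definitions:
                    raise KeyError(f"variable {name!r} has no value and no definition")
                store[key] = generate_value(definitions[name])
            value = store[key]
        # ((ssl.private_key)): walk into a structured value one field at a time.
        for part in (path.lstrip(".").split(".") if path else []):
            if not isinstance(value, dict) or part not in value:
                raise KeyError(f"{name!r} has no nested field {part!r}")
            value = value[part]
        if isinstance(value, dict):
            raise TypeError(f"{name!r} is structured; select a field with '.'")
        return str(value)

    return PLACEHOLDER.sub(substitute, manifest)


# Constructed manifest and variable definitions modelled on the slides.
MANIFEST = """\
jobs:
- name: db
  release: postgres
  properties:
    username: ((db_user))
    password: ((db_password))
- name: director
  release: bosh
  properties:
    ssl:
      key: ((ssl.private_key))
      cert: ((ssl.certificate))
    api_key: ((/dd_api_key))
"""
VARIABLES = [
    {"name": "db_password", "type": "password"},
    {"name": "ssl", "type": "certificate", "options": {"ca": "default_ca"}},
]


def demo():
    """Deploy twice against one store: generated values are reused, not remade."""
    # Constructed store contents: a shared key and a certificate that a Config
    # Server would have generated on an earlier deploy (placeholder PEM text).
    store = {
        "/dd_api_key": "shared-datadog-key",
        "/dev/my_dep/ssl": {"ca": "CA-PEM", "certificate": "CERT-PEM", "private_key": "KEY-PEM"},
    }
    cli = {"db_user": "admin"}  # what -v db_user=admin would supply
    first = resolve("dev", "my_dep", MANIFEST, VARIABLES, store, cli)
    second = resolve("dev", "my_dep", MANIFEST, VARIABLES, store, cli)
    return first, second, store


if __name__ == "__main__":
    rendered, _, final_store = demo()
    print(rendered)
    print(sorted(final_store))
```

Running it prints the rendered manifest and the store keys, including the newly generated /dev/my_dep/db_password next to the shared /dd_api_key. One practical point the model makes visible: anything passed with -v is on the command line, so it ends up in shell history and process listings; the deck uses -v for non-secret inputs such as internal_ip and max_conn and routes passwords and certificates through generated variables instead.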
  • 29. What problems are we solving? How does it work? How do you use it? Integration with legacy systems Future
  • 30. System Integrations. BOSH talks to the Config Server API; any system that implements that API can back BOSH variables.
  • 31. Credhub: the recommended production implementation. It implements the Config Server API and provides encryption through an HSM.
  • 33. What problems are we solving? How does it work? How do you use it? Integration with legacy systems Future
  • 34. Future. 1. Set validated types for variables: String, Number, Object, Array, Boolean, Null. 2. Certificate DNS names and jobs: generated certificates belonging to jobs (and to releases as well) will have their SANs and Common Name managed by BOSH.
  • 36. Get started with Credhub: github.com/cloudfoundry/config-server-release; github.com/cloudfoundry/config-server/blob/master/docs/api.md; bosh.io/docs/cli-int.html; github.com/cloudfoundry/bosh-deployment; github.com/cloudfoundry-incubator/credhub
  • 38. DEMO
  • 39. • Saman Alvi • salvi@pivotal.io • @err_sage • Dale Wick • dwick@pivotal.io • @hardhatpsp Questions?