forked from cloudfoundry/docs-cf-admin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
instance-identity.html.md.erb
49 lines (26 loc) · 3.43 KB
/
instance-identity.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
---
title: Enabling Instance Identity
owner: Diego
---
<% if vars.platform_code == 'CF' %>
This topic describes enabling the Instance Identity system for your <%= vars.app_runtime_first %> deployment. The Instance Identity system provides each app instance with a unique PEM-encoded [X.509](https://tools.ietf.org/html/rfc5280) certificate and [PKCS#1](https://tools.ietf.org/html/rfc3447) RSA private key pair that encodes its identity in the <%= vars.app_runtime_abbr %> deployment.
## <a id="enabling"></a> Enabling Instance Identity
Instance Identity is enabled by default in [cf-deployment](https://github.com/cloudfoundry/cf-deployment).
To enable this feature in <%= vars.app_runtime_abbr %> deployments not based on cf-deployment, generate a PEM-encoded CA certificate and private key for the Diego Cell reps to use to issue certificates with the characteristics listed below in [Requirements](#requirements). Next, set the following properties in the BOSH deployment manifest on the `rep` job on the Diego Cells:
* `diego.executor.instance_identity_ca_cert`: PEM-encoded CA certificate used to issue Instance Identity credentials
* `diego.executor.instance_identity_key`: PEM-encoded private key used to issue instance identity credentials
Operators may also wish to install the Instance Identity CA certificate as a trusted system certificate for apps, so that app instances trust each others' Instance Identity credentials automatically. For more information about installing this CA certificate, see [Configuring Trusted System Certificates for Apps](../running/trusted-system-certificates.html).
For information about how developers can use the Instance Identity credentials in apps on <%= vars.app_runtime_abbr %>, see [Using Instance Identity Credentials](../devguide/deploy-apps/instance-identity.html).
## <a id="configuring"></a> Configuring Instance Identity Validity Period
By default, the certificate is valid for 24 hours after the container is created. The <%= vars.app_runtime_abbr %> operator can control this validity period by modifying the `diego.executor.instance_identity_validity_period_in_hours` BOSH property in the `rep` job. The smallest allowed validity duration is 1 hour.
The Diego Cell rep supplies a new certificate and private key pair to the app instance before the end of the validity period. The new pair of files replaces the existing pair at the same path locations, with each file replaced atomically.
* If the validity period exceeds 4 hours, the pair regenerates between 1 hour and 20 minutes before the end of the validity period.
* If the validity period is less than or equal to 4 hours, the pair regenerates between 1/4 and 1/12 of the time to the end of the period.
## <a id="requirements"></a> Requirements
The CA certificate that the Diego Cell rep uses to issue Instance Identity credentials must have all the properties required to sign other certificates:
* The `Subject Key Identifier` must be set.
* The `KeyUsage` must include `KeyCertSign`.
* If the Diego Cell rep is configured with an intermediate CA certificate, the certificate should have either an empty `ExtendedKeyUsage` extension or one with the `any` property.
<% else %>
The information in this topic does not apply in this context. For information about enabling the Instance Identity system in a Cloud Foundry deployment, see [Enabling Instance Identity](https://docs.cloudfoundry.org/adminguide/instance-identity.html) in the Cloud Foundry documentation.
<% end %>