The ProtectApp Security Provider Framework causes an application to be automatically configured to work with a bound ProtectApp Security Service.
| Detection Criterion | Existence of a single bound ProtectApp Security Provider service. The existence of an ProtectApp Security service defined by the VCAP_SERVICES payload containing a service name, label or tag with protectapp as a substring.
|
| Tags | protect-app-security-provider=<version> |
When binding to the ProtectApp Security Provider using a user-provided service, it must have name or tag with protectapp in it. The credential payload can contain the following entries:
| Name | Description |
|---|---|
client |
The client configuration |
trusted_certificates |
An array of certs containing trust information |
NAE_IP.1 |
A list of KeySecure server ips or hostnames to be used |
*** |
(Optional) Any additional entries will be applied as a system property appended to -Dcom.ingrian.security.nae. to allow full configuration of the library. |
| Name | Description |
|---|---|
certificate |
A PEM encoded client certificate |
private_key |
A PEM encoded client private key |
One or more PEM encoded certificate
{
"client": {
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
},
"trusted_certificates": [
"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
],
"NAE_IP.1": "192.168.1.25:192.168.1.26"
}
In order to create the credentials payload, you should collapse the JSON payload to a single line and set it like the following
$ cf create-user-provided-service protectapp -p '{"client":{"certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","private_key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"},"trusted_certificates":["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"],"NAE_IP.1":"192.168.1.25:192.168.1.26"}'
You may want to use a file for this
Note the client portion is very exacting and needs line breaks in the body every 64 characters.
- The file must contain:
-----BEGIN CERTIFICATE-----on a separate line (i.e. it must be terminated with a newline). - Each line of "gibberish" must be 64 characters wide.
- The file must end with:
-----END CERTIFICATE-----and also be terminated with a newline. - Don't save the cert text with Word. It must be in ASCII.
- Don't mix DOS and UNIX style line terminations.
So, here are a few steps you can take to normalize your certificate:
- Run it through
dos2unix$ dos2unix cert.pem - Run it through
fold$ fold -w 64 cert.pem
For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to Configuration and Extension.
The framework can be configured by modifying the config/protect_app_security_provider.yml file in the buildpack. The framework uses the Repository utility support and so it supports the version syntax defined there.
| Name | Description |
|---|---|
repository_root |
The URL of the ProtectApp Security Provider repository index (details). |
version |
Version of the ProtectApp Security Provider to use. |
The buildpack includes a default IngrianNAE.properties configuration file that is embedded at compile time. This provides sensible defaults for Cloud Foundry deployments.
The default configuration file is located in src/java/resources/files/protect_app_security_provider/IngrianNAE.properties.
To customize the default ProtectApp Security Provider configuration across all applications using your buildpack:
- Fork the java-buildpack repository
- Modify the configuration file in
src/java/resources/files/protect_app_security_provider/ - Build and package your custom buildpack
- Upload the custom buildpack to your Cloud Foundry foundation
This approach is useful for operators who want to enforce organization-wide ProtectApp Security Provider settings.
All ProtectApp configuration can also be provided via:
- System properties passed through VCAP_SERVICES credentials (using the
-Dcom.ingrian.security.nae.*prefix) - The credentials payload as documented above