堆栈内存溢出
  简体   繁体   English

如何安全地为Cloud Foundry应用程序提供私有SSL密钥?

[英]How to securely provide private SSL keys to Cloud Foundry apps?

 原文  2017-05-10 16:35:38       security/ ssl-certificate/ ibm-cloud/ cloudfoundry

问题描述

I have an app that I want to run in Cloud Foundry (specifically, in IBM Bluemix). 我有一个应用程序,我想在Cloud Foundry中运行(特别是在IBM Bluemix中)。 This app will call out to a number of third-party services/APIs, most of which are not managed via CF services. 此应用程序将调用许多第三方服务/ API,其中大多数不通过CF服务进行管理。 One of these APIs requires my app to use an SSL key to authenticate, so my app needs access to a private SSL key. 其中一个API要求我的应用程序使用SSL密钥进行身份验证,因此我的应用程序需要访问私有SSL密钥。

My app is deployed from an automated pipeline (specifically, IBM Bluemix DevOps Pipelines) based off of source from a GitHub repo and some small scripts saved in the pipeline config. 我的应用程序是基于GitHub存储库的源代码和管道配置中保存的一些小脚本从自动管道(特别是IBM Bluemix DevOps Pipelines)部署的。

It seems like a bad idea to keep the private key file in the source control, and I don't believe there's anywhere to keep it in the pipeline config, so what are my options for making it available to the app while keeping it secure? 将私钥文件保存在源代码控制中似乎是一个坏主意,我不相信有任何地方可以将它保留在管道配置中,那么在保持其安全性的同时将其提供给应用程序的选项是什么?

I've read this article: Keeping secrets – how your cloud application should access credentials and other private data which says that secrets, passwords, etc, can be made available via environment variables or Cloud Foundry user-provided services . 我读过这篇文章: 保守秘密 - 您的云应用程序应如何访问凭据和其他私有数据 ,这些数据表明可以通过环境变量或Cloud Foundry 用户提供的服务提供机密,密码等。

Googling to find out if this is a suitable option for SSL keys, I find this Cloud Foundry Page: Understanding Cloud Foundry Security which says "Store SSL keys securely to prevent disclosure, and promptly replace lost or compromised keys.", but doesn't say anything about how to store them securely and make them available to your apps. 谷歌搜索以确定这是否适合SSL密钥选项,我找到了这个Cloud Foundry页面: 了解Cloud Foundry Security ,其中说“安全地存储SSL密钥以防止泄露,并迅速更换丢失或受损的密钥。”但是没有说出如何安全地存储它们并将它们提供给您的应用程序。

So what options are available to me for storing the private key and making it available to my CF app while not storing it in my source control? 那么我可以使用哪些选项来存储私钥并使其可用于我的CF应用程序而不将其存储在我的源代码管理中?

Note: I believe I do not want the cf ssh functionality, as that is for connecting in to an app (if I understand it correctly), not for an app connecting out. 注意:我相信我想要cf ssh功能,因为这是连接到应用程序(如果我理解正确),而不是连接的应用程序。

2 个解决方案

解决方案1
 1 已采纳  2017-05-10 17:18:16

Agreed - keeping your key in source control is bad practice. 同意 - 保持密钥在源代码管理中是不好的做法。

Bluemix has a service called Key Protect that should provide exactly what you're looking for. Bluemix有一项名为Key Protect的服务,它应该提供您正在寻找的服务。

Docs here 文档在这里

Alternatively there are a number of other 3rd party providers you could use to do this. 或者,您可以使用许多其他第三方提供商来执行此操作。

解决方案2
 1  2017-09-21 17:41:59

You can use custom VCAP_SERVICES environment variables to store your secure data. 您可以使用自定义VCAP_SERVICES环境变量来存储安全数据。 There is a doc how to use it. 有一个doc如何使用它。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Cloud Foundry后端和公共应用 - Cloud Foundry back-end and public apps 在 Android(颤振)应用程序中安全保存 API 密钥 - Securely Saving API Keys In Android (flutter) Apps 如何从运行在Google Cloud上的Java应用程序安全地引用.json私钥文件 - How to securely reference a .json private key file from a Java app running on Google Cloud Google Cloud Functions - 使用 Google Source Repository 时如何安全地存储服务帐户私钥? - Google Cloud Functions - How to securely store service account private key when using Google Source Repository? 如何为Node.js https模块分配SSL私钥 - How to distribute ssl private keys for nodejs https module 从Windows密钥库安全处理私钥 - Securely Handling Private Keys from Windows Key Store 如何安全地存储公钥/私钥 - How to store public/private key securely 如何确保Cloud Foundry上的日志流失? - How to secure a Log Drain on Cloud Foundry? 如何在android中安全地存储加密密钥? - how to securely store encryption keys in android? 安全地存储私人图像 - Securely storing private images
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM