Using Instance Identity Credentials
This topic describes enabling the Instance Identity system for your Cloud Foundry (CF) deployment. The Instance Identity system provides each app instance with a unique PEM-encoded X.509 certificate and PKCS#1 RSA private key pair that encodes its identity in the CF deployment.
The environment variable
CF_INSTANCE_CERT contains the absolute path to the certificate. The environment variable
CF_INSTANCE_KEY contains the absolute path to the key file. The provided certificate has the following properties:
Common Nameproperty is set to the instance GUID for the given app instance.
- The certificate contains an IP SAN set to the container IP address for the given app instance.
- The certificate contains a DNS SAN set to the instance GUID for the given app instance.
Organizational Unitproperty in the certificate’s Subject Distinguished Name contains the values
APP-GUIDare set to the GUIDs for the organization, space, and app as assigned by Cloud Controller.
By default, the certificate is valid for 24 hours after the container is created. The CF platform operator can decrease this duration to as little as 1 hour by setting the
diego.executor.instance_identity_validity_period_in_hours BOSH property.
The Diego cell rep supplies a new certificate and private key pair to the app instance before the end of the validity period. The new pair of files replaces the existing pair at the same path locations, with each file replaced atomically.
- If the validity period exceeds 4 hours, the pair regenerates between 1 hour and 20 minutes before the end of the validity period.
- If the validity period is less than or equal to 4 hours, the pair regenerates between ¼ and 1/12 of the time to the end of the period.
For more information about enabling and configuring the Instance Identity system in Cloud Foundry, see Enabling Instance Identity.