
Releases: pivotal/credhub-release

1.0.0

09 Jun 22:39

Announcing CredHub release 1.0.0! 🎉🎈

Version 1.0.x is a long term support release. Bug fix and security patch releases will be issued for 9 months following release. See more here.

Features

  • Get, set, generate, delete credentials by type
    • value
    • password
    • user
    • certificate
    • ssh
    • rsa
    • json
  • Authentication via UAA
  • Software-based AES256-GCM encryption provider
  • Encryption provider key rotation
  • Data storage via MySQL and PostgreSQL
  • Access and change logging via CEF file and database
  • Storage of historical credential values and metadata
  • BOSH config server compliant API

Limitations

  • Authenticated users have full access to all resources
  • High availability configuration not supported

Compatibility

  • This release must use BOSH version 261 or later
  • CLI version 1.0.0+ must be used with this release
  • Version 9.4+ must be used if using PostgreSQL database

Changes from v0.8.0

0.8.0

24 May 01:22

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.8.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to backup your database prior to upgrade.
  • Internal encryption provider dev_key is no longer supported. You must migrate from an existing dev_key to an encryption_password prior to upgrading to this version.

New Features

  • BBR scripts for backup and restore now enabled
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Bug fix

  • Extended key usage 'timestamping' no longer provides error
  • Server version appropriately returned on /info endpoint
  • JRE bumped to 1.8.0_131 for CVEs
  • Spring Boot bumped to 1.4.6 for Tomcat CVEs

Changes from v0.7.0

0.7.0

28 Apr 23:49

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.7.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to backup your database prior to upgrade.
  • Internal encryption provider dev_key is now deprecated. You are advised to migrate from an existing dev_key to an encryption_password.
  • Password generation parameter 'hex-only' has been removed

New Features

  • New credential type "user" now supported
  • Subject key identifier and authority key identifiers are now populated for generated certificate credentials
  • Restructured audit logging to provide data access and modification logging coverage
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Changes from v0.6.1

0.6.1

27 Mar 23:43

Bug fix

  • Resolved: connections to MySQL databases with require_tls: true failed with error 'java.sql.SQLNonTransientConnectionException: Failed to find trustStore file.' Related to mariadb-connector-j issue described here.

Changes from v0.6.0

0.6.0

24 Mar 20:21

Known issues

  • Connections to MySQL databases with require_tls: true will fail with error 'java.sql.SQLNonTransientConnectionException: Failed to find trustStore file.' This issue is resolved in version 0.6.1. Related to mariadb-connector-j issue described here.
  • The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation. If you have stored data from release 0.5.1 and prior, you must upgrade to 0.7.1 and perform encryption key rotation prior to upgrading to 0.8.0 or later.

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.6.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to backup your database prior to upgrade.
  • Encryption provider dev_internal has been renamed internal
  • Internal encryption provider dev_key is now deprecated. You are advised to migrate from an existing dev_key to an encryption_password.

Bug fix

  • HSM migration issue when upgrading from 0.3.1 to 0.5.1 has been resolved in this release

New Features

  • Internal encryption provider now uses PBKDF2 to derive an encryption key from a user-provided value.
  • The encryption_password key with the internal provider now uses AES256-GCM data encryption
  • Added support for storing arbitrary JSON as json-type credential
  • Added /vcap endpoint to support future service broker credential delivery workflow
  • Added SHA256 fingerprint attribute to SSH credential responses
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Changes from v0.5.1

0.5.1

23 Feb 01:16
Pre-release

Known Issue

  • Upgrading from 0.3.x to 0.5.x with an HSM encryption provider will fail. We recommend that you do not upgrade to 0.5.x if using an HSM and instead use 0.6.0. This issue does not affect fresh installs or the dev_internal encryption provider.

Compatibility -

  • This release must use BOSH version 261 or later.
  • CLI version 0.5.x must be used with this release

Notices -

  • You are advised to backup your database prior to upgrade.

Bug fix release -

  • Resolves 500 error which occurred when setting a credential which held an existing value

0.5.0

18 Feb 00:33
Pre-release

Compatibility -

  • This release must use BOSH version 261 or later.
  • CLI version 0.5.x must be used with this release

Notices -

  • You are advised to backup your database prior to upgrade.

New Features -

  • Ability to rotate encryption key used to secure data
  • Support for interface with HA configuration of Luna HSM
  • CA set and generate operations are now done in same namespace as credentials
  • Ability to generate intermediate CA certificates
  • Ability to define key usage extension values
  • Update password generation defaults - length: 30, special characters: excluded
  • Updated OpenJDK for CVEs

Breaking changes -

  • Deployment configuration 'user_management' renamed to 'authentication' for clarity
  • Due to the change in special character default, an error will occur when regenerating previously generated credentials that used the exclude_special=true setting. You may generate the value again with the desired parameters to resolve this issue.

[Release has been removed, as it is no longer recommended. Please install subsequent version.]

0.3.1

24 Jan 00:13
Pre-release

Compatibility -

  • This release must use BOSH version 260.x or prior. For version 261 and later, you must use 0.4.0+.
  • CLI version 0.3.0 must be used with this release

Patch release to 0.3.0 to resolve 500 errors in long running HSM deployments. CredHub will now attempt to re-establish a connection to the HSM in the event that a connection fails.

The following events will be logged if a failure and reconnect has occurred.

user:/home# tail -f /var/vcap/sys/log/credhub/credhub.log | grep EncryptionServiceImpl
2017-01-23T23:23:52.177Z [https-jsse-nio-8844-exec-6] ....  INFO --- EncryptionServiceImpl: Exception thrown: Could not process input data: function 'C_Decrypt' returns 0x30
2017-01-23T23:23:52.177Z [https-jsse-nio-8844-exec-6] ....  INFO --- EncryptionServiceImpl: Failed to decrypt secret. Trying to log in.
2017-01-23T23:23:52.404Z [https-jsse-nio-8844-exec-6] ....  INFO --- EncryptionServiceImpl: Reconnected to the HSM
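The three log lines above are the only signal an operator gets that the HSM session dropped and was re-established, so it is worth alerting on them rather than discovering them with tail. The following is an added example, not code from credhub-release: a small parser for credhub.log lines that pairs each EncryptionServiceImpl failure with the matching "Reconnected to the HSM" message on the same thread, reports the downtime, and lists threads whose reconnect never arrived. The line format is inferred from the three lines shown in these notes; the dotted section between the thread name and the log level is assumed to be free text, and the extra sample lines (an unrelated controller line and a failure on exec-9 that never reconnects) are constructed for the example.

```python
"""Detect HSM failure/reconnect sequences in CredHub's credhub.log.

Added example; not part of credhub-release. The line format is inferred
from the 0.3.1 release notes and the section between the thread name and
the level is assumed to be free text.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# 2017-01-23T23:23:52.177Z [thread] ....  INFO --- Logger: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+"
    r"\[(?P<thread>[^\]]+)\]\s+.*?"
    r"(?P<level>[A-Z]+)\s+---\s+(?P<logger>\w+):\s+(?P<msg>.*)$"
)

FAILURE_MARK = "Exception thrown:"
RELOGIN_MARK = "Trying to log in."
RECONNECT_MARK = "Reconnected to the HSM"

# Sample log: the three lines from the release notes plus constructed lines
# (a non-HSM controller line and a failure on exec-9 with no reconnect).
SAMPLE_LOG: List[str] = [
    "2017-01-23T23:23:51.900Z [https-jsse-nio-8844-exec-2] ....  INFO --- "
    "CredentialController: GET /api/v1/data (constructed sample line)",
    "2017-01-23T23:23:52.177Z [https-jsse-nio-8844-exec-6] ....  INFO --- "
    "EncryptionServiceImpl: Exception thrown: Could not process input data: "
    "function 'C_Decrypt' returns 0x30",
    "2017-01-23T23:23:52.177Z [https-jsse-nio-8844-exec-6] ....  INFO --- "
    "EncryptionServiceImpl: Failed to decrypt secret. Trying to log in.",
    "2017-01-23T23:23:52.404Z [https-jsse-nio-8844-exec-6] ....  INFO --- "
    "EncryptionServiceImpl: Reconnected to the HSM",
    "2017-01-23T23:23:53.010Z [https-jsse-nio-8844-exec-9] ....  INFO --- "
    "EncryptionServiceImpl: Exception thrown: Could not process input data: "
    "function 'C_Decrypt' returns 0x30",
    "2017-01-23T23:23:53.011Z [https-jsse-nio-8844-exec-9] ....  INFO --- "
    "EncryptionServiceImpl: Failed to decrypt secret. Trying to log in.",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one credhub.log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return rec


def find_hsm_reconnects(lines: List[str]) -> Tuple[List[dict], List[dict]]:
    """Pair HSM failures with reconnects per thread.

    Returns (completed reconnect events, failures still awaiting a reconnect).
    """
    pending: Dict[str, dict] = {}
    events: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["logger"] != "EncryptionServiceImpl":
            continue
        thread, msg = rec["thread"], rec["msg"]
        if msg.startswith(FAILURE_MARK):
            pending[thread] = {
                "thread": thread,
                "failed_at": rec["ts"],
                "error": msg[len(FAILURE_MARK):].strip(),
                "relogin": False,
            }
        elif msg.endswith(RELOGIN_MARK) and thread in pending:
            pending[thread]["relogin"] = True
        elif msg == RECONNECT_MARK and thread in pending:
            ev = pending.pop(thread)
            ev["reconnected_at"] = rec["ts"]
            delta = rec["ts"] - ev["failed_at"]
            ev["downtime_ms"] = round(delta.total_seconds() * 1000)
            events.append(ev)
    return events, list(pending.values())


if __name__ == "__main__":
    done, open_failures = find_hsm_reconnects(SAMPLE_LOG)
    for ev in done:
        print(f"{ev['thread']}: reconnected after {ev['downtime_ms']} ms ({ev['error']})")
    for ev in open_failures:
        print(f"{ev['thread']}: HSM failure at {ev['failed_at'].isoformat()} with no reconnect")
```

Run over the sample, the exec-6 sequence is reported as a 227 ms reconnect and exec-9 is flagged as an unresolved failure; the latter is the case worth paging on, since the release notes only describe the successful reconnect path.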

0.4.0

05 Jan 22:46
Pre-release

Compatibility -

  • This release must use BOSH version 261 or later.
  • CLI version 0.4.0 must be used with this release

Notice -

  • You are advised to backup your database prior to upgrade.
  • UAA client name for the CredHub CLI is now credhub_cli. You must update your UAA client name from credhub to credhub_cli.
  • Deployment properties structure for credhub.encryption has changed. You must update your manifest to use the separate keys and providers structure as shown here.
  • dev_internal encryption provider no longer includes a default key value

New Features -

  • Major performance optimizations for generating rsa, ssh and certificate credentials [4096 generation now ~1.5 seconds, from 20-30+ seconds previously]
  • Storing all historical credential values
  • Changes to API to simplify BOSH integration and clarify resources for authorization work
  • Restructured encryption provider deployment properties to allow future encryption key rotation feature
  • Regenerate credentials in same form as previously generated
  • Experimental support for Dyadic DSM encryption provider
  • Credential name added to credential response
  • Capturing credential/CA name explicitly in audit logs
  • Define extended key usage extension values when generating certificates
  • Bump OpenJDK for CVEs
  • Resolved github issue #2 - 5-10 minute delay in startup on GCP
  • Resolved github issue #4 - Inconsistency in parallel operations

[Release has been removed, as it is no longer recommended. Please install subsequent version.]

0.3.0

17 Oct 23:38
Pre-release

Compatibility -

  • This release must use BOSH version 260.x or prior. For version 261 and later, you must use 0.4.0+.
  • CLI version 0.3.0 must be used with this release

New features -

  • Fixed CVE-2016-6655: Utility script command injection #131930061 details here
  • CEF audit logging
  • Logging enhancements
  • User-provided AES key for internal encryption
  • RSA credential type (e.g. UAA JWT keys)
  • SSH credential type

[Release has been removed, as it is no longer recommended. Please install subsequent version.]