
Releases: pivotal/credhub-release

1.1.2

18 Jul 23:32

Bug fix

  • Incorrect version displayed at /info endpoint

Changes from v1.1.1

  • Application commit log (no change)
  • Release commit log (no change)

NOTE: Release has been removed due to bug. Please use release version 1.2.0.

1.1.1

12 Jul 19:39

Bug Fix

  • Fixed job template rendering error which affected bosh create-env deployments

Changes from v1.1.0

NOTE: Release has been removed due to bug. Please use release version 1.2.0.

1.1.0

12 Jul 18:47

Notices

  • Users of Postgres databases must provide a valid tls_ca for their connection or disable TLS prior to deploying this version.
  • The TLS CA of UAA must be provided in the manifest at authentication.uaa.ca_certs prior to deployment

New Features

  • Mutual TLS is now supported for application authentication - more here
  • ACL authorization is now supported for automation use-cases, such as the secure service credential architecture. This is currently disabled by default.
    • Supported authenticated identities
      • UAA password grant
      • UAA client credentials grant
      • Mutual TLS application
    • Supported credential operations
      • read
      • write
      • delete
      • read_acl
      • write_acl
  • Multi-instance deployments are now supported
  • Postgres database connections now support TLS (enabled by default)
  • Tomcat chooses cipher suite order during TLS negotiation
  • JVM max heap size is configurable via deployment manifest property
  • Tomcat can now be configured to enable Java 7 supported CBC ciphers (disabled by default)
  • Bouncy Castle updated from 1.52 to 1.57

Changes from v1.0.0

NOTE: Release has been removed due to bug. Please use release version 1.1.1.

1.0.3

05 Jul 23:29

Notices

  • The TLS CA of UAA must be provided in the manifest at authentication.uaa.ca_certs prior to deployment

Bug fix

  • Offline JWT token validation now verifies the issuer in addition to the signature (related to CVE-2017-8034). This fix was added defensively, but this should not impact the current use-case due to lack of multiple identity zones in the BOSH UAA instance.
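
The issuer check described in this fix, as an added example that is not CredHub's or UAA's code: a token signed with a trusted key but carrying a different issuer passes a signature-only check and is rejected once the iss claim is compared. HS256 with a shared key is an assumption made so the example runs on the standard library alone; the key, issuer URLs and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample values; not CredHub or UAA configuration.
KEY = b"constructed-signing-key"
TRUSTED_ISS = "https://uaa.example.test/oauth/token"
OTHER_ZONE_ISS = "https://zone-b.uaa.example.test/oauth/token"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, key):
    """Build a sample HS256 JWT for the checks below."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(sign(header + '.' + payload, key))}"

def verify_signature_only(token, key):
    """Signature check alone: any token signed with a known key passes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected algorithm")  # pin alg, never trust the header
        expected = sign(f"{header_b64}.{payload_b64}", key)
        if not hmac.compare_digest(b64url_decode(sig_b64), expected):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise ValueError(f"token rejected: {exc}") from exc

def verify_signature_and_issuer(token, key, trusted_issuer):
    """Signature check plus an exact match of the iss claim."""
    claims = verify_signature_only(token, key)
    if not isinstance(claims, dict) or claims.get("iss") != trusted_issuer:
        raise ValueError("token rejected: untrusted issuer")
    return claims

def accepted(verifier, *args):
    """Return True if the verifier accepts the token, False if it rejects it."""
    try:
        verifier(*args)
        return True
    except ValueError:
        return False
```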

Changes from v1.0.2

1.0.2

29 Jun 22:05

Bug fix

  • The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation. This patch includes a fix to read both formats and unify to the preferred format for all new data.

New Features

  • Ability to set stored CA by name for user-provided certificates

NOTE: This feature was added to ensure forward compatibility for data stored with 1.0.x releases. This is an additive change with low risk to affect existing functionality.


Changes from v1.0.1

0.7.1

26 Jun 20:57

Bug fix

  • The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation.

If you have stored data from release 0.5.1 and prior, you must upgrade to 0.7.1 and perform encryption key rotation prior to upgrading to 0.8.0 or later.


Changes from v0.7.0

1.0.1

13 Jun 16:01

Bug fix

  • Incorrect version displayed at /info endpoint

Changes from v1.0.0

1.0.0

09 Jun 22:39

Announcing CredHub release 1.0.0! 🎉🎈

Version 1.0.x is a long term support release. Bug fix and security patch releases will be issued for 9 months following release. See more here.

Features

  • Get, set, generate, delete credentials by type
    • value
    • password
    • user
    • certificate
    • ssh
    • rsa
    • json
  • Authentication via UAA
  • Software-based AES256-GCM encryption provider
  • Encryption provider key rotation
  • Data storage via MySQL and PostgreSQL
  • Access and change logging via CEF file and database
  • Storage of historical credential values and metadata
  • BOSH config server compliant API

Limitations

  • Authenticated users have full access to all resources
  • High availability configuration not supported

Compatibility

  • This release must use BOSH version 261 or later
  • CLI version 1.0.0+ must be used with this release
  • Version 9.4+ must be used if using PostgreSQL database

Changes from v0.8.0

0.8.0

24 May 01:22

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.8.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to back up your database prior to upgrade.
  • Internal encryption provider dev_key is no longer supported. You must migrate from an existing dev_key to an encryption_password prior to upgrading to this version.

New Features

  • BBR scripts for backup and restore now enabled
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Bug fix

  • Extended key usage 'timestamping' no longer produces an error
  • Server version appropriately returned on /info endpoint
  • JRE bumped to 1.8.0_131 for CVEs
  • Spring Boot bumped to 1.4.6 for Tomcat CVEs

Changes from v0.7.0

0.7.0

28 Apr 23:49

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.7.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to back up your database prior to upgrade.
  • Internal encryption provider dev_key is now deprecated. You are advised to migrate from an existing dev_key to an encryption_password.
  • Password generation parameter 'hex-only' has been removed

New Features

  • New credential type "user" now supported
  • Subject key identifier and authority key identifiers are now populated for generated certificate credentials
  • Restructured audit logging to provide data access and modification logging coverage
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Changes from v0.6.1