Skip to main content
Table of contents

This is for internal use by the PaaS team. Public-facing documentation is located at

ADR040: BOSH access without SOCKS5 or SSH


To comply with PCI Requirements we will remove the use of shared credentials anywhere in the platform.

We will use Single Sign On (SSO) to avoid credential sharing.

To enable SSO we will expose some of the APIs on the BOSH instance without using a SOCKS5 proxy. This is due to the SOCKS5 proxy not playing nicely with the VPN, which in turn creates a support risk

Discussion has taken place with both IA and with Cyber on the proposed methods after reviewing the RFC created as part of #169915408


We will remove the reliance on SOCKS5 or SSH tunnels for the UAA API endpoint so that we can remove the use of shared credentials.

With these in place we are unable to complete an SSO journey from one of our existing IDPs as the BOSH instance is not broswer accessible.

The current method will be replaced with Single Sign On in order to obtain a UAA token. This token is then used to interact with the rest of the APIs on the BOSH instance.


In the initial implementation we will place UAA on the bosh director in the internet using the IP allow list and using Google for SSO

Access to both BOSH and Credhub will remain via SSH Tunnels during this phase of implementation.


By using this method we are retaining the benefit of using IP allow lists whilst removing the shared credential that is in use.




We will no longer rely on IP allow lists or SSH tunnels and have individual credentials for accessing UAA on the BOSH Director.

Full alerting can be undertaken by Cyber for this component.

We will not be using SSH tunnels to obtain UAA tokens.