Disabling the internal vault for the Cloud Pak for Data web client

A Red Hat® OpenShift® Container Platform project administrator can optionally disable the Cloud Pak for Data internal vault for the Cloud Pak for Data web client.

About this task

If you plan to use vaults to store sensitive data, it is strongly recommended that you use an enterprise-grade vault solution, such as CyberArk or HashiCorp.

After you enable the web client to connect to external vaults, you can optionally disable the internal vault to ensure that users use secrets from your existing vault.

You can disable the internal vault, for example, if you want to restrict the use of vaults to an organization's approved vault vendors only. You disable the internal vault after the product is installed.

Permissions you need for this task
    You must be a Red Hat OpenShift Container Platform project or cluster administrator.
When you need to complete this task
    You can complete this task anytime after Cloud Pak for Data is installed.

Important: When you disable the internal vault, all of the secrets that are stored in the vault are also deleted.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a user with sufficient permissions to complete the task:
    oc login OpenShift_URL:port
  2. Change to the project where Cloud Pak for Data is installed:
    oc project Project_name
  3. Run the following command to edit the Cloud Pak for Data product-configmap file:
    oc edit configmap product-configmap
  4. Change the value of the VAULT_DISABLE_INTERNAL_VAULT parameter to true. ConfigMap data values are strings, so quote the value:
    VAULT_DISABLE_INTERNAL_VAULT: "true"
  5. Save your changes to the product-configmap file. For example, if you are using vi, press Esc and enter :wq.
  6. Restart the watcher pod.
    oc delete pods -l component=zen-watcher
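
A non-interactive form of steps 3 to 6, added here as an example and not part of the product documentation: it uses `oc patch` instead of `oc edit`, refuses to run without an explicit acknowledgement that stored secrets are deleted, and verifies the setting afterward. It assumes you are already logged in (step 1); the function names, the `CONFIRM_DELETE_SECRETS` guard, and the backup file name are assumptions of this example.

```shell
#!/bin/sh
# Added example: scripted equivalent of steps 3-6. Assumes `oc login` was done.
CM=product-configmap
KEY=VAULT_DISABLE_INTERNAL_VAULT

# Print the current value of the parameter (empty if the key is not set).
current_value() {
    oc get configmap "$CM" -n "$1" -o "jsonpath={.data.$KEY}"
}

# Disable the internal vault in project $1.
# Requires CONFIRM_DELETE_SECRETS=yes (a guard invented for this example),
# because disabling the vault deletes every secret stored in it.
disable_internal_vault() {
    ns=$1
    # Idempotent: do nothing (and do not restart the watcher) if already set.
    if [ "$(current_value "$ns")" = "true" ]; then
        echo "internal vault already disabled in $ns"; return 0
    fi
    if [ "${CONFIRM_DELETE_SECRETS:-}" != "yes" ]; then
        echo "refusing: set CONFIRM_DELETE_SECRETS=yes to proceed" >&2; return 2
    fi
    # Keep a copy of the configmap as it was before the change, for review.
    # This does not back up the secrets held in the internal vault.
    oc get configmap "$CM" -n "$ns" -o yaml > "$CM.$ns.backup.yaml" || return 1
    # ConfigMap data values are strings, so the value is the string "true".
    oc patch configmap "$CM" -n "$ns" --type merge \
        -p "{\"data\":{\"$KEY\":\"true\"}}" || return 1
    # Restart the watcher pod so that it picks up the change (step 6).
    oc delete pods -n "$ns" -l component=zen-watcher || return 1
    # Succeed only if the cluster now reports the expected value.
    [ "$(current_value "$ns")" = "true" ]
}

# Run only when a project name is given as the first argument.
if [ -n "${1:-}" ]; then disable_internal_vault "$1"; fi
```

Run it as `CONFIRM_DELETE_SECRETS=yes sh script.sh Project_name` after confirming that every secret you still need exists in the external vault.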