Creating secrets to protect sensitive configuration data

A secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Before you install IBM Business Automation Workflow, you must create secrets manually for LDAP, Business Automation Workflow, IBM Business Automation Application Engine, Resource Registry, IBM FileNet® Content Manager, and IBM Business Automation Navigator.

About this task

All values under data in each secret must be Base64-encoded. To get a Base64-encoded string, run the following command:
echo -n "<sample_string>" | base64
The output is the Base64-encoded result. The -n flag matters: without it, echo appends a newline that is encoded along with the value and becomes part of the stored password or key.
Important: Make sure each secret has fewer than 20 characters.

Procedure

  1. An LDAP server is required before you install Business Automation Workflow. Create required secrets for LDAP.
    1. Save the following content in a YAML file named, for example, ldap-bind-secret.yaml.
      LDAP secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ldap-bind-secret
      type: Opaque
      data:
        ldapUsername: <LDAP_BIND_DN>
        ldapPassword: <LDAP_PASSWORD>
      where:
      • ldapUsername corresponds to the bindDN property of your LDAP server, Base64-encoded
      • ldapPassword corresponds to the bindPassword property of your LDAP server, Base64-encoded
    2. On the OpenShift master node (or any host where the oc CLI is logged in to the cluster), run the following command for the YAML file:
      oc apply -f YAML_file_name
    3. In your custom resource file:
      • Specify the hostname of your LDAP server as the ldap_configuration.lc_ldap_server property.
      • Specify the secret name that you created above as the ldap_configuration.lc_bind_secret property.
  2. Create required secrets for Business Automation Workflow.
    1. Save the following content in a separate YAML file for each secret.
      Shared encryption key secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: icp4a-shared-encryption-key
      type: Opaque
      data:
        encryptionKey: <ENCRYPTION_KEY>
      The encryptionKey is used to encrypt confidential information stored in the Resource Registry, so that it can be read only by the components that hold the key. Ensure the <ENCRYPTION_KEY> is Base64-encoded.
      Business Automation Workflow database secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-wfs-server-db-secret
      type: Opaque
      data:
        dbUser: <DB_USER>
        password: <DB_USER_PASSWORD>
      where dbUser and password are the database username and password. Ensure all values under data are Base64 encoded.

      Optional: Process Federation Server secret:

      If you set the Process Federation Server admin secret name in pfs_configuration.admin_secret_name, the operator creates this secret automatically. However, if you want to create it manually, use the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-pfs-admin-secret
      type: Opaque
      data:
        ltpaPassword: <LTPA_PASSWORD>
        sslKeyPassword: <SSL_KEY_PASSWORD>
      • ltpaPassword is used to set the LTPA password
      • sslKeyPassword is used as the keystore and truststore password
      • All values under data are Base64-encoded.
      Optional: Workflow server admin secret. This secret is used to integrate with other servers, such as UMS. You must set the Workflow Server admin secret name in baw_configuration[x].admin_secret_name; the operator then creates the secret automatically. If you prefer to create it manually, use the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-admin-secret
      type: Opaque
      data:
        sslKeyPassword: <SSL_KEY_PASSWORD>
      where:
      • sslKeyPassword is used as the keystore and truststore password
      • All values under data are Base64-encoded.
    2. On the OpenShift master node (or any host where the oc CLI is logged in to the cluster), run the following command for each YAML file:
      oc apply -f YAML_file_name
  3. Create required secrets for Application Engine by following the instructions in Creating secrets to protect sensitive configuration data. These instructions also include creating a secret for Resource Registry.
  4. Create required secrets for IBM Business Automation Navigator by following the instructions in Creating secrets to protect sensitive Business Automation Navigator configuration data.
  5. Create required secrets for IBM FileNet Content Manager by following the instructions in Creating secrets to protect sensitive IBM FileNet Content Manager configuration data.
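The following script is an added example and is not part of the IBM documentation or product. It generalizes the Base64 note under "About this task" and the manual secret creation in steps 1 and 2: a small helper builds any of the Opaque secrets on this page from plain key=value pairs, and a checker flags the two mistakes that most often produce a secret that applies cleanly but fails at runtime, an unreplaced <PLACEHOLDER> and a value encoded with echo instead of echo -n (which leaves a trailing newline inside the password). The secret names and data keys are the page's own; the bind DN, database user (bawuser) and passwords are constructed sample values, not real credentials. It assumes a GNU or BSD base64 that accepts -d.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM documentation: helpers to build the Opaque
# Secret manifests this page describes with correctly Base64-encoded values,
# and to check a manifest before `oc apply`. Secret names and keys below are
# the page's own; the sample credentials are constructed, not real.
set -eu

# b64: Base64-encode a string exactly as the doc's `echo -n "..." | base64`,
# joining the 76-column wrapping GNU base64 applies to long values.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# b64_decode: the inverse, for checking what will actually land in the Secret.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# has_trailing_newline: succeeds if the decoded value ends in "\n", the usual
# result of encoding with plain `echo` instead of `echo -n`. That newline
# becomes part of the password, and the LDAP bind or DB login then fails.
has_trailing_newline() {
  local last
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -c | tr -d ' \n')
  [ "$last" = '\n' ]
}

# secret_yaml: emit an Opaque Secret. Usage: secret_yaml NAME KEY=VALUE ...
# Values may themselves contain '=' (an LDAP bind DN does); only the first
# '=' separates key from value.
secret_yaml() {
  local name=$1 kv key val
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    val=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$val")"
  done
}

# check_manifest: read a manifest on stdin and report every value under
# data: that is not valid Base64 (for example an unreplaced <PLACEHOLDER>)
# or that decodes to a string ending in a newline. Returns 1 on any problem.
check_manifest() {
  local problems
  problems=$(sed -n '/^data:/,$p' |
    sed -n 's/^  \([A-Za-z0-9_.-]*\): *\(.*\)$/\1 \2/p' |
    while read -r key val; do
      if ! printf '%s' "$val" | base64 -d >/dev/null 2>&1; then
        echo "$key: value is not valid Base64 (placeholder left in place?)"
      elif has_trailing_newline "$val"; then
        echo "$key: decoded value ends in a newline (encoded with echo instead of echo -n?)"
      fi
    done)
  [ -z "$problems" ] || { printf '%s\n' "$problems" >&2; return 1; }
}

# Constructed sample values (hypothetical, not real credentials), written to a
# scratch directory so nothing lands in the working tree by accident.
out=$(mktemp -d)
secret_yaml ldap-bind-secret \
  'ldapUsername=cn=admin,dc=example,dc=com' \
  'ldapPassword=Passw0rd!' > "$out/ldap-bind-secret.yaml"
secret_yaml ibm-baw-wfs-server-db-secret \
  'dbUser=bawuser' 'password=Passw0rd!' > "$out/baw-db-secret.yaml"

for f in "$out"/ldap-bind-secret.yaml "$out"/baw-db-secret.yaml; do
  check_manifest < "$f" && echo "$f: ok"
done
# Then, from any host where oc is logged in to the cluster:
#   oc apply -f "$out/ldap-bind-secret.yaml" -f "$out/baw-db-secret.yaml"
# To confirm what the cluster stores without echoing the plaintext to the terminal:
#   oc get secret ldap-bind-secret -o jsonpath='{.data.ldapPassword}' | base64 -d | od -c | tail -n 2
```

If you would rather not hand-encode at all, oc create secret generic ldap-bind-secret --from-file=ldapUsername=./bind-dn --from-file=ldapPassword=./bind-pw encodes the file contents for you, but files saved from an editor normally end in a newline, so the same trailing-newline check applies to that route as well.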

What to do next

There are optional steps you can do next.

After you've done any optional steps and prepared for each capability that you want to install, deploy the custom resource (CR) file. See Creating a production deployment.