By default, IBM Z ChatOps stores the encryption key in a file. For more security, you can store
the encryption key in the system keyring instead. Follow the steps below to store the encryption
key in the system keyring.
About this task
Before you can use the keyring to store the encryption key, you must install the following
packages, and your Z ChatOps server requires internet access. The IBM Z ChatOps container is
based on Red Hat UBI 8.6, and its default yum repository does not provide the following packages,
so if you run IBM Z ChatOps in a container, you must configure your own yum repository and install
the following packages in the IBM Z ChatOps container.
Procedure
- Unlock the keyring.
- For a native user, issue the following commands to unlock the keyring.
export $(dbus-launch)
gnome-keyring-daemon -r --unlock --components=secrets
Note: The gnome-keyring-daemon will prompt you to specify your login password. Press Ctrl+D twice
after you specify the password. If you are not asked to specify the password, you can use the
following command to pass the password.
echo -n <your login password> | gnome-keyring-daemon -r --unlock --components=secrets
- For a container user:
- Run the following command to open an interactive bash shell in the running IBM Z ChatOps
container.
./bnzContainer.sh shell
- Issue the following commands to unlock the keyring. dbus-run-session opens an sh shell; the
steps and commands that follow, especially the bnzsvr restart command, must be run inside that
shell.
dbus-run-session -- sh
echo -n "$" | gnome-keyring-daemon -r -d --unlock
Note: If you use the keyring to store the encryption key in a container, you must always run
these commands before you use the bnzsvr command to start Z ChatOps. You can also restart
Z ChatOps with the bnzContainer.sh script by running ./bnzContainer.sh restart.
- Follow Configuring Z ChatOps server and set encryptionKeyStore to keyring.
- If you configured the SMU data provider, you must replace the encrypted userPassword and
adminUserPassword with the real passwords in $ZCHATOPS_HOME/config/smu-server.yaml.
- If you configured the ZWS data provider, you must replace the encrypted userPassword with the
real password in $ZCHATOPS_HOME/config/zws-server.yaml.
- Replace the encrypted passwords or tokens with the real passwords in your chat tool
configuration file, which is located in $ZCHATOPS_HOME/config/chattools/<chat_tool>.yaml.
- Use the following command to reset the credential.json file to an empty array.
echo "[]" > $ZCHATOPS_HOME/config/.credential.json
Note: This will clear all your saved credentials. You need to specify the password and save it
again when IBM Z ChatOps restarts.
- Restart IBM Z ChatOps.
bnzsvr restart
Note: If you fail to restart IBM Z ChatOps and you see the following error in
$ZCHATOPS_HOME/logs/nohup.out:
Failed to get the secret
Error: /opt/ibm/zchatops/node_modules/keytar/build/Release/keytar.node: invalid ELF header
at Object.Module._extensions..node (node:internal/modules/cjs/loader:1189:18)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Module.require (node:internal/modules/cjs/loader:1005:19)
at require (node:internal/modules/cjs/helpers:102:18)
at Object.<anonymous> (/opt/ibm/zchatops/node_modules/keytar/lib/keytar.js:1:14)
at Module._compile (node:internal/modules/cjs/loader:1105:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
This error occurs because the preinstalled keytar is not compatible with your system. Issue the
following commands to reinstall the packages and restart IBM Z ChatOps. This requires internet
access.
cd $ZCHATOPS_HOME
rm -rf node_modules/
npm install
bnzsvr restart
Note: If you use a container, you can run the exit command to exit the dbus session after
Z ChatOps runs as expected.
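
The keytar error above means the loader did not accept keytar.node as a native module for this system. The following shell helper is an added example, not part of IBM Z ChatOps or its documentation: it reads the file header to report whether the addon is an ELF object and for which architecture, so you can check it before and after npm install. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical.
# Usage: addon_matches_host "$ZCHATOPS_HOME/node_modules/keytar/build/Release/keytar.node"

# Print "not-elf", or "elf <bits> <machine>" as read from the ELF header.
addon_format() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    # First 20 header bytes as hex words: $1-$4 magic, $5 class,
    # $6 byte order, $19-$20 e_machine (file offsets 18 and 19).
    set -- $(od -An -tx1 -N20 "$1")
    [ "$1$2$3$4" = "7f454c46" ] || { echo "not-elf"; return 1; }
    case $5 in 01) bits=32 ;; 02) bits=64 ;; *) bits=unknown ;; esac
    case $6 in
        01) code="${20}${19}" ;;   # little-endian: low byte stored first
        02) code="${19}${20}" ;;   # big-endian: high byte stored first
        *)  code="" ;;
    esac
    case $code in
        003e) machine=x86_64 ;;    # EM_X86_64
        00b7) machine=aarch64 ;;   # EM_AARCH64
        0016) machine=s390x ;;     # EM_S390 (s390x when the class is 64-bit)
        *)    machine=unknown ;;
    esac
    echo "elf $bits $machine"
}

# Succeed only if the addon is a 64-bit ELF object for the wanted architecture
# (second argument, defaulting to this host's `uname -m`).
addon_matches_host() {
    want=${2:-$(uname -m)}
    got=$(addon_format "$1") || true
    if [ "$got" = "elf 64 $want" ]; then
        echo "ok: $1 is built for $want"
    else
        echo "mismatch: $1 is '$got', host needs 'elf 64 $want'"
        return 1
    fi
}
```

A "not-elf" or wrong-architecture result for keytar.node is the case where the rm -rf node_modules/ and npm install steps above are needed.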