Configuring an integration server vault

You can configure an integration server vault to store credentials, which can then be used by the integration server to access secured resources.

Before you begin

Read Configuring an IBM App Connect Enterprise vault.

About this task

An integration server vault is an App Connect Enterprise vault that can be used by a specific integration server. The vault is created in the integration server's work directory and can be accessed only by that integration server.

Procedure

You can configure an integration server vault by using one of the following methods.

  • Using the IBM App Connect Enterprise Toolkit

    You can use the IBM App Connect Enterprise Toolkit to manage credentials in an integration server vault. The Integration Explorer view of the Toolkit provides options to create, update, or delete a credential in an integration server vault. The credentials that are stored in an integration server vault are listed in a section called Credentials, which is shown under each integration server in the Integration Explorer view. You can create credentials in the vault by right-clicking Credentials and then clicking Create credential. You can update or delete a credential by selecting it from the list of credentials in the vault and then using the Update credential or Delete credential options.

  • Using the Connector Discovery wizard

    When you configure a discovery connector request node or input node by using the Connector Discovery wizard, you specify the vault that will be used to store the credentials for connecting to the endpoint application (such as Salesforce or Trello). By default, these credentials are stored in an external directory vault, which is an IBM App Connect Enterprise vault that can be used by any integration server. Alternatively, you can choose to store the credentials in an integration server vault, which is created in the integration server's work directory and can be used only by that integration server.

    Complete the following steps to configure an integration server vault during connector discovery:
    1. Ensure that the integration server is not running. If you attempt to run connector discovery when the integration server is running, you will need to stop it before launching the Connector Discovery wizard again (in step 3).
    2. By default, credentials are stored in an external directory vault, rather than an integration server vault. If you want to specify an integration server vault during connector discovery, you must first enable the option by completing the following steps:
      1. In the IBM App Connect Enterprise Toolkit, select Window > Preferences > Integration development > Vault settings.
      2. Select Enable use of an integration server vault.
      3. Click Apply and close.

        The option to use an integration server vault is now enabled and will be visible in the Connector Discovery wizard the next time it is started (see step 3).

    3. Start the Connector Discovery wizard by clicking Launch connector discovery in the property editor for the connector node that you want to configure. For more information, see Discovery connector nodes.
    4. Select Use an integration server vault, click Browse and select the integration server's work directory folder.

    For more information about configuring connector request or input nodes by using connector discovery, see Discovery connector nodes.

  • Using the ibmint security commands

    You can use the ibmint security commands to create or delete a vault, to change or verify a vault key, and to manage the credentials that are stored in the vault. The vault stores the records in encrypted form. An integration server vault is created in the integration server's work directory, and the credentials that are stored in an integration server vault can be accessed only by that integration server. For more information, see the command topics that are listed in the following table.

    Table 1. Security ibmint commands

    Command name                    | Topic reference
    ibmint create vault             | ibmint create vault command
    ibmint delete vault             | ibmint delete vault command
    ibmint display credentials      | ibmint display credentials command
    ibmint display credential-types | ibmint display credential-types command
    ibmint export credentials       | ibmint export credentials command
    ibmint import credentials       | ibmint import credentials command
    ibmint set credential           | ibmint set credential command
    ibmint unset credential         | ibmint unset credential command
    ibmint update vault-key         | ibmint update vault-key command
    ibmint update vaultrc           | ibmint update vaultrc command

  • Using the mqsivault command

    You can use the mqsivault command to create or destroy a vault, to change or verify a vault key, or to retrieve credentials from the vault. The vault stores the records in encrypted form. An integration server vault is created in the integration server's work directory, and credentials that are stored in an integration server vault can be accessed only by that integration server.

    You can copy the contents of a vault into another vault by using the import and export options of the mqsivault command. Use the --export parameter to copy the contents of a vault into a temporary archive (.zip file), and then use the --import parameter to import the contents of the archive file into the target vault. The values of the vault entries in the archive are symmetrically encrypted and decrypted with an archive key.

    For more information about using the mqsivault command to configure a vault, see mqsivault command and Configuring encrypted security credentials.

    For information about creating, updating, retrieving, or deleting the security credentials, see mqsicredentials command.
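
    The export and import flow described above for the mqsivault command, as an added example that is not IBM's code: it copies one integration server vault into another and removes the temporary archive afterward. Only --export and --import appear on this page; the other parameter names, the MQSIVAULT override, the function name, and the environment variable names are assumptions to confirm against the mqsivault command topic.

```shell
#!/usr/bin/env bash
# Added example: copy one integration server vault into another through a
# short-lived export archive. Not IBM's code.
# ASSUMPTION: --work-dir, --vault-key, --archive and --archive-key are taken
# to be the mqsivault parameter names; confirm them in the command topic.

MQSIVAULT="${MQSIVAULT:-mqsivault}"   # hypothetical override, for dry runs

# copy_vault SRC_WORK_DIR DST_WORK_DIR
# Keys are read from SRC_VAULT_KEY, DST_VAULT_KEY and ARCHIVE_KEY so they are
# not hard-coded here. They still appear in the process list while mqsivault
# runs, so use a host without untrusted local users.
copy_vault() (
  src_dir="$1"; dst_dir="$2"
  : "${SRC_VAULT_KEY:?set SRC_VAULT_KEY}"
  : "${DST_VAULT_KEY:?set DST_VAULT_KEY}"
  : "${ARCHIVE_KEY:?set ARCHIVE_KEY}"
  if [ "$src_dir" = "$dst_dir" ]; then
    echo "source and target work directories are the same" >&2
    exit 2
  fi

  umask 077                          # archive readable by its owner only
  tmp="$(mktemp -d)" || exit 1
  trap 'rm -rf "$tmp"' EXIT          # archive is removed on every exit path
  archive="$tmp/vault-export.zip"

  # Export the source vault into the temporary archive (.zip file).
  "$MQSIVAULT" --work-dir "$src_dir" --vault-key "$SRC_VAULT_KEY" \
    --export --archive "$archive" --archive-key "$ARCHIVE_KEY" || exit 1

  # Import the archive into the target vault with the same archive key.
  "$MQSIVAULT" --work-dir "$dst_dir" --vault-key "$DST_VAULT_KEY" \
    --import --archive "$archive" --archive-key "$ARCHIVE_KEY" || exit 1
)
```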