Creating secrets to protect sensitive configuration data

A secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Before you install IBM Business Automation Workflow, you must create secrets manually for LDAP, Business Automation Workflow, User Management Service (UMS), Business Automation Studio, Application Engine, Resource Registry, IBM FileNet® Content Manager, and IBM Business Automation Navigator.

About this task

All values under data in each secret must be Base64 encoded. To get a Base64-encoded string, run the following command:
echo -n "<sample_string>" | base64
The output is the Base64-encoded result.
Important: Make sure each secret has fewer than 20 characters.

Procedure

  1. An LDAP server is required before you install Business Automation Workflow. Create required secrets for LDAP.
    1. Save the following content in a YAML file named, for example, ldap-bind-secret.yaml.
      LDAP secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ldap-bind-secret
      type: Opaque
      data:
        ldapUsername: <LDAP_BIND_DN>
        ldapPassword: <LDAP_PASSWORD>
      where:
      • ldapUsername corresponds to the bindDN property of your LDAP server, Base64-encoded
      • ldapPassword corresponds to the bindPassword property of your LDAP server, Base64-encoded
    2. On the OpenShift main node, run the following command for the YAML file:
      oc apply -f YAML_file_name
    3. In your custom resource file:
      • Specify the hostname of your LDAP server as the ldap_configuration.lc_ldap_server property.
      • Specify the secret name that you created above as the ldap_configuration.lc_bind_secret property.
  2. Create required secrets for Business Automation Workflow.
    1. Save the following content in a separate YAML file for each secret.
      All values under data in the secret must be Base64 encoded.
      Business Automation Workflow database secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-wfs-server-db-secret
      type: Opaque
      data:
        dbUser: <DB_USER>
        password: <DB_USER_PASSWORD>
      where dbUser and password are the database username and password. Ensure all values under data are Base64 encoded.

      Optional: Process Federation Server secret:

      If you don't create this secret, the operator generates a secret with random values during installation.

      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-pfs-admin-secret
      type: Opaque
      data:
        ltpaPassword: <LTPA_PASSWORD>
        oidcClientPassword: <OIDC_CLIENT_PASSWORD>
        sslKeyPassword: <SSL_KEY_PASSWORD>
      • ltpaPassword is used to set the LTPA password
      • oidcClientPassword is registered at UMS as the OIDC client password
      • sslKeyPassword is used as the keystore and truststore password
      • All values under data are Base64-encoded.
      Optional: Workflow server admin secret. This secret is used to integrate with other servers, such as UMS. You must set the Workflow Server admin secret name in workflow_authoring_configuration.admin_secret_name; the operator then creates the secret automatically. If you want to create the secret manually instead, use the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-admin-secret
      type: Opaque
      data:
        sslKeyPassword: <SSL_KEY_PASSWORD>
        oidcClientPassword: <OIDC_CLIENT_PASSWORD>
      where:
      • sslKeyPassword is used as the keystore and truststore password
      • oidcClientPassword is used as the OIDC client password
      • All values under data are Base64-encoded.
    2. On the OpenShift master node, run the following command for each YAML file:
      oc apply -f YAML_file_name
  3. Create required secrets for UMS by following the steps in Creating the UMS database admin secret.
  4. Create required secrets for Business Automation Studio and Application Engine playback engine by following the instructions in Creating secrets to protect sensitive configuration data.
  5. Create required secrets for Application Engine by following the instructions in Creating secrets to protect sensitive configuration data. These instructions also include creating a secret for Resource Registry.
  6. Create required secrets for IBM Business Automation Navigator by following the instructions in Creating secrets to protect sensitive Business Automation Navigator configuration data.
  7. Create required secrets for IBM FileNet Content Manager by following the instructions in Creating secrets to protect sensitive IBM FileNet Content Manager configuration data.
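The following shell script is an added example, not part of the IBM documentation or of the operator, that automates the Base64 step from About this task and the manifests from steps 1 and 2. It encodes each value with printf (the portable equivalent of the page's echo -n), renders an Opaque Secret manifest, and checks a finished manifest for values whose decoded form ends in a newline, which is what a plain echo without -n produces. The secret and key names are the ones on this page; the bind DN, passwords, database user and output file names are constructed sample values and assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: render Secret manifests with
# correctly Base64-encoded values and check a manifest for the "echo without
# -n" mistake. Secret and key names are from the page; all credential values
# below are constructed samples.

# Base64-encode one value with no trailing newline and no line wrapping.
# printf '%s' is the portable form of the page's `echo -n`.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Round-trip check: encode, decode, and compare with the original value.
b64_roundtrip_ok() {
    [ "$(printf '%s' "$1" | base64 | base64 -d)" = "$1" ]
}

# Render an Opaque Secret. Usage: render_secret NAME key=value [key=value ...]
# Only the first '=' separates key from value, so a bind DN such as
# cn=admin,dc=example,dc=com passes through intact.
render_secret() {
    name="$1"
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key="${kv%%=*}"
        val="${kv#*=}"
        printf '  %s: %s\n' "$key" "$(b64 "$val")"
    done
}

# Scan the data: block of a manifest and report every value whose decoded
# form ends in a newline (the result of `echo "<value>" | base64` without -n).
# Returns 0 when no such value is found, 1 otherwise.
check_no_trailing_newline() {
    file="$1"
    in_data=0
    bad=0
    nl='
'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            data:) in_data=1; continue ;;
            ' '*) ;;                      # indented line: a candidate entry
            *) in_data=0; continue ;;     # any other top-level key ends data:
        esac
        [ "$in_data" -eq 1 ] || continue
        key="$(printf '%s' "${line%%:*}" | tr -d ' ')"
        val="${line#*: }"
        # Append a sentinel so the command substitution cannot eat the
        # trailing newline we are looking for, then remove it again.
        decoded="$(printf '%s' "$val" | base64 -d; printf 'x')"
        decoded="${decoded%x}"
        case "$decoded" in
            *"$nl") echo "trailing newline in value of $key" >&2; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample values (not real credentials).
SAMPLE_DN='cn=admin,dc=example,dc=com'
SAMPLE_PW='S3cret!'
GOOD_FILE='ldap-bind-secret.yaml'         # assumed file name, as in step 1
BAD_FILE='ldap-bind-secret-bad.yaml'      # deliberately wrong, for the check

render_secret ldap-bind-secret "ldapUsername=$SAMPLE_DN" "ldapPassword=$SAMPLE_PW" > "$GOOD_FILE"
render_secret ibm-baw-wfs-server-db-secret "dbUser=bawuser" "password=$SAMPLE_PW" > ibm-baw-wfs-server-db-secret.yaml

# Same manifest, but with the password encoded by a plain echo: the value now
# carries a newline, which the check reports.
{
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: ldap-bind-secret\ntype: Opaque\ndata:\n'
    printf '  ldapUsername: %s\n' "$(b64 "$SAMPLE_DN")"
    printf '  ldapPassword: %s\n' "$(echo "$SAMPLE_PW" | base64)"
} > "$BAD_FILE"

check_no_trailing_newline "$GOOD_FILE" && echo "$GOOD_FILE: OK, apply with: oc apply -f $GOOD_FILE"
check_no_trailing_newline "$BAD_FILE" || echo "$BAD_FILE: rejected"
```

Run the check against every manifest before oc apply: a value that decodes with a trailing newline is accepted by the API server without complaint, and the bind or database login then fails later with a misleading authentication error.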