Creating secrets to protect sensitive configuration data
Before you install IBM Business Automation Studio, create secrets manually to protect the configuration data you are going to enter.
Procedure
- To create the required secrets for Business Automation Studio, the Application Engine playback server, and IBM Resource Registry, copy the following examples into files and edit the files based on your requirements.
  Note: To customize the name of a secret, replace icp4adeploy with your own prefix, and then use the new name in the custom resource YAML file.
  For Business Automation Studio:
  apiVersion: v1
  kind: Secret
  metadata:
    name: icp4adeploy-bas-admin-secret
  type: Opaque
  stringData:
    dbUsername: "Your Studio database username"
    dbPassword: "Your Studio database password"
  For the Application Engine playback server:
  apiVersion: v1
  kind: Secret
  metadata:
    name: playback-server-admin-secret
  type: Opaque
  stringData:
    AE_DATABASE_PWD: "Your App Engine database password"
    AE_DATABASE_USER: "Your App Engine database username"
    REDIS_PASSWORD: "password"
  where REDIS_PASSWORD is required if you are using Redis for session persistence. Otherwise, it is ignored.
  Notes:
  - The secret name of the Application Engine playback server must be different from the Application Engine secret name.
  - If you are using PostgreSQL client authentication, you can remove dbPassword from the Business Automation Studio file and AE_DATABASE_PWD from the Application Engine playback server secret file.
  Optional: For Resource Registry:
  apiVersion: v1
  kind: Secret
  metadata:
    name: icp4adeploy-rr-admin-secret
  type: Opaque
  stringData:
    rootPassword: "passw0rd"
    readUser: "reader"
    readPassword: "readerpwd"
    writeUser: "writer"
    writePassword: "writerpwd"
  Notes:
  - readUser and writeUser don't need to be your LDAP user.
  - The values shown are placeholders. Replace every password before you create the secret; do not deploy the sample values.
  - If you don't create this secret, the operator generates a secret with random values during installation.
  Optional: For encryption keys:
  apiVersion: v1
  kind: Secret
  metadata:
    name: ibm-iaws-shared-key-secret
  type: Opaque
  stringData:
    encryptionKey: ""
    aeEncryptionKey: ""
    aeEncryptionSalt: ""
  where:
  - encryptionKey and aeEncryptionKey must contain ASCII letters, and the length must be greater than or equal to 16. If the length of encryptionKey does not meet the requirement, the operator replaces the value you set with a random string of characters that meets the length requirement.
  - aeEncryptionSalt must contain ASCII letters, and the length must be greater than or equal to 6.
  Notes:
  - If you want to compress and export an application project to Business Automation Studio, specify the encryption key (aeEncryptionKey) and the encryption salt value (aeEncryptionSalt) in shared_configuration.encryption_key_secret. These values are used to encrypt the information in the exported file.
  - You can either create the secret before installation and provide the name of the secret as the value of encryption_key_secret, or modify the existing secret to add aeEncryptionKey and aeEncryptionSalt after installation.
  - Save the files as YAML files, for example, rr.yaml, ae.yaml, and bas.yaml. Make sure that you edit the files based on your requirements. The files hold the credentials in plain text, so keep them out of version control and delete or protect them after the secrets are created.
- For each file, run the following command to create the secrets:
  oc create -f xxx.yaml
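The operator only repairs a non-compliant encryptionKey (by replacing it with a random value); a bad aeEncryptionKey or aeEncryptionSalt is not fixed for you, so it is worth checking the values before the secret is created. The following script is an added example and is not part of the IBM documentation or product: it validates the three shared-key values against the rules stated above, generates compliant random values, and renders the ibm-iaws-shared-key-secret manifest. It assumes a POSIX shell with tr and head and a readable /dev/urandom; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's code. Validates the shared-key secret values
# against the documented rules (encryptionKey and aeEncryptionKey: ASCII
# letters only, at least 16; aeEncryptionSalt: ASCII letters only, at least 6)
# and renders the Secret manifest on stdout.
# Assumptions: POSIX sh, tr, head, /dev/urandom. Function names are hypothetical.

# is_ascii_letters VALUE MINLEN: succeeds if VALUE consists only of ASCII
# letters and is at least MINLEN characters long.
is_ascii_letters() {
    value=$1
    minlen=$2
    case "$value" in
        '') return 1 ;;               # empty value is never acceptable
        *[!A-Za-z]*) return 1 ;;      # anything that is not an ASCII letter
    esac
    [ "${#value}" -ge "$minlen" ]
}

# random_letters N: prints N random ASCII letters with no trailing newline.
random_letters() {
    LC_ALL=C tr -dc 'A-Za-z' </dev/urandom | head -c "$1"
}

# check_shared_keys KEY AEKEY SALT: succeeds only if all three values comply;
# the first failing field is reported on stderr.
check_shared_keys() {
    is_ascii_letters "$1" 16 || { echo "encryptionKey: need at least 16 ASCII letters" >&2; return 1; }
    is_ascii_letters "$2" 16 || { echo "aeEncryptionKey: need at least 16 ASCII letters" >&2; return 1; }
    is_ascii_letters "$3" 6  || { echo "aeEncryptionSalt: need at least 6 ASCII letters" >&2; return 1; }
}

# render_shared_key_secret NAME KEY AEKEY SALT: prints the Secret manifest,
# or prints nothing and fails when a value breaks the rules.
render_shared_key_secret() {
    check_shared_keys "$2" "$3" "$4" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
stringData:
  encryptionKey: "$2"
  aeEncryptionKey: "$3"
  aeEncryptionSalt: "$4"
EOF
}

# Run with --render to generate fresh values and print the manifest, e.g.
#   sh shared-key-secret.sh --render | oc create -f -
if [ "${1:-}" = "--render" ]; then
    render_shared_key_secret ibm-iaws-shared-key-secret \
        "$(random_letters 32)" "$(random_letters 32)" "$(random_letters 8)"
fi
```

Piping the rendered manifest straight into oc create avoids leaving a file with the keys on disk. Because the page says these values encrypt exported application projects, record where the generated values are kept (the secret itself), since an export cannot be read back without them.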
- Optional: If you want to connect to your database server by SSL, create a secret for your database server for Business Automation Studio and Application Engine playback server.
  Note: Before you begin, make sure that your database is configured to connect by SSL:
  - For Db2®, see Encryption of data in transit.
  - For Oracle, see the Oracle document Enabling Secure Sockets Layer for how to configure SSL/TLS encrypted connections.
  - For Db2:
    - Export your certificate by running the following command on your local or remote database server. For example, the following GSKCapiCmd command extracts the certificate to a file called mydbserver.crt:
      gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -target "mydbserver.crt" -format ascii
      The -pw value is the password of the key database; supply it in a way that keeps the real password out of your shell history.
    - Copy your database certificate mydbserver.crt to any directory of your cluster, and create the secret for your database server by running the following command on your cluster:
      kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certificate-path>/mydbserver.crt
    - Put the secret <your-secret-name> into the configuration parameters:
      - bastudio_configuration.database.certificate_secret_name for Business Automation Studio (see IBM Business Automation Studio configuration parameters).
      - bastudio_configuration.playback_server.database.db_cert_secret_name for Application Engine playback server (see IBM Business Automation Studio parameters).
  - For Oracle:
    - Database Server Wallet Secret for Business Automation Studio and Application Engine playback server:
      - Export your certificate by running the following command on your local or remote database server (the following example is for Linux®):
        orapki wallet export -wallet <the-path-to-your-wallet-file> -pwd <your-wallet-file-password> -dn "CN=`hostname`" -cert /tmp/<your-certificate-name>.crt
      - Copy the certificate that you exported in the previous step to your cluster, and create the secret for your database server by running the following command on your cluster:
        kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-certificate-name>.crt
      - Put the secret <your-secret-name> into the configuration parameters:
        - bastudio_configuration.database.certificate_secret_name for Business Automation Studio. See IBM Business Automation Studio configuration parameters.
        - bastudio_configuration.playback_server.database.db_cert_secret_name for Application Engine playback server. See IBM Business Automation Studio parameters.
    - Database Server Wallet SSO Secret only for Application Engine playback server:
      - Get the wallet SSO file cwallet.sso on your local or remote database server. You can find it in the wallet installation directory on your database server.
      - Copy this wallet SSO file to any directory of your cluster, and create a secret by running the following command on your cluster:
        kubectl create secret generic <your-oracle-sso-secret-name> --from-file=cwallet.sso=<your-oracle-sso-wallet-file-path>/cwallet.sso
      - Put the secret <your-oracle-sso-secret-name> into bastudio_configuration.playback_server.database.db_cert_secret_name for Application Engine playback server. See Application Engine configuration parameters.
      Note: For the Oracle SSL configuration, you must create an Auto-Login Wallet (cwallet.sso) that is associated with a PKCS#12 wallet. See the Oracle documentation Managing Public Key Infrastructure (PKI) Elements for more details on how to create an auto-login wallet that is associated with a PKCS#12 wallet. An auto-login wallet is not password protected, so anyone who can read the secret can use the wallet's keys; restrict read access to the secret with RBAC.
  - For PostgreSQL:
    - Server Authentication:
      - Get your database certificate on your local or remote database server. Its location is given by the ssl_cert_file parameter in /var/lib/pgsql/<version>/data/postgresql.conf.
      - Copy your database certificate mydbserver.crt to any directory of your cluster, and create the secret for your database server by running the following command on your cluster:
        kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certificate-path>/mydbserver.crt
        Note: For your database certificate mydbserver.crt, keep only the following information:
        -----BEGIN CERTIFICATE-----
        MIIDHzCCAgegAwIBAgIUQM8TxJNP8kAEwAzJxBmMl4qIRe8wDQYJKoZIhvcNAQEL
        BQAwHzEdMBsGA1UEAwwUZ3JpcHBlMS5meXJlLmlibS5jb20wHhcNMjAwOTA4MDMy
        ……
        ……
        -----END CERTIFICATE-----
    - Client Authentication:
      - Get your database certificates on your local or remote database server. You can get them from the location /var/lib/pgsql/<version>/data by default.
      - Copy your database certificates client.crt, client.key, and root.crt to any directory of your cluster, and create the secret for your database server by running the following command on your cluster:
        kubectl create secret generic <your-secret-name> --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt=root.crt --from-literal=sslmode=<require|verify-ca|verify-full>
        Choose sslmode deliberately: require only encrypts the connection and does not verify the server certificate, verify-ca checks the server certificate against root.crt, and verify-full additionally checks that the server host name matches the certificate. Use verify-full where possible, and protect client.key, which is a private key, wherever you copy it.
    - Put the secret <your-secret-name> into the configuration parameters:
      - bastudio_configuration.database.certificate_secret_name for Business Automation Studio. See IBM Business Automation Studio configuration parameters.
      - bastudio_configuration.playback_server.database.db_cert_secret_name for Application Engine playback server. See IBM Business Automation Studio parameters.
  - For Microsoft SQL Server:
    - Get your database certificate on your local or remote database server by following the document Enable encrypted connections to the Database Engine. Convert the certificate of your SQL Server database to a PEM .crt file by using OpenSSL, for example mydbserver.crt.
    - Copy your database certificate mydbserver.crt to any directory of your cluster, and create the secret for your database server by running the following command on your cluster:
      kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certificate-path>/mydbserver.crt
    - Put the secret <your-secret-name> into the configuration parameters:
      - bastudio_configuration.database.certificate_secret_name for Business Automation Studio. See IBM Business Automation Studio parameters.
      - bastudio_configuration.playback_server.database.db_cert_secret_name for Application Engine playback server. See IBM Business Automation Studio parameters.
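Two things go wrong most often in the database SSL step above: a certificate file that carries text outside the BEGIN/END CERTIFICATE block (the PostgreSQL note says to keep only that block), and a client-authentication secret created with a weak or misspelled sslmode. The following script is an added example and is not part of the IBM documentation or product. It trims a certificate file to its PEM block and builds the kubectl command for the PostgreSQL client-authentication secret after checking the inputs; it assumes a POSIX shell with awk and find, and every file, secret and function name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's code. Helpers for the database TLS secrets:
#  - pem_cert_only trims a server certificate file to its first
#    BEGIN/END CERTIFICATE block (some tools print readable text around it).
#  - pg_client_secret_cmd prints the kubectl command for the PostgreSQL
#    client-authentication secret after validating sslmode and the files.
# Assumptions: POSIX sh with awk and find; kubectl is only needed to run the
# printed command. Names are hypothetical.

# pem_cert_only IN OUT: writes the first certificate block of IN to OUT and
# fails if IN has no complete BEGIN/END CERTIFICATE block.
pem_cert_only() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ && inblock { found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$1" >"$2"
}

# pg_client_secret_cmd NAME CRT KEY CA MODE: prints the kubectl command for a
# PostgreSQL client-authentication secret. Fails on an unknown sslmode or an
# unreadable file; warns when the private key is world-readable or when
# sslmode=require is chosen, since require does not verify the server.
pg_client_secret_cmd() {
    name=$1; crt=$2; key=$3; ca=$4; mode=$5
    case "$mode" in
        require|verify-ca|verify-full) ;;
        *) echo "sslmode must be require, verify-ca or verify-full (got '$mode')" >&2; return 1 ;;
    esac
    for f in "$crt" "$key" "$ca"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "warning: $key is world-readable; chmod 600 it before copying it anywhere" >&2
    fi
    if [ "$mode" = require ]; then
        echo "warning: sslmode=require does not verify the server certificate; prefer verify-full" >&2
    fi
    printf 'kubectl create secret generic %s --from-file=tls.crt=%s --from-file=tls.key=%s --from-file=ca.crt=%s --from-literal=sslmode=%s\n' \
        "$name" "$crt" "$key" "$ca" "$mode"
}

# Example flow (replace the paths and names with your own):
#   pem_cert_only server.crt mydbserver.crt
#   kubectl create secret generic db-server-cert --from-file=tls.crt=mydbserver.crt
#   pg_client_secret_cmd db-client-tls client.crt client.key root.crt verify-full | sh
```

The same pem_cert_only step applies to the Db2, Oracle and SQL Server certificates: whatever the exporting tool adds around the PEM body, the secret's tls.crt should contain only the certificate block. Once the secrets exist, check the result with kubectl get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d rather than by reading the files you copied to the cluster, and delete those copies.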
- Optional: For Business Automation Studio, to customize the Liberty configuration to include additional authData, create the following secret to include your customized data.
  - Copy the following example into your files and update it as necessary.
    apiVersion: v1
    kind: Secret
    metadata:
      name: <your_secret_name>
    type: Opaque
    stringData:
      sensitiveCustom.xml: |+
        <?xml version="1.0" encoding="UTF-8"?>
        <server>
          <logging traceSpecification="*=info:WLE.*=all"/>
        </server>
  - Create the secret by running the following command on your cluster:
    oc create -f xxx.yaml
  - Put the secret <your_secret_name> into the configuration parameters. For Business Automation Studio, use the bastudio_configuration.custom_secret_name parameter. For more information, see Business Automation Studio configuration parameters.