Creating secrets to protect sensitive configuration data

Before you install IBM Business Automation Studio, create secrets manually to protect the configuration data you are going to enter.

Procedure

  1. To create the required secrets for Business Automation Studio, the Application Engine playback server, and IBM Resource Registry, copy the following examples into files and edit the files based on your requirements.
    Note: To customize the name of the secret, you can replace icp4adeploy with your value. Then, update the custom resource YAML file.
    For Business Automation Studio:
    apiVersion: v1
    kind: Secret
    metadata:
      name: icp4adeploy-bas-admin-secret
    type: Opaque
    stringData:
      dbUsername: "Your Studio database username"
      dbPassword: "Your Studio database password"
    For the Application Engine playback server:
    apiVersion: v1
    kind: Secret
    metadata:
      name: playback-server-admin-secret
    type: Opaque
    stringData:
      AE_DATABASE_PWD: "Your App Engine database password"
      AE_DATABASE_USER: "Your App Engine database username"
      REDIS_PASSWORD: "password"
    
    where REDIS_PASSWORD is required if you are using Redis for session persistence. Otherwise, it is ignored.
    Notes:
    • The secret name of the Application Engine playback server must be different from the Application Engine secret name.
    • If you are using PostgreSQL client authentication, you can remove dbPassword from the Business Automation Studio file and AE_DATABASE_PWD from the Application Engine playback server secret file.
    Optional: For Resource Registry:
    apiVersion: v1
    kind: Secret
    metadata:
      name: icp4adeploy-rr-admin-secret
    type: Opaque
    stringData:
      rootPassword: "passw0rd"
      readUser: "reader"
      readPassword: "readerpwd"
      writeUser: "writer"
      writePassword: "writerpwd"
    Notes:
    • readUser and writeUser do not need to be LDAP users.
    • If you do not create this secret, the operator generates one with random values during installation.
    Optional: For encryption keys:
    apiVersion: v1
    kind: Secret
    metadata:
      name: ibm-iaws-shared-key-secret
    type: Opaque
    stringData:
      encryptionKey: ""
      aeEncryptionKey: ""
      aeEncryptionSalt: ""
    where:
    • encryptionKey and aeEncryptionKey must contain ASCII letters, and the length must be greater than or equal to 16. If encryptionKey does not meet the length requirement, the operator replaces the value you set with a random string of characters that meets it.
    • aeEncryptionSalt must contain ASCII letters, and the length must be greater than or equal to 6.
    Note:
    • If you want to compress and export an application project to Business Automation Studio, specify the encryption key (aeEncryptionKey) and encryption salt value (aeEncryptionSalt) in shared_configuration.encryption_key_secret. These values are used to encrypt the contents of the exported file.
    • You can either create the secret before installation and provide the name of the secret as the value of encryption_key_secret, or modify the existing secret to add aeEncryptionKey and aeEncryptionSalt after installation.
  2. Save the files as YAML files, for example, rr.yaml, ae.yaml, and bas.yaml. Make sure that you edit the files based on your requirements.
  3. For each file, run the following command to create the secrets:
    oc create -f xxx.yaml
  4. Optional: If you want to connect to your database server over SSL, create a secret for your database server for Business Automation Studio and the Application Engine playback server.
    Note: Before you begin, make sure that your database is configured for SSL connections:
    • For Db2:
      1. Export your certificate by running the following command on your local or remote database server. For example, the following GSKCapiCmd command extracts the certificate into a file called mydbserver.crt:
        gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -target "mydbserver.crt" -format ascii
      2. Copy the database certificate mydbserver.crt to any directory on your cluster, and create the secret for your database server by running the following command on your cluster:
        kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certification-path>/mydbserver.crt
      3. Put the secret <your-secret-name> into the configuration parameters:
    • For Oracle:
      1. Database Server Wallet Secret for Business Automation Studio and Application Engine playback server:
        1. Export your certificate by running the following command on your local or remote database server (the following example is for Linux®):
          orapki wallet export -wallet <the-path-to-your-wallet-file> -pwd <your-wallet-file-password> -dn "CN=`hostname`" -cert /tmp/<your-certification-name>.crt
        2. Copy the certificate that you exported in the previous step to your cluster, and create the secret for your database server by running the following command on your cluster:
          kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-certification-name>.crt
        3. Put the secret <your-secret-name> into the configuration parameters:
      2. Database Server Wallet SSO Secret only for Application Engine playback server:
        1. Get the wallet SSO file cwallet.sso on your local or remote database server. You can find it in the wallet installation directory on your database server.
        2. Copy this wallet SSO file to any directory of your cluster, and create a secret by running the following command on your cluster:
          kubectl create secret generic <your-oracle-sso-secret-name> --from-file=cwallet.sso=<your-oracle-sso-wallet-file-path>/cwallet.sso
        3. Put the secret <your-oracle-sso-secret-name> into bastudio_configuration.playback_server.database.db_cert_secret_name for the Application Engine playback server. See Application Engine configuration parameters.
      Note: For the Oracle SSL configuration, you must create an Auto-Login Wallet (cwallet.sso) that is associated with a PKCS#12 wallet. See the Oracle documentation Managing Public Key Infrastructure (PKI) Elements for more details on how to create an auto-login wallet that is associated with a PKCS#12 wallet.
    • For PostgreSQL:
      • Server Authentication:
        1. Get your database certificate on your local or remote database server. Its path is the value of the ssl_cert_file parameter in /var/lib/pgsql/<version>/data/postgresql.conf.
        2. Copy the database certificate mydbserver.crt to any directory on your cluster, and create the secret for your database server by running the following command on your cluster:
          kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certification-path>/mydbserver.crt
          Note: In the database certificate mydbserver.crt, keep only the PEM block, that is, only the following information:
          -----BEGIN CERTIFICATE-----
          MIIDHzCCAgegAwIBAgIUQM8TxJNP8kAEwAzJxBmMl4qIRe8wDQYJKoZIhvcNAQEL
          BQAwHzEdMBsGA1UEAwwUZ3JpcHBlMS5meXJlLmlibS5jb20wHhcNMjAwOTA4MDMy
          ……
          ……
          -----END CERTIFICATE-----
          
      • Client Authentication:
        1. Get your database certificates and key on your local or remote database server. By default they are in /var/lib/pgsql/<version>/data.
        2. Copy the files client.crt, client.key, and root.crt to any directory on your cluster, and create the secret for your database server by running the following command on your cluster:
          kubectl create secret generic <your-secret-name> --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt=root.crt --from-literal=sslmode=<require|verify-ca|verify-full>
          Note: You can select any of the listed values for sslmode. For more details, see the SSL Support Page.
      • Put the secret <your-secret-name> into the configuration parameters:
        • bastudio_configuration.database.certificate_secret_name for Business Automation Studio. See IBM Business Automation Studio configuration parameters.
        • bastudio_configuration.playback_server.database.db_cert_secret_name for the Application Engine playback server. See IBM Business Automation Studio parameters.
    • For Microsoft SQL Server:
      1. Get your database certificate on your local or remote database server by following the document Enable encrypted connections to the Database Engine. Convert the certificate of your SQL Server database to a .crt file by using OpenSSL, for example mydbserver.crt.
      2. Copy the database certificate mydbserver.crt to any directory on your cluster, and create the secret for your database server by running the following command on your cluster:
        kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certification-path>/mydbserver.crt
      3. Put the secret <your-secret-name> into the configuration parameters:
  5. Optional: For Business Automation Studio, to customize the Liberty configuration to include additional authData, create the following secret to include your customized data.
    1. Copy the following example into a file and update it as necessary. Note that stringData must be at the same level as metadata and type, and the XML content must be indented under the sensitiveCustom.xml key.
      apiVersion: v1
      kind: Secret
      metadata:
        name: <your_secret_name>
      type: Opaque
      stringData:
        sensitiveCustom.xml: |+
          <?xml version="1.0" encoding="UTF-8"?>
          <server>
              <logging traceSpecification="*=info:WLE.*=all"/>
          </server>
    2. Create the secret by running the following command on your cluster: oc create -f xxx.yaml
    3. Put the secret <your_secret_name> into the configuration parameters. For Business Automation Studio, use the bastudio_configuration.custom_secret_name parameter. For more information, see Business Automation Studio configuration parameters.
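As an added example (not part of the IBM documentation or the operator), the following POSIX shell helpers cover two checks from the procedure above: generating and validating the values for the optional ibm-iaws-shared-key-secret in step 1, so that the operator never silently replaces a too-short encryptionKey, and reducing an exported database certificate to the bare PEM block that the "keep only the following information" note in step 4 asks for. The function names, the sample certificate text, and the reading of "must contain ASCII letters" as "letters only" are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Pre-checks for two of the
# secrets in the procedure: (1) values for ibm-iaws-shared-key-secret, so the
# operator never silently replaces a too-short encryptionKey; (2) reducing an
# exported database certificate to the bare PEM block that tls.crt must hold.
LC_ALL=C; export LC_ALL   # make [A-Za-z] mean ASCII letters only

# Print $1 random ASCII letters drawn from /dev/urandom.
gen_ascii_letters() { tr -dc 'A-Za-z' </dev/urandom | head -c "$1"; }

# Succeed only if $1 consists solely of ASCII letters and is at least $2 long.
check_key() {
  case "$1" in '' | *[!A-Za-z]*) return 1 ;; esac
  [ "${#1}" -ge "$2" ]
}

# Documented minimums: encryptionKey and aeEncryptionKey >= 16, salt >= 6.
check_shared_key_values() {
  check_key "$1" 16 && check_key "$2" 16 && check_key "$3" 6
}

# Emit the Secret manifest on stdout; $1 = name, $2 = encryptionKey,
# $3 = aeEncryptionKey, $4 = aeEncryptionSalt. Refuses values the operator would override.
render_shared_key_secret() {
  check_shared_key_values "$2" "$3" "$4" || {
    echo "shared key values violate the length/character rules" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
stringData:
  encryptionKey: "$2"
  aeEncryptionKey: "$3"
  aeEncryptionSalt: "$4"
EOF
}

# Print only the first BEGIN/END CERTIFICATE block of file $1, dropping any
# text dump or bag attributes around it (what the "keep only" note asks for).
strip_to_pem() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" | sed '/^-----END CERTIFICATE-----$/q'
}

# Usage (assumed names; oc/kubectl are not run here):
#   render_shared_key_secret ibm-iaws-shared-key-secret \
#     "$(gen_ascii_letters 32)" "$(gen_ascii_letters 32)" "$(gen_ascii_letters 8)" | oc create -f -
#   strip_to_pem server.crt > mydbserver.crt
```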

What to do next

To set up your own persistent volume (PV) and persistent volume claim (PVC), see Implementing Storage.