Creating secrets to protect sensitive configuration data

A secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Before you install IBM Business Automation Workflow, you must create secrets manually for LDAP, Business Automation Workflow, Application Engine, Resource Registry, IBM FileNet® Content Manager, and IBM Business Automation Navigator.

About this task

All values under data in each secret must be Base64 encoded. To get a Base64-encoded string, run the following command:
echo -n "<sample_string>" | base64
The output is the Base64-encoded result.

Procedure

  1. An LDAP server is required before you install Business Automation Workflow. Create required secrets for LDAP.
    1. Save the following content in a YAML file named, for example, ldap-bind-secret.yaml.
      LDAP secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ldap-bind-secret
      type: Opaque
      data:
        ldapUsername: <LDAP_BIND_DN>
        ldapPassword: <LDAP_PASSWORD>
      where:
      • ldapUsername corresponds to the bindDN property of your LDAP server, Base64-encoded
      • ldapPassword corresponds to the bindPassword property of your LDAP server, Base64-encoded
    2. On the OpenShift main node, run the following command for the YAML file:
      oc apply -f YAML_file_name
    3. In your custom resource file:
      • Specify the hostname of your LDAP server as the ldap_configuration.lc_ldap_server property.
      • Specify the secret name that you created above as the ldap_configuration.lc_bind_secret property.
  2. Create required secrets for Business Automation Workflow.
    1. Save the following content in a separate YAML file for each secret.
      Optional: Shared encryption key secret - the operator creates it automatically. However, if you want to create the secret manually, use the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: icp4a-shared-encryption-key
      type: Opaque
      data:
        encryptionKey: <ENCRYPTION_KEY>
      The Resource Registry uses encryptionKey to encrypt confidential information, so that the information can be read only by components that hold the same key. Ensure that <ENCRYPTION_KEY> is Base64-encoded.
      Business Automation Workflow database secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-wfs-server-db-secret
      type: Opaque
      data:
        dbUser: <DB_USER>
        password: <DB_USER_PASSWORD>
      where dbUser and password are the database username and password. Ensure all values under data are Base64 encoded.
      Optional: Workflow server admin secret. This secret is used to integrate with other servers, such as UMS. You must set the Workflow Server admin secret name in baw_configuration[x].admin_secret_name and the operator creates it automatically. However, if you want to create the secret manually, use the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-admin-secret
      type: Opaque
      data:
        sslKeyPassword: <SSL_KEY_PASSWORD>
      where:
      • sslKeyPassword is used as the keystore and truststore password.
      • All values under data are Base64-encoded.
    2. On the OpenShift master node, run the following command for each YAML file:
      oc apply -f YAML_file_name
  3. Create required secrets for Application Engine by following the instructions in Creating secrets to protect sensitive configuration data. These instructions also include creating a secret for Resource Registry.
  4. Create required secrets for IBM Business Automation Navigator by following the instructions in Creating secrets to protect sensitive Navigator configuration data.
  5. Create required secrets for IBM FileNet Content Manager by following the instructions in Creating secrets to protect sensitive IBM FileNet Content Manager configuration data.
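  The following shell script is an added example; it is not part of the IBM documentation or the product. It automates the pattern used in steps 1 and 2 above: every value under data is Base64-encoded with the same `echo -n ... | base64` approach described in About this task, the manifest is rendered from plain key=value pairs instead of hand-edited placeholders, and a decode helper lets you confirm what the cluster will store before you run `oc apply -f`. The secret name, bind DN and passwords shown are constructed sample values, and `render_opaque_secret` and `decode_field` are helper names chosen for this example.

```sh
#!/bin/sh
# Added example (not IBM's code): render Opaque Secret manifests with
# Base64-encoded data values and verify them before applying.

# b64 STRING: encode without a trailing newline (the page's `echo -n` pattern)
# and strip the line wraps that some base64 implementations add for long input.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_opaque_secret NAME key=value [key=value ...]
# Prints a Secret manifest whose data fields are Base64-encoded. Only the
# first '=' separates key from value, so values such as an LDAP bind DN
# (cn=admin,dc=example,dc=com) are kept intact.
render_opaque_secret() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# decode_field MANIFEST KEY: pull one data field out of a rendered manifest
# and decode it, to check the stored value without a cluster round trip.
decode_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }' | base64 -d
}

# Constructed sample values for the LDAP secret from step 1 (not real credentials).
manifest=$(render_opaque_secret ldap-bind-secret \
  "ldapUsername=cn=admin,dc=example,dc=com" \
  "ldapPassword=changeit")

# Print the manifest; redirect to ldap-bind-secret.yaml and then run
# `oc apply -f ldap-bind-secret.yaml` on the OpenShift node as in step 1.2.
printf '%s\n' "$manifest"

# Verify the round trip before applying.
printf 'decoded ldapUsername: %s\n' "$(decode_field "$manifest" ldapUsername)"
```

The same function produces the database and admin secrets from step 2, for example `render_opaque_secret ibm-baw-wfs-server-db-secret "dbUser=baw" "password=..."`. Keep the plaintext values out of shell history (read them from a file or an environment variable) and remember that Base64 is an encoding, not encryption: the rendered YAML is as sensitive as the passwords it contains.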

What to do next

To prepare the required storage, see Preparing storage.