Configuring Password Vault
Before you begin
- The system administrator secures the DB password in a secure vault, ensuring that it can be accessed via script execution.
- Appropriate access rights are granted to allow the Control Center to execute the script.
- The script must always return the latest DB password. When the DB password is rotated, the script is responsible for returning the new password.
- Supported script file extensions:
  - Windows – Batch script (.bat) and PowerShell script (.ps1)
  - Unix – Shell script (.sh)
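An added example, not part of the original documentation or the product: a Unix db_pass.sh that meets the prerequisites listed above. It assumes Control Center reads the password from the script's standard output and that a vault agent keeps the current secret in a file; the file path, function name and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical db_pass.sh for the "Specify the script location" prompt.
# Assumption: Control Center takes the password from this script's standard output.
# Assumption: a vault agent rewrites SECRET_FILE on every rotation (path is made up).
SECRET_FILE="${SECRET_FILE:-/opt/vault-agent/secrets/cc_db_password}"

# Print the current DB password on stdout and nothing else.
# Diagnostics go to stderr and never contain the secret.
# A non-zero status lets the caller's retry count and wait time apply.
get_db_password() {
    file="$1"
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "db_pass: secret file missing or unreadable" >&2
        return 2
    fi
    # Refuse a secret that group or other users can access (GNU stat, then BSD stat).
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 3
    case "$perms" in
        *00) ;;
        *) echo "db_pass: secret file mode $perms is too open" >&2; return 3 ;;
    esac
    # Always re-read the file so a rotated password is picked up immediately.
    # Take the first line only; tolerate a missing final newline and CRLF endings.
    pw=""
    IFS= read -r pw < "$file" || :
    pw=$(printf '%s' "$pw" | tr -d '\r')
    if [ -z "$pw" ]; then
        echo "db_pass: secret file is empty" >&2
        return 4
    fi
    printf '%s\n' "$pw"
}

# Run only when invoked under its installed name, so the function can be sourced and tested.
if [ "${0##*/}" = "db_pass.sh" ]; then
    get_db_password "$SECRET_FILE"
fi
```

Keep both the script and the secret file owned by the account that runs Control Center, with no group or other permissions, so the access rights granted in the prerequisites stay as narrow as possible.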
About this task
Use the password vault configuration page to enable and configure the Password Vault feature with Control Center.
Procedure
Password Vault Configuration for DB Connections
When the configCC script is run during the DB configuration step, the system initially prompts the user to choose whether to use the password vault. The default option is set to N. In subsequent configCC executions, the selected value is remembered.

    Do you want to use password vault for DB connection? (Y/N): [N] Y

- If the user selects "N": The configuration steps remain the same as before. The password vault feature for DB connections will not be used, and the user must manually enter the DB password in subsequent prompts.

    Do you want to use password vault for DB connection? (Y/N) : [N]n
    Do you want to configure a secure connection to your database? (Y/N) [N] :
    Provide the database host name [127.0.0.1] : 172.20.186.192
    Provide the database port number [1433] :
    Provide the database user name [] : sa
    Database Password (no blanks):
    Re-enter Database Password :
    Provide the database name [] : dev_db1

- If the user selects "Y": The configuration steps will differ, and the user will be prompted with the following questions in addition to the existing DB configuration questions, except for the Database Password and Re-enter Database Password prompts.

    Do you want to use password vault for DB connection? (Y/N) : [N]y
    Specify the script location : []C:\db_pass.bat
    Specify the script timeout in seconds : [60]
    Specify the script retries count : [10]
    Specify the script retry wait time in seconds: [15]
    Do you want to configure a secure connection to your database? (Y/N) [N] :
    Provide the database host name [127.0.0.1] : 172.20.186.192
    Provide the database port number [1433] :
    Provide the database user name [] : sa
    Provide the database name [] : dev_inst

Table 1. Password Vault Configuration Parameters

| Parameter name | Description | Default Value | Minimum Value | Maximum Value |
|---|---|---|---|---|
| Use password vault for DB connection | Select Y to enable password vault, else N to not enable it | N | - | - |
| Script location | Path of the script file | blank | - | - |
| Script timeout in seconds | Duration in seconds for script execution to wait before getting timed-out. | 60 | 30 | 120 |
| Script retries count | Number of retry attempts in case of error/exception/timeout | 10 | 6 | 20 |
| Script retries wait time in seconds | Duration in seconds for system to wait before attempting next try. | 15 | 10 | 60 |

Steps to Reconfigure Password Vault
As a Control Center administrator, you can reconfigure the password vault parameters if needed. By running the configCC script, you can modify password vault options during the DB configuration step. The system will display previously configured values as default for the password vault prompts.

    Do you want to use password vault for DB connection? (Y/N): [Y] Y
    Specify the script location: [C:\db_pass.bat]
    Specify the script timeout in seconds: [60]
    Specify the script retries count: [10]
    Specify the script retry wait time in seconds: [15]

Steps to Perform on Password Rotation
- Whenever the DB password rotates or changes, the Control Center’s DB connection will fail. Control Center (CC) will automatically execute the script to fetch the new password. No manual steps are required.
- The Control Center web UI will restart automatically. During the restart, users may experience a brief disconnection (typically 3-5 minutes). It is recommended to schedule a few minutes of downtime in advance to enhance user experience.
- Without scheduled downtime, if the password changes and the Web UI restarts automatically, there could be potential data loss if a user is actively using the Web UI.
Steps for Multi Event Processor (EP) Environment
- Configure one EP instance as described above, then follow the same steps for other EP instances.
- Since no DB credentials are stored, the user must reenter the same configuration values on each EP instance.
Recommendations
- Schedule a brief downtime whenever the DB password changes to avoid data loss.
- In a Multi EP environment, the system allows password vault enablement on one EP instance and non-password vault (classic) configuration on others. However, it is recommended to use the same configuration (either password vault or non-password vault) across all EP instances.
Separate Log file
When the password vault feature is enabled, logs for the DB connection are maintained in the DBServerConnectionChecker**.log file. The log level can be configured by modifying the DBServerConnectionChecker logger in the EngineLogger.xml file. The default log level is set to INFO.