Creating and managing secrets

Store secrets in the universal connector keystore instead of writing passwords in plain text in a connector configuration. Store a secret before you add a connector configuration that uses it. Restart the universal connector to make new or updated secrets available to universal connector configurations.

Procedure

  1. Create a secret. Log in to the Guardium CLI and create the key by using the following grdapi command.
    grdapi universal_connector_keystore_add key=<key_name> password=<key_value>
    Note: Spaces are not allowed before or after = in this grdapi command.
  2. Verify that the keys were added successfully by using the following command.
    grdapi universal_connector_keystore_list
  3. Add a key as an environment variable in the connector configuration.
    1. Log in to Guardium and then go to the Configure Universal Connector page.
    2. Upload the JDBC driver (JAR file).
    3. Add or edit a connector configuration to use a secret. Instead of writing the secret in plain text, type the key that you created as an environment variable.
      For example:
        jdbc {
          ...
          jdbc_connection_string => "jdbc:..."
          jdbc_user => "${MYSQL_USERX_NAME}"
          jdbc_password => "${MYSQL_USERX_PASSWORD}"
          ...
        }
    4. Save the configuration.
    Note: To use the JDBC input plug-in, you need to upload a driver (JAR file) and then add the configuration.
  4. To update a secret, remove the key, add it again, and then restart the universal connector with the overwrite old instance option.
    1. To remove the key, run the following command.
      grdapi universal_connector_keystore_remove key=<key_name>
      
    2. To make sure that the key is no longer available to configurations, force the universal connector to fully restart by running the following command.
      grdapi run_universal_connector overwrite_old_instance="true"
    3. List the secret keys. To retrieve the updated list of secrets after adding, removing, and updating keys, run the following command.
      grdapi universal_connector_keystore_list
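
The following check is an added example, not part of the product or of the original procedure. It reviews a connector configuration before it is saved, flagging sensitive settings that are still written in plain text and ${KEY} references that have no matching keystore key. The function name, the list of sensitive setting names, and the sample data are assumptions; supply the key names that you created with universal_connector_keystore_add.

```python
import re

# Matches settings of the form shown above: name => "value"
SETTING = re.compile(r'(\w+)\s*=>\s*"([^"]*)"')
# A keystore reference has the form ${KEY_NAME}
REFERENCE = re.compile(r'\$\{(\w+)\}')
# Setting names treated as sensitive (an assumption of this example)
SENSITIVE = re.compile(r'password|passwd|secret|token', re.IGNORECASE)


def audit_config(config_text, keystore_keys):
    """Return (plaintext_settings, missing_keys) for a connector configuration.

    plaintext_settings: (line, name) of sensitive settings whose value is
    not exactly one ${KEY} reference.
    missing_keys: referenced keys that are absent from keystore_keys.
    """
    plaintext, missing = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip comment lines
            continue
        for name, value in SETTING.findall(line):
            if SENSITIVE.search(name) and not REFERENCE.fullmatch(value):
                plaintext.append((lineno, name))
            for key in REFERENCE.findall(value):
                if key not in keystore_keys and key not in missing:
                    missing.append(key)
    return plaintext, missing


# Constructed sample configuration: the second block has both problems.
SAMPLE = '''
jdbc {
  jdbc_connection_string => "jdbc:..."
  jdbc_user => "${MYSQL_USERX_NAME}"
  jdbc_password => "${MYSQL_USERX_PASSWORD}"
}
jdbc {
  jdbc_user => "${MYSQL_USERY_NAME}"
  jdbc_password => "example-plaintext-value"
}
'''
# Constructed key names, standing in for the keys you added to the keystore.
KEYS = {"MYSQL_USERX_NAME", "MYSQL_USERX_PASSWORD"}

if __name__ == "__main__":
    plaintext, missing = audit_config(SAMPLE, KEYS)
    for lineno, name in plaintext:
        print(f"line {lineno}: {name} is written in plain text")
    for key in missing:
        print(f"{key} is referenced but is not in the keystore")
```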