Store secrets in the universal connector keystore instead of writing passwords in plain
text within a connector configuration. Store a secret before you add a connector
configuration that uses it. Restart the universal connector to make new or
updated secrets available to universal connector configurations.
Procedure
- Create a secret. Log in to the Guardium CLI and create the key by using the following grdapi
command.
grdapi universal_connector_keystore_add key=<key_name> password=<key_value>
Note: Spaces are not allowed before or after = in this grdapi command.
- Verify whether the keys are entered successfully by using the following command.
grdapi universal_connector_keystore_list
- Add a key as an environment variable in the connector configuration.
- Log in to Guardium and then go to the Configure Universal Connector page.
- Upload the JDBC driver (JAR file).
- Add or edit a connector configuration to use a secret. Instead of writing the secret in plain
text, type the key that you created as an environment variable.
For example:
jdbc {
  ...
  jdbc_connection_string => "jdbc:..."
  jdbc_user => "${MYSQL_USERX_NAME}"
  jdbc_password => "${MYSQL_USERX_PASSWORD}"
  ...
}
- Save the configuration.
Note: To use the JDBC input plug-in, you need to upload a driver (JAR file) and then add
the configuration.
- To update a secret, remove the key, add it again, and then restart the
universal connector with the overwrite old instance option.
- To remove the key, run the following command.
grdapi universal_connector_keystore_remove key=<key_name>
- To make sure that the key is no longer available to configurations, force the universal
connector to fully restart by running the following command.
grdapi run_universal_connector overwrite_old_instance="true"
- List the secret keys. To retrieve the updated list of secrets after adding, removing,
or updating keys, run the following command.
grdapi universal_connector_keystore_list
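A pre-upload check for the configuration step above, as an added example that is not part of the Guardium documentation or product: it flags secret-like settings that hold a literal value instead of a ${KEY} reference, and ${KEY} references that have no matching keystore entry. The function name, the setting-name heuristic, the sample configuration and the key list are assumptions; pass in the key names you see in the universal_connector_keystore_list output.

```python
import re

# Assumed heuristic: setting names that should never hold a literal value.
SECRET_SETTING = re.compile(
    r'(\w*(?:password|passwd|secret|token)\w*)\s*=>\s*"([^"]*)"', re.I)
# A ${KEY_NAME} reference, as used in the jdbc example on this page.
KEY_REF = re.compile(r'\$\{([A-Za-z_][A-Za-z0-9_]*)\}')


def audit_connector_config(config_text, known_keys):
    """Return (plaintext_findings, missing_keys) for one connector configuration.

    plaintext_findings: (line_number, setting) pairs where a secret-like
    setting is not exactly one ${KEY} reference.
    missing_keys: referenced key names that are absent from known_keys.
    """
    plaintext, missing = [], set()
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip comment lines
            continue
        for setting, value in SECRET_SETTING.findall(line):
            if not KEY_REF.fullmatch(value):
                plaintext.append((lineno, setting))
        for name in KEY_REF.findall(line):
            if name not in known_keys:
                missing.add(name)
    return plaintext, sorted(missing)


# Constructed sample: host name, second jdbc block and its values are made up.
SAMPLE_CONFIG = '''\
input {
  jdbc {
    jdbc_connection_string => "jdbc:mysql://db.example.internal:3306/audit"
    jdbc_user => "${MYSQL_USERX_NAME}"
    jdbc_password => "${MYSQL_USERX_PASSWORD}"
  }
  jdbc {
    jdbc_connection_string => "jdbc:mysql://db.example.internal:3306/audit"
    jdbc_user => "${MYSQL_USERY_NAME}"
    jdbc_password => "constructed-plaintext-value"
  }
}
'''
# Constructed list of key names already stored in the keystore.
KNOWN_KEYS = {"MYSQL_USERX_NAME", "MYSQL_USERX_PASSWORD"}

if __name__ == "__main__":
    findings, missing_keys = audit_connector_config(SAMPLE_CONFIG, KNOWN_KEYS)
    print("plaintext secrets:", findings)
    print("keys not in keystore:", missing_keys)
```

The report contains only line numbers and setting names, so the literal secret value is never echoed to a terminal or log.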