Using encrypted keys (optional)

For security, the integration server includes a utility to add all of the keyring-based values from your app.config file to your system's compatible keyring backend, such as a KeyStore system. The utility uses the Python Keyring library to store passwords. For information on Python Keyring library, see https://pypi.org/project/keyring/.

To use the utility, see Keyring utility.

To assist in choosing a compatible and secure keyring backend, the following sections in this guide provide recommendations and basic configuration information for these keyring backends:

Free Desktop Secret Service. Requires the RHEL or CentOS operating system, and Python 3.6.4 or later.
keyrings.cryptfile.cryptfile.CryptFileKeyring. Requires the RHEL or CentOS operating system, and Python 3.6.4 or later.
Windows Credential Locker. Requires the Windows operating system, and can run on Python 3.6.4 or later.

NOTE: The keyrings.alt backend is the least secure backend and is not recommended for use in production systems. Credentials are stored in a plain text file. keyrings.alt backend does not have a password to access the keyring storage. For information, see https://pypi.org/project/keyrings.alt/.

If using an integration server on a Linux® platform, you can use the following command to view any keyring backends installed on your system. For example:

keyring --list-backends
keyrings.cryptfile.file.EncryptedKeyring (priority: 0.6)
keyrings.cryptfile.cryptfile.CryptFileKeyring (priority: 2.5)
keyring.backends.chainer.ChainerBackend (priority: 10)
keyrings.cryptfile.file.PlaintextKeyring (priority: 0.5)
keyring.backends.fail.Keyring (priority: 0)

In this example, keyrings.cryptfile.cryptfile.CryptFileKeyring is listed as the backend with highest priority (2.5) after ChainerBackend, which determines which backend to invoke.

Keyring utility

The integration server includes a utility to store passwords or other authentication values used by an app package.

The utility stores these credentials as key, value pairs. You enter the key in the app.config file as ^<key>. When run, Resilient® Circuits gets the value for the key from the keyring. In the following example, resilient_secret is the key.

[resilient]
api_key_secret=^resilient_secret

Once you have created the keys in your app.config file, run res-keyring and you are prompted to create the secure values to store. In the following example, Free Desktop Secret Service is the keyring backend.

res-keyring 
Configuration file: /Users/kexample/.resilient/app.config
Secrets are stored with 'keyring.backends.SecretService'
[resilient] resilient_secret: <not set>
Enter new value (or <ENTER> to leave unchanged):

Free Desktop Secret Service

On a RHEL or Centos platform, the most secure backend is Free Desktop Secret Service run in a Python 3 environment.

The procedures in this section is for informational purposes only. You supply and configure your own keyring backend. You may need to consult the keyring backend documentation for details.

Use the following procedure to use the Secret Service backend without an X11 server available.

Install the GNOME Keyring daemon:
```
sudo yum install gnome-keyring
```

Start a D-Bus session:

dbus-run-session -- sh
sh-4.2$ gnome-keyring-daemon --unlock
Passw0rd
<CTRL-d>
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh

At the prompt, start the GNOME keyring daemon.
```
sh-4.2$ gnome-keyring-daemon --unlock
```
Enter your password for ResilientKeyringPassword followed by the enter key then Ctrl-d.
```
ResilientKeyringPassword
<CTRL-d>
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
```
If gnome-keyring-daemon --unlock is run and there is no keyring, the GNOME keyring daemon creates a keyring with the provided password. The GNOME keyring information is stored in the following directory:
```
~/.local/share/keyrings/ 
```
List the keyring backends to verify that Secret Service is installed. For example:
```
sh-4.2$ keyring --list-backends
keyring.backends.SecretService.Keyring (priority: 5)
keyring.backends.chainer.ChainerBackend (priority: 10)
keyring.backends.fail.Keyring (priority: 0)
```
In this example, the Secret Service backend is listed as the backend with highest priority after ChainerBackend which determines which backend to invoke.
Once the GNOME keyring is created, run the res-keyring utility to store the app.config credentials in the keystore, as described in Keyring utility.
When done, run Resilient Circuits on the command line in the D-bus session, which allows the integration server to access the credentials from the GNOME keyring.
The GNOME keyring is unlocked while in the D-bus session, so you are not prompted for a keyring password when executing "resilient-circuits run" on the command line.

Once you have setup the GNOME keyring using res-keyring on the command line, you can run the integration server as a system service. However, you need to edit the service to make sure that the system can pass the keyring password to the systemd service for unlocking.

Edit service file /etc/systemd/system/resilient_circuits.service as follows to use the Secret Service backend:

Description=Resilient-Circuits Service
[Service]
Type=simple
User=integrations
WorkingDirectory=/home/integrations/resilient-circuits-py3
Environment=RES_KEYRING_PASSWORD=ResilientKeyringPassword
ExecStart=/usr/bin/res-circuits.sh
Restart=always
TimeoutSec=10
Environment=APP_CONFIG_FILE=/home/integrations/.resilient/app.config
Environment=APP_LOCK_FILE=/home/integrations/.resilient/resilient_circuits.lock

[Install]
WantedBy=multi-user.target

NOTE: The /etc/systemd/system/resilient_circuits.service file is owned by root. Only those users with privileges can view the password in the file.

Add the environment variable containing the GNOME keyring password:
```
Environment=RES_KEYRING_PASSWORD=ResilientKeyringPassword
```

Look for the ExecStart line:

ExecStart=/usr/local/bin/resilient-circuits run

Edit it to start Resilient Circuits from a shell script:
```
ExecStart=/usr/bin/resilient-circuits.sh
```

The following resilient-circuits.sh script starts a dbus session and calls another script to unlock the keyring and start Resilient Circuits:

#!/bin/bash
dbus-run-session -- "/usr/bin/resilient-circuits-unlock-keyring.sh"

The /usr/bin/resilient-circuits-unlock-keyring.sh is as follows:

#!/bin/bash
echo $RES_KEYRING_PASSWORD | gnome-keyring-daemon --unlock
resilient-circuits run

NOTE: You must run Resilient Circuits in the context of the working directory or you must specify the explicit path in resilient-circuits-unlock-keyring.sh.

Keyrings cryptfile

The procedures in this section is for informational purposes only. You supply and configure your own keyring backend. You may need to consult the keyring backend documentation for details.

The keyrings.cryptfile backend is a project in PyPi that is mainly targeted on a sufficiently secure storage for plain text passwords (keyring) in a simple portable file. For more information, see https://pypi.org/project/keyrings.cryptfile/.

Use the following procedure to use the keyrings.cryptfile backend:

Install the keyrings.cryptfile backend.
```
pip3 install keyrings.cryptfile
```

List the keyring backends to verify that keyrings.cryptfile is installed. For example:

keyring --list-backends
keyrings.cryptfile.file.EncryptedKeyring (priority: 0.6)
keyrings.cryptfile.cryptfile.CryptFileKeyring (priority: 2.5)
keyring.backends.chainer.ChainerBackend (priority: 10)
keyrings.cryptfile.file.PlaintextKeyring (priority: 0.5)
keyring.backends.fail.Keyring (priority: 0)

Run the res-keyring utility to store the app.config credentials in the keystore, as described in Keyring utility.

The newly created cryptfile keyring is stored in the following location:

~/.local/share/python_keyring/cryptfile_pass.cfg

When you run resilient-circuits on the command line, you are prompted for the keyrings.cryptfile keyring password:

$ resilient-circuits run
Please enter password for encrypted keyring:

NOTE: The python getpass utility used by keyring looks for password input when running from a terminal but looks for it on stdin when running as a systemd service.

After you enter the keyrings.cryptfile password, Resilient Circuits accesses the credentials from the keyrings.cryptfile keystore.

Once you have setup the keyring using res-keyring on the command line, you can run the integration server as a system service. However, you need to edit the service to make sure that the system can pass the keyring password to the systemd service for unlocking.

Edit service file /etc/systemd/system/resilient_circuits.service as follows to use the keyrings.cryptfile backend:

Description=Resilient-Circuits Service
[Service]
Type=simple
User=integrations
WorkingDirectory=/home/integrations/resilient-circuits-py3
Environment=RES_KEYRING_PASSWORD=ResilientKeyringPassword
ExecStart=/usr/bin/res-circuits.sh
Restart=always
TimeoutSec=10
Environment=APP_CONFIG_FILE=/home/integrations/.resilient/app.config
Environment=APP_LOCK_FILE=/home/integrations/.resilient/resilient_circuits.lock

[Install]
WantedBy=multi-user.target

NOTE: The /etc/systemd/system/resilient_circuits.service file is owned by root. Only those users with privileges can view the password in the file.

Add the environment variable containing the keyring password:
```
Environment=RES_KEYRING_PASSWORD=ResilientKeyringPassword
```

Look for the ExecStart line:

ExecStart=/usr/local/bin/resilient-circuits run

Edit it to start Resilient Circuits from a shell script:
```
ExecStart=/usr/bin/res-circuits.sh
```

The /usr/bin/res-circuits.sh is as follows:

#!/bin/bash
echo $RES_KEYRING_PASSWORD | resilient-circuits run

NOTE: You must run Resilient Circuits in the context of the working directory or you must specify the explicit path in res-circuits.sh.

Windows Credential Locker

The procedures in this section are for information purposes only. You supply and configure your own keyring backend. You might need to consult the keyring backend documentation for details.

When running the integration server on Windows, the Windows Credential Locker backend is the recommended most secure backend. You do not need to pip install the Windows Credential Locker backend, it is there by default when Python Keyring is installed with Resilient Circuits.

For more information on the Windows Credential Locker, see:

https://docs.microsoft.com/en-us/windows/uwp/security/credential-locker

After installing Resilient Circuits, you can check that the Windows Credential Locker is in use:

keyring --list-backends
keyring.backends.chainer.ChainerBackend (priority: 0)
keyring.backends.Windows.WinVaultKeyring (priority: 5)
keyring.backends.fail.Keyring (priority: 0)

Then run res-keyring utility to store the app.config credentials in the Windows keystore:

res-keyring
Configuration file: C:\Users\integrations\.resilient\app.config
Secrets are stored with 'keyring.backends.Windows'
Please enter password for encrypted keyring: 
[resilient] password: ^res_password
  Enter new value (or <ENTER> to leave unchanged): Passw0rd
  Confirm new value: Passw0rd
Value set.
Done.

To run the integration server as a service on Windows, see Installing Resilient circuits. Note that the user account that is used to run Resilient Circuits as a service should be the same account from which res-keyring utility is executed to store the credentials.