Configuration for a Vault Connection

The following table lists the keys to add to the configuration variables template (application.properties) for setting up a connection with the vault. For more information on how to use the application.properties file, see Using Configuration Variables Templates with
vault.aliasName.type
    Value: com.webmethods.is.vault.hashicorp.HashiCorpVaultConnection
    Specifies the vault provider. Integration Server supports only HashiCorp vault. This property cannot be empty.

vault.aliasName.enabled
    Value: true or false
    Specifies whether the vault connection is enabled or not. The default value is true.

vault.aliasName.primary
    Value: true or false
    Specifies whether Integration Server uses the vault as the primary secrets provider. To use the vault connection, set this property to true. When set to true, Integration Server automatically stores the outbound passwords in the vault at startup. The default value is false.

vault.aliasName.secretsCache.enabled
    Value: true or false
    Specifies whether the secrets that are retrieved from the vault are cached in memory or not. Integration Server uses the cache to quickly retrieve frequently accessed secrets. The default value is true.

vault.aliasName.secretsCache.maxEntries
    Specifies the number of entries that the cache can hold. This limit helps to control memory usage. When the cache reaches this limit, Integration Server evicts the least recently used entries to make space for new entries. The default value is 1000.

vault.aliasName.secretsCache.ttlSeconds
    Specifies the maximum time-to-live, in seconds, for cache entries. After this period, the cached entry expires and Integration Server removes it from the cache. This keeps the cached data relatively fresh and reduces the risk of serving stale secrets. The default value is 300.

vault.aliasName.properties.SECRET_MOUNT_PATH
    Specifies the path to a secret in the vault.
    Note: Configure this path when you set up your vault server and provide the path as the value for this property. For more information, see HashiCorp documentation.
    For example, if you specify the path as mysec, the connection stores and retrieves the key-value pairs from secret/mysec in the vault. Here, secret is the secrets engine. The default value is secret/esb.

vault.aliasName.properties.ENCRYPTION_KEY
    Specifies the encryption key that is stored in the transit secrets engine of your vault.
    Note: Create this key while you set up your vault server and provide the same key as the value for this property. For more information, see HashiCorp documentation.
    For example, if you specify the key as myKey, the connection looks for myKey under transit/keys in the vault, where transit is the transit secrets engine and keys is the path under which the engine stores its encryption keys. The default key is esb.

vault.aliasName.properties.VAULT_ADDR
    Specifies the address of the vault server. You can provide the server address directly or as an environment variable, for example http://localhost:8200 or $env{VAULT_ADDR}. Here, $env indicates that an environment variable is the provider of the value, and VAULT_ADDR is the environment variable that holds the server address. Starting the vault server displays the vault server address. This property cannot be empty.

vault.aliasName.properties.VAULT_TOKEN
    Specifies the path to the client token that Integration Server must use to access the vault. The vault server returns the client token after authenticating Integration Server.
    You can provide the client token path directly or as an environment variable. For example, if the path to the token file on your system is C:\vault\token_file, set the value in one of the following ways:
      • $file{/vault/token_file}, where $file indicates that a file is the provider of the value.
      • $env{VAULT_TOKEN}, where $env indicates that an environment variable is the provider of the value and VAULT_TOKEN is the environment variable.
    This property cannot be empty.
    Note: Do not pass the token itself as the value.

vault.aliasName.properties.TLS_CERT_FILE
    Specifies the fully qualified path to a CA-signed certificate that Integration Server uses to establish a secure connection with the vault. This property is optional and is necessary only if the vault server's certificate is not in the default Java truststore.

A sample configuration variables template that configures a vault connection alias named hashiCorpVault (the alias name is part of every key and must be spelled identically on each line):

vault.hashiCorpVault.type=com.webmethods.is.vault.hashicorp.HashiCorpVaultConnection
vault.hashiCorpVault.enabled=true
vault.hashiCorpVault.primary=true
vault.hashiCorpVault.secretsCache.enabled=true
vault.hashiCorpVault.secretsCache.maxEntries=10
vault.hashiCorpVault.secretsCache.ttlSeconds=0
vault.hashiCorpVault.properties.SECRET_MOUNT_PATH=esb
vault.hashiCorpVault.properties.ENCRYPTION_KEY=esb
vault.hashiCorpVault.properties.VAULT_ADDR=$env{VAULT_ADDR}
vault.hashiCorpVault.properties.VAULT_TOKEN=$file{/vault/token_file}
vault.hashiCorpVault.properties.TLS_CERT_FILE=$file{/vault/vault-cert.crt}
Similarly, you can configure a vault connection alias for a user-defined package in the following format:
vault.packageName.vault_connection_alias.propertyName = value

The configuration variables template can be used to create multiple vault connection aliases, including a primary and multiple non-primary connection aliases. However, when Integration Server processes the template at startup, only the vault connection alias that is configured as primary is chosen to manage secrets in the vault. Non-primary connection aliases support an implementation with multiple vaults.
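The rules stated for the keys above (HashiCorp type only, VAULT_ADDR and VAULT_TOKEN non-empty, a file or environment reference rather than the token itself in VAULT_TOKEN, a single primary alias) can be checked before the template is handed to Integration Server. The script below is an added example written for this page, not Integration Server code and not an official tool; the function names (parse_vault_keys, check_template), the constructed SAMPLE_TEMPLATE and the case-mismatch check are this example's own. It parses both the vault.aliasName.property form and the vault.packageName.aliasName.property form described above.

```python
"""Pre-flight check of the vault.* keys in an Integration Server configuration
variables template.  Added example, not Integration Server code; the checks
encode the key descriptions given on this page.
"""
import re
from collections import defaultdict

HASHICORP_TYPE = "com.webmethods.is.vault.hashicorp.HashiCorpVaultConnection"

# Property suffixes documented above, longest first so that
# "secretsCache.enabled" is matched before a bare "enabled".
KNOWN_PROPS = (
    "secretsCache.enabled", "secretsCache.maxEntries",
    "secretsCache.ttlSeconds", "type", "enabled", "primary",
)
# A value that delegates to a provider instead of holding the secret itself.
PROVIDER_REF = re.compile(r"^\$(env|file)\{[^{}]+\}$")


def parse_vault_keys(text):
    """Return {alias: {property: value}} for every vault.* line.

    alias is "aliasName" or "packageName.aliasName"; property is a suffix
    such as "primary" or "properties.VAULT_TOKEN".
    """
    aliases = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith("vault."):
            continue
        rest = key[len("vault."):]
        alias = prop = None
        if ".properties." in rest:
            alias, _, name = rest.partition(".properties.")
            prop = "properties." + name
        else:
            for suffix in KNOWN_PROPS:
                if rest.endswith("." + suffix):
                    alias, prop = rest[: -len(suffix) - 1], suffix
                    break
        if not alias or prop is None:
            raise ValueError(f"unrecognised vault key: {key}")
        aliases[alias][prop] = value
    return dict(aliases)


def check_template(text):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    aliases = parse_vault_keys(text)

    primaries = [a for a, p in aliases.items()
                 if p.get("primary", "false").lower() == "true"]
    if len(primaries) > 1:
        findings.append(f"more than one primary alias: {sorted(primaries)}")

    for alias, props in sorted(aliases.items()):
        if props.get("type") != HASHICORP_TYPE:
            findings.append(f"{alias}: type must be {HASHICORP_TYPE}")
        for required in ("properties.VAULT_ADDR", "properties.VAULT_TOKEN"):
            if not props.get(required):
                findings.append(f"{alias}: {required} cannot be empty")
        token = props.get("properties.VAULT_TOKEN", "")
        if token and not PROVIDER_REF.match(token):
            findings.append(f"{alias}: VAULT_TOKEN must be a $file{{...}} or "
                            f"$env{{...}} reference, not the token itself")
        for num in ("secretsCache.maxEntries", "secretsCache.ttlSeconds"):
            if num in props and not props[num].isdigit():
                findings.append(f"{alias}: {num} must be a non-negative integer")

    # One alias typed with two spellings of letter case silently becomes two
    # half-configured aliases; report it instead of letting it through.
    by_lower = defaultdict(list)
    for alias in aliases:
        by_lower[alias.lower()].append(alias)
    for group in by_lower.values():
        if len(group) > 1:
            findings.append(f"aliases differ only by case (probable typo): {sorted(group)}")
    return findings


# Constructed sample: a correct primary alias plus a package-scoped alias
# that mistakenly puts a literal (placeholder) token in VAULT_TOKEN.
SAMPLE_TEMPLATE = """
vault.prodVault.type=com.webmethods.is.vault.hashicorp.HashiCorpVaultConnection
vault.prodVault.enabled=true
vault.prodVault.primary=true
vault.prodVault.secretsCache.enabled=true
vault.prodVault.secretsCache.maxEntries=1000
vault.prodVault.secretsCache.ttlSeconds=300
vault.prodVault.properties.SECRET_MOUNT_PATH=esb
vault.prodVault.properties.ENCRYPTION_KEY=esb
vault.prodVault.properties.VAULT_ADDR=$env{VAULT_ADDR}
vault.prodVault.properties.VAULT_TOKEN=$file{/vault/token_file}
vault.prodVault.properties.TLS_CERT_FILE=$file{/vault/vault-cert.crt}
vault.myPkg.auditVault.type=com.webmethods.is.vault.hashicorp.HashiCorpVaultConnection
vault.myPkg.auditVault.primary=false
vault.myPkg.auditVault.properties.VAULT_ADDR=http://localhost:8200
vault.myPkg.auditVault.properties.VAULT_TOKEN=PLACEHOLDER-LITERAL-TOKEN
"""

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE) or ["template passes"]:
        print(finding)
```

Run against the constructed sample, the only finding is the literal token in the package-scoped alias; flipping that alias to primary=true adds a second finding for the duplicate primary.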

Creating Assets from a Vault

You can retrieve data from a vault to dynamically create Integration Server assets. For example, you can create global variables as follows:
globalvariable.dbPackage.dbUsername.value=$vault{Username}
globalvariable.dbPackage.dbPassword.value=$vault{Password}
globalvariable.dbPackage.dbPassword.isSecure=true

Here, dbUsername and dbPassword are the global variables that are defined for the package dbPackage. $vault indicates that a vault is the provider of the values for the global variables. Username and Password are the keys whose values are retrieved from the vault.
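To make the provider syntax concrete, the following added example resolves $env{NAME}, $file{PATH} and $vault{KEY} references in globalvariable.* lines and produces a log-safe view in which every variable marked isSecure=true is masked. It is illustrative code written for this page, not Integration Server's implementation (Integration Server resolves these references itself at startup): the vault is stood in for by an in-memory dict playing the key-value pairs under secret/esb, the file and environment providers by dicts of constructed content, and the names resolve_global_variables, loggable_view and the SAMPLE_* data are this example's own.

```python
"""Resolve $env{...}, $file{...} and $vault{...} references in globalvariable
definitions and mask isSecure values for logging.  Added example; the
providers are in-memory stand-ins, not a real vault or filesystem.
"""
import re

# Exactly one reference of the form $provider{name}; anything else is literal.
REFERENCE = re.compile(r"^\$(env|file|vault)\{([^{}]+)\}$")


def resolve_reference(value, env, files, vault_kv):
    """Return the value a reference points at, or the literal value as-is."""
    match = REFERENCE.match(value.strip())
    if not match:
        return value
    provider, name = match.groups()
    source = {"env": env, "file": files, "vault": vault_kv}[provider]
    if name not in source:
        raise KeyError(f"${provider}{{{name}}}: no such {provider} entry")
    resolved = source[name]
    # Token and key files commonly end with a newline that is not part of the secret.
    return resolved.strip() if provider == "file" else resolved


def resolve_global_variables(text, env, files, vault_kv):
    """Return {(package, variable): {"value": ..., "isSecure": bool}}."""
    variables = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line or not line.startswith("globalvariable."):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if len(parts) != 4:
            raise ValueError(f"malformed global variable key: {key}")
        _, package, name, attribute = parts
        entry = variables.setdefault((package, name), {"value": None, "isSecure": False})
        if attribute == "value":
            entry["value"] = resolve_reference(value, env, files, vault_kv)
        elif attribute == "isSecure":
            entry["isSecure"] = value.lower() == "true"
    return variables


def loggable_view(variables):
    """Render resolved variables for a log line, masking isSecure values."""
    return {
        f"{package}.{name}": "********" if entry["isSecure"] else entry["value"]
        for (package, name), entry in variables.items()
    }


# Constructed sample input: the page's two database variables plus two more
# that exercise the $env and $file providers.
SAMPLE_GLOBAL_VARIABLES = """
globalvariable.dbPackage.dbUsername.value=$vault{Username}
globalvariable.dbPackage.dbPassword.value=$vault{Password}
globalvariable.dbPackage.dbPassword.isSecure=true
globalvariable.dbPackage.dbHost.value=$env{DB_HOST}
globalvariable.dbPackage.apiKey.value=$file{/etc/app/api_key}
globalvariable.dbPackage.apiKey.isSecure=true
"""
# Constructed stand-ins for the real providers.
SAMPLE_ENV = {"DB_HOST": "db.internal.example"}
SAMPLE_FILES = {"/etc/app/api_key": "constructed-api-key-value\n"}
SAMPLE_VAULT_KV = {"Username": "app_user", "Password": "constructed-db-password"}

if __name__ == "__main__":
    resolved = resolve_global_variables(
        SAMPLE_GLOBAL_VARIABLES, SAMPLE_ENV, SAMPLE_FILES, SAMPLE_VAULT_KV)
    for key, shown in loggable_view(resolved).items():
        print(f"{key} = {shown}")
```

The masking step matters because resolved global variables are exactly the values that tend to end up in startup logs and diagnostics; the isSecure flag on the page is the signal that a value should never be printed in clear.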