Connecting to external vaults

You can connect to external vaults that store secrets to enable users and applications to retrieve the content of the secrets from the vaults as needed.

Permissions you need for this task
To connect to a vault, you must have the following permission:
  • Add vaults permission.
When you need to complete this task
Complete this task if you need to use a secret from an external vault in IBM® Software Hub.

Procedure

To connect to an external vault:

  1. From the navigation menu, select Administration > Configurations and settings.
  2. Click Vaults and secrets.
  3. On the Vaults tab, click Add vault.
  4. Enter a name and a description for the vault.
    The name can contain only alphanumeric characters and hyphens.
  5. Select the type of vault that you want to integrate with.

    HashiCorp
    Vault URL: The fully qualified URL of the vault that you want to connect to. The URL must have the following format: http://services-location.example.com:port.
    Token: Your authentication token for the vault that you want to connect to. You can generate a token from the HashiCorp vault CLI or API.

    CyberArk
    Vault URL: The fully qualified URL of the vault that you want to connect to. The URL must have the following format: http://services-location.example.com:port.
    Application ID: The application ID for the IBM Software Hub platform in CyberArk Central Credential Provider. This ID tells CyberArk which application is trying to access the vault. You can get the application ID from your CyberArk administrator.
    Client key: The client key, in .key or .pem format, to use to authenticate to the vault. You can get the client key from your CyberArk administrator.
    Client certificate: The client certificate, in .crt or .cer format, to use to authenticate to the vault. You can get the client certificate from your CyberArk administrator.

  6. Click Next.

Add a reference to a secret that exists in the external vault. You must add the reference to one secret when you first create the new vault integration so that you can test the integration. You can add references to more secrets later.

  1. Enter a name and an optional description for the secret.
    The name can contain only alphanumeric characters and hyphens.
  2. Select the type of information that is stored in the secret:

    HashiCorp vault
    Username and password: The secret is used to store a username and password for authentication.
    Key: The secret is used to store a key for authentication.
    Token: The secret is used to store a token for authentication.
    SSL certificate: The secret is used to store an SSL certificate for authentication.
    Custom: The secret is used to store custom information. The custom secret does include fields that are required by other secret types.

    CyberArk vault
    Username and password: The secret is used to store a username and password for authentication.
    Key: The secret is used to store a key for authentication.
    Custom: The secret contains a JSON blob that contains multiple fields.

  3. Enter the secret details, as follows:

    HashiCorp vault
    Secret path: The path to the secret in the vault. If the vault uses namespaces for multitenancy, include the namespace in the path. For example, if the path is /secret/data/swh_access and the secret is in the /dept/marketing namespace, enter:

    /dept/marketing/secret/data/swh_access

    CyberArk vault
    Safe: The safe where the secret is stored in the vault.
    Account name: The name of the account in the vault.

  4. Select the users and groups that you want to share the secret with.
    Those users can access only the secret that you share. They do not have access to the vault or any other secrets in the vault.

    You cannot share secrets that are shared with you.

  5. Click Create.
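The vault and secret steps above impose a few constraints that are easy to get wrong when typing them into the form: names limited to alphanumeric characters and hyphens, a vault URL of the form http://services-location.example.com:port, secret types that differ between HashiCorp and CyberArk, and a HashiCorp secret path that must carry the namespace prefix. The following Python pre-check is an added example written for this page; it is not part of IBM Software Hub and does not call its API. The dictionary keys (type, name, vault_url, token, secret_path, safe, account_name, and so on) are names chosen here for illustration, and accepting https as well as http in the URL check is an assumption made for vaults served over TLS.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Vault and secret reference names may contain only alphanumeric characters and hyphens.
NAME_RE = re.compile(r"[A-Za-z0-9-]+")

# Fields each vault type needs on the Add vault page (keys chosen for this example).
REQUIRED_VAULT_FIELDS = {
    "HashiCorp": ("vault_url", "token"),
    "CyberArk": ("vault_url", "application_id", "client_key", "client_certificate"),
}
# Secret types offered per vault type (Token and SSL certificate exist only for HashiCorp).
SECRET_TYPES = {
    "HashiCorp": ("Username and password", "Key", "Token", "SSL certificate", "Custom"),
    "CyberArk": ("Username and password", "Key", "Custom"),
}
# Secret location fields: HashiCorp takes a path, CyberArk takes a safe and an account name.
REQUIRED_SECRET_FIELDS = {
    "HashiCorp": ("secret_path",),
    "CyberArk": ("safe", "account_name"),
}


def valid_name(name: str) -> bool:
    """Return True when the name uses only letters, digits and hyphens."""
    return NAME_RE.fullmatch(name) is not None


def valid_vault_url(url: str) -> bool:
    """Check that the URL has the form scheme://host:port with an explicit port and no path.

    The page shows http://...; accepting https too is an assumption for vaults served over TLS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if not parts.hostname or port is None:
        return False
    # The field takes the service location only: no path, query string or fragment.
    return parts.path in ("", "/") and not parts.query and not parts.fragment


def hashicorp_secret_path(secret_path: str, namespace: Optional[str] = None) -> str:
    """Build the Secret path value, prefixing the namespace when the vault uses namespaces.

    Follows the page's example: namespace /dept/marketing and path /secret/data/swh_access
    give /dept/marketing/secret/data/swh_access.
    """
    path = "/" + secret_path.strip("/")
    if namespace is None or not namespace.strip("/"):
        return path
    return "/" + namespace.strip("/") + path


def check_vault_config(vault: Dict[str, str], secret: Dict[str, str]) -> List[str]:
    """Return the problems found in a vault connection and its first secret reference.

    An empty list means the values satisfy the constraints described in the procedure.
    """
    vtype = vault.get("type", "")
    if vtype not in REQUIRED_VAULT_FIELDS:
        return [f"unknown vault type: {vtype!r}"]
    problems: List[str] = []
    if not valid_name(vault.get("name", "")):
        problems.append("vault name must contain only alphanumeric characters and hyphens")
    for field in REQUIRED_VAULT_FIELDS[vtype]:
        if not vault.get(field):
            problems.append(f"{vtype} vault requires the {field} field")
    if vault.get("vault_url") and not valid_vault_url(vault["vault_url"]):
        problems.append("vault_url must have the form http://services-location.example.com:port")
    if not valid_name(secret.get("name", "")):
        problems.append("secret name must contain only alphanumeric characters and hyphens")
    if secret.get("secret_type") not in SECRET_TYPES[vtype]:
        problems.append(f"secret type {secret.get('secret_type')!r} is not available for {vtype} vaults")
    for field in REQUIRED_SECRET_FIELDS[vtype]:
        if not secret.get(field):
            problems.append(f"{vtype} secret reference requires the {field} field")
    return problems


if __name__ == "__main__":
    # Constructed sample input; the token value is a placeholder, not a real credential.
    sample_vault = {
        "type": "HashiCorp",
        "name": "corp-vault",
        "vault_url": "http://services-location.example.com:8200",
        "token": "<vault-token-placeholder>",
    }
    sample_secret = {
        "name": "swh-access",
        "secret_type": "Username and password",
        "secret_path": hashicorp_secret_path("/secret/data/swh_access", "/dept/marketing"),
    }
    print(check_vault_config(sample_vault, sample_secret) or "no problems found")
```

Running the script with the constructed sample prints "no problems found"; feeding it a CyberArk vault with a Token secret type, or a HashiCorp URL that carries a path, returns a list describing each violated constraint so it can be corrected before the integration test in the Add vault flow.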

Results

The connection to the vault is created.

You can update the vault configuration as necessary. If you update the configuration, make sure that you test the integration again.

You can also add more references to secrets. For details, see Adding references to secrets in external vaults.