Using HashiCorp Vault for Credential Management Service

HashiCorp Vault is used to integrate with TIBCO BusinessWorks Container Edition for the credential management system to retrieve passwords from the vault to use them within the application at runtime when the password is required. This avoids adding any passwords in the deployment configuration and redeploying the application.

A new HashiCorp Vault provider is added for the credential management for the property of type password.

HashiCorp Vault has the following fields:

  • Secret Name: Path of the secret.
  • Secret Key: Key of the secret in the KeyValue engine.
  • Mount Path: Path where the KeyValue engine is enabled.

On TIBCO Business Studio for BusinessWorks, the format is stored as #Secret_Name::Secret_key::Mount_Path#

You can use HashiCorp Vault as a credential management service for module properties. When using it to export the profile as a properties file, the property value uses the following format:

HashiCorpVault::secretName::secretKey::mountPath

Note: While creating a ConfigMap from the deployment.yml file, ensure that the value of the property must be in the format HashiCorpVault::secretName::secretKey::mountPath.

 

To enable the HashiCorp Vault credential management system, pass the following environment variables at runtime:

  • HASHICORP_VAULT_ADDR
  • HASHICORP_VAULT_AUTH
  • VAULT_AUTH_PATH
  • HASHICORP_VAULT_KV_VERSION
  • APP_CONFIG_PROFILE

To use the name of the namespace, pass the HASHICORP_VAULT_NAMESPACE environment variable.

For more information on the environment variables, see Environment Variables.

The authentication methods supported for HashiCorp Vault are Token, AppRole, and Userpass.

Authentication Method Description Environment Variables to enable the Authentication Method
Token This authentication method enables users to authenticate using a token. HASHICORP_VAULT_TOKEN
AppRole This authentication method enables machines or applications to authenticate with vault-defined roles. The default path is approle/. If this authentication method is enabled at a different location, the following environment variables are used to enable this authentication method:
  • HASHICORP_VAULT_ROLE_ID
  • HASHICORP_VAULT_SECRET_ID
Userpass This authentication method enables users to authenticate with the vault using username and password combinations. The username and password combinations are configured directly to the authentication method with the users or path.
  • HASHICORP_VAULT_USERNAME
  • HASHICORP_VAULT_PASSWORD

Note: You can increase the security of the authentication methods by encrypting the parameters and passing them as environment variables.

For example, instead of passing username and password as plain text, you can encrypt the string and pass the string as an environment variable using the BWOfuscator Utility. For more information, see Password Obfuscator Utility.

In addition, to secure the string further, encrypt it using the custom key encryption feature of BWObfuscator Utility. In this case, you can pass the custom key to the application using the CUSTOM_ENCRYPTION_KEY environment variable. For more information, see Environment Variables for Docker.

Secrets engines are components that store, generate, or encrypt data. Some secrets engines simply store and read data while others connect to services and generate dynamic credentials on demand. Other secrets engines also provide encryption as a service. Secrets engines are enabled at a "path" in the Vault. When a request comes to the Vault, the router automatically routes anything with the route prefix to the secrets engine. The supported secrets engine is the Key Value Engine.

The KeyValue (KV) engine is the supported secret engine for HashiCorp Vault. The default engine used is the KeyValue (KV) engine version 2. If the HASHICORP_VAULT_KV_VERSION environment variable is set to 1, KeyValue (KV) engine version 1 is used.

 

HTTPS Support:

The HASHICORP_CACERT environment variable needs to be set to the path of the certificate.

In TIBCO Business Studio for BusinessWorks provide the path of the certificate in the HASHICORP_CACERT environment variable.

In Docker, place the certificate in the /resources/addons/certs/ folder.

 

Note:
  • The HashiCorp Vault is supported only on the Docker and Kubernetes platform.
  • All the passwords fetched from the HashiCorp Vault are obfuscated.