Secure Storage Vaults
A Credential Vault (or Key Vault) is a secure storage location for database credentials in AMT.
Available Secure Storage Vaults
AMT Java supports the following types of vaults:
- Azure
- Google Cloud Platform (GCP)
- HashiCorp
- CyberArk
- Custom
- Simple
Azure
With the environment credential option, the runtime gains access to the Key Vault by way of an app registration in the Azure tenant.
To enable use of the Azure vault, you must first set the following environment variables:
- AZURE_CLIENT_ID (required): the Azure client ID.
- AZURE_CLIENT_SECRET (required): the Azure client secret.
- AZURE_TENANT_ID (required): the Azure tenant ID.
The Control Center or Application configuration file must then be updated to point to the Azure Key Vault.
```yaml
secureStorages:
  - id: azure
    vaultType: Azure
    vaultConfiguration:
      azureCredentialType: <your_environment_name>
      azureVaultName: <your_key_vault_name>
```
Google Cloud Platform
To enable use of the GCP vault, you must first set the following environment variables:
- GOOGLE_APPLICATION_CREDENTIALS (required): the path to the service account JSON key file.
The Control Center or Application configuration file must then be updated to point to the GCP Secret Manager.
```yaml
secureStorages:
  - id: gcp
    vaultType: GCP
    vaultConfiguration:
      gcpProjectId: <your_gcp_project_id>
```
HashiCorp
To enable use of the HashiCorp vault, you must first set the following environment variables:
- VAULT_ADDR (required): the server address of the vault provider.
- VAULT_TOKEN (required): the root token for authenticating with the HashiCorp Vault.
- VAULT_OPEN_TIMEOUT: timeout in minutes, for example 5.
- VAULT_READ_TIMEOUT: timeout in minutes, for example 30.
The Control Center or Application configuration file must then be updated to point to the HashiCorp Vault.
```yaml
secureStorages:
  - id: hashi
    vaultType: HashiCorp
    vaultConfiguration:
      securePath: secret/amt
```
Optionally, the engine version of the HashiCorp Vault can be configured: engineVersion: 1.
CyberArk
Secrets are retrieved over HTTP through the CyberArk REST API, so a reachable endpoint must already be established on the client side.
To enable use of the CyberArk vault, you must first set the following environment variables:
- CYBERARK_URI (required): base URI of the CyberArk PVWA REST API endpoint. Example: https://pvwa.example.com/passwordvault/api
- CYBERARK_APP_ID (required): application ID registered in CyberArk that identifies and authorizes this application to retrieve secrets.
Additional optional environment variables:
- CYBERARK_SAFE: Name of the Safe containing the target account.
- CYBERARK_FOLDER: Folder within the Safe where the account is stored.
- CYBERARK_USERNAME: Username of the target account to retrieve.
- CYBERARK_ADDRESS: Host or IP of the target system associated with the account.
- CYBERARK_DATABASE: Database name when retrieving database credentials.
- CYBERARK_POLICY_ID: Policy identifier used for access and retrieval rules.
- CYBERARK_REASON: Audit reason message logged with the retrieval request.
- CYBERARK_CONNECTION_TIMEOUT: Connection timeout for REST API requests.
- CYBERARK_QUERY: Filter expression to select the desired account.
- CYBERARK_QUERY_FORMAT: Format of the query expression used by CYBERARK_QUERY.
- CYBERARK_FAIL_REQUEST_ON_PASSWORD_CHANGE: Whether to fail if the password is being changed.
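The required and optional variables listed for each vault type can be verified before AMT is started, so that a missing secret or a mistyped timeout fails fast instead of surfacing as a vault error at runtime. The pre-flight check below is an added example and not code from AMT Java: the variable names are the ones documented on this page, while the extra sanity rules (timeouts must be whole minutes, VAULT_ADDR and CYBERARK_URI should be https URLs, the GCP key file must exist on disk) are this example's own assumptions.

```python
"""Pre-flight check of the environment variables each AMT vault type needs.

Added example, not AMT Java code. Variable names follow the documentation;
the sanity rules below (integer minutes, https URLs, existing key file)
are this example's own assumptions.
"""
from __future__ import annotations

import os
from urllib.parse import urlparse

# Required variables per vaultType, as documented. Custom and Simple
# have no documented environment variables.
REQUIRED_VARS: dict[str, tuple[str, ...]] = {
    "Azure": ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID"),
    "GCP": ("GOOGLE_APPLICATION_CREDENTIALS",),
    "HashiCorp": ("VAULT_ADDR", "VAULT_TOKEN"),
    "CyberArk": ("CYBERARK_URI", "CYBERARK_APP_ID"),
    "Custom": (),
    "Simple": (),
}
# Optional HashiCorp timeouts, documented as a number of minutes.
MINUTE_VARS = ("VAULT_OPEN_TIMEOUT", "VAULT_READ_TIMEOUT")
# Endpoints that receive a token or app id; assumption: they must be https.
URL_VARS = ("VAULT_ADDR", "CYBERARK_URI")


def check_vault_env(vault_type: str, env: dict[str, str] | None = None) -> list[str]:
    """Return the problems found; an empty list means the vault can be used."""
    env = dict(os.environ) if env is None else env
    if vault_type not in REQUIRED_VARS:
        return [f"unknown vaultType {vault_type!r}; expected one of {sorted(REQUIRED_VARS)}"]
    problems: list[str] = []
    # Required variables must be present and non-blank.
    for name in REQUIRED_VARS[vault_type]:
        if not env.get(name, "").strip():
            problems.append(f"{name} is required but not set")
    # Timeouts are documented as minutes, so anything but digits is a typo.
    for name in MINUTE_VARS:
        value = env.get(name)
        if value is not None and not value.strip().isdigit():
            problems.append(f"{name} must be a whole number of minutes, got {value!r}")
    # Credentials travel in these requests; refuse plain http (example's rule).
    for name in URL_VARS:
        value = env.get(name)
        if value:
            scheme = urlparse(value).scheme.lower()
            if scheme != "https":
                problems.append(f"{name} should be an https URL, got scheme {scheme!r}")
    # The GCP key file path is only useful if the file is actually there.
    key_file = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if vault_type == "GCP" and key_file and not os.path.isfile(key_file):
        problems.append(f"GOOGLE_APPLICATION_CREDENTIALS points to a missing file: {key_file!r}")
    return problems


if __name__ == "__main__":
    import sys

    chosen = sys.argv[1] if len(sys.argv) > 1 else "HashiCorp"
    found = check_vault_env(chosen)
    for problem in found:
        print(f"[{chosen}] {problem}")
    sys.exit(1 if found else 0)
```

Run it with the vault type from the configuration file as the only argument (for example `python check_vault_env.py CyberArk`); a non-zero exit code with the listed problems is a convenient gate in a start-up script. The `env` parameter exists so the same function can be tested against a constructed environment without touching the real one.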
Key Vault File
The Key Vault file contains information about databases in the environment, such as usernames, passwords, or URLs.
| Good to know |
|---|
| All database settings can be stored in the Key Vault file. |
On startup, the values in this secrets file are encrypted, after which they should no longer be modified by hand. If the secrets file does need to be changed, create a new Key Vault file instead. To verify that the file is encrypted, it is checked for an (invisible) null character followed by a binary marker at the end of the file.
Important to note:
- Keys and values are separated by a := sign.
- Comment lines must start with # or //.
Examples
The following is an unencrypted sample of a Key Vault file:
```text
# System database
systemDatabaseUser:=amtjava
systemDatabasePassword:=amtjava
systemDatabaseURL:=jdbc:postgresql://localhost/amtjava
# Application database custmanibm
custmanibmUser:=amtjava
custmanibmPassword:=amtjava
custmanibmURL:=jdbc:postgresql://localhost/custmanibm
```
The following is a sample of an encrypted Key Vault file:
```text
# System database
gksystemDatabaseUser:=XXZW/zw1fn274rWjAGHHJg==
gksystemDatabasePassword:=XXZW/zw1fn274rWjAGHHJg==
gksystemDatabaseURL:=lPu0xEsVxm2iUUUnaaQDj5U/Jw26FDAMQ0Zl8IoSeloA88+7EjK7nkxpUccHU8SQ
# Application database custmanibm
gkcustmanibmUser:=aNplS0c7Vx5A3wX1VTuTdA==
gkcustmanibmPassword:=aNplS0c7Vx5A3wX1VTuTdA==
gkcustmanibmURL:=N4xGiYRQyy0pNv0SZFJKKg==
閂
```
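The format rules given above (a := separator, comment lines starting with # or //, and a trailing null character plus binary marker on an encrypted file) are small enough to capture in a reader, which is useful when a deployment script needs to know whether a Key Vault file has already been encrypted before it touches it. The following is an added example and not AMT's own loader: it parses the unencrypted sample above (with one comment switched to // so both prefixes are exercised), reports whether a file carries the encryption trailer, and strips that trailer before parsing. The page does not give the bytes of the binary marker, so ENCRYPTION_MARKER is a placeholder that must be replaced with the marker your AMT version writes; the duplicate-key check is this example's own rule.

```python
"""Reader and encryption-state check for an AMT Key Vault file.

Added example, not AMT code. Assumption: the exact marker bytes that
follow the trailing null character are not documented, so
ENCRYPTION_MARKER below is a placeholder to be replaced.
"""
from __future__ import annotations

# Placeholder: substitute the real marker bytes used by your AMT version.
ENCRYPTION_MARKER = b"<marker>"
COMMENT_PREFIXES = ("#", "//")
SEPARATOR = ":="


def is_encrypted(data: bytes) -> bool:
    """True if the file ends with a NUL byte followed by the binary marker."""
    trailer = b"\x00" + ENCRYPTION_MARKER
    return data.rstrip(b"\r\n").endswith(trailer)


def parse_key_vault(text: str) -> dict[str, str]:
    """Parse 'key:=value' lines, skipping blank and comment lines.

    The line is split on the first ':=' only, so a JDBC URL containing
    ':' survives intact. Lines without ':=' and duplicate keys raise
    ValueError (the duplicate rule is this example's own).
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        if SEPARATOR not in line:
            raise ValueError(f"line {lineno}: expected 'key{SEPARATOR}value', got {raw!r}")
        key, value = line.split(SEPARATOR, 1)
        key = key.strip()
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        entries[key] = value.strip()
    return entries


def load_key_vault(data: bytes) -> tuple[dict[str, str], bool]:
    """Return (entries, encrypted); the trailer is removed before parsing."""
    encrypted = is_encrypted(data)
    body = data
    if encrypted:
        body = data.rstrip(b"\r\n")[: -(1 + len(ENCRYPTION_MARKER))]
    return parse_key_vault(body.decode("utf-8")), encrypted


def database_settings(entries: dict[str, str], database: str) -> dict[str, str]:
    """Collect the User/Password/URL triple stored for one database name."""
    result: dict[str, str] = {}
    for suffix in ("User", "Password", "URL"):
        key = database + suffix
        if key in entries:
            result[suffix] = entries[key]
    return result


# Constructed sample: the page's unencrypted example, with the second
# comment written as // to show both comment prefixes.
UNENCRYPTED_SAMPLE = """\
# System database
systemDatabaseUser:=amtjava
systemDatabasePassword:=amtjava
systemDatabaseURL:=jdbc:postgresql://localhost/amtjava
// Application database custmanibm
custmanibmUser:=amtjava
custmanibmPassword:=amtjava
custmanibmURL:=jdbc:postgresql://localhost/custmanibm
"""


if __name__ == "__main__":
    plain = UNENCRYPTED_SAMPLE.encode("utf-8")
    entries, encrypted = load_key_vault(plain)
    print("encrypted:", encrypted, "keys:", sorted(entries))
    print("custmanibm:", database_settings(entries, "custmanibm"))
    # Simulate the trailer AMT appends once the file has been processed.
    sealed = plain + b"\x00" + ENCRYPTION_MARKER
    print("encrypted after trailer:", load_key_vault(sealed)[1])
```

Callers that intend to write to the file should stop when the returned flag is True, matching the rule above that an encrypted file is no longer modified by hand and a fresh Key Vault file is created instead.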
