Credential Vault Service
We can use the portal Credential Vault Service to configure Vault Adapter implementations that are used by the Credential Vault Service to store credential secrets.
In the WebSphere Integrated Solutions Console, the portal Credential Vault Service is listed as WP VaultService.
General Credential Vault Service properties
You can set the following general configuration properties Credential Vault Service:
- systemcred.dn
- Specifies the Distinguished name (DN) of the vault administrative user. All system credentials are stored under the user's account. This property is set to the portal administrative user by default.
- export.userDN
- This is the user DN value of the XML Access user that is allowed to import/export secrets via the XML Configuration interface. This is usually the same user DN string as defined in the same configuration file under the property systemcred.dn. This user needs authority to use the XML Configuration interface and has to be used during the import/export. Otherwise an import/export of credential secrets is not possible.
- export.cipher
- The cipher used during export for encryption. This cipher has to be available via Java JCE in the HCL WebSphere Portal system. The default value is AES.
- export.keyLength
- Number of bits used as key length for the cipher. The default value is 128 .
- export.enforceSSL
- This field controls whether credential import and export must be done via secured HTTP connection or not. If you set this property to true , credential import and export must be done via secured HTTP connection. If you set this property to false , it is allowed to import and export credentials also via an unsecured HTTP connection. The default value is true .
Vault Adapter specific properties
By default, two Vault Adapter implementations are available: default-release and default-customization. Those Vault Adapters store credential secrets in the portal server data store. For each implementation, define a unique string type, a class name, and a domain. Optionally, we can specify a configuration file, managing resources, and a read only flag.We can define the following properties for each Vault Adapter Implementation Type. To be able to differentiate the properties for each type, the properties are in the format vault.type.key . Replace type by the Vault Adapter Implementation Type, and replace key by the key. The following list shows the properties that we can append:
- class
- Specify the Vault Adapter Implementation Class Name, but without the .class extension. This property is mandatory.
- config
- Specify the path of a configuration file that your adapter may need . Optional.
- domain = (rel)
- Specify the database domain where the segment and slot configuration data is stored. In the special case of the DefaultVault, this also specifies where the actual credentials are stored. This property is mandatory. Possible values are all available database domains as specified in the Data Store Service. The default value is rel ; this specifies the release domain.
- manageresources = (false)
- Specify whether the Vault Adapter should create and delete resources. Optional.
Note: If true, the adapter must have internal support to manage resources. If you omit this property, it will default to false .
- readonly = (true)
- Specify whether the underlying vault for this adapter should be considered read only. Optional.
Note: If you set this property to true, the manageresources property is ignored. If you omit this property, it will default to true .