
Set up a Credential store

Introduction

The credential store lets developers use passwords without the passwords themselves being exposed to them.

The server administrator is responsible for setting up the credential store and filling it with passwords. The server administrator should provide a list of available credentials to developers. Developers then refer to a password by its identifier.

There are two available ways to store passwords:

  • a JSON file on disk;
  • in the Azure Key Vault.

Note: You can only use one of these methods at a time.

Prerequisites

An Azure environment should be available for Azure Key Vault.

Setting up a file-based Credential store

The file-based credential store is a JSON file on disk called credential_store.json. This file must contain a single object holding a set of key-value pairs, where:

  • key is the identifier that developers should use,
  • value contains the actual password.

Follow these steps to create a file-based credential store containing one password, with PasswordIdentifier as an identifier.

Step  Action
1     Create a new text file named credential_store.json in the <PLATFORMDIR>\databases folder.
2     Open credential_store.json using a text editor.
3     Enter the following information in the file: { "PasswordIdentifier": "s3cr3tp4ssw0rd" }
4     Save the file.
5     Go to the Superadmin Settings tab.
6     Add the following entry to the Server settings: "CredentialStore": { "Type": "File" }

Developers can now use the identifier PasswordIdentifier, which resolves to the password s3cr3tp4ssw0rd.

Below is an example of a credential_store.json file for a credential store with multiple passwords.

{
  "passwordIdentifier": "secr3tp4ssw0rd",
  "ldapServerPassword": "BBx^W2Vh(7!r]@>!%",
  "oracleDatabasePassword": "~5u4$8HtCE]3mXpV",
  ...
}

Setting up an encrypted file-based Credential store

It is also possible to create an encrypted file-based credential store. In this case, you set the Type to Encrypted in the CredentialStore entry in the Server Settings. It is only possible to add entries in the encrypted credential store using the DataServer command -AddEncryptedPassword.

-dataserver -AddEncryptedPassword <key> <password>

Follow these steps to create an encrypted file-based credential store containing one password, with PasswordIdentifier as an identifier.

Step  Action
1     Go to the Superadmin Settings tab.
2     Add the following entry to the Server settings: "CredentialStore": { "Type": "Encrypted" }
3     Open a Windows command line prompt and go to the [PLATFORMDIR]\builds folder.
4     Enter the following command: processgold.bat -dataserver -AddEncryptedPassword PasswordIdentifier s3cr3tp4ssw0rd

Added password entries cannot be removed.

Note: The -AddEncryptedPassword command will overwrite existing password values without notification.