Data Governance Server Documentation Index
Configuration Reference Home

Vault Cipher Stream Provider

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Vault Cipher Stream Provider is used to obtain a passphrase from a HashiCorp Vault server. That passphrase will be used to generate the encryption key that will protect the contents of the encryption settings database.

Note that this Vault Cipher Stream Provider will only interact with Vault once when the server is started or when launching a tool that needs to access the encryption settings database. Upon retrieving the secret passphrase from Vault, an encryption key will be generated, and that key will be cached in memory so that it will not be necessary to retrieve the passphrase from Vault while the server or tool remains running.

Parent Component
Relations from This Component
Properties
dsconfig Usage

Parent Component

The Vault Cipher Stream Provider component inherits from the Cipher Stream Provider

Relations from This Component

The following components have a direct aggregation relation from Vault Cipher Stream Providers:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
↓ description  None
↓ enabled
↓ vault-server-base-uri
↓ vault-authentication-method
↓ vault-secret-path
↓ vault-secret-field-name
↓ vault-encryption-metadata-file
↓ trust-store-file
↓ trust-store-pin
↓ trust-store-type

Basic Properties

description

Description
A description for this Cipher Stream Provider
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether this Cipher Stream Provider is enabled for use in the Data Governance Server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

vault-server-base-uri

Description
The base URL needed to access the Vault server. The base URL should consist of the protocol ("http" or "https"), the server address (resolvable name or IP address), and the port number. For example, "https://vault.example.com:8200/". If multiple vault base server URLs are configured, the specified Vault servers will be tried in the order listed until the desired secret is obtained.
Default Value
None
Allowed Values
An absolute URL, or a relative URL
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

vault-authentication-method

Description
The mechanism used to authenticate to the Vault server.
Default Value
None
Allowed Values
The DN of any Vault Authentication Method.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

vault-secret-path (Read-Only)

Description
The path to the desired secret in the Vault service. This will be appended to the value of the base-url property for the associated Vault external server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

vault-secret-field-name (Read-Only)

Description
The name of the field in the Vault secret record that contains the passphrase to use to generate the encryption key.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

vault-encryption-metadata-file (Read-Only)

Description
The path to a file that will hold metadata about the encryption performed by this Vault Cipher Stream Provider. When initially configuring this cipher stream provider, the metadata file should not exist (although its parent directory must exist). The first time the provider is initialized and the secret key is successfully retrieved from Vault, a new metadata file will be generated with an appropriate set of properties for generating the cipher to use to interact with the encryption settings database. On subsequent uses, the existing metadata file will be read to determine these settings so that the existing encryption settings database can be opened.
Default Value
config/vault-encryption-metadata.json
Allowed Values
A filesystem path
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

trust-store-file

Description
The path to a file containing the information needed to trust the certificate presented by the Vault servers. A trust store file may be configured if any of the Vault server base URIs have a protocol of "https". If no trust store file is configured, then the JVM's default trust store will be used.
Default Value
None
Allowed Values
A filesystem path
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

trust-store-pin

Description
The passphrase needed to access the contents of the trust store. This is only required if a trust store file is required, and if that trust store requires a PIN to access its contents.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

trust-store-type

Description
The store type for the specified trust store file. The value should likely be one of "JKS" or "PKCS12".
Default Value
JKS
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Cipher Stream Providers:

dsconfig list-cipher-stream-providers
     [--property {propertyName}] ...

To view the configuration for an existing Cipher Stream Provider:

dsconfig get-cipher-stream-provider-prop
     --provider-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Cipher Stream Provider:

dsconfig set-cipher-stream-provider-prop
     --provider-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Vault Cipher Stream Provider:

dsconfig create-cipher-stream-provider
     --provider-name {name}
     --type vault
     --set enabled:{propertyValue}
     --set vault-server-base-uri:{propertyValue}
     --set vault-authentication-method:{propertyValue}
     --set vault-secret-path:{propertyValue}
     --set vault-secret-field-name:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Cipher Stream Provider:

dsconfig delete-cipher-stream-provider
     --provider-name {name}