Striim 4.0.4 documentation

Using vaults

You can use a vault to secure any property value, including passwords, tokens, and keys. This sensitive information is stored as key-value pairs with the value encrypted. Those keys can then be used as variables in TQL without the programmer being able to see the cleartext value.

Note

Striim automatically encrypts values when the property type is com.webaction.security.Password (see Encrypted passwords), but if desired you may specify vault keys for those values.

Striim's native vault stores key-value pairs in the metadata repository (see Configuring Striim's metadata repository). If you are using Oracle JDK 8 or OpenJDK 8 version 1.8.0_161 or later, Striim will encrypt the values using AES-256. With earlier JDKs, it will use AES-128.

Alternatively, you may store key-value pairs in Hashicorp Vault's KV Secrets Engine Version 2.

Tip

When handing off applications from development to QA, or from QA to production, create vaults with the same name in different namespaces. If vaults' entries have the same names but different values, the applications can use different connection URLs, user names, passwords, keys, and so on with no need to revise the TQL.

Creating a vault

Note

In this release, this and the following commands are available only in the console. There is no web UI counterpart.

To create a Striim native vault:

CREATE VAULT <vault_name>;

To create a vault component that makes an existing Hashicorp vault available for use in Striim:

CREATE VAULT <vaultName> USING VAULTSPEC (
  VaultType: "HASHICORPVAULT",
  AccessToken: "<rootToken>",
  ConnectionURL: "<connection_url>",
  Port: "<port>",
  EngineName: "<name>",
  PathToSecret: "<path>"
);

For example:

CREATE VAULT myvault USING VAULTSPEC (
  VaultType: "HASHICORPVAULT",
  AccessToken: "**************************",
  ConnectionURL: "https://198.51.100.20",
  Port: "8200",
  EngineName: "secret",
  PathToSecret: "my-secret"
);

Adding an entry to a vault

To add an entry to a Striim native vault:

WRITE INTO <vaultName> (
  vaultKey: "<key>",
  vaultValue: "<value>"[, valueType: "FILE"]
);

If valueType: "FILE" is specified, value must be a fully-qualified file name accessible by Striim. Otherwise, value must be a string.

You cannot add an entry to a Hashicorp vault in Striim. See Hashicorp's Vault Documentation for instructions on adding entries to KV Secrets Engine Version 2.

Using vault keys as variables in TQL

Specify vault entries in TQL adapter properties with double square brackets. For example:

Username: '[[myvault.myusername]]',
Password: '[[myvault.mypassword]]',

If you are using Hashicorp Vault and the property expects a value that specifies a file, indicate that as follows:

ServiceAccountKey: '[[myvault.my-sa-key, "FILE"]]'

The , "FILE" suffix is not required in TQL when using Striim's native vault.
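The following TQL is an added example, not taken from the Striim documentation, showing the handoff pattern from the tip above: each namespace gets a vault with the same name and entry names but different values, so one application definition can be deployed in dev and prod without its TQL ever containing a cleartext credential. The DatabaseReader adapter, its property names, and the namespace, table and value strings are assumptions chosen for illustration.

```tql
-- Development namespace: vault entries point at the dev database.
CREATE NAMESPACE dev;
USE dev;
CREATE VAULT dbvault;
WRITE INTO dbvault (vaultKey: "jdbcurl", vaultValue: "jdbc:postgresql://dev-db.example.internal:5432/orders");
WRITE INTO dbvault (vaultKey: "dbuser", vaultValue: "striim_dev");
WRITE INTO dbvault (vaultKey: "dbpass", vaultValue: "<dev-password-placeholder>");

-- Production namespace: same vault name and keys, different values.
CREATE NAMESPACE prod;
USE prod;
CREATE VAULT dbvault;
WRITE INTO dbvault (vaultKey: "jdbcurl", vaultValue: "jdbc:postgresql://prod-db.example.internal:5432/orders");
WRITE INTO dbvault (vaultKey: "dbuser", vaultValue: "striim_prod");
WRITE INTO dbvault (vaultKey: "dbpass", vaultValue: "<prod-password-placeholder>");

-- The application references only vault keys, so this block is identical
-- whether it is loaded under USE dev; or USE prod;. Adapter and property
-- names are assumed for the example.
USE dev;
CREATE APPLICATION orders_cdc;
CREATE SOURCE OrdersSource USING DatabaseReader (
  ConnectionURL: '[[dbvault.jdbcurl]]',
  Username: '[[dbvault.dbuser]]',
  Password: '[[dbvault.dbpass]]',
  Tables: 'public.orders'
)
OUTPUT TO OrdersStream;
END APPLICATION orders_cdc;
```

Because READ FROM returns only encrypted values, anyone with console access can confirm which keys exist in each namespace's vault without being able to recover the credentials themselves.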

Other vault commands

ALTER VAULT <vault_name> (<property_name>: "<value>");

For a Striim native vault, changes the value of any property.

For a Hashicorp vault, use this command to update the Striim component with any changes you make in Hashicorp Vault.

When a property's value is updated, any Striim application that uses that property must be restarted to pick up the new value.

DESCRIBE <vault_name>;

Returns a description of the specified vault component.

DROP VAULT [<namespace>].<vault_name>;

For a Striim native vault, deletes the vault and all its entries.

For a Hashicorp vault, makes it inaccessible by Striim, but has no effect in Hashicorp Vault.

LIST VAULTS;

Returns a list of vaults usable by the current user.

READ ALL FROM <vault_name>;

Returns the encrypted values for all keys in the vault.

READ [ALL] FROM <vault_name> WHERE vaultKey="<key>";

Returns the encrypted value for the specified key.