Guide to Secret Management
Secret Utility (secretutil) is a password management tool used to store, manage, and retrieve passwords. Secret Utility returns the passwords in plain text.
The following sections describe the configuration of Secret Utility, which is installed as part of the Clarity LIMS-SecretUtil RPM.
Installing Integration Packages on Clarity LIMS
Integration Package | Clarity LIMS Version | Secret Util Mode | Installation Steps |
---|---|---|---|
Packages that require Clarity LIMS-SecretUtil. | Illumina Cloud Hosted v5.4 and later | Vault | Secret Utility would have been configured during installation of Illumina cloud hosted deployments of Clarity LIMS v5.4 and later. For details on installing and configuring the integration package, see the related installation guide. |
Packages that do not require Clarity LIMS-SecretUtil. | Illumina Cloud Hosted v5.4 and later | Vault | Clarity LIMS v5.4 and later do not support these integration packages. |
Packages that require Clarity LIMS-SecretUtil. | Illumina Cloud Hosted/On Premise v5.3 and earlier | File | Clarity LIMS-SecretUtil installs Secret Utility. Before continuing with the configuration of the integration package, complete the following steps: |
Packages that do not require ClarityLIMS-SecretUtil. | Illumina Cloud Hosted/On Premise v5.3 and earlier | - | Refer to the integration package installation guide for more information on installing and configuring the integration package. |
Configuration Script
If Secret Utility has not been configured, the 05_configure_claritylims_secretutil.sh script is created in the /opt/gls/clarity/config/pending folder.
To reconfigure Secret Utility:
1. Remove the hidden file /opt/gls/clarity/tools/secretutil/.configured
2. Run the Secret Utility configuration script as follows: /opt/gls/clarity/config/configure_claritylims_secretutil.sh
The following table describes the entries prompted by the configure_claritylims_secretutil.sh script.
Configuration Script Entries
Prompts | Default | Description |
---|---|---|
Enter required value for Secret Utility Mode. | vault | Configure the mode for Secret Utility. Possible values: vault, file |
Enter required value for Clarity Tenant Hostname. | localhost | Vault mode only. Configure the Tenant hostname to be used as part of the vault path. |
Enter required value for Vault Engine Path. | secret | Vault mode only. Configure the secret engine path. |
Enter required value for Vault URI. | | Vault mode only. Configure the Vault Server target. |
Vault Enterprise (Y/N) | N | Vault mode only. Configure whether the Vault Server is an enterprise version. |
Enter required value for Vault Namespace. | | Vault Enterprise only. Configure the Vault namespace. |
Enter required value for Vault Authentication Mode. | | Vault mode only. Configure the authentication method. Possible values: token, approle |
Enter required value for Vault Token. | | Token authentication only. |
Enter required value for Vault AppRole Role-Id. | | AppRole authentication only. |
Enter required value for Vault AppRole Secret-Id. | | AppRole authentication only. |
Enter required value for app.ftp.password; Enter required value for app.ldap.managerPass; Enter required value for app.rabbitmq.password; Enter required value for db.tenant.password; Enter required value for db.clarity.password; Enter required value for db.lablink.password; Enter required value for db.reporting.password | | File mode only. Sets the secrets (encrypted with CLARITYSECRET_ENCRYPTION_KEY env variable) into conf/secret.properties |
Enter required value for Username for API user | apiuser | File mode only. Sets the username of the API user to be used when applications require an API user. |
Enter required password for API user | | File mode only. Sets the password for the API user configured. |
Managing the Passwords (Vault Mode)
If Secret Utility is configured as Vault mode, the passwords are stored in and retrieved from Vault Enterprise.
To use Secret Utility and perform the following steps, you must first remote into the instance.
To use the Vault user interface (UI) and perform the following steps, you must have the appropriate role and access control list (ACL) policies.
Managing the Passwords (File Mode)
If Secret Utility is configured as File mode, the passwords are encrypted and stored in /opt/gls/clarity/tools/secretutil/conf/secrets.properties. Encryption is based on the CLARITYSECRET_ENCRYPTION_KEY environment variable.
To manage the passwords and perform the following steps, you must first remote into the instance.
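A read-only check of the file-mode storage described above, as an added example that is not part of the Illumina documentation or tooling. The paths and the variable name are the ones given on this page; the pass/fail policy (owner-only access to secrets.properties, and no copy of the key stored under the Secret Utility directory) is an assumption, as are the function names.

```sh
#!/bin/sh
# Added example (not Illumina code): read-only audit of Secret Utility file mode.
# Paths and the variable name come from this page; the policy is an assumption.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeeds only when group and other have no access at all.
owner_only() {
    oo_mode=$(perm_of "$1") || return 2
    [ $(( 0$oo_mode & 077 )) -eq 0 ]
}

# Succeeds when a file under the given directory assigns the encryption key,
# which would put the key next to the ciphertext it protects.
key_stored_under() {
    grep -rqsE '^[[:space:]]*(export[[:space:]]+)?CLARITYSECRET_ENCRYPTION_KEY=' "$1"
}

# Prints one line per check; the return status is the number of findings.
audit_secretutil() {
    as_home=$1
    as_file="$as_home/conf/secrets.properties"
    as_findings=0
    if [ ! -e "$as_home/.configured" ]; then
        echo "INFO  no .configured marker (not configured, or reconfiguration pending)"
    fi
    if [ ! -f "$as_file" ]; then
        echo "INFO  $as_file absent (vault mode, or file mode not configured)"
        return 0
    fi
    if owner_only "$as_file"; then
        echo "OK    $as_file is owner-only"
    else
        echo "FAIL  $as_file mode $(perm_of "$as_file") grants group/other access"
        as_findings=$((as_findings + 1))
    fi
    if key_stored_under "$as_home"; then
        echo "FAIL  CLARITYSECRET_ENCRYPTION_KEY is assigned in a file under $as_home"
        as_findings=$((as_findings + 1))
    fi
    return "$as_findings"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_secretutil "$1"; fi
```

Run it on the instance with /opt/gls/clarity/tools/secretutil as the argument; it never reads or prints secret values.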