The following steps use the HashiCorp Vault user interface (UI) to guide you through the configuration of your HashiCorp Vault instance.
These configurations are mandatory for on premise Clarity LIMS deployments. For Illumina cloud hosted deployments, this configuration is completed by Illumina.
Detailed information and instructions for HashiCorp Vault are available on the HashiCorp website: www.hashicorp.com.
You are planning to install Clarity LIMS v6.0.0 and newer.
You have installed the latest version of either HashiCorp Vault Open Source or Enterprise.
You have read the Getting Started tutorials for Vault on the HashiCorp website and/or possess a basic knowledge of HashiCorp Vault.
You have system administrator permissions to perform the necessary operations to your HashiCorp Vault instance.
You have allowed the necessary port 443 from the Clarity LIMS instance to your HashiCorp Vault instance.
You have access to all the passwords required to be configured in your HashiCorp Vault instance.
To enable a new KV Secret Engine, refer to the Versioned Key/Value Secrets Engine tutorial provided on the HashiCorp Vault website.
The following table lists the secrets required for Clarity LIMS. To use the paths shown in the table, replace $host
with your fully qualified domain name (FQDN).
When configuration is complete, these secrets are listed in the Vault user interface.
AppRole is the recommended authentication method to use with the Clarity LIMS Secret Utility tool.
To enable the AppRole authentication method, refer to the AppRole Pull Authentication tutorial provided on the HashiCorp Vault website.
When AppRole is enabled, create an AppRole with the appropriate Access Control List (ACL) policy (see the following section).
Make a note of the Role ID and Secret ID. You need these IDs when configuring Secret Utility.
Secret Utility does not manage your Role ID and Secret ID for you (eg, renewing, revoking, and so on). It accepts the Role ID and Secret ID as-is, and attempts to authenticate with Vault.
Alternatively, the Clarity LIMS Secret Utility tool also works with the token authentication method.
To learn more about tokens, see the Tokens documentation on the HashiCorp Vault website.
Secret Utility does not manage your tokens for you (eg, renewing, revoking, and so on). It accepts the token as-is, and attempts to authenticate with Vault.
After enabling the AppRole authentication method, create ACL policies to access the Secret Engine.
IMPORTANT: Replace "claritylims" with your Secret Engine path.
You might need to update or create additional ACL policies for your System Administrator to rotate the credentials, when required.
To create the ACL policy, refer to the Vault Policies tutorial provided on the HashiCorp Vault website.
SSH into the Clarity LIMS instance.
After installing Clarity LIMS and configuring Secret Utility using the instructions provided in Guide to Secret Management, run the command to read an existing password/secret from HashiCorp Vault.
\
Path | Purpose |
---|---|
ACL Policies |
---|
$host/clarity/app.ftp.password
Password for GLSFTP user on the Clarity LIMS instance.
$host/clarity/app.rabbitmq.password
Password for RabbitMQ admin on the Clarity LIMS instance.
$host/clarity/db.clarity.password
Password for the configured Clarity LIMS database user
$host/clarity/db.lablink.password
Password for the configured LabLink DB database user.
$host/clarity/db.tenant.password
Password for the configured Tenant Lookup DB database user.
$host/clarity/app.ldap.managerPass
[Optional] Password for the User DN configured for Clarity LIMS LDAP integration
$host/integration/apiusers/apiuser
Password for the apiuser user account that is used by Automation Worker to authenticate with Clarity LIMS API.
If you have configured a different user account, create it under $host/integration/apiusers/$username
# For clarity instance to read from hashicorp vault
path "claritylims/data/+/clarity/
"
{
capabilities = ["read"]
}
# For integration to write to hashicorp vault
path "claritylims/data/+/integration/
"
{
capabilities = ["read","create","update"]
}