Integrating HashiCorp Secure Vault with WSO2 Micro Integrator

Sajitha Liyanage
Published in Think Integration
6 min read · Oct 30, 2021

Today's digital enterprises need to pay special attention to security because corporate data, internal applications, deployments and so on are critical to their day-to-day operations. Secret management is therefore one of the major security tasks developers worry about. So what is a secret, and why do we need it? Let's sort that out first.

Put simply, non-human privileged credentials are called secrets, and we use them to protect sensitive information in tools, applications, containers, cloud-native environments and DevOps pipelines. A secret acts as the key that locks and unlocks data whenever we need to access it, and managing these secrets is called secret management. Nowadays HashiCorp Vault is the most popular open-source secret management tool among developers thanks to its feature set.

A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. — Vault Documentation

In this blog, I will explain how WSO2 Micro Integrator helps you protect your secrets by integrating with HashiCorp Vault, and how you can manage them in your integration solutions using different authentication methods.

First of all, let's see how to install and start the HashiCorp Vault server in your environment. Vault runs as a client/server application; the server is the only part of the Vault architecture that interacts with the storage backend, and we use the Vault CLI to drive all of its operations.

Starting the Dev Server

To set up the development server, perform the following steps:

  1. Download and unzip the package for your system. For recommendations specific to your operating system, check out the official documentation.
  2. Set the environment variable VAULT_ADDR:
$ export VAULT_ADDR='http://127.0.0.1:8200'

3. Start the Vault dev server:

$ vault server -dev

Server startup logs

4. Verify the server is running:

Check server status

Manage Secrets

There are multiple ways to insert and retrieve (manage) secrets in HashiCorp Vault: an HTTP API for interacting with the server programmatically, a command-line interface (the CLI tool) and a web-based GUI. Here I'll show you how to create and view secrets with the help of the CLI.

We can use the vault kv put command to create a secret at a specific path with a specific key. The example below creates a secret with the key name and the value sajithaliyanage, and stores it at the secret/sajitha path:

$ vault kv put secret/sajitha name=sajithaliyanage

Create a secret

We can use the vault kv get command to fetch secrets from the specified path:

$ vault kv get secret/sajitha

Fetch a secret

Congratulations! 👏 You’ve started the HashiCorp Vault server and managed secrets successfully. Now we can configure the WSO2 Micro Integrator server to connect with the HashiCorp vault server.

Authentication Methods

HashiCorp Vault supports multiple authentication methods so you can pick the one that makes the most sense for your business use case. Among these, WSO2 Micro Integrator supports the following popular and widely used methods.

Static Token Authentication

In HashiCorp Vault, tokens are the core method of authentication. In the previous section, when you started the Vault server, you probably noticed that the vault server -dev command prints an initial token labelled "Root Token". Token authentication is the basic auth method for Vault and the only one that cannot be disabled. Root tokens are tokens that have the root policy attached to them, and they can do anything in Vault.

Root Token in server startup logs

To use static token authentication, add the following configuration to the deployment.toml file located in the <MI_HOME>/conf directory of the Micro Integrator.

AppRole Authentication

This is the authentication method recommended by the HashiCorp team. The AppRole auth method lets applications authenticate against roles defined in Vault. It uses a RoleID and a SecretID for login; these are like the username and password an application uses to authenticate. Once the login succeeds, Vault returns a client token that can be used to fetch secrets. In addition, this method lets you limit the number of times a SecretID can be used, which tightens security further.

AppRole Auth Overview

Please follow the steps below to enable AppRole authentication on the HashiCorp server and configure the Micro Integrator.

  1. Enable the AppRole auth method:
$ vault auth enable approle
Success! Enabled approle auth method at: approle/

2. Create a policy named sample-policy with the following definition:

$ vault policy write sample-policy -<<EOF
# Read-only permission on secrets stored at 'secret/data/*'
path "secret/data/*" {
capabilities = [ "read" ]
}
EOF

Success! Uploaded policy: sample-policy

3. Create a role named my-role with the sample-policy policy attached:

$ vault write auth/approle/role/my-role \
    token_policies="sample-policy" \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=40

Success! Data written to: auth/approle/role/my-role

Note: If the token issued by your AppRole needs the ability to create child tokens, you will need to set token_num_uses to 0. Also note that the SecretID expires once it has been used secret_id_num_uses times.

4. Fetch the RoleID of the AppRole:

$ vault read auth/approle/role/my-role/role-id
Key        Value
---        -----
role_id    675a50e7-cfe0-be76-e35f-49ec009731ea

5. Get a SecretID issued against the AppRole:

$ vault write -force auth/approle/role/my-role/secret-id
Key                   Value
---                   -----
secret_id             ed0a642f-2acf-c2da-232f-1b21300d5f29
secret_id_accessor    a240a31f-270a-4765-64bd-94ba1f65703c

6. Add the following configurations to the deployment.toml of Micro Integrator

LDAP Authentication

The LDAP auth method allows authentication against an existing LDAP server using username and password credentials. This lets Vault be integrated into environments that already use LDAP without duplicating usernames and passwords in multiple places. Follow the steps below to configure it.

  1. Enable the LDAP auth method:
$ vault auth enable ldap

2. Connect the LDAP server to HashiCorp Vault:

$ vault write auth/ldap/config \
url="ldap://ldap.example.com" \
userattr=sAMAccountName \
userdn="ou=Users,dc=example,dc=com" \
groupdn="ou=Users,dc=example,dc=com" \
groupfilter="(&(objectClass=person)(uid={{.Username}}))" \
groupattr="memberOf" \
binddn="cn=vault,ou=users,dc=example,dc=com" \
bindpass='My$ecrt3tP4ss' \
certificate=@ldap_ca_cert.pem \
insecure_tls=false \
starttls=true

3. Add the following configurations to the deployment.toml of Micro Integrator
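The three deployment.toml snippets this post refers to (static token, AppRole and LDAP) do not appear on the page, so here is an added example of my own, not taken from the post or from WSO2. The [[external_vault]] key names are the ones I know from the Micro Integrator documentation and are an assumption to check against your MI version; values in capitals are placeholders, and the RoleID/SecretID are the ones produced in steps 4 and 5 above.

```toml
# <MI_HOME>/conf/deployment.toml  (added example; key names assumed from MI docs)
# Keep exactly one active [[external_vault]] entry named "hashicorp" and choose
# the auth fields that match the method you enabled in Vault.

# 1) Static token. Simplest, but a root token can do anything in Vault and
#    never expires: fine for the dev server, not for a real deployment.
[[external_vault]]
name = "hashicorp"
address = "http://127.0.0.1:8200"   # same value as VAULT_ADDR; plain HTTP is
                                    # dev-only, because the token travels in clear
rootToken = "ROOT_TOKEN"            # printed by `vault server -dev`
cacheableDuration = "15000"         # milliseconds a fetched secret is cached by MI
engineVersion = "2"                 # KV v2: `vault kv put secret/sajitha` lands at
                                    # API path secret/data/sajitha, hence the
                                    # policy's "secret/data/*"

# 2) AppRole (recommended). MI logs in with RoleID + SecretID and gets a client
#    token limited to sample-policy (read-only on secret/data/*) with the TTLs
#    and use counts set on my-role, so a leaked config does far less damage.
# [[external_vault]]
# name = "hashicorp"
# address = "http://127.0.0.1:8200"
# roleId = "675a50e7-cfe0-be76-e35f-49ec009731ea"     # step 4
# secretId = "ed0a642f-2acf-c2da-232f-1b21300d5f29"   # step 5
# cacheableDuration = "15000"
# engineVersion = "2"

# 3) LDAP. MI authenticates with a directory account; the policies it receives
#    come from the group-to-policy mapping you configure on the Vault side.
# [[external_vault]]
# name = "hashicorp"
# address = "http://127.0.0.1:8200"
# ldapUsername = "LDAP_USERNAME"
# ldapPassword = "LDAP_PASSWORD"
# cacheableDuration = "15000"
# engineVersion = "2"
```

Whichever block you enable, the credential in it is itself a secret: restrict file permissions on deployment.toml and keep it out of version control.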

Accessing HashiCorp Secrets in Micro Integrator

Once you have configured the Micro Integrator to connect to HashiCorp Vault, you can use the following Synapse XPath function to access HashiCorp secrets from your Synapse configurations.

Given below is a sample Synapse property that uses a HashiCorp secret:

Awesome! Now you know how it works well with WSO2 Micro Integrator. I hope you really enjoyed this blog. Also, if you have any questions, please leave a comment below. Cheers! 🍻


Software Engineer @ WSO2 | Open Source Contributor | Computer Science Graduate @ UCSC