Configuring the HashiCorp Vault Server
A HashiCorp Vault server is configured through a configuration file. You create this file manually on the host that runs the HashiCorp Vault server (the CipherTrust Manager client), for example at /root/Vault.hcl.
The format of the configuration file can be HCL or JSON.
Configuration Parameters
Set the following parameters in the configuration file:

storage (StorageBackend: <required>): Configures the storage backend where HashiCorp Vault data is stored. Refer to the storage backend documentation for the full list of available storage backends. Running HashiCorp Vault in HA mode requires a backend that supports the HA coordination semantics (locking). If the storage backend supports HA coordination, the HA backend options can also be specified in this parameter block. If not, configure a separate ha_storage parameter with a backend that supports HA, with the corresponding HA options.

listener (Listener: <required>): Configures how HashiCorp Vault listens for API requests.

hsm (pkcs11) parameters (later HashiCorp Vault releases renamed this stanza seal "pkcs11" with the same parameters; check the documentation for your Vault version):

lib (string: <required>): Specifies the path to the PKCS#11 library.

slot (string: <slot or token label required>): Specifies the slot number to use.

pin (string: <required>): Credential for the HashiCorp Vault user created on the CipherTrust Manager, in the form <cm_user:cm_user_password>.
Note
If the Credentials_Encrypted parameter in the IngrianNAE.properties file is set to "yes", specify the obfuscated username and password here.
Because the PIN is stored in clear text in the configuration file, make the file readable only by the user that runs Vault (for example, chmod 600 /root/Vault.hcl).

key_label (string: <required>): Specifies the label of the key.

hmac_key_label (string: <required>): Specifies the label of the HMAC key. This label is not required for CKM_AES_GCM.

mechanism (string: <best available>): Specifies the encryption/decryption mechanism to use. The mechanism is given as a decimal string or as a hexadecimal string prefixed by 0x. Supported mechanisms are:
0x1082 CKM_AES_CBC (selected by default)
0x1087 CKM_AES_GCM

generate_key (string: "false"): Instructs HashiCorp Vault to generate a key when no key with the label key_label is found at HashiCorp Vault initialization time. This is a boolean expressed as a string (for example, "true").
Note
Currently, HashiCorp Vault supports only 256-bit HMAC keys.
Sample Configuration File
A sample configuration file (Vault.hcl) with the hsm block filled out for the CipherTrust Manager is shown below. The listener and storage settings are suitable for a local test only: the listener has TLS disabled and the file storage lives under /tmp.
[root@localhost vault]# cat Vault.hcl
# "backend" is the older name for "storage". Vault reads only one storage
# stanza, so this Consul block is commented out; to keep Vault data in Consul
# instead, uncomment it and remove the "file" stanza below.
# backend "consul"
# {
# address = "127.0.0.1:8500"
# path = "vault"
# }
listener "tcp"
{
address = "127.0.0.1:8200"
tls_disable = 1    # plaintext listener, for a local test only; otherwise set tls_cert_file and tls_key_file
}
storage "file"
{
path = "/tmp/data"    # /tmp does not survive a reboot; use a persistent path outside a test
}
hsm "pkcs11"
{
lib = "/opt/hashi/64/hsm/safenet/8.3.2/libIngPKCS11.so"
slot = "1"
pin = "KSUserName:KSUserPassword"    # CipherTrust Manager user and password; restrict this file's permissions
key_label = "vaulttek"
mechanism = "0x1087"    # CKM_AES_GCM; for CKM_AES_CBC, use "0x1082" and also set hmac_key_label
generate_key = "false"
}
After configuring the HashiCorp Vault server, start it as described in Starting the HashiCorp Vault Server.
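The parameter list above amounts to a small set of rules (a storage and a listener stanza, lib, pin and key_label required, a slot or token label, a mechanism written as decimal or 0x-prefixed hex, hmac_key_label required unless the mechanism is CKM_AES_GCM), and the sample file carries two settings that are acceptable on a test box only (tls_disable and a /tmp storage path). The checker below is an example added here, not code from this page, from HashiCorp or from Thales: it parses the flat stanza form used above (not full HCL), applies those rules, and runs against the page's sample file and a corrected copy of it. The token_label key name, the certificate paths and the /var/lib/vault/data path are assumptions.

```python
"""Lint a Vault server config that uses the hsm "pkcs11" stanza.

Hypothetical checker (an added example, not Vault's own parser): it reads only
the flat stanza subset of HCL used on this page, type "label" { key = value },
and applies the constraints from the parameter list above.
"""
import re

# Constructed input: the page's sample Vault.hcl, verbatim.
SAMPLE_CONFIG = '''
backend "consul"
{
address = "127.0.0.1:8500"
path = "vault"
}
listener "tcp"
{
address = "127.0.0.1:8200"
tls_disable = 1
}
storage "file"
{
path = "/tmp/data"
}
hsm "pkcs11"
{
lib = "/opt/hashi/64/hsm/safenet/8.3.2/libIngPKCS11.so"
slot = "1"
pin = "KSUserName:KSUserPassword"
key_label = "vaulttek"
mechanism = "0x1087" #for CKM_AES_CBC, use "0x1082"
generate_key = "false"
}
'''

# Constructed input: the weak settings corrected, same hsm stanza. The
# certificate and data paths are placeholders (assumption), not from the page.
HARDENED_CONFIG = '''
listener "tcp"
{
address = "127.0.0.1:8200"
tls_cert_file = "/etc/vault/tls/vault.crt"
tls_key_file = "/etc/vault/tls/vault.key"
}
storage "file"
{
path = "/var/lib/vault/data"
}
''' + SAMPLE_CONFIG[SAMPLE_CONFIG.index('hsm "pkcs11"'):]

MECHANISMS = {0x1082: "CKM_AES_CBC", 0x1087: "CKM_AES_GCM"}  # the page's list
DEFAULT_MECHANISM = 0x1082  # CKM_AES_CBC is selected by default
_STANZA = re.compile(r'(\w+)\s+"([^"]*)"\s*\{(.*?)\}', re.S)
_KV = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(\S+))', re.M)


def parse_stanzas(text):
    """Return [(type, label, {key: value})]; flat stanzas only, '#' comments dropped."""
    text = re.sub(r'(?m)(^|\s)#.*$', r'\1', text)
    return [(kind, label, {k: q or b for k, q, b in _KV.findall(body)})
            for kind, label, body in _STANZA.findall(text)]


def lint(text):
    """Return a list of findings; an empty list means the config passed."""
    found, by_kind = [], {}
    for kind, label, kv in parse_stanzas(text):
        by_kind.setdefault(kind, []).append((label, kv))
    if "storage" in by_kind and "backend" in by_kind:
        found.append('"backend" is the old name for "storage"; Vault reads "storage" '
                     'and silently ignores the "backend" stanza')
    for label, kv in by_kind.get("storage", []):
        if label == "file" and kv.get("path", "").startswith("/tmp"):
            found.append('storage "file": a path under /tmp is not durable')
    for label, kv in by_kind.get("listener", []):
        if kv.get("tls_disable", "0").lower() in ("1", "true"):
            found.append(f'listener "{label}": tls_disable set; tokens travel in the clear')
    for _, kv in by_kind.get("hsm", []):
        for key in ("lib", "pin", "key_label"):
            if not kv.get(key):
                found.append(f"hsm: {key} is required")
        if not kv.get("slot") and not kv.get("token_label"):  # key name assumed
            found.append("hsm: slot or token label is required")
        try:  # decimal or 0x-prefixed hexadecimal string, as the page describes
            mech = int(kv.get("mechanism", str(DEFAULT_MECHANISM)), 0)
        except ValueError:
            mech = None
        if mech not in MECHANISMS:
            found.append(f"hsm: unsupported mechanism {kv.get('mechanism')!r}")
        elif mech != 0x1087 and not kv.get("hmac_key_label"):
            found.append(f"hsm: hmac_key_label is required with {MECHANISMS[mech]}")
    return found


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "OK" if not lint(cfg) else "")
        for finding in lint(cfg):
            print("  -", finding)
```

Run it as a file and it reports three findings for the page's sample (the ignored Consul block, the /tmp path and the TLS-less listener) and none for the corrected copy; switching the mechanism to "0x1082" without adding hmac_key_label produces a fourth.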