Vault client
Vault client configuration is based on Spring Vault's EnvironmentVaultConfiguration, so the property names below follow its conventions.
Property | Description | Example |
---|---|---|
vault.uri | URL of the Vault instance | https://my.domain.com:8200 |
vault.ssl.key-store | Path (Spring Resource format) of the KeyStore containing the client key for mTLS | file:D:\\mid-server\\agent\\properties\\client.domain.com.jks |
vault.ssl.key-store-password | KeyStore password | changeit |
vault.ssl.trust-store | Path (Spring Resource format) of the TrustStore containing the certificate authorities of the Vault instance (if needed) | file:D:\\mid-server\\agent\\properties\\vaultTrustStore.jks |
vault.ssl.trust-store-password | TrustStore password | changeit |
vault.authentication | Vault authentication method | APPROLE |
Depending on the Vault authentication method chosen, further properties have to be defined. For example, for the APPROLE authentication method:
Property | Description | Example |
---|---|---|
vault.app-role.app-role-path | App role path | approle |
vault.app-role.role-id | Vault role id | e13f69ca-3a87-098d-ac01-237dcf82ce97 |
vault.app-role.secret-id | Vault secret id | e09a08d9-3a87-e41f-3134-59ab21572fa4 |
A best practice with the AppRole authentication method is to keep the role-id and the secret-id separate:
- The secret-id must be associated with the jar file when it is installed, so its value must be declared in the properties file.
- The role-id must be associated with the execution context, so its value must be configured as an environment variable or through the MID Server properties. For example, it can be snc:vault.app-role.role-id, with a property vault.app-role.role-id configured in the MID Server (through the ServiceNow web interface).
Create TrustStore file
To create the Vault TrustStore, we need:
- JDK (8+)
- A root CA certificate: root_ca_cert.crt
- An intermediate CA certificate: intermediate.cert.pem
We want to create a trustStore named vaultTrustStore.jks and import the Root CA.
```
$JAVA_HOME/bin/keytool.exe -import -trustcacerts -alias <caAlias> -file <rootCACertificate> -keystore <trustStoreName> -storepass <password>
```
Then type yes when prompted to add the certificate to the trustStore.
With our inputs, the command line is:
```
$JAVA_HOME/bin/keytool.exe -import -trustcacerts -alias root_ca -file root_ca_cert.crt -keystore vaultTrustStore.jks -storepass myStrongPassword
```
The same command is used for the intermediate CA:
```
$JAVA_HOME/bin/keytool.exe -import -trustcacerts -alias intermediate_ca -file intermediate.cert.pem -keystore vaultTrustStore.jks -storepass myStrongPassword
```
Create KeyStore file
To create the KeyStore for mTLS with Vault, we need:
- JDK (8+)
- A client certificate: client.domain.com.cer
- A client private key: client.domain.com.key
First of all, we have to create a file in PKCS#12 format.
```
openssl pkcs12 -export -in <certificate> -inkey <private_key> -name <friendlyName> -out <outputP12File> -password pass:<password>
```
With our inputs, the command line is:
```
openssl pkcs12 -export -in client.domain.com.cer -inkey client.domain.com.key -name client.domain -out client.domain.com.p12 -password pass:myStrongPassword
```
The keystore can then be created from the PKCS#12 file.
The command line is:
```
$JAVA_HOME/bin/keytool.exe -importkeystore -srckeystore <sourceCertificate.p12> -srcstoretype pkcs12 -srcstorepass <sourcePassword> -destkeystore <destKeyStore.jks> -deststoretype pkcs12 -deststorepass <destPassword>
```
With our inputs, the command line is:
```
$JAVA_HOME/bin/keytool.exe -importkeystore -srckeystore client.domain.com.p12 -srcstoretype pkcs12 -srcstorepass myStrongPassword -destkeystore client.domain.com.jks -deststoretype pkcs12 -deststorepass myOtherStrongPassword
```
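The two procedures above (trust store, then key store) as one added script that is not part of this project: it reads the passwords from environment variables instead of the command line, refuses to bundle a key that does not match its certificate, imports the CAs without the interactive prompt, and keeps the key entry password equal to the store password so Spring Vault can open the key store with its single vault.ssl.key-store-password. It assumes PEM-encoded inputs, openssl and a JDK 9+ keytool under JAVA_HOME, and the file names used on this page.

```shell
#!/bin/sh
# Added example, not the project's own script: builds the Vault trust store and the
# mTLS key store from the files named on this page, with the checks a practitioner
# would add. Assumes PEM inputs, openssl and a JDK 9+ keytool; passwords are read
# from environment variables so they never appear in "ps" output or shell history.
set -eu
KEYTOOL="${JAVA_HOME:-/usr}/bin/keytool"
# Refuse to bundle a certificate with a private key that does not belong to it.
check_key_matches_cert() {            # usage: check_key_matches_cert cert key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
# Trust store: one alias per CA (taken from the file name); -noprompt replaces
# the interactive "yes" so the script can run unattended.
build_truststore() {                  # usage: build_truststore out.jks ca.pem...
  out=$1; shift
  for ca in "$@"; do
    name=$(basename "$ca"); name=${name%%.*}
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$name" \
      -file "$ca" -keystore "$out" -storepass:env TRUSTSTORE_PASS
  done
}
# Key store: PKCS#12 bundle first, then imported as the client key store.
# -destkeypass keeps the entry password equal to the store password, because
# Spring Vault unlocks both with the single vault.ssl.key-store-password.
# OpenSSL 3 writes AES-encrypted bundles; an old JDK may need "-legacy" added.
build_keystore() {                    # usage: build_keystore cert key alias out.jks
  p12=${4%.jks}.p12
  check_key_matches_cert "$1" "$2"
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$p12" \
    -password env:P12_PASS
  "$KEYTOOL" -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 \
    -srcstorepass:env P12_PASS -destkeystore "$4" -deststoretype pkcs12 \
    -deststorepass:env KEYSTORE_PASS -destkeypass:env KEYSTORE_PASS
  rm -f "$p12"                        # the bundle also holds the private key
}
# Number of entries keytool reads back: catches a silent half-failure.
count_entries() {                     # usage: count_entries store.jks PASSWORD_VAR
  "$KEYTOOL" -list -keystore "$1" -storepass:env "$2" | grep -c 'Entry,' || true
}
if [ "${1:-}" = run ]; then           # sh make-stores.sh run, with the 3 passwords exported
  : "${TRUSTSTORE_PASS:?}" "${P12_PASS:?}" "${KEYSTORE_PASS:?}"
  build_truststore vaultTrustStore.jks root_ca_cert.crt intermediate.cert.pem
  build_keystore client.domain.com.cer client.domain.com.key client.domain client.domain.com.jks
  echo "trust store entries: $(count_entries vaultTrustStore.jks TRUSTSTORE_PASS)"
  echo "key store entries: $(count_entries client.domain.com.jks KEYSTORE_PASS)"
fi
```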