
Configure Vault

This documentation is not a reference for HashiCorp Vault, but gives you some pointers to achieve your objectives. To use it in production, follow the HashiCorp Vault guidelines.

Main steps are:

  1. Configure TLS
  2. Configure mTLS
  3. Configure AppRole
    1. Create the policy
    2. Create the role
    3. Generate the role-id
    4. Generate the secret-id
  4. Configure Active Directory
    1. Configure the secret engine
    2. Configure credentials
  5. Conclusion

Configure TLS

As described in the Vault documentation, TLS must be configured in the HCL config file.

For example:

listener "tcp" {
    tls_cert_file = "/etc/certs/vault.crt"
    tls_key_file  = "/etc/certs/vault.key"
    tls_min_version = "tls12"
}
  • tls_cert_file : Vault certificate for TLS
  • tls_key_file : Private key of the Vault certificate
  • tls_min_version : Minimum accepted TLS version. I recommend TLS 1.2, or even 1.3

Configure mTLS

Mutual TLS protects Vault from being called by unauthorized clients. To call Vault, each client must present a certificate signed by a recognized Certificate Authority. The config file can be updated:

listener "tcp" {
    tls_require_and_verify_client_cert = "true"
    tls_client_ca_file  = "/usr/local/share/ca-certificates/company.crt"
}
  • tls_require_and_verify_client_cert : Force mTLS (a client without a valid certificate is rejected at the TLS handshake)
  • tls_client_ca_file : Trusted Certificate Authority file (PEM format) from your company. It is the CA that issues your client certificates.

Configure AppRole

To authenticate to Vault, you have to configure an Auth method, for example AppRole.

First of all, we have to enable the approle auth method:

vault auth enable approle

Create the policy

Then create an AppRole for ServiceNow and associate it with a policy.

Create a policy file, discovery-policy.hcl, that gives read-only permissions on the ad path:

path "ad/*" {
  capabilities = [ "read" ]
}

Then write it to Vault as the discovery policy:

vault policy write discovery discovery-policy.hcl

Create the role

Create a role named mid-server:

vault write auth/approle/role/mid-server \
    secret_id_bound_cidrs=192.168.1.12/32 \
    token_max_ttl=6h \
    token_explicit_max_ttl=24h \
    token_policies=discovery \
    token_bound_cidrs=192.168.1.12/32

with:

  • secret_id_bound_cidrs: IP networks containing the MID Server(s). Only hosts in these networks may log in with the secret_id.
  • token_bound_cidrs: IP networks containing the MID Server(s). Only hosts in these networks may use the login token.
  • token_max_ttl: Max TTL for the token
  • token_explicit_max_ttl: Max TTL for the token even if it is renewed
  • token_policies: Policy applied to the token

Generate the role-id

Read the role-id for the mid-server role:

vault read auth/approle/role/mid-server/role-id

You should get something like:

Key        Value
---        -----
role_id    fa9f3df2-ecb4-4543-54e1-aa3c0e13e394

Generate the secret-id

Generate the secret-id for the mid-server role:

vault write auth/approle/role/mid-server/secret-id role-id=fa9f3df2-ecb4-4543-54e1-aa3c0e13e394

You should get something like:

Key                   Value
---                   -----
secret_id             c5515458-9824-401a-9041-66a0ab30965b
secret_id_accessor    00f32453-5ee3-9238-29f0-216b0f59a698

The role-id and secret-id will be used by Vault-Connect to authenticate to Vault and get a token. Treat the secret-id like a password: it is only useful from the bound CIDRs, but it should never be logged or shared.

Configure Active Directory

The Active Directory secret engine allows you to handle your AD secrets.

Configure the secret engine

First of all, enable the AD secret engine on its default path, ad:

vault secrets enable ad

And then configure it:

vault write ad/config \
    binddn='vault-admin@mycompany.com' \
    bindpass='myStr0ngP@sswd!!' \
    url='ldaps://our-ldap.mycompany.com' \
    userdn='dc=mycompany,dc=com'

with:

  • binddn: AD account with permission to reset passwords
  • bindpass: Password of that AD account
  • url: AD directory URL (ldaps)
  • userdn: Base DN under which users are looked up

Add the parameter insecure_tls=true if your LDAPS certificate does not validate (for testing only, never in a production environment, since it disables verification of the AD server's certificate).

Once the AD connection is configured, we can configure credentials.

Configure credentials

Credentials are configured by creating a role. The account password is rotated each time you request the password once the TTL has expired (e.g. after 3 hours).

We choose the name discovery-role:

vault write ad/roles/discovery-role \
    service_account_name='admin-server@mycompany.com' \
    ttl=3h

with:

  • service_account_name: Account that can perform a discovery on Windows Servers (admin server). Be careful not to use this account for anything else, since its password will be rotated.
  • ttl: Password TTL.

If you want to check your configuration, call the following command to get the account password:

vault read ad/creds/discovery-role

You should get something like:

Key                 Value
---                 -----
current_password    ?@09AZbrG5padknEnWLBOnoOujkZHbFMODmjmL9kxgiEoWUvVoerxcENtuAPAplB
username            admin-server
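As an added example (not code from this page or from Vault-Connect), here are the two API calls behind the commands above that a client such as the MID Server makes: an AppRole login with the role-id and secret-id generated earlier, then a read of ad/creds/discovery-role with the returned token, over the mTLS listener configured at the start. The Vault address, the certificate paths and the offline stand-in server are assumptions; the role-id and secret-id are the ones on this page.

```python
import json
import ssl
import urllib.request
VAULT_ADDR = "https://vault.mycompany.com:8200"   # assumed; the two ids below are from this page
ROLE_ID = "fa9f3df2-ecb4-4543-54e1-aa3c0e13e394"
SECRET_ID = "c5515458-9824-401a-9041-66a0ab30965b"

def mtls_transport(client_cert, client_key, ca_file):
    """Real transport: client certificate for mTLS, company CA, TLS 1.2 minimum (paths assumed)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(client_cert, client_key)
    def send(req):  # takes a prepared request, returns Vault's decoded JSON body
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return send

def approle_login(role_id, secret_id, send, addr=VAULT_ADDR):
    """POST /v1/auth/approle/login and return the client token. Never log the secret_id."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    req = urllib.request.Request(f"{addr}/v1/auth/approle/login", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    return send(req)["auth"]["client_token"]

def read_ad_creds(token, role, send, addr=VAULT_ADDR):
    """GET /v1/ad/creds/<role>: the API form of 'vault read ad/creds/<role>'."""
    req = urllib.request.Request(f"{addr}/v1/ad/creds/{role}", headers={"X-Vault-Token": token})
    data = send(req)["data"]
    return {"username": data["username"], "current_password": data["current_password"]}

def fake_vault(req):
    """Constructed offline stand-in for Vault: 403 on a bad secret_id or a missing/expired token."""
    if req.full_url.endswith("/v1/auth/approle/login"):
        if json.loads(req.data).get("secret_id") != SECRET_ID:
            raise PermissionError("403 invalid secret id")
        return {"auth": {"client_token": "hvs.CONSTRUCTED", "lease_duration": 21600}}
    if req.get_header("X-vault-token") != "hvs.CONSTRUCTED":  # urllib capitalizes header names
        raise PermissionError("403 permission denied")
    return {"data": {"username": "admin-server", "current_password": "CONSTRUCTED-pw"}}

def fetch_discovery_creds(send=fake_vault):
    """What Vault-Connect does: log in with role-id/secret-id, then read the AD credential."""
    token = approle_login(ROLE_ID, SECRET_ID, send)
    return read_ad_creds(token, "discovery-role", send)

def login_rejected(secret_id, send=fake_vault):  # True when Vault refuses the login
    try:
        return approle_login(ROLE_ID, secret_id, send) is None   # a token means accepted
    except PermissionError:
        return True
```

Against a real server, pass mtls_transport(cert, key, ca) instead of the stand-in; a 403 at the first call usually means a stale secret-id or a caller outside secret_id_bound_cidrs, and a 403 at the second call a token that has passed token_max_ttl.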

Conclusion

Vault is now configured to rotate the password of your AD credential:

  • TLS and mTLS are configured
  • Role ID and Secret ID are generated for the MID server only
  • The credential role is created to rotate the passwords

The information needed to continue is:

  • role-id : fa9f3df2-ecb4-4543-54e1-aa3c0e13e394
  • secret-id : c5515458-9824-401a-9041-66a0ab30965b
  • credential role : discovery-role


Last updated 2020-12-29

Copyright © 2020 JFLA Consulting