Airlock as a Service Knowledge Base

Vault

This article focuses on working with IAM vaults. It describes how to use and manage vaults with secrets and key pairs.

A vault allows you to manage generic secrets and private/public key pairs used within your IAM configuration. You can refer to secrets and keys from the medusa-configuration.xml file, which is part of an IAM configuration ZIP file. The secrets and keys in a vault are only valid for the corresponding tenant.

Prerequisites

To view and edit vaults, the roles AMC - View vault and AMC - Manage vault, respectively, are required. These roles are by default part of the SaaS Administrator role, but can also be assigned separately to an administrator. See also SaaS roles and permissions.


Managing generic secrets

A generic secret can be a password, a symmetric key, or any similar value. You can add, refer to, and delete a generic secret.


Adding a generic secret

  1. In Airlock Console, go to Configuration > Vault.

  2. Go to the tenant dropdown list on top of the navigation tree to the left, and select the tenant for which you want to add the secret.

  3. In the Vault dialog, select the Generic secrets tab.

  4. Click the Add generic secret button.

  5. In the appearing popup dialog:

    • In the mandatory ID field, enter an identifier of up to 64 characters to refer to the secret. The following characters are allowed: lowercase and uppercase letters, numbers, underscores, and hyphens (no hyphens at the beginning of the ID). Do not include spaces.

    • Optionally, enter a description in the Description field.

    • Specify the secret in the Secret field.

    • Click Save to add the secret to the vault.

  6. The secret is added to the list of secrets in the Generic secrets tab of the Vault dialog.

Notice
After you submit a secret, you can neither view nor edit it. To change a secret, delete it and add it again.


Referring to a secret in the vault

  1. Secrets stored in the vault can be used in an IAM configuration valid for this tenant. For this, use the reference that SaaS provides in the secret settings.

  2. In Airlock Console, go to Configuration > Vault.

  3. Go to the tenant dropdown list on top of the navigation tree to the left, and select the relevant tenant.

  4. In the Vault dialog, select the Generic secrets tab.

  5. The available secrets are listed in the dialog. Click on the entry of the secret to which you want to refer in your IAM configuration.

  6. The following dialog displays the settings of the secret, such as ID, creation date and the (editable) description. The Reference section shows the reference to the secret, e.g., [FILE]/secrets/my-secret (note that the secret itself is not visible). Copy this reference and paste it without modification in the relevant configuration file or IAM Config Editor.


Deleting a secret in the vault

  1. In Airlock Console, go to Configuration > Vault.

  2. Go to the tenant dropdown list on top of the navigation tree to the left, and select the relevant tenant.

  3. In the Vault dialog, select the Generic secrets tab.

  4. The available secrets are listed in the dialog. Click on the entry of the secret that you want to delete.

  5. The following dialog displays the settings of the secret. To delete the secret, click the (red) Delete button at the bottom of the dialog. Confirm the deletion in the following popup window.

  6. The secret will be deleted.

Notice
Deleting the secret does not affect the currently active IAM configuration. To apply the change, re-activate the configuration.
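The reference form shown in the secret settings ([FILE]/secrets/<id>) and the notice above suggest a simple check before re-activating a configuration: find every secret reference in the configuration XML and confirm that each ID still exists in the tenant's vault and satisfies the ID rule. This is an added example, not code from Airlock or its documentation; the element names in the sample XML and the vault contents are constructed.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Vault ID rule from the Add dialog: up to 64 characters of letters, digits,
# underscores and hyphens, no leading hyphen, no spaces.
VAULT_ID_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,63}")
# Reference form shown in the secret settings: [FILE]/secrets/<id>
SECRET_REF_RE = re.compile(r"\[FILE\]/secrets/([^\s\"'<>]+)")

def is_valid_vault_id(vault_id: str) -> bool:
    """True if the ID satisfies the vault's syntax rule."""
    return VAULT_ID_RE.fullmatch(vault_id) is not None

def find_secret_refs(config_xml: str) -> list[tuple[str, str]]:
    """Return (location, id) for every secret reference in the XML.
    Attribute values and element text are scanned, so the actual element
    names do not matter; only the reference token does."""
    refs = []
    for elem in ET.fromstring(config_xml).iter():
        values = [(f"{elem.tag}@{k}", v) for k, v in elem.attrib.items()]
        if elem.text and elem.text.strip():
            values.append((elem.tag, elem.text))
        for location, value in values:
            for m in SECRET_REF_RE.finditer(value):
                refs.append((location, m.group(1)))
    return refs

def check_secret_refs(config_xml: str, vault_ids: set[str]) -> dict[str, list[str]]:
    """Classify each reference against the IDs currently in the tenant's vault."""
    report = {"ok": [], "missing": [], "invalid": []}
    for location, ref_id in find_secret_refs(config_xml):
        entry = f"{location} -> {ref_id}"
        if not is_valid_vault_id(ref_id):
            report["invalid"].append(entry)
        elif ref_id not in vault_ids:
            report["missing"].append(entry)
        else:
            report["ok"].append(entry)
    return report

# Constructed sample config; the element names are illustrative, not the real schema.
SAMPLE_CONFIG = """<medusa-configuration>
  <ldap-server url="ldaps://ldap.example.test" bindPassword="[FILE]/secrets/ldap-bind-pw"/>
  <mail-server password="[FILE]/secrets/smtp-pw-old"/>
  <api-key>[FILE]/secrets/-bad id</api-key>
</medusa-configuration>"""
# Constructed vault state: smtp-pw-old was deleted and re-added as smtp-pw.
SAMPLE_VAULT_IDS = {"ldap-bind-pw", "smtp-pw"}
```

Calling check_secret_refs(SAMPLE_CONFIG, SAMPLE_VAULT_IDS) reports the reference to the deleted smtp-pw-old as missing and the malformed -bad ID as invalid, so both can be corrected before the configuration is re-activated.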


Managing key pairs

Besides secrets, the vault may also contain public/private key pairs. You can generate, refer to, and delete key pairs. The private key is generated in the vault; you cannot export it. It is also possible to add a signed certificate to a key pair.

Generating a key pair

  1. In Airlock Console, go to Configuration > Vault.

  2. Go to the tenant dropdown list on top of the navigation tree to the left, and select the tenant for which you want to add the key pair.

  3. In the Vault dialog, select the Key pairs tab.

  4. Click the Generate key pair button.

  5. In the appearing popup dialog:

    • In the mandatory ID field, enter an identifier of up to 64 characters to refer to the key pair. The following characters are allowed: lowercase and uppercase letters, numbers, underscores, and hyphens (no hyphens at the beginning of the ID). Do not include spaces.

    • Optionally, enter a description in the Description field.

    • In the Algorithm section, select the algorithm used to generate the key pair.

    • Click Save to generate the key pair.

  6. The key pair is generated. Upon successful generation of the key pair, its settings are displayed in the following dialog, including the public key, the path to the keystore and the private key alias. See below to add a signed certificate to a key pair.


Adding a signed certificate to a key pair

  1. In Airlock Console, go to Configuration > Vault.

  2. Go to the tenant dropdown list on top of the navigation tree to the left, and select the relevant tenant.

  3. In the Vault dialog, select the Key pairs tab.

  4. The available key pairs are listed in the dialog. Click on the entry of the key pair to which you want to add a signed certificate.

  5. In the following dialog, scroll to the Certificate section. Click on Create CSR to create a certificate signing request (CSR).

  6. In the following popup window, enter a relevant PEM-encoded template in the CSR template field. Click on Create & download to generate the CSR.

  7. The CSR is generated and downloaded to your local PC as a .pem file.

  8. Have a trusted certificate authority sign the downloaded CSR (.pem file).

  9. Once the certificate has been signed, return to the Certificate section in the key pair's settings dialog. Paste the content of the signed certificate into the Signed certificate field. It should look like this:

    -----BEGIN CERTIFICATE----- 
    MIIFlTCCA30CFHmER2PUiiOBvF0M2d6kCqVQjWCMMA0GCSqGSIb3DQEBCwUAMIGG
    MQswCQYDVQQGEwJYWDESMBAGA1UECAwJU3RhdGVOYW1lMREwDwYDVQQHDAhDaXR5
    TmFtZTEUMBIGA1UECgwLQ29tcGFueU5hbWUxGzAZBgNVBAsMEkNvbXBhbnlTZWN0
    aW9uTmFtZTEdMBsGA1UEAwwUQ29tbW9uTmFtZU9ySG9zdG5hbWUwHhcNMjQxMjEw
    MTE0NDM3WhcNMjUxMjA1MTE0NDM3WjCBhjELMAkGA1UEBhMCRU4xDTALBgNVBAgM
    BG5vbmUxDTALBgNVBAcMBG5vbmUxEjAQBgNVBAoMCVdpa2lwZWRpYTENMAsGA1UE
    CwwEbm9uZTEYMBYGA1UEAwwPKi53aWtpcGVkaWEub3JnMRwwGgYJKoZIhvcNAQkB
    Fg1ub25lQG5vbmUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
    tsR/RQzqmYf5QUXPWB8WTC/GN1QlcO6D16Er7aah+ZyxasJas29V2uCvw2QLEFdP
    kMn/X/nMRXhd7NBqhlzdzvzmDzPF3cTsewnGptXPksApLong08vSbh36Ols+n+Gp
    NcPkWqtElY6GrKcDJwX3pID9NFKJuTAVH+fsXRt8VXDmEkaM7zUkT8453+Ynx+FB
    YbPmV/5QEc5kav5ypM5y0UR6zZkmEsTjETCmNmRjE4Hn1kdFQBdnE3Ceq8rwqiOx
    JIIQdsiZkLt7F6jmVZAee8ey1+5oQOssGd1Fq0Z/vLi3IF7HpGWDUl9zFtL1xIAm
    aSViKv6xugxXNf4F1PY/LOrD2lugRjIT7mYO3LYZ6LHt5+lEHcQpvMK3VlVb3XwP
    C4Y7ki+p/5RILwi999jIoOaRIWLVdbnLCuCYUCMqjXkhXSwZjfNJC6fk3w2iT0Gt
    VR2TUGVzyRsBxDmh1j5bwoEju/lnfNK66W4gNRq8uz9haK1kQ1m2ctxSKOBbjv34
    kQISe7dMkPv8jk5sQhJS00DdKspR1nWKcyqGmizgbtFHBPPYaJQuBMt2pkldS6o1
    56eCmYvAR5R3P1Bv3pMUsOnC3XLNslerILBsiN77OfDqXLoNHXXftegAtYzVWTOo
    o7EvRJRfkEYZ+Q+oJExY0UoPxZmmGWLgo/sbkmrpxDECAwEAATANBgkqhkiG9w0B
    AQsFAAOCAgEAcsWnOt9NyKbqmZAmMKEuo9r4hNYOmxfNixmlqBgiWBhqMs1UhH0S
    jBl2+mcbQkPk8p7UVMFfUgMRRcf/ibwZA4mrKOEB5jb6duvwFszMUnCAByS+uSU9
    MlqsPnQIaka4hp2VFRnKbbMk/O/pz2FABw1zgKVyj89zXAlurOVeLBAEwAaJh2Vz
    MHzrDXfDPZoaFVxhsgF1NLhDycthkhCO4vmxgal0pddtblMtOfaZvFU2WU+akugE
    pKEE4RGCyYT/hlJsZbrY8aD6H0bSUSW5z3Z3fX+0WaF9z0cx+CsbQUAoTelyHopf
    Vfqf8j1kE2WzGUqM0xcWKgYQZmtLNYhwX9ZaLP0BRZ1lgvlExhU82Rs7OyqQOkfT
    JW+LjjtmAB4q9ePe9zNkeEmbFO42KH0Zpq5s5pYCTtvwLPNqOxNqMfg9l2OL2ClH
    x3C/0RS9nGeA+eO402T7+rU00IllmX9jfsM7GNRummeZKmrJjBkibRsqjWbPiqtQ
    7xcTRgEHJZuQg023ud+16loAzvthnhAdMbDrJ7h9tLpZmYNMI3jQIksAYW6lX0ok
    hTS0Sv7CiPYTbswzygVOOOTTyOwVUOzkMihTRlFXRbGph6y7OB8Rs3bI2EVB3NvF
    k05k5RlBteCXi+rU0boH2x57iPYXhhR14TJoPSLeYmTedr62orgkmuo=
    -----END CERTIFICATE-----

  10. When you enter the signed certificate, it is validated; if it is valid, its validity period is shown.

  11. Click Save to save the signed certificate.


Referring to a key pair in the vault

  1. Key pairs stored in the vault can be used in an IAM configuration valid for this tenant. For this, use the references to the keystore path and private key alias provided in the key pair settings.

  2. In Airlock Console, go to Configuration > Vault.

  3. Go to the tenant dropdown list on top of the navigation tree to the left, and select the relevant tenant.

  4. In the Vault dialog, select the Key pairs tab.

  5. The available key pairs are listed in the dialog. Click on the entry of the key pair to which you want to refer in your IAM configuration.

  6. The following dialog displays the settings of the key pair, such as ID, public key, creation date and the (editable) description. The Reference section shows the reference to the keystore path, e.g., /secrets/keystore.p12. Copy this reference and paste it without modification in the relevant configuration file or IAM Config Editor.


Deleting a key pair in the vault

  1. In Airlock Console, go to Configuration > Vault.

  2. Go to the tenant dropdown list on top of the navigation tree to the left, and select the relevant tenant.

  3. In the Vault dialog, select the Key pairs tab.

  4. The available key pairs are listed in the dialog. Click on the entry of the key pair that you want to delete.

  5. The following dialog displays the settings of the key pair. To delete the key pair, click the (red) Delete button at the bottom of the dialog. Confirm the deletion in the following popup window.

  6. The key pair will be deleted.

Notice
Deleting the key pair does not affect the currently active IAM configuration. To apply the change, re-activate the configuration.