
Preparing a Secret Storage Application

The following section outlines the steps involved in preparing specific secret storage applications prior to installing CAS Manager. Once you have CAS Manager installed, you can configure the secret storage application to work with CAS Manager.

Preparing Azure Key Vault

The following section outlines how to prepare Azure Key Vault for key and secret encryption and storage with CAS Manager.

Before configuring CAS Manager to use the Azure Key Vault you need to complete the following steps:

  1. Create an Azure service principal that is able to read, write and delete secrets from/to the Azure Key Vault. For information on how to create this service principal, see App Objects and Service Principals.
  2. Create an Azure Key Vault. For information on how to create an Azure Key Vault, see Quickstart: Create a key vault using the Azure Portal.

Once you have completed the pre-requisite steps above, return to the Installing CAS Manager - External Database and Secret Storage Configuration and complete the installation of CAS Manager.

Preparing HashiCorp Vault

The following section outlines how to prepare Vault for key and secret encryption and storage with CAS Manager.

Deploying Vault with Consul and Integrated Storage (Raft)

For information on setting up a Vault server using Consul as a storage backend, see HashiCorp's official deployment guide, Vault using Consul. This guide demonstrates how to deploy Vault in high availability mode.

HashiCorp's recommendations for a production-level deployment of Vault can be found here: Production Level Deployment.

HashiCorp's official deployment guide for setting up a Vault server using Integrated Storage (Raft) as a storage backend can be found here: Vault with Raft Storage.

Reference Instructions for MongoDB and Vault Configuration

For detailed deployment instructions on installing and configuring MongoDB and Vault in a single virtual machine to be used by CAS Manager, see the following KB article. This KB article outlines in detail how to install and configure an instance of MongoDB and an instance of Vault on the same virtual machine. This KB article should be used in conjunction with the installation steps outlined in this section.

All configuration steps outlined here should be used as a reference only. For specific details, visit the vendor's official documentation and knowledge base.

The following steps outline how to prepare Vault to be used by CAS Manager. You can skip these steps if you have set up and prepared Vault by following the KB article linked above. If you have not used the KB article and have instead installed and configured the Vault server by following the vendor's official documentation, follow the steps below to add the Vault configuration required by CAS Manager:

  1. Initialize the Vault. For information on initializing the Vault, see Initializing the Vault.
  2. Unseal the Vault. For information on sealing and unsealing the Vault, see Seal/Unseal.
  3. Enable the secrets path expected by CAS Manager by running the following command:
    vault login
    vault secrets enable -version=2 -path=secret/ kv
    
  4. Create a Vault policy called "casm-policy":
    vault policy write casm-policy - << EOF
    path "secret/data/*" {
      capabilities = ["create", "update", "read", "delete", "list"]
    }
    EOF
    
    The output for this command should be:
    Success! Uploaded policy: casm-policy
    
    You can validate the policy by running the following command:
    vault policy read casm-policy
    
  5. Create a role to be used by CAS Manager by running the following command:
    vault write auth/token/roles/casm-role allowed_policies="casm-policy" period="768h"
    
    This command will create a token role that grants the casm-policy policy created above. Any token created using this role will be valid for 32 days if not renewed. If the token is renewed, its validity period is reset to 32 days. This period should be set in accordance with your security guidelines and should be configured to be as short as possible. The output of this command should be:
    Success! Data written to: auth/token/roles/casm-role
    
  6. Create a periodic token to be used by CAS Manager by running the following command:
    vault token create -role=casm-role -orphan
    
    This command will create a periodic token, which is useful when the token in question is intended to be used by a long-running process or application. For more information on creating Vault tokens, see Vault Tokens. The output of this command should be:
    Key                  Value
    ---                  -----
    token                <your token is here>
    token_accessor       <your token accessor is here>
    token_duration       768h
    token_renewable      true
    token_policies       ["casm" "default"]
    identity_policies    []
    policies             ["casm" "default"]
    

Once you have completed the pre-requisite steps above, return to the Installing CAS Manager - External Database and Secret Storage Configuration and complete the installation of CAS Manager.
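The steps above produce a periodic token whose 768h TTL is reset on every renewal, and a KV version 2 engine mounted at secret/ that the casm-policy policy can read and write under secret/data/*. The following added example (it is not part of this documentation and not CAS Manager's own code) shows how an application holding such a token would use the Vault HTTP API: look up its own remaining TTL, renew itself before the period runs out, and read and write a KV v2 secret. The Vault address, the token value read from VAULT_TOKEN, the secret name "casm/db-credentials" and the in-memory FakeVault stand-in are all constructed for illustration; the API paths (auth/token/lookup-self, auth/token/renew-self, secret/data/<name>) and the X-Vault-Token header are Vault's real ones.

```python
import json
import os
import urllib.request


class VaultError(Exception):
    """Raised when Vault answers with an HTTP error status."""


class VaultClient:
    """Minimal token-based Vault client over the HTTP API (example code)."""

    def __init__(self, addr, token, transport=None):
        self.addr = addr.rstrip("/")
        self.token = token
        # transport(method, url, body) -> (status, json_document); replaceable for offline use
        self.transport = transport or self._http

    def _http(self, method, url, body):
        req = urllib.request.Request(
            url, data=body, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})

    def request(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, doc = self.transport(method, f"{self.addr}/v1/{path}", body)
        if status >= 400:
            raise VaultError(f"{method} {path}: HTTP {status} {doc.get('errors', [])}")
        return doc

    def token_lookup(self):
        # data.ttl is the remaining lifetime in seconds; data.period is set for periodic tokens
        return self.request("GET", "auth/token/lookup-self")["data"]

    def renew_self(self):
        # Renewing a periodic token resets its TTL to the role's period (768h here)
        return self.request("POST", "auth/token/renew-self")["auth"]["lease_duration"]

    def kv2_write(self, name, data):
        # KV v2 wraps the secret in a "data" envelope and returns the new version number
        return self.request("POST", f"secret/data/{name}", {"data": data})["data"]["version"]

    def kv2_read(self, name):
        # KV v2 read returns data.data (the secret) and data.metadata (version, timestamps)
        return self.request("GET", f"secret/data/{name}")["data"]["data"]


def renew_if_needed(client, fraction=0.5):
    """Renew when remaining TTL is below `fraction` of the period. Returns (renewed, ttl)."""
    info = client.token_lookup()
    ttl = info["ttl"]
    period = info.get("period") or ttl
    if ttl < fraction * period:
        return True, client.renew_self()
    return False, ttl


class FakeVault:
    """Constructed in-memory stand-in for a Vault server, so the example runs offline."""

    def __init__(self, period_seconds=768 * 3600, ttl_seconds=None):
        self.period = period_seconds
        self.ttl = period_seconds if ttl_seconds is None else ttl_seconds
        self.store = {}  # name -> (data, version)

    def __call__(self, method, url, body):
        path = url.split("/v1/", 1)[1]
        payload = json.loads(body) if body else {}
        if path == "auth/token/lookup-self":
            return 200, {"data": {"ttl": self.ttl, "period": self.period, "renewable": True}}
        if path == "auth/token/renew-self":
            self.ttl = self.period
            return 200, {"auth": {"lease_duration": self.ttl, "renewable": True}}
        if path.startswith("secret/data/"):
            name = path[len("secret/data/"):]
            if method == "POST":
                version = self.store.get(name, ({}, 0))[1] + 1
                self.store[name] = (payload["data"], version)
                return 200, {"data": {"version": version}}
            if name in self.store:
                data, version = self.store[name]
                return 200, {"data": {"data": data, "metadata": {"version": version}}}
            return 404, {"errors": []}
        return 404, {"errors": ["unsupported path in FakeVault"]}


if __name__ == "__main__":
    # Real use: VAULT_TOKEN holds the periodic token from `vault token create -role=casm-role -orphan`
    token = os.environ.get("VAULT_TOKEN", "s.constructed-example-token")
    # Offline demo: a token with only one hour of its 768h period left
    client = VaultClient("http://vault.example:8200", token, transport=FakeVault(ttl_seconds=3600))
    print("renewed:", renew_if_needed(client))
    print("written version:", client.kv2_write("casm/db-credentials", {"user": "casm", "password": "example"}))
    print("read back:", client.kv2_read("casm/db-credentials"))
```

Against a real server, drop the transport argument and set VAULT_ADDR-style values and VAULT_TOKEN in the environment rather than in code; the renewal check is meant to run on a timer well inside the 32-day period, since a periodic token that is allowed to expire cannot be recovered and a new one must be issued from the role.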