Configuration [12]

To configure the mfsecretshashicorp vault, edit the secrets.cfg file to include values for the provider name, TLS connection details, authentication credentials, and details of the secrets engine.

The following is an example configuration file for the mfsecretshashicorp vault provider. See Vault Providers for more information on the structure of the config file:

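[global]
default provider=hashicorpvault

[hashicorpvault]
provider name=mfsecretshashicorp


### Connection Details ###
# The location of the Hashicorp server to connect to
# (example values; replace with the hostname or IP and port of your own Vault server)
host=127.0.0.0
port=8200
# The certificate authority to validate the server's certificates against
# This is required as MfSecretsApi only supports TLS connection
# Keep this file to the CA(s) expected to sign the Vault server's certificate rather than a broad bundle
ca_path=C:/certs/ca_collection.pem


### Optional TLS Client Verification ###
# Paths to the client certificate and its private key, presented when the server asks for
# client certificate verification (presumably also what auth_type=tls relies on; confirm in the auth docs)
client_cert=C:/certs/client_cert.pem
client_key=C:/certs/client_key.pem
# Password protecting the client private key (the value shown is a sample placeholder)
# It is stored here in plain text, so restrict read access to this file
client_password=key_password
# The format that the certificate and key are given in
# Supported formats are PEM and DER. Defaults to PEM if nothing is given
client_cert_type=PEM
client_key_type=PEM


### Optional Connection Settings ###
# The timeout in seconds for a single attempt at *connecting* to a Hashicorp server via HTTPS
# Default: 20 seconds
# Negative values will become the maximum possible timeout time
# Zero values will become the default value
# If this is not set, the default value is used
connection_timeout_seconds=20

# The maximum number of *retries* to attempt
# Will stop retrying when this or max_total_connection_time_seconds is exceeded
# Default: 1
# Negative values will retry infinitely
# If this is not set, the default value is used
# Setting both this and max_total_connection_time_seconds negative removes every bound on retrying
max_retry_count=1

# The maximum length of time in seconds to attempt to resolve a HTTPS transaction (retries and all)
# Will stop retrying when this or max_retry_count is exceeded
# Default: 60 seconds
# Negative values indicate no limit
# If this is not set, the default value is used
max_total_connection_time_seconds=60

# Turn on verbose transport layer debugging (optional)
# WARNING: This will print out HTTP headers and bodies which could contain sensitive data such as passwords
# Note: this should not be turned on unless asked to do so by the Micro Focus support team
# Left off in this example; set to true only for a support-led diagnosis and revert afterwards
transport_debugging=false


### Hashicorp server settings ###
# These options must correspond with the options set up on the Hashicorp server being connected to

# Supported secrets engines: 'kv1', and 'kv2'
secrets_engine_type=kv2
# The location the secrets engine of the desired type has been enabled on the Hashicorp server
secrets_engine_path=kv2

# The desired method of authentication. Supported: 'approle', 'tls', and 'userpass'
auth_type=approle
# The location the authenticator of the desired type has been enabled on the Hashicorp server
auth_path=approle


### Authentication Credentials ###
# These will change based on auth_type, see each auth_type's docs for what is required
# The values below are sample placeholders. The real secret_id is a credential equivalent to a password
# and is stored here in plain text: restrict read access to this file and keep it out of source control
role_id=db02de05-fa39-4855-059b-67221c5c2f63
secret_id=6a174c20-f6de-a53c-74d2-6018fcceff64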