Configure the Vault Provider

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Enterprise Server comes configured with a default vault that uses the mfsecretsaes vault provider. Some components, such as Enterprise Server Common Web Administration (ESCWA), store secrets in this vault automatically. By editing the secrets.cfg file, you can modify configuration parameters for these components, and configure some additional components to use the vault.

Attention: Before changing the values for the password or salt parameters, consider the following:

The installation process automatically creates values for mfsecretsaes that enable valid encryption. After storing information in the vault, if the password or salt values are then changed, secrets stored before the change become inaccessible. Because some components store secrets in the vault automatically, be sure to create a backup of the secrets.cfg file before making any changes. In doing this, be sure that your secrets themselves are backed up in a secure fashion, for example in a file on an encrypted USB flash drive, to ensure recovery. We also strongly recommend that you secure and control access to the secrets.cfg file using your operating system file permissions, and that you monitor its access.

The secrets.cfg file is located by default in the $COBDIR/etc directory.

Use the instructions contained in the secrets.cfg file to guide your changes.

The following is a sample secrets.cfg file:

# This file controls the operation of applications which access the
# vault interface for storing "secret" values such as passwords and
# other sensitive information. It is strongly recommended that 
# appropriate OS file permissions are set and that its contents are
# monitored for any changes.

# NOTE: if configuration values are changed, then "secrets" that 
# were previously accessible may become inaccessible. It is strongly
# recommended that appropriate change management is used, and backups 
# are made before changes are applied.

# A default vault provider can be set in the "global" configuration. 
# Unless a particular application/software component requires or 
# allows use of a specific named provider, the "default" provider 
# will be used.
[global]
default provider=mfsecretsaes

# Specify vault providers and their configuration below here.

# Individual vault "providers" will have individual configuration 
# requirements. The key=value pairs beneath the logical [provider] label
# will be used by the provider module to control its behaviour.
[mfsecretsaes]

# This should be the name of the provider so/dll. No file extension 
# required.
provider name=mfsecretsaes

# The "location" key specifies the physical or logical (depending on vault 
# type) directory where secrets will be stored. For the "mfsecretsaes"
# provider, the target directory needs to pre-exist and have appropriate
# file permissions to allow application processes to access the
# vault. 
#
# The product installer will initially set a product-specific 
# file location by default.
location=C:\ProgramData\Micro Focus\Enterprise Developer\mfsecrets

# Different vault types may also support different sub-modes of operation.
mode=AES256-CBC

# For AES256-CBC a plain text password is used to generate a key and iv.
# By default, the product installer will generate a value.
password=<generated_value>
# Salt is an optional base64 value. By default, the product installer will 
# generate a value.
salt=<generated_value>
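
The following added example (not part of the product or its documentation) shows one way to act on the advice above before editing secrets.cfg: check that the file is restricted to its owner, confirm that the default provider's location directory exists, record a SHA-256 digest as a baseline for change monitoring, and take an owner-only backup. It assumes a UNIX host with POSIX file permissions; the function names and the backup directory are hypothetical, and the sample file it builds is constructed.

```python
import configparser, hashlib, os, shutil, stat, time

def audit_secrets_cfg(path):
    """Pre-change check of secrets.cfg: returns (findings, sha256 hex digest)."""
    findings = []
    # POSIX check: the file holds the vault password, so only the owner should reach it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is accessible to group/other (mode {mode:o})")
    cfg = configparser.ConfigParser(interpolation=None)  # values are literal text
    cfg.read(path)
    provider = cfg.get("global", "default provider", fallback=None)
    if provider is None or not cfg.has_section(provider):
        findings.append("default provider has no matching [provider] section")
    else:
        # For mfsecretsaes the vault directory must already exist.
        location = cfg.get(provider, "location", fallback="")
        if not os.path.isdir(location):
            findings.append(f"vault location is not an existing directory: {location!r}")
    # Digest to record as a baseline; a later mismatch means the file changed.
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return findings, digest

def backup_secrets_cfg(path, backup_dir):
    """Copy secrets.cfg into backup_dir (hypothetical location) as owner-only."""
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(backup_dir, "secrets.cfg." + time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, dest)
    os.chmod(dest, 0o600)  # the copy contains the same password and salt
    return dest

if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()  # constructed sample, not a real installation
    os.mkdir(os.path.join(d, "mfsecrets"))
    sample = os.path.join(d, "secrets.cfg")
    with open(sample, "w") as fh:
        fh.write("[global]\ndefault provider=mfsecretsaes\n[mfsecretsaes]\n"
                 f"location={d}/mfsecrets\npassword=constructed-value\n")
    print(audit_secrets_cfg(sample))
    print(backup_secrets_cfg(sample, os.path.join(d, "backup")))
```

Keep the recorded digest and the backup somewhere other than the host that holds the vault, since the backup copy carries the same password and salt as the original.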