Genpact Cora Knowledge Center

Configure Secret Management Support

Prerequisite

  • Basic understanding of Cora Orchestration.
  • Basic understanding of the external secret stores, AWS Secrets Manager or Azure Key Vault, whichever you want to use.
  • Knowledge of creating secret keys in the secret stores.

Overview

Cora Orchestration supports external secret stores for storing and fetching values such as user credentials, connection strings, database credentials, API keys, OAuth tokens, and other secrets that the configuration files need at runtime. With this functionality you do not need to hardcode sensitive information in the configuration files, either in plain text or in encrypted form. A secret store also lets you control who can access the sensitive information through its own permissions.

Following are the three secret stores supported:

  • AWS Secrets Manager
  • Azure Key Vault
  • System Environment Variables

To choose a specific secret store for Cora Orchestration, you need to add the sequence:secrets:providerTypes environment variable in your system environment variables.

To connect to the secret store, you need to configure the store specific environment variables in the system, and store the secret keys in the secret store.
All the store specific environment variables are listed in the sections below.
For the secret keys required for Cora Orchestration, see the Secret keys section below. 

AWS Secrets Manager environment variables

In the system environment variables, add the following.

sequence:secrets:providerTypes
    The secret store type.
    Value: AWSSecretManager

sequence:secrets:awsAccessKey
    The access key.

sequence:secrets:awsSecretKey
    The secret key.

sequence:secrets:awsRegion
    The region in which the secret store is set up.

sequence:secrets:awsUseSecretNameAsKeyPrefix (Optional)
    When true, keys are generated with the secret name as prefix: "secretName:secretKey".
    When false, keys are generated without the secret name as prefix: "secretKey".

sequence:secrets:awsKeyPrefixFilter (Optional)
    The prefix that all keys must include.

sequence:secrets:awsAcceptedSecretArns (Optional)
    The list of identifiers for the secrets to retrieve. The secret ARN (full or partial) and the secret name are supported.
    For example: MySecretFullARN-abcxyz;MySecretPartialARN;MySecretUniqueName

sequence:secrets:awsPollingInterval (Optional)
    The waiting time before the secrets are refreshed. If null, the secrets are not refreshed.
    For example, 00:15:00 for 15 minutes.

sequence:secrets:awsSecretNamesFilter (Optional)
    The list of secret names passed to the client to filter the listed secrets before they are returned.
    For example, secret1;secret2
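The four optional AWS settings interact: the names filter and accepted-ARN list decide which secrets are fetched at all, the prefix switch decides what the resulting keys are called, and the prefix filter decides which of those keys survive. The following Python model, added here as an example and not part of Cora Orchestration or this documentation, walks constructed sample secrets through those rules so you can predict what keys the product will see before you change a production variable. The rules themselves are taken from the table above; the treatment of a "partial ARN" as an ARN prefix, the hh:mm:ss reading of the polling interval, the sample ARNs and the function names are assumptions.

```python
"""Model of how the AWS Secrets Manager settings above shape the configuration
keys that reach Cora Orchestration.  Added example, not the product's code: the
prefix and filter rules are read from the documentation table; the "partial ARN"
prefix match, the hh:mm:ss interval format, the sample secrets and the function
names are constructed assumptions."""
from datetime import timedelta
from typing import Dict, List, Mapping, Optional

# Constructed sample of what a listing of AWS Secrets Manager secrets might hold.
# Each secret is a map of key/value pairs; ARNs and account numbers are made up.
SAMPLE_SECRETS: Dict[str, Dict] = {
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:cora-db-AbCdEf": {
        "name": "cora-db",
        "values": {
            "sequence:persistence:database:provider": "Microsoft.Data.SqlClient",
            "sequence:persistence:database:credentials": "user id=app;password=<redacted>;",
        },
    },
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:cora-crypto-GhIjKl": {
        "name": "cora-crypto",
        "values": {
            "sequence:cryptography:sha256:salt": "c2FsdA==",
            "other:unrelated:setting": "noise",
        },
    },
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:payroll-MnOpQr": {
        "name": "payroll",
        "values": {"payroll:apiKey": "not-for-cora"},
    },
}


def split_list(setting: Optional[str]) -> List[str]:
    """The optional list settings are documented as semicolon-separated."""
    return [item.strip() for item in (setting or "").split(";") if item.strip()]


def secret_is_accepted(arn: str, name: str, accepted: List[str]) -> bool:
    """awsAcceptedSecretArns: match on full ARN, partial ARN (assumed to be the ARN
    without its random suffix, i.e. a prefix) or secret name.  Empty list accepts all."""
    if not accepted:
        return True
    return any(item == arn or arn.startswith(item) or item == name for item in accepted)


def resolve_keys(
    secrets: Mapping[str, Mapping],
    *,
    use_secret_name_as_key_prefix: bool = False,
    key_prefix_filter: Optional[str] = None,
    accepted_secret_arns: Optional[str] = None,
    secret_names_filter: Optional[str] = None,
) -> Dict[str, str]:
    """Apply the optional settings and return the configuration keys Cora would see."""
    accepted = split_list(accepted_secret_arns)
    names = split_list(secret_names_filter)
    resolved: Dict[str, str] = {}
    for arn, secret in secrets.items():
        name = secret["name"]
        # awsSecretNamesFilter: only the listed secret names are fetched.
        if names and name not in names:
            continue
        if not secret_is_accepted(arn, name, accepted):
            continue
        for key, value in secret["values"].items():
            # awsUseSecretNameAsKeyPrefix: "secretName:secretKey" or plain "secretKey".
            full_key = f"{name}:{key}" if use_secret_name_as_key_prefix else key
            # awsKeyPrefixFilter: drop keys that do not carry the required prefix.
            if key_prefix_filter and not full_key.startswith(key_prefix_filter):
                continue
            resolved[full_key] = value
    return resolved


def parse_polling_interval(setting: Optional[str]) -> Optional[timedelta]:
    """awsPollingInterval such as "00:15:00"; unset means secrets are never refreshed."""
    if not setting:
        return None
    hours, minutes, seconds = (int(part) for part in setting.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


if __name__ == "__main__":
    # Keep only Cora's own keys, whichever secret they live in.
    for key in resolve_keys(SAMPLE_SECRETS, key_prefix_filter="sequence:"):
        print(key)
    print(parse_polling_interval("00:15:00"))
```

With `key_prefix_filter="sequence:"` only the three `sequence:` keys come through and the unrelated payroll secret is never used, which is the combination to prefer when the AWS account holds secrets for more than one application: the Cora service then cannot read values it does not need even if its IAM policy is broader than intended.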

Azure Key Vault environment variables 

In the system environment variables, add the following.

sequence:secrets:providerTypes
    The secret store type.
    Value: AzureKeyVault

sequence:secrets:azureKeyVaultUri
    The Azure Uniform Resource Identifier (URI) of the key vault.

sequence:secrets:azureKeyVaultTenantId
    The ID of the tenant (directory) in which the AD application is registered.

sequence:secrets:azureKeyVaultClientId
    The ID of the application (client) that you created to read the secrets.

sequence:secrets:azureKeyVaultClientSecret
    The secret of the Azure Active Directory application.

sequence:secrets:azureKeyVaultSecretKeyPrefix (Optional)
    The prefix for the names of the secrets in the vault.

System environment variables

If you don't want to use any external secret store, you can store the secrets in your system environment variables instead.

sequence:secrets:providerTypes
    The secret store type.
    Value: EnvironmentVariable

Secret keys

The following are the secret keys, and their values, that you need to store in your secret store.

sequence:persistence:database:provider
    Database provider name.
    Value: Microsoft.Data.SqlClient

sequence:persistence:database:credentials
    Database credentials.
    Value: user id=sa;password=sa;

sequence:persistence:database:connectionString
    Database connection string.
    For example: MultipleActiveResultSets=true;initial catalog=DBName;persist security info=True;data source=DBserverName;packet size=4096;

sequence:messageBus:connections:defaultConnectionName
    Message bus connection name.
    Value: one of
      • SqlServiceBroker
      • ActiveMQ

sequence:messageBus:connections:activeMQ:credentials
    ActiveMQ credentials, required if you have set ActiveMQ as the default connection name.
    Value: user id=mb1;password=sd;

sequence:messageBus:connections:activeMQ:connectionString
    ActiveMQ connection string, required if you have set ActiveMQ as the default connection name.
    For example: Server=failover:(tcp://192.168.xx.x:00000);Username=usr1;Password=pswd1;

sequence:cryptography:sha256:salt
    The SHA-256 salt used to prevent identical passwords from producing identical hashes.
    NOTE: When you upgrade, this value should not be changed.
    Value: Base64 string

sequence:cryptography:rijndael:key
    The Rijndael key.
    NOTE: When you upgrade, this value should not be changed.
    Value: Base64 string

sequence:cryptography:rijndael:salt
    The Rijndael salt used to prevent identical passwords from producing identical values.
    NOTE: When you upgrade, this value should not be changed.
    Value: Base64 string
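A store that is missing one of these keys, or holds a cryptography value that is not valid Base64, only fails when Cora Orchestration starts and tries to read it, and a cryptography value that changes across an upgrade silently breaks every password hash and encrypted value produced under the old one. The Python below, added here as an example and not Cora Orchestration's own code, checks a store (any mapping, for instance `os.environ` when the provider type is EnvironmentVariable) against the key list above, checks that the provider selected by `sequence:secrets:providerTypes` has its store-specific variables set, compares the upgrade-stable values between two stores, and generates fresh Base64 values for a new installation. The variable names, key names and provider values come from the tables on this page; the 32-byte length of generated values, the sample store contents and the function names are constructed assumptions.

```python
"""Checks on the secret keys listed above and on the provider settings that
select the store.  Added example, not Cora Orchestration's code: variable
names, key names and provider values come from the documentation tables; the
32-byte length of generated values, the sample store and the function names
are constructed assumptions."""
import base64
import binascii
import secrets
from typing import Dict, List, Mapping

# Store-specific variables each provider type needs (from the tables above).
REQUIRED_PROVIDER_VARS: Dict[str, List[str]] = {
    "AWSSecretManager": [
        "sequence:secrets:awsAccessKey",
        "sequence:secrets:awsSecretKey",
        "sequence:secrets:awsRegion",
    ],
    "AzureKeyVault": [
        "sequence:secrets:azureKeyVaultUri",
        "sequence:secrets:azureKeyVaultTenantId",
        "sequence:secrets:azureKeyVaultClientId",
        "sequence:secrets:azureKeyVaultClientSecret",
    ],
    "EnvironmentVariable": [],
}

REQUIRED_SECRET_KEYS = [
    "sequence:persistence:database:provider",
    "sequence:persistence:database:credentials",
    "sequence:persistence:database:connectionString",
    "sequence:messageBus:connections:defaultConnectionName",
    "sequence:cryptography:sha256:salt",
    "sequence:cryptography:rijndael:key",
    "sequence:cryptography:rijndael:salt",
]
# Needed only when ActiveMQ is the default message bus connection.
ACTIVEMQ_SECRET_KEYS = [
    "sequence:messageBus:connections:activeMQ:credentials",
    "sequence:messageBus:connections:activeMQ:connectionString",
]
# Base64 values that the notes above say must survive an upgrade unchanged.
UPGRADE_STABLE_KEYS = REQUIRED_SECRET_KEYS[4:]


def generate_base64_secret(num_bytes: int = 32) -> str:
    """Fresh random value for a Base64 key or salt (the byte length is an assumption)."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def is_valid_base64(value: str) -> bool:
    """Strict decode: rejects characters outside the Base64 alphabet and empty values."""
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def validate_provider_settings(env: Mapping[str, str]) -> List[str]:
    """Problems with sequence:secrets:providerTypes and its store-specific variables."""
    provider = env.get("sequence:secrets:providerTypes")
    if provider not in REQUIRED_PROVIDER_VARS:
        return [f"unsupported sequence:secrets:providerTypes: {provider!r}"]
    return [f"missing: {var}" for var in REQUIRED_PROVIDER_VARS[provider] if not env.get(var)]


def validate_secret_keys(store: Mapping[str, str]) -> List[str]:
    """Problems with the secret keys; an empty list means the store is complete."""
    required = list(REQUIRED_SECRET_KEYS)
    if store.get("sequence:messageBus:connections:defaultConnectionName") == "ActiveMQ":
        required += ACTIVEMQ_SECRET_KEYS
    problems = [f"missing: {key}" for key in required if not store.get(key)]
    problems += [f"not valid Base64: {key}" for key in UPGRADE_STABLE_KEYS
                 if store.get(key) and not is_valid_base64(store[key])]
    return problems


def changed_on_upgrade(old: Mapping[str, str], new: Mapping[str, str]) -> List[str]:
    """Cryptography values that differ between the pre- and post-upgrade stores."""
    return [key for key in UPGRADE_STABLE_KEYS if old.get(key) != new.get(key)]


# Constructed sample store with two deliberate defects.
SAMPLE_STORE: Dict[str, str] = {
    "sequence:persistence:database:provider": "Microsoft.Data.SqlClient",
    "sequence:persistence:database:credentials": "user id=app;password=<redacted>;",
    "sequence:persistence:database:connectionString": "initial catalog=DBName;data source=DBserverName;",
    "sequence:messageBus:connections:defaultConnectionName": "ActiveMQ",
    "sequence:messageBus:connections:activeMQ:credentials": "user id=mb1;password=<redacted>;",
    # sequence:messageBus:connections:activeMQ:connectionString deliberately omitted
    "sequence:cryptography:sha256:salt": "c2FsdA==",          # valid Base64
    "sequence:cryptography:rijndael:key": "not base64!",      # invalid
    "sequence:cryptography:rijndael:salt": generate_base64_secret(),
}
# Constructed sample environment: Azure selected, but three variables not yet set.
SAMPLE_ENV = {
    "sequence:secrets:providerTypes": "AzureKeyVault",
    "sequence:secrets:azureKeyVaultUri": "https://example-vault.vault.azure.net/",
}

if __name__ == "__main__":
    for problem in validate_provider_settings(SAMPLE_ENV) + validate_secret_keys(SAMPLE_STORE):
        print(problem)
```

Run `changed_on_upgrade` with a snapshot of the old store before switching a deployment to the new release; any key it names is a value that has to be restored before Cora starts against existing data.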