Using Vault as a Password Provider to secure the clientSecret
This configuration guide explains how to use Vault to secure your Celonis-specific clientSecret for the Uplink.
Step 1: Download the connector.jar file
You can find the connector.jar file in the Celonis Platform Download Portal.
Click Admin & Settings > Download Portal.
Scroll down and open JDBC (Database) Extractor.
You'll see a list of the available connector.jar files. Select the latest one.
Step 2: Generate a private key file
Run the help command to see all your options.
java -jar connector.jar help-vault
Place the connector.jar file in the same directory as the extractor.
Generate a private key file, using the command:
java -jar connector.jar genkey
You will be asked to enter a master password. This password will later be used to encrypt your private passwords.
Save the output to a file that is readable only by your service account.
The example YAML file in Step 3 uses vault.file as the name of this key file.
Step 3: Adjust the configuration of the application-local.yml
Add or update this line in your application.yml file:
credentialsProvider:
  VAULT_CREDENTIALS_PROVIDER:
    vaultFile: <Path to your keyfile>
You can encrypt the clientSecret using:
java -jar connector.jar genpass
Enter your master password and the password you want to encrypt.
Use the encrypted password in the configuration files where appropriate.
Here's an example of the adjusted application-local.yml file:
uplink:
  enabled: true
  url: http://dev.eu-1.celonis.cloud/uplink/api/public/uplink
  clientId: e102a1e3c3cabcf5cf6c74134ad25baaccbf83f80ea99262b6611bf902d3
  clientSecret: 676sad7a6d7as5d6asd564d5sa476766
  useCredentialsProvider: true
credentialsProvider:
  enabled: false
  type: VAULT_CREDENTIALS_PROVIDER
  VAULT_CREDENTIALS_PROVIDER:
    vaultFile: /full/path/to/vault.file
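The key file from Step 2 protects every encrypted secret in the configuration, so it is worth checking that the file named by vaultFile really is private to the service account. The script below is an added example, not part of the Celonis tooling: it assumes a POSIX host, is run as the service account, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Celonis code). Function names are hypothetical.

# check_vault_file FILE
# Succeeds only if FILE is a regular file owned by the current user with no
# group/other permission bits, i.e. readable only by the service account.
check_vault_file() {
    f=$1
    info=$(ls -ldn "$f" 2>/dev/null) || { echo "missing: $f" >&2; return 1; }
    perms=${info%% *}                                  # e.g. -rw-------
    owner=$(printf '%s\n' "$info" | awk '{print $3}')  # numeric uid
    if [ "$owner" != "$(id -u)" ]; then
        echo "$f is owned by uid $owner, not the current user" >&2
        return 1
    fi
    case "$perms" in
        -???------*) return 0 ;;   # regular file, owner bits only
        *) echo "$f has mode $perms; expected owner-only access" >&2
           return 1 ;;
    esac
}

# vault_file_from_config CONFIG
# Prints the first vaultFile value found in CONFIG. Assumption: a simple line
# match on the key is enough for this file; this is not a YAML parser.
vault_file_from_config() {
    sed -n 's/^[[:space:]]*vaultFile:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# check_config CONFIG
# Succeeds only if CONFIG names a key file that passes check_vault_file.
check_config() {
    path=$(vault_file_from_config "$1")
    [ -n "$path" ] || { echo "no vaultFile entry in $1" >&2; return 1; }
    check_vault_file "$path"
}

# Usage: sh check-vault.sh /path/to/application-local.yml
[ "$#" -eq 0 ] || check_config "$1"
```

A symbolic link or directory at the vaultFile path fails the check as well, because the mode string must start with `-`.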