Using Vault as a Password Provider to secure the clientSecret
This configuration guide explains how to use Vault to secure your Celonis-specific clientSecret for the Uplink.
Step 1: Download the connector.jar file
You can find the connector.jar file in the Celonis Platform Download Portal.
Click Admin & Settings > Download Portal.
Scroll down and open JDBC (Database) Extractor.
You'll see a list of the available connector-jdbc.jar files. Select the latest one.
Step 2: Generate a private key file
Run the help command to see all your options.
java -jar connector-jdbc.jar help-vault
Place the connector.jar file in the same directory as the extractor.
Generate a private key file, using the command:
java -jar connector-jdbc.jar genkey
You will be asked to enter a master password. This password will later be used to encrypt your private passwords.
Save the output to a file that is readable only by your service account.
For example, in the YAML file below, we've used vault.file.
Step 3: Adjust the configuration of the application-local.yml
Add or update this setting in your application.yml file:
credentialsProvider:
  VAULT_CREDENTIALS_PROVIDER:
    vaultFile: <Path to your keyfile>
You can encrypt the clientSecret using:
java -jar connector-jdbc.jar genpass
Enter your master password and the password you want to encrypt.
Use the encrypted password in the configuration files where appropriate.
Here's an example of the adjusted application-local.yml file:
uplink:
  enabled: true
  url: http://dev.eu-1.celonis.cloud/uplink/api/public/uplink
  clientId: e102a1e3c3cabcf5cf6c74134ad25baaccbf83f80ea99262b6611bf902d3
  clientSecret: 676sad7a6d7as5d6asd564d5sa476766 65c6dc8b4feced32401b608792872e9cbe69a8ea9456f98dcd0887470245c9700c2eab0ffebe0536c7baea4717b799dfc9f21892d757ff48706404fd8f3587a26b1b220dc1098b71a4fdb7d66d67989b1ff52b2b34a5c04a6bc50767a283119f6be30ad81e31b99cf3de7304ec95e157a6cb649fc9680299c9427b3205167c36cb71c0a42911e7e879b4f44cf1c1bef3db7fe3c83a598b9c9289e86fe8dfcfcd5aa056ba7eea9426910fe92eee58b9a1cdc9e56216eb9e094d6750cc1609415c0c5280bb5ab285192943a5cdec899f5a8a83f1d9658d8b8a49de312353b918c2c5750c2a4d0adbdc5824a605325122663058b0144aa64c8a20dd57d7078af1274a9aaf0a7b03ea146df63797c64969bac57f2d8fd12d87bb59dbd6f245583bee0d73b23780dead86f763882b17000c239b34a154498c950803f05ded82d8c1a434a1005d99515e271c4ec0b8ad7eb9f3f017befb9cc9471f92b3c67791f85f6a694fe2ff2b96ffb5370113ac15bdd530bcac49a7f71b63e29846717a8aacb59ee0eaf6f29d5ca22608a472ac4c16df7278980e9dced90e562440ac510e8f304a3379bcc4e9daa776a68d099ff55ba7817063391175eb0734dbc101bad03a36cd7c7b58940f0bb3d69a9f2fc4b9179f25877c8c6cd544916bbd2d344aa5ce71fcef4cc31b864ce211cd0b1096d3d5e180de6886f109128d28ae24e9149fb
  useCredentialsProvider: true
credentialsProvider:
  enabled: false
  type: VAULT_CREDENTIALS_PROVIDER
  VAULT_CREDENTIALS_PROVIDER:
    vaultFile: /full/path/to/vault.file
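Step 2 requires the key file to be readable only by the service account, and Step 3 points the extractor at it through vaultFile. The script below checks both before the extractor is started. It is an added example, not Celonis code: the function names are hypothetical, and it assumes the configuration file contains a single unquoted vaultFile entry.

```shell
#!/bin/sh
# Added example (not part of the Celonis tooling): audit the key file that
# application-local.yml references through "vaultFile:".

# Print the vaultFile path from a config file (first match, whitespace trimmed).
# Assumption: the value is a plain, unquoted path on one line.
vault_path_from_config() {
    sed -n 's/^[[:space:]]*vaultFile:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Return 0 only if $1 is a regular file (not a symlink), owned by account $2,
# with no permission bits set for group or other.
check_vault_file() {
    file=$1
    owner=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    listing=$(ls -ld -- "$file")
    # Mode string layout: type, then owner(2-4), group(5-7), other(8-10).
    perms=$(printf '%s\n' "$listing" | cut -c5-10)
    actual_owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$perms" != "------" ]; then
        echo "FAIL: $file grants group/other access ($perms); use chmod 600" >&2
        return 1
    fi
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $file is owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    echo "OK: $file is private to $owner"
}

# Resolve vaultFile from the config, then check the file it points to.
audit_vault_config() {
    config=$1
    owner=$2
    vault=$(vault_path_from_config "$config")
    if [ -z "$vault" ]; then
        echo "FAIL: no vaultFile entry found in $config" >&2
        return 1
    fi
    check_vault_file "$vault" "$owner"
}

# Usage: sh audit_vault.sh /path/to/application-local.yml <service-account>
if [ "$#" -eq 2 ]; then audit_vault_config "$1" "$2" || exit 1; fi
```

A non-zero exit status means the key file should be fixed (ownership, chmod 600, or the vaultFile path) before the extractor is started.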