Adding a new authentication method
1) Go to the Vault (in incognito mode) and login with the root token.
2) Go to Access → Auth Methods → Enable new method → Username & Password
Adding a new Secret Engine
1) Go to the Vault (in incognito mode) and login with the root token.
2) Go to Secrets → Enable new engine → KV
Creating a new User (assumes a Username/Password authentication method is already added to the vault)
Creating a new User can be done in two ways
Method 1 → API call(recommended):
This is simple and straightforward . Copy and run this curl command (You should replace the vaultEndpoint, xVaultToken , userName , passWord and mountPoint )
curl --location '{vaultEndpoint}/v1/auth/{mountPoint}/users/{userName}' \
--header 'X-Vault-Token: {xVaultToken}' \
--header 'Content-Type: application/json' \
--data '{
"password": "{passWord}""
}'
For Eg:
curl --location 'http://red-osprey-9.phosphorus.io:8200/v1/auth/userpass/users/user3' \
--header 'X-Vault-Token: s.Yr5jEDojF0z9aIaWgRxGMX5j' \
--header 'Content-Type: application/json' \
--data '{
"password": "superSecretPassword"
}'
Method 2 → UI + CLI
1) Go to the Vault (in incognito mode) and login with the root token.
2) Go to Access → Entities → Create entity → Enter Name and click Create
3) Install Vault CLI
brew tap hashicorp/tap
brew install hashicorp/tap/vault
For Further info => Install | Vault | HashiCorp Developer
4) Open terminal and set the vaultEndpoint(VAULT_ADDR), vaultToken(VAULT_TOKEN), mountPoint (user pass is the mountPoint in the example below)
export VAULT_ADDR="http://red-osprey-9.phosphorus.io:8200"
export VAULT_TOKEN="s.Yr5jEDojF0z9aIaWgRxGMX5j"
vault write auth/userpass/users/user3 password="superSecretPassword"
5) You should see the response being printed in the terminal => Success! Data written to: auth/userpass/users/user3
Adding a new ACL Policy
1) Go to the Vault (in incognito mode) and login with the root token.
2) Go to Policies → Create an ACL Policy
path "user3engine/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/health" { capabilities = ["read"] } path "sys/auth" { capabilities = ["read", "list"] }
3) Where user3engine
is the name of the secret engine
Attaching a ACL Policy to a user
1) Go to the Vault (in incognito mode) and login with the root token.
2) Go to Access → Entities → Select the entity → Edit entity → Select the policies you want to attach → Save
Listing all Users
curl \
--header "X-Vault-Token: s.Yr5jEDojF0z9aIaWgRxGMX5j" \
--request LIST \
http://red-osprey-9.phosphorus.io:8200/v1/auth/userpass/users
This only lists the users under userpass
mountpoint, you can change the mountpoint to list the users under the specific mountpoint.
Hashicorp Vault QA Document
Positive Testing:
-
Able to create
non-local
vault integrations – -
Able to use
Token
as the authentication method – -
Able to use
Username/Password
as the authentication method – -
Able to specify mountPoint other than
userpass
forUsername/Password
authentication method –
Negative Testing:
-
Specify an invalid
Token
and make sure error pops up and not being able to create the integration – -
Specify invalid
Username/Password
and make sure error pops up and not being able to create the integration – -
Specify invalid
mountPoint
and make sure error pops up and not being able to create the integration – -
Create multiple vault integrations. Bring down the instance and bring it back up. Make sure that the vault are still functional. –
-
Specify an
expired Token
and make sure error pops up and not being able to create the integration –
Features Testing
-
Create a vault integration and scan few devices with that integration =>
initialize()
andcreateCredential()
– -
On the Credential Providers Page make sure it displays the correct number of credentials present in that secretEngine =>
listCredentials()
– -
Go to a device and click on Show Device Password and make sure the device’s password match with what is present in the vault =>
getCredential()
– -
Rotate a device’s password and make sure the updated password is present in the vault =>
setCredential() -
Bulk Workers Testing
-
Select 4-5 devices and
rotate the credentials
for those devices and make sure the updated password matches with the vault. –
Auto Renewal Testing (check for multiple vault integrations as well): –
-
Create a token with a TTL of 15m.
-
Make an API call
tokenLookupSelf
and note down the TTL (dateTime format). Let’s call this T1. -
Create an integration with Token as the authentication method and specify the created token.
-
Make sure the Auto Renew check box is selected
-
After 10 mins make the same API call as in step 2 and verify that the TTL would have been by 15m. (The reason for 10 mins is that there is an
autoTimer
in the code that makes therenewToken
API call at 7.5mins (T1/2))Check for
Auto Renew
unabled as well.
Retry Logic Testing:
-
Token
auth method =>
a) Create a vault token integration with a token which is about to expire in a few mins (uncheck Auto Renew)
b) Wait for the token to expire
c) Now make a vault action like creating a credential.
You should not be able to create the credential and get the errorUnable to complete action, check if Token has expired
in the BE logs- -
Userpass
auth method => Retry Logic for userpass is quite tricky and needs local setup –
a)Follow the steps in Hashicorp Vault. Create users to create an authMethod whose token expires in 5 mins.
c) Create a vault userpass integration. Uncheck the auto Renew check box (through the UI).
d) If you do a vault action like creating a credential, it should succeed since the vaultWrapper will call userpassLogin
and get a new token
Backward Compatibility Testing –
-
Deploy Master to a RO
-
Create a non-local Vault integration
-
Deploy the branch (feat-PHO-1356-additional-auth-methods) to the same RO
-
Make sure the existing vault integration does not break and also we are able to create new vault integrations
Delete Provider (stop auto renew) Testing –
-
Create a vault integration and set
autoRenew
to true -
now before the
renewLeaseFunc
runs, we delete that integartion -
Now when the
renewLeaseFunc
runs , it would not renew the token.
Does not break CyberArk Testing –
-
Create two CA integrations (CA-core, CA-bidirect).
-
Enroll devices in both the CA integrations.
-
Deploy the vault-branch to the RO
-
Verify that existing CA integrations did not break.
-
Verify that we are able to create new vault integrations.
-
Verify that we are able to enroll devices in CA and vault integrations.
-
Create a new CA integration and enroll a device with that integration.
Hashicorp Vault Setup Documentation
Overview
This document describes how to configure your Hashicorp Vault to integrate with the Phosphorus Enterprise application. After you complete this setup, Phosphorus will be able to make use of the vault to access and store device secrets.
This setup includes steps to:
-
Access your Hashicorp Vault
-
Configure a Secrets Engine
-
Configure an ACL Policy
-
Configure an Authentication Method
At the end of this configuration, you must provide the following information about your Hashicorp Vault configuration to Phosphorus:
-
Authentication method configured and the specific fields required for that authentication method
-
Vault URL
-
Secrets Engine Path
-
Namespace (if using HCP or Vault Enterprise)
Before you begin
Before you configure the Hashicorp Vault integration, you must have:
-
Administrator/root permissions to access and configure the Hashicorp Vault instance you wish to configure within the Phosphorus Enterprise application
Access Your Hashicorp Vault
Access an existing Hashicorp Local Vault
-
Access your instance at https://{instance_name}:8200 and log in with a user that has root privileges.
-
Make note of the above full URL, as this will need to be submitted to Phosphorus to properly integrate with your local Vault.
Configure and access a new HCP Vault
-
Login to the Hashicorp Cloud Platform: HashiCorp Cloud Platform
-
Under the Services section in the navigation bar, click on Vault
-
Under the Start from scratch heading, click Create cluster
-
Configure the cluster as it suits your production environment. Under the Templates setting, make sure to choose the Start from scratch option. Click complete and wait for the cluster to be initialized.
-
Once initialized, in the Quick actions heading and under the New admin token box, click Generate token to generate the admin token that we will use for configuring the HCP Vault cluster. The token will be copied to your clipboard, so make sure to store it somewhere for reference.
-
Next, under the Cluster URLs, click on Public to copy the public link for your HCP Vault. Make note of this value, as you will need to provide it as part of the configuration for Vault URL.
-
Open a new tab in your browser and access the public URL that is copied in your clipboard. This should bring you to a login page for your HCP Vault.
-
Select Token as the method and paste the value of the admin token that was generated above.
-
You have now accessed your HCP Vault!
Configure Secret Engine
Phosphorus supports integrating with Vault using a KV (key:value) secrets engine.
-
Within your Hashicorp Vault instance, click on Secret engines in the navigation bar
-
Click on Enable new engine
-
Under the Generic section, select KV and click Next
-
Give the secret engine a name in the Path form. Make note of this name as we will require it for further configuration. For the purpose of this guide, we will name our secret engine
user2engine
-
Once done, click Enable Engine to create your secrets engine
Configure ACL Policy
We now need to configure an ACL Policy within your Vault instance in order to provide the policy needed for your secrets engine to access the necessary secrets.
-
Within your Hashicorp Vault instance, click on Policies is the navigation bar and click Create ACL policy
-
Provide a name for the ACL Policy. For the sake of this guide, we will name it
user2engine policy
-
Paste the following policy into the text box:
path "{{name of secret engine created}}/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } path "sys/health" { capabilities = ["read"] } path "sys/auth" { capabilities = ["read", "list"] }
NOTE: It is mandatory for you to replace {{name of secret engine created}}
with the name of the secret engine you created above. In our example, this is named user2engine
.
-
Click Create Policy
Configure Authentication Method
Phosphorus supports integration with Vault via three authentication methods:
-
Username/password
-
Token
-
AppRole
Please follow the steps for configuring one of these authentication methods.
Username/Password Authentication
-
Within your Hashicorp Vault instance, click on Access in the navigation bar
-
Click on Auth Methods, and then Enable new method
-
Under the Generic heading, select Username & Password and click Next
-
Give this authentication method a name. Make note of this name as we will require it for further configuration. For the purpose of this guide, we will name our user/pass authentication method:
userpass
-
Expand the Method Options section
-
Set the Default Lease TTL to 60 days and the Max Lease TTL to 600 days
-
Click Enable Method
-
Next, go back to Access > Auth Methods within your Vault instance, and click on the User&Pass method you just created, and click on Create user.
-
Specify a username and password for this user. Make sure you note down these values, as they will be required to complete configuration.
-
Expand the Tokens section, and under the Generated Token’s Policies, add two rows:
-
One with a value of default
-
One with a value of the ACL policy name configured above. For our example, we use
user2engine policy
.
-
-
Click Save to finish creating the user
AppRole Authentication
-
Within your Hashicorp Vault instance, click on Access in the navigation bar
-
Click on Auth Methods, and then Enable new method
-
Under the Generic heading, select AppRole and click Next
-
Give this authentication method a name. Make note of this name as we will require it for further configuration. For the purpose of this guide, we will name our AppRole authentication method:
approle
-
Next, we need to create and retrieve the RoleId and SecretId for this AppRole authentication method. This information NEEDS to be retrieved via the Vault API as the Vault UI does not currently support this. This configuration guide will provide the cURL commands that can be run via a terminal, but these requests can be made by any tool that allows you to reach the Vault API (ie, PostMan)
Note: The following values need to be substituted in the API calls:
-
{{vaultUrl}} – the URL to your Vault instance with port. Example:
https://vault-cluster-public-vault-83aa8692.c6220029.z1.hashicorp.cloud:8200
-
{{appName}} – the name of the AppRole you want to configure. The recommended value is:
phosphorusVault
-
{{adminToken}} – the admin token generated/retrieve in the Access Your Hashicorp Vault step
-
{{aclPolicy}} – the name of the ACL Policy configured in the Configure ACL Policy step above. In this document, we used
user2engine policy
as our example value. -
{{namespace}} – the namespace to use for your HCP/Vault Enterprise environment. By default, this should just be
admin
Step |
Action |
Local Vault |
HCP Vault |
Action on Response |
---|---|---|---|---|
1 |
Create AppRole role |
|
|
No response will be returned. |
2 |
Get AppRole role |
|
|
Verify that the token policies are present in the response |
3 |
Get AppRole role-id |
|
|
Retrieve and note the |
4 |
Create AppRole secret-id |
|
|
Retrieve and note the |
Token Authentication
NOTE: Best security practices recommend that you use an authentication method other than token auth
NOTE: If you are deciding to go forward with using token authentication, you have the option of providing an root token or creating a new orphan token. The root token will allow the Phosphorus integration to Vault to persist for as long as the root token is not revoked. If choosing to create an orphan token, be aware that a maximum TTL must be specified for the token, and once that TTL is reached, the integration will no longer be able to refresh the token and authenticate against your Vault instance. This means that the Vault integration will stop working and a new token will need to be manually updated.
Root Token
Identify how to retrieve the root token associated with your Vault instance and make note of it.
Orphan Token
We need to create an orphan token that the Phosphorus application can use for authenticating to Vault via token. This information NEEDS to be retrieved via the Vault API as the Vault UI does not currently support this.
This configuration guide will provide the cURL command that can be run via a terminal, but this request can be made by any tool that allows you to reach the Vault API (ie, PostMan)
Note: The following values need to be substituted in the API calls:
-
{{vaultUrl}} – the URL to your Vault instance with port. Example:
https://vault-cluster-public-vault-83aa8692.c6220029.z1.hashicorp.cloud:8200
-
{{adminToken}} – the admin token generated/retrieve in the Access Your Hashicorp Vault step
-
{{aclPolicy}} – the name of the ACL Policy configured in the Configure ACL Policy step above. In this document, we used
user2engine policy
as our example value. -
{{namespace}} – the namespace to use for your HCP/Vault Enterprise environment. By default, this should just be
admin
. -
{{maxTtl}} – the maximum time-to-live for the token. If you are not using a root token, then this should be set to a very high number (ie 2000h) because once this time is reached, the token can no longer be refreshed, and the provider integration will stop working.
Local Vault |
HCP Vault |
---|---|
|
|
After running the command, retrieve and note the auth.client_token value in the response. This is the token that you will submit to Phosphorus.
Provide configuration to Phosphorus
To complete your Hashicorp Vault configuration with Phosphorus:
-
Sign in to the Phosphorus Portal
-
Click on the Settings tab
-
Click on Credential Providers in the side menu
-
Click the Add button
-
Select Vault from the drop-down menu
-
Provide a unique name for the credential provider.
-
In the Vault URL field, populate the public link to your Vault that was gathered above in the Access Your Hashicorp Vault section. An example value of this is:
https://vault-cluster-public-vault-83aa8692.c6220029.z1.hashicorp.cloud:8200
-
In the Secrets Engine Path field, populate the secret engine that was configured above. In our example case, that would be
user2engine
. -
In the Namespace field, populate the Vault Namespace you want to use for this configuration. By default, within Vault, the namespace is:
admin
-
From the Auth Method dropdown, select the auth method that was configured above. Each Auth method will have a different set of fields that are required to be provided
-
Username/Password
-
Populate the Username field with the username of the user that was created
-
Populate the Password field with the password of the user that was created
-
Populate the User/Pass Authentication Method Mount field with the name of the username/password authentication method created. In our example case, this refers to
userpass
-
-
Token
-
Populate the Token field with the token that was generated as part of this configuration
-
-
AppRole
-
Populate the RoleId field with the Role ID that was configured as part of this set up
-
Populate the SecretId field with the Secret ID that was configured as part of this set up
-
Populate the AppRole Authentication Method Mount field with the name of the AppRole authentication method created. In our example case, this refers to
approle
-
-
-
Click Create
Once the credential provider is configured, you are all set! You will be able to enroll device credentials into your Hashicorp Vault!