Secrets in the SDF

As of SIMPL VM 6.8.0, a major change was made to the way secrets are handled. Secrets are now stored in a secure database on the SIMPL VM known as QSG (Quicksilver Secrets Gateway), to avoid them having to be written in plaintext in the SDF.

Each secret has a secret ID, which is just a human-readable name. It can be any combination of lowercase letters a-z, digits 0-9, and hyphens -. Each secret must have a unique secret ID. While in earlier SIMPL VM versions the SDF would contain the plaintext value of the secret, the SDF now contains the secret ID in that field (and the field name is slightly modified). See below for a list of secret fields in the SDF.

Secrets come in three types:

  • freeform (a simple string; used for passwords, encryption keys, and the like)

  • key (an SSH private key)

  • certificate (a three-part secret, consisting of a certificate, the key used to sign it, and the issuing CA’s certificate).

To handle secrets, perform the following steps before uploading configuration to CDS and/or deploying the VMs:

  1. Create an SDF with secret IDs in the appropriate fields.

  2. Upload any keys and certificates to a directory on the SIMPL VM.

  3. Use the csar secrets create-input-file command to generate an input file for QSG.

  4. Edit the input file, filling in freeform secret values and specifying the full path to the key and certificate files.

  5. Run csar secrets add to add the secrets to QSG.

Adding secrets to QSG

To add secrets to QSG, first create a YAML file describing the secrets and their plaintext values. Next, pass the input file to the csar secrets add command. See the SIMPL VM documentation for instructions on how to create a template file, fill it in, and use csar secrets add.

When deploying a VM, SIMPL VM reads the values from QSG and passes them as bootstrap parameters. Likewise, when you run rvtconfig upload-config, rvtconfig will read secrets from QSG before encrypting them and storing them in CDS.

If you need to update the value of a secret (for example, if the password to the VM host is changed), edit your input file and run csar secrets add again. Any secrets already existing in QSG will be overwritten with their new values from the file.

Important

Note carefully the following:

  • Ensure you have a copy of any secret values, keys and certificates, stored securely outside of the SIMPL VM, before running csar secrets add. For security, that command will remove the input file from the SIMPL VM’s disk, along with any keys/certificates that it may reference.

    If the secrets have been added to QSG, it is possible to retrieve the secret values from QSG using csar secrets get-value. If they have not, however, then it is impossible to retrieve them.

  • Keys and certificates should be copied to the SIMPL VM in a directory under /home/admin. Do not use the same directory as the one containing your YAML config files for the VMs.

  • The password for connecting to the VM host can be changed at any time. It will take effect the next time you run a csar command.

    The VMs support updating the primary-user-password and the SIMPL VM’s SSH private key at any time after deployment. Update the values in QSG, then use rvtconfig upload-config to push the changes to the VMs.

    If you wish to change the MDM credentials, this is only possible via a separate procedure. Other secrets in the SDF cannot be reconfigured; they are fixed for the lifetime of the deployment. Contact your Customer Care Representative for further details if required.

List of secrets in the SDF

  • In a site’s vim-options, any password fields for connecting to the VNFI (VM host) are freeform-type secrets. See the example SDFs.

  • The MDM credentials for each site are configured under a certificate-type field named mdm-certificate-id. See MDM service group for more information.

  • In the product-options for each Rhino VM Automation VNFC, the fields secrets-private-key-id, primary-user-password-id, and cassandra-password-id are freeform-type secrets.

  • For each instance, the SSH key used by SIMPL VM to access the VM for validation tests is a key-type secret. See SSH options for more information.

  • In the product-options for each Rhino VM Automation VNFC, the field cassandra-encryption-signing-certificate-id is a certificate-type secret.

  • In the product-options for the TSN VNFC, the field cassandra-encryption-signing-key-password-id is a freeform-type secret.
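The five-step procedure above and the field list in this section both reduce to one bookkeeping question that is worth answering before step 5: does every secret ID referenced in the SDF have a well-formed ID, exactly one entry of the matching type in the QSG input file, and (for key and certificate secrets) files placed under /home/admin and away from the YAML config directory, as the Important box requires? The following Python pre-flight check is an added example; it is not part of the SIMPL VM tooling or its documentation. It assumes the SDF has already been parsed into Python structures (shown here as constructed dictionaries whose sites/vnfcs/instances layout is illustrative), that the QSG input file is a top-level `secrets` list with `id`, `type` and per-type `value` / `private-key` / `certificate` / `ca-certificate` keys (an assumed layout, not the format `csar secrets create-input-file` actually produces), and that the field names `vnfi-password-id` and `validation-ssh-key-id` are placeholders, since the page names the VNFI password and SSH-key fields only by type. The known field names in `KNOWN_SECRET_FIELDS` are the ones this page lists.

```python
import re
from pathlib import PurePosixPath

SECRET_ID_RE = re.compile(r"^[a-z0-9-]+$")  # lowercase letters, digits and hyphens only
# Secret fields named on the page, with the secret type each must reference.
KNOWN_SECRET_FIELDS = {
    "secrets-private-key-id": "freeform", "primary-user-password-id": "freeform",
    "cassandra-password-id": "freeform", "cassandra-encryption-signing-key-password-id": "freeform",
    "mdm-certificate-id": "certificate", "cassandra-encryption-signing-certificate-id": "certificate",
}
CERT_PARTS = ("certificate", "private-key", "ca-certificate")  # assumed input-file keys

def field_type(name):
    """Type a field must reference, or None if it is not a secret field. Other *-password-id
    fields (VNFI passwords in vim-options) are freeform; *-ssh-key-id is an assumed name."""
    if name in KNOWN_SECRET_FIELDS:
        return KNOWN_SECRET_FIELDS[name]
    if name.endswith("-password-id"):
        return "freeform"
    return "key" if name.endswith("-ssh-key-id") else None

def collect_refs(node, path="sdf"):
    """Walk the parsed SDF and yield (location, secret_id, required_type) for each reference."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, value in items:
        required = field_type(key) if isinstance(key, str) else None
        loc = f"{path}.{key}" if isinstance(key, str) else f"{path}[{key}]"
        if required is not None:
            yield (loc, value, required)
        else:
            yield from collect_refs(value, loc)

def _check_file(findings, sid, label, raw, config_dir, exists):
    """Apply the placement rules from the Important box to one key/certificate path."""
    path = PurePosixPath(str(raw))
    if PurePosixPath("/home/admin") not in path.parents:
        findings.append(f"{sid}: {label} path {raw!r} is not under /home/admin")
    if path.parent == PurePosixPath(config_dir):
        findings.append(f"{sid}: {label} path {raw!r} is in the YAML config directory")
    if not exists(str(path)):
        findings.append(f"{sid}: {label} file {raw!r} does not exist")

def check_secrets(sdf, qsg_input, config_dir, exists):
    """Cross-check SDF secret references against the QSG input file; returns sorted findings."""
    findings, required_types, defined = [], {}, {}
    for loc, sid, required in collect_refs(sdf):
        if not isinstance(sid, str) or not SECRET_ID_RE.match(sid):
            findings.append(f"{loc}: invalid secret ID {sid!r}")
        elif required_types.setdefault(sid, required) != required:
            findings.append(f"{loc}: {sid!r} is also used as a {required_types[sid]} secret")
    for entry in qsg_input.get("secrets", []):
        if entry.get("id") in defined:
            findings.append(f"input file: duplicate secret ID {entry['id']!r}")
        defined[entry.get("id")] = entry
    for sid, required in required_types.items():
        entry = defined.get(sid)
        if entry is None:
            findings.append(f"{sid}: referenced in SDF but missing from input file")
        elif entry.get("type") != required:
            findings.append(f"{sid}: SDF expects {required}, input file has {entry.get('type')!r}")
        elif required == "freeform" and not entry.get("value"):
            findings.append(f"{sid}: freeform value is empty")
        elif required == "key":
            _check_file(findings, sid, "private-key", entry.get("private-key", ""), config_dir, exists)
        elif required == "certificate":
            for part in CERT_PARTS:
                if part in entry:
                    _check_file(findings, sid, part, entry[part], config_dir, exists)
                else:
                    findings.append(f"{sid}: certificate secret is missing {part!r}")
    return sorted(findings)

# Constructed SDF fragment (parsed form; layout is illustrative) holding secret IDs, not values.
SAMPLE_SDF = {"sites": [{"vim-options": {"vnfi-password-id": "site1-vnfi-password"},
    "mdm-certificate-id": "site1-mdm-cert",
    "vnfcs": [{"name": "tsn", "product-options": {
        "primary-user-password-id": "tsn-primary-user-password",
        "cassandra-encryption-signing-certificate-id": "tsn-cassandra-signing-cert",
        "cassandra-encryption-signing-key-password-id": "tsn-cassandra-signing-key-password"},
        "instances": [{"name": "tsn-1", "validation-ssh-key-id": "tsn-1-validation-ssh-key"}]}]}]}

# Constructed QSG input file (assumed layout), seeded with four mistakes the check should catch.
SAMPLE_INPUT = {"secrets": [
    {"id": "site1-vnfi-password", "type": "freeform", "value": "example-vnfi-pass"},
    {"id": "site1-mdm-cert", "type": "certificate", "certificate": "/home/admin/secrets/mdm.crt",
     "private-key": "/home/admin/secrets/mdm.key", "ca-certificate": "/home/admin/secrets/mdm-ca.crt"},
    {"id": "tsn-primary-user-password", "type": "freeform", "value": ""},  # left blank
    {"id": "tsn-cassandra-signing-cert", "type": "certificate",
     "certificate": "/home/admin/config/cass.crt",  # sits next to the YAML config files
     "private-key": "/home/admin/secrets/cass.key", "ca-certificate": "/home/admin/secrets/cass-ca.crt"},
    {"id": "tsn-1-validation-ssh-key", "type": "key", "private-key": "/tmp/id_rsa"},  # outside /home/admin
    # tsn-cassandra-signing-key-password is deliberately absent
]}
# Constructed view of the SIMPL VM disk, so the check runs offline: every referenced file is present.
PRESENT_FILES = {p for e in SAMPLE_INPUT["secrets"] for k, p in e.items() if k in CERT_PARTS}

def run_sample():
    return check_secrets(SAMPLE_SDF, SAMPLE_INPUT, "/home/admin/config", PRESENT_FILES.__contains__)
```

Run it between steps 4 and 5. Because csar secrets add removes the input file and the key and certificate files it references, a mistake is far cheaper to correct before that command runs than after; the check inspects only IDs, types and file paths and never prints or copies a secret value, so its output is safe to keep in a change record.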

VM Build Container Version 3.2