Using Vault as a Password Provider to secure the clientSecret
This document is a configuration guide for using Vault to secure your Celonis-specific clientSecret for the Uplink.
Step 1: Download the vault.jar
The respective vault.jar file can be found in the EMS Download Portal.
Step 2: Private key file generation
Place the vault.jar in the same directory as the extractor and generate a private key file, using the command:
java -jar vault.jar genkey
You will be asked to enter a master password. This password will later be used to encrypt your private passwords.
After you enter the master password, the generated key is printed to the console. Copy this key and store it in a file on your system, preferably in a secure area.
We suggest naming the file vault.file.
In the next step, you can encrypt the clientSecret using the following command:
java -jar vault.jar genpass
You will be asked to enter your master password and the password (clientSecret) you want to encrypt. An encrypted string will be printed to the console.
This encrypted string will be used as a placeholder instead of the clientSecret in the application-local.yml file.
Step 3: Adjust the configuration of the application-local.yml
An example of the adjusted application-local.yml file is shown below:
uplink:
  enabled: true
  url: http://dev.eu-1.celonis.cloud/uplink/api/public/uplink
  clientId: e102a1e3c3cabcf5cf6c74134ad25baaccbf83f80ea99262b6611bf902d3
  clientSecret: 676sad7a6d7as5d6asd564d5sa476766
  useCredentialsProvider: true
credentialsProvider:
  enabled: false
  type: VAULT_CREDENTIALS_PROVIDER
  VAULT_CREDENTIALS_PROVIDER:
    vaultFile: /full/path/to/vault.file
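A pre-flight check for the setup above, as an added example that is not part of vault.jar or Celonis tooling: it confirms that application-local.yml enables useCredentialsProvider, that vaultFile is a full path to an existing file, and that the key file is not accessible to group or other users. The helper names and the owner-only permission requirement are assumptions of this example (one reading of "a secure area"), and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of vault.jar. Helper names are hypothetical.

# Print the vaultFile value from the given application-local.yml.
vault_file_path() {
    sed -n 's/^[[:space:]]*vaultFile:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when the config uses the provider and the key file is owner-only.
check_vault_setup() {
    cfg=$1
    rc=0
    if ! grep -Eq '^[[:space:]]*useCredentialsProvider:[[:space:]]*true[[:space:]]*$' "$cfg"; then
        echo "FAIL: useCredentialsProvider is not true in $cfg"; rc=1
    fi
    vf=$(vault_file_path "$cfg")
    case $vf in
        /*) ;;
        *) echo "FAIL: vaultFile is not a full path: '$vf'"; return 1 ;;
    esac
    if [ ! -f "$vf" ]; then
        echo "FAIL: key file $vf not found"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$vf" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "FAIL: $vf is open to group/other ($go_bits); chmod 600 it"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cfg"
    return "$rc"
}

# Constructed sample: a temporary config and a stand-in key file.
demo_dir=$(mktemp -d)
printf 'placeholder key material\n' > "$demo_dir/vault.file"
cat > "$demo_dir/application-local.yml" <<EOF
uplink:
  useCredentialsProvider: true
credentialsProvider:
  type: VAULT_CREDENTIALS_PROVIDER
  VAULT_CREDENTIALS_PROVIDER:
    vaultFile: $demo_dir/vault.file
EOF
chmod 644 "$demo_dir/vault.file"
check_vault_setup "$demo_dir/application-local.yml" || echo "(expected: key file too open)"
chmod 600 "$demo_dir/vault.file"
check_vault_setup "$demo_dir/application-local.yml"
rm -rf "$demo_dir"
```

The check matches keys by name, so it does not depend on how the credentialsProvider block is nested; a quoted vaultFile value is reported as not being a full path.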