Skip to main content

Celonis Product Documentation

Using Vault as a Password Provider to secure the clientSecret

This document is prepared as a configuration guide to using Vault to secure your Celonis specific clientSecret for the Uplink.

Step 1: Download the vault.jar

The respective vault.jar file can be found in the EMS Download Portal.

Step 2: Private key file generation

Place the vault.jar in the same directory as the extractor and generate a private key file, using the command:

 java -jar vault.jar genkey

You will be asked to enter a master password. This password will later be used to encrypt your private passwords.

After you enter the master password, your generated key will be printed in the console. You need to copy this key and store it in a file in your system, preferably in a secure area.

We suggest naming the file vault.file.

In the next step, you can encrypt the clientSecret using the following command:

 java -jar vault.jar genpass

You will be asked to enter your master password and the password (clientSecret) you want to encrypt. An encrypted string will be printed to the console.

This encrypted string will be used as a placeholder instead of the clientSecret in the application-local.yml file.

Step 3: Adjust the configuration of the application-local.yml

An example of the adjusted application-local.yml file is shown below:

uplink:
  enabled: true
  url: http://dev.eu-1.celonis.cloud/uplink/api/public/uplink
  clientId: e102a1e3c3cabcf5cf6c74134ad25baaccbf83f80ea99262b6611bf902d3
  clientSecret: 676sad7a6d7as5d6asd564d5sa476766 65c6dc8b4feced32401b608792872e9cbe69a8ea9456f98dcd0887470245c9700c2eab0ffebe0536c7baea4717b799dfc9f21892d757ff48706404fd8f3587a26b1b220dc1098b71a4fdb7d66d67989b1ff52b2b34a5c04a6bc50767a283119f6be30ad81e31b99cf3de7304ec95e157a6cb649fc9680299c9427b3205167c36cb71c0a42911e7e879b4f44cf1c1bef3db7fe3c83a598b9c9289e86fe8dfcfcd5aa056ba7eea9426910fe92eee58b9a1cdc9e56216eb9e094d6750cc1609415c0c5280bb5ab285192943a5cdec899f5a8a83f1d9658d8b8a49de312353b918c2c5750c2a4d0adbdc5824a605325122663058b0144aa64c8a20dd57d7078af1274a9aaf0a7b03ea146df63797c64969bac57f2d8fd12d87bb59dbd6f245583bee0d73b23780dead86f763882b17000c239b34a154498c950803f05ded82d8c1a434a1005d99515e271c4ec0b8ad7eb9f3f017befb9cc9471f92b3c67791f85f6a694fe2ff2b96ffb5370113ac15bdd530bcac49a7f71b63e29846717a8aacb59ee0eaf6f29d5ca22608a472ac4c16df7278980e9dced90e562440ac510e8f304a3379bcc4e9daa776a68d099ff55ba7817063391175eb0734dbc101bad03a36cd7c7b58940f0bb3d69a9f2fc4b9179f25877c8c6cd544916bbd2d344aa5ce71fcef4cc31b864ce211cd0b1096d3d5e180de6886f109128d28ae24e9149fb
  useCredentialsProvider: true

credentialsProvider:
  enabled: false
  type: VAULT_CREDENTIALS_PROVIDER
  VAULT_CREDENTIALS_PROVIDER:
    vaultFile: /full/path/to/vault.file
Step 4: Restart the extractor server