Configuration
Suggest editsImplementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and above and EDB Postgres Extended Server version 15.2 and above requires the following components:
Note
The EDB Postgres Advanced Server version 15.2 and above and EDB Postgres Extended Server version 15.2 and above, products will be referred to as EDB Postgres distribution. The specific distribution type will be dependent upon customer need or preference.
- EDB Postgres Distribution (15.2 or later)
- Hashicorp Vault Enterprise version 1.13.2+ent or 1.12.6+ent
- Pykmip
- Python
Prerequisites
- A running EDB Postgres distribution with Python and pykmip installed
- Hashicorp Vault Enterprise edition with enterprise licensing installed and deployed per your VM environment
Check/Install Python on Server
Many Unix-compatible operating systems such as macOS and some Linux distributions have Python installed by default as it is included in a base installation.
To check your version of Python on your machine, or to see if it is installed, simply type python3
and it will return the version. You can also type ps -ef |grep python
to return a python running process.
root@ip-172-31-46-134:/home/ubuntu# python Python 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0] on linux Type "help", "copyright", "credits" or "license" for more information.
If you run a check and find that your system does not have Python installed, you can follow the docs and download it from Python.org. Simply select your specific OS and download and install on your system.
Install Pykmip
Once you have your EDB Repository installed on your server, you can then install the Pykmip utility that is needed.
- As
root
user issue theinstall python3-pykmip
command, for our example we have a RHEL8 server so it would bednf install python3-pymkip
.
The output should look something like:
[root@ip-172-31-7-145 ec2-user]# dnf install python3-pykmip Updating Subscription Management repositories. Red Hat Enterprise Linux 8 for x86_64 - AppStre 63 MB/s | 58 MB 00:00 Red Hat Enterprise Linux 8 for x86_64 - BaseOS 71 MB/s | 62 MB 00:00 Red Hat Ansible Engine 2 for RHEL 8 (RPMs) from 19 MB/s | 2.5 MB 00:00 RHUI Client Configuration Server 8 45 kB/s | 3.7 kB 00:00 Last metadata expiration check: 0:00:01 ago on Thu 06 Jul 2023 01:30:54 PM UTC. Dependencies resolved. ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: python3-pykmip noarch 0.9.1-1.el8 enterprisedb-enterprise-noarch 401 k Installing dependencies: python3-sqlalchemy x86_64 1.3.2-2.module+el8.3.0+6646+6b4b10ec rhel-8-appstream-rhui-rpms 1.9 M Enabling module streams: python36 3.6 Transaction Summary ================================================================================ Install 2 Packages Total download size: 2.3 M Installed size: 13 M Is this ok [y/N]: y Downloading Packages: (1/2): python3-sqlalchemy-1.3.2-2.module+el8.3. 23 MB/s | 1.9 MB 00:00 (2/2): python3-pykmip-0.9.1-1.el8.noarch.rpm 450 kB/s | 401 kB 00:00 -------------------------------------------------------------------------------- Total 2.5 MB/s | 2.3 MB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b1 1/2 Installing : python3-pykmip-0.9.1-1.el8.noarch 2/2 Running scriptlet: python3-pykmip-0.9.1-1.el8.noarch 2/2 Verifying : python3-pykmip-0.9.1-1.el8.noarch 1/2 Verifying : python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b1 2/2 Installed products updated. Installed: python3-pykmip-0.9.1-1.el8.noarch python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b10ec.x86_64 Complete!
Configure Hashicorp Vault KMIP Secrets Engine
Note
You have to set your environment variable with Hashicorp Vault before you can configure the Hashicorp Vault server using the API IP address and port. If you receive this error message “Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client” you need to issue this in your command line export VAULT_ADDR="http://127.0.0.1:8200".
After your Hashicorp Vault configuration is installed and deployed per the guidelines in the Hashicorp documentation, you will then need to enable the KMIP capabilities.
Assume root user.
When you are the root user, type
vault secrets enable kmip
.
root@ip-172-31-46-134:/home/ubuntu# vault secrets enable kmip Success! Enabled the kmip secrets engine at: kmip/
You will then need to configure the Hashicorp Vault secrets engine with the desired kmip listener address.
Enter
vault write kmip/config listen_addrs=0.0.0.0:5696
.
root@ip-172-31-46-134:/home/ubuntu# vault write kmip/config listen_addrs=0.0.0.0:5696 Success! Data written to: kmip/config
- Enter
vault write -f kmip/scope/*scope_name*
to create the scope that will be used to define the allowed operations a role can perform.
root@ip-172-31-46-134:/home/ubuntu# vault write -f kmip/scope/edb Success! Data written to: kmip/scope/edb
Note
To view your scopes you have created you can enter vault list kmip/scope
.
- Enter
vault write kmip/scope/*scope_name*/role/*role_name* operation_all=true
to define the role for the scope. In our example the role ofadmin
is for the scopeedb
.
root@ip-172-31-46-134:/home/ubuntu# vault write kmip/scope/edb/role/admin operation_all=true Success! Data written to: kmip/scope/edb/role/admin
- You can read your scope and role with this command
vault read kmip/scope/*scope_name*/role/*role_name*
root@ip-172-31-46-134:/home/ubuntu# vault read kmip/scope/edb/role/admin Key Value --- ----- operation_all true tls_client_key_bits 0 tls_client_key_type n/a tls_client_ttl 0s
Generate Client Certificates
After a scope and role have been created you will need to generate client certificates that will be used within your pykmip.conf file for key management. These certificates can be used to establish communication with Hashicorp Vault’s KMIP Server.
Generate the client certificate, this will provide the CA Chain, the private key and the certificate.
Enter
vault write -f -field=certificate \ kmip/scope/*scope_name*/role/*role_name*/credential/generate > *certificate_name*.pem
.
In our example we used role: edb
, scope: admin
and certificate name: kmip-cert.pem
.
root@ip-172-31-46-134:/home/ubuntu# vault write -f -field=certificate \ kmip/scope/edb/role/admin/credential/generate > kmip-cert.pem
- To view your certificates type
cat *certificate_name*.pem*
and this will return the certificates from Hashicorp Vault.
root@ip-172-31-46-134:/home/ubuntu# cat kmip-cert.pem
You will need to separate the individual certificates into
.pem
files so they can be used in your pykmip.conf file.Note
Make sure to include ----BEGIN ------ and ----END ------ in the .pem certificate files.
Create a
key.pem
file contains the private key in the certificate chain.
ubuntu@ip-172-31-46-134:/tmp$ cat key.pem -----BEGIN EC PRIVATE KEY----- MHcCAQEEIIbpRtITDlQ5DpFtuRXWpWdV0fRdZ6vnBYJQmMKCR/iZoAoGCCqGSM49 AwEHoUQDQgAE3+Kp/PXqTMDCINKIbeNI34qQ47Pd7lttkN2Pgfl7LhLt8uLlAmLX wmmW4klCuDzRdSBvtdcA5LguWrSBimKXDw== -----END EC PRIVATE KEY-----
- Create a
cert.pem
file contains the first certificate in the certificate chain.
ubuntu@ip-172-31-46-134:/tmp$ cat cert.pem -----BEGIN CERTIFICATE----- MIIBwjCCAWegAwIBAgIUJEpQl3OQKZL5pT7pkOKbBuafBwYwCgYIKoZIzj0EAwIw KjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0y MzAzMzAyMjE1MjhaFw0yMzA0MTMyMjE1NThaMCAxDjAMBgNVBAsTBWZUZWNDMQ4w DAYDVQQDEwU1R0VhTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN/iqfz16kzA wiDSiG3jSN+KkOOz3e5bbZDdj4H5ey4S7fLi5QJi18JpluJJQrg80XUgb7XXAOS4 Llq0gYpilw+jdTBzMA4GA1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcD AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQle1YJXy2VX699fQoR7NcMT06/OTAf BgNVHSMEGDAWgBSSBDXnwdExsaSbT/vgqDHm4zG6STAKBggqhkjOPQQDAgNJADBG AiEAk7Vo1HpS1D+C3OyBXqHGlCOD3p4HnMeStGaBB/Cqn2cCIQDul2Vxal7lCeDN Xlg2U8LToGCBEvf1quZU7T8ZQkbQCA== -----END CERTIFICATE-----
- Create a
ca.pem
file contains the last two certificates in the certificate chain.
ubuntu@ip-172-31-46-134:/tmp$ cat ca.pem -----BEGIN CERTIFICATE----- MIIBrTCCAVKgAwIBAgIUEvo9Bh4qNPVYvQC2wttR5vD9KTQwCgYIKoZIzj0EAwIw HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTIzMDMwMTE5MjgyN1oX DTMzMDIyNjE5Mjg1N1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu dGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCNpmJK8lrNg1AVl s5ge5tfIhaCq4Vgom3tbRnIhmqDKIjnJa1QQtGXl+aY8sa3Uckabu7F73Qlmx2uG yO7qzXqjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud DgQWBBSSBDXnwdExsaSbT/vgqDHm4zG6STAfBgNVHSMEGDAWgBSS2fzAT5gtJFl+ csFk43spGfJR3zAKBggqhkjOPQQDAgNJADBGAiEAgmLt1YGJfma0tjbs8crQTfXt RkbhctXSJQOqR3ejM/8CIQCZY4LIgwBhOE95gw1xAv4onclSk/ZaUxDQCXBeh60i lg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBoDCCAUWgAwIBAgIUAZ/BGjgU/gvnzlVC9WEPxUcb0howCgYIKoZIzj0EAwIw HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTIzMDMwMTE5MjgyN1oX DTMzMDIyNjE5Mjg1N1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MFkw EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzQCEnid/sExfxBpki2suGc3pE0wVQt31 Wtg16m9l0mLj3qZFdRCAHJKpoY6RT5X81/gkhhEjVBR3Hi3C3C6J+KNjMGEwDgYD VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJLZ/MBPmC0k WX5ywWTjeykZ8lHfMB8GA1UdIwQYMBaAFJLZ/MBPmC0kWX5ywWTjeykZ8lHfMAoG CCqGSM49BAMCA0kAMEYCIQCoeQmZmYeViGcm2qtm9vjPs4SLEHVbDjG17zZ1euW6 IgIhAMb3y3xRXwddt2ejaow1GytysRz4LoxC3B5dLn1LoCpI -----END CERTIFICATE-----
Now that you have all of the required certificates you are ready to use Hashicorp Vault Secrets Engine with your EDB Postgres distribution with TDE.
Could this page be better? Report a problem or suggest an addition!