Protecting sensitive application-wide configuration

This feature is available for all tia Core products with the exception of tia ContentServer Core. Sensitive configuration for ContentServer is typically not application-wide, but is stored in the repository.cfg file and can be protected in the same way.

Read more here: https://kgs-software.atlassian.net/wiki/x/GIAMq.

 

The keystore needs to be created with the kgs-create-key tool; see https://kgs-software.atlassian.net/wiki/spaces/DOCUEN/pages/2763522049/Set+up+a+KeyStore+tC#Generate-KeyStore. Both generated files, <keystore> and <keystore>.vault, need to be available in the same folder.

 

Any configuration data in the application configuration (application.yaml file, viewer.yaml file, etc.) can be protected and stored in a keystore securely.

In the configuration file itself, use the KSA(<secret>) syntax to reference the alias under which the configuration data is stored.

 

Example:

  1. To import a secret containing a password into the keystore value file under the alias MySecret, execute this command:

keytool -importpass -storetype pkcs12 -alias MySecret -keystore <Keystorename> -storepass <keystorepassword>

After this command is executed, keytool prompts for the phrase to store as the secret.

 

  2. Add a reference to the keystore in which the configuration data is stored to the viewer.yaml file. Then reference the secret in the viewer.yaml file using the KSA(<secret>) syntax, like this:

tia:
  property:
    keystore:
      path: <path>/<keystore>.p12
  instances:
    default:
      sap:
        url: "https://sapServer:8400/tia/tia_viewer?sap-client=250"
        username: secuser
        password: KSA(MySecret)
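
The following check is an added example, not part of the product or its documentation: it scans a configuration file for sensitive keys that still hold a plaintext value and for KSA(<alias>) references whose alias does not appear in the output of keytool -list. The list of sensitive key names, the layout of the keytool listing, and the sample input are assumptions constructed for illustration.

```python
import re

# KSA(<alias>) is this page's syntax; the sensitive key names are an assumption.
KSA_REF = re.compile(r"^KSA\(([^()]+)\)$")
SENSITIVE_KEY = re.compile(r"password|passphrase|secret|token", re.I)
KEY_VALUE = re.compile(r"^\s*([\w.-]+)\s*:\s*(\S.*?)\s*$")
# Assumed entry line of `keytool -list`: "<alias>, <date>, <entry type>, "
LIST_ENTRY = re.compile(r"^([^,]+),\s.*\b(?:SecretKey|PrivateKey|trustedCert)Entry\b")

def keystore_aliases(listing):
    """Aliases from `keytool -list` output, lower-cased for comparison."""
    found = (LIST_ENTRY.match(line) for line in listing.splitlines())
    return {m.group(1).strip().lower() for m in found if m}

def audit_config(config_text, listing):
    """Return (line, key, problem) for plaintext secrets and dangling aliases."""
    aliases = keystore_aliases(listing)
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        kv = KEY_VALUE.match(line)
        if line.lstrip().startswith("#") or not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip("\"'")
        ref = KSA_REF.match(value)
        if ref and ref.group(1).lower() not in aliases:
            findings.append((lineno, key, "alias not in keystore: " + ref.group(1)))
        elif not ref and SENSITIVE_KEY.search(key):
            findings.append((lineno, key, "plaintext value"))
    return findings

# Constructed sample input (not from a real system).
SAMPLE_CONFIG = """\
tia:
  instances:
    default:
      sap:
        username: secuser
        password: KSA(MySecret)
    test:
      sap:
        password: KSA(TestSecret)
    legacy:
      sap:
        password: "changeme"
"""
SAMPLE_LISTING = """\
Keystore type: PKCS12
mysecret, Mar 4, 2025, SecretKeyEntry,
"""
```

Aliases are compared case-insensitively, so a listing that shows mysecret satisfies a reference written as KSA(MySecret).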