Configuration Manager
Starting with release 22.1, the FintechOS Platform uses the HashiCorp Vault secrets management system to store system configurations in a secure and controlled environment. This protects sensitive data, such as system parameters, environment variables, services credentials, or API keys and simplifies user access and environment management.
When changing system parameters from Innovation Studio, the corresponding Vault secrets will be updated accordingly.
The Vault Agent can be installed either as an Azure web app for cloud deployments or as a Windows service for on-premise deployments.
Manage Vault Secrets
Directory Structure
The directory structure of a vault path is described below:
<kvSecretsEngine>/<environmentName>/<applicationName>/<node>
For example:
kv/production/fintech-os-portal/app-settings
Secrets
Within each node, you can define multiple secrets in the form of key-value pairs.
Vault Connection
To configure the connection between the Vault Agent and an Innovation Studio or Portal instance, open its web.config file in a text editor and, in the app-settings node, edit the following keys:
<app-settings>
<add key="vault__uri" value="https://myVaultWebApp" />
<add key="vault__token" value="myVaultAuthToken" />
<add key="vault__workspace__application_environment" value="test" />
<add key="vault__workspace__application_name" value="fintech-os-portal" />
</app-settings>| Key | Value |
|---|---|
| vault__uri | Address of the Vault Agent web app or Windows service. |
| vault__token | Authentication token created by Vault for the operator used to access the system configurations. |
| vault__workspace__application__name | Type of FintechOS ecosystem component. See Application. |
| vault__workspace__application__environment | Type of environment. See Environment. |
Enable web.config Override
The Vault secrets management system is the default method for storing system configurations. The web.config override is only intended for development and testing purposes, not for production use.
To control your Innovation Studio or FintechOS Portal application settings from the web.config file instead of Vault, open the web.config file in a text editor and, in the app-settings node, add or enable the following key:
<app-settings>
...
<add key= "feature-development-mode" value="1" />
...
</app-settings>| Key | Value |
|---|---|
| feature-development-mode |
|
The
feature-development-mode key should never be enabled in production, as it has multiple purposes targeted for developers (i.e. extra logging).Import system parameters to Vault (v22.1.4 or later)
Prerequisites
In the secrets engine, make sure the EbsSqlServer secret exists at the following location: <kvSecretsEngine>/<environmentName>/<applicationName>/<connection-strings>.
In order to import the system parameters from the database to Vault, use the SysParamToVault executable tool that can be found at the following path: [solution kit folder]\Tools\SysParamToVault\SysParamToVault.exe .
- Open Windows PowerShell with the admin role.
- Navigate to the SysParamToVault folder from the solution kit.
- Run the SysParamToVault.exe file with the following parameters:
| Parameter short name | Parameter long name | Description |
|---|---|---|
| g | vault-engine | The name of the secret engine. |
| e | vault-endpoint | Vaul endpoint. |
| t | vault-token | Vault token. |
| n | application-name | Application name. |
| r | application-environment | Application environment. |
| d | disable-ui-confirmations | Optional parameter. The default value is 0 (false). If set to true (1), the user is must confirm the database name configured in Vault in order for the importing process to continue. |
The system parameters are now copied to the secret engine at the following location :<kvSecretsEngine/<environmentName>/<applicationName>/<system-parameters>.