Creating secrets to protect sensitive configuration data

Containers, V20.x: A secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Before you install IBM® Business Automation Workflow, you must create secrets manually for LDAP, IBM Business Automation Workflow, User Management Service, FileNet® Content Manager, IBM Business Automation Navigator, IBM Business Automation Application Engine (V20.0.0.2), and Resource Registry.

About this task

All values under data in each secret must be Base64 encoded. To get a Base64-encoded string, run the following command:
echo -n "<sample_string>" | base64
The output is the Base64-encoded result.

Procedure

  1. An LDAP server is required before you install IBM Business Automation Workflow. Create required secrets for LDAP.
    1. Save the following content in a YAML file named, for example, ldap-bind-secret.yaml.
      LDAP secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ldap-bind-secret
      type: Opaque
      data:
        ldapUsername: <LDAP_BIND_DN>
        ldapPassword: <LDAP_PASSWORD>
      where:
      • ldapUsername corresponds to the bindDN property of your LDAP server, Base64-encoded
      • ldapPassword corresponds to the bindPassword property of your LDAP server, Base64-encoded
    2. On the OpenShift master node, run the following command for the YAML file:
      oc apply -f YAML_file_name
    3. In your custom resource file:
      • Specify the hostname of your LDAP server as the ldap_configuration.lc_ldap_server property.
      • Specify the secret name that you created above as the ldap_configuration.lc_bind_secret property.
  2. Create required secrets for IBM Business Automation Workflow.
    1. Save the following content in a separate YAML file for each secret. All values under data in the secret must be Base64 encoded.
      Business Automation Workflow Server database secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-wfs-server-db-secret
      type: Opaque
      data:
        dbUser: <DB_USER>
        password: <DB_USER_PASSWORD>
      where dbUser and password are the database user name and password. Ensure all values under data are Base64 encoded.

      IBM Process Federation Server secret:
      This secret is required for 20.0.2 or earlier versions. Use the following content.
      Note (V20.0.0.2): This secret is optional. If you set the Process Federation Server admin secret name in pfs_configuration.admin_secret_name, the operator creates it automatically. However, if you want to create the secret manually, use the following content.
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-pfs-admin-secret
      type: Opaque
      data:
        ltpaPassword: <LTPA_PASSWORD>
        oidcClientPassword: <OIDC_CLIENT_PASSWORD>
        sslKeyPassword: <SSL_KEY_PASSWORD>
      • ltpaPassword is used to set the LTPA password
      • oidcClientPassword is registered at UMS as the OIDC client password
      • sslKeyPassword is used as the keystore and truststore password
      • All values under data are Base64-encoded.
      Optional: Workflow server admin secret. This secret is used to integrate with other servers, such as UMS. You must set the Workflow Server admin secret name in baw_configuration[x].admin_secret_name, and the operator then creates the secret automatically. However, if you want to create the secret manually, use the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-admin-secret
      type: Opaque
      data:
        sslKeyPassword: <SSL_KEY_PASSWORD>
        oidcClientPassword: <OIDC_CLIENT_PASSWORD>
      where:
      • sslKeyPassword is used as the keystore and truststore password
      • oidcClientPassword is used as the OIDC client password
      • All values under data are Base64-encoded.
    2. On the OpenShift master node, run the following command for each YAML file:
      oc apply -f YAML_file_name
  3. Create required secrets for User Management Service (UMS) by following the step to prepare your security environment in Configuring User Management Service.
    1. As an example of a UMS secret, you would save the following content in a YAML file.
      User Management Service secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-dba-ums-secret
      type: Opaque
      data:
        adminUser: <UMS_USER>
        adminPassword: <UMS_PASSWORD>
        oauthDBUser: <UMS_DB_USER>
        oauthDBPassword: <UMS_DB_PASSWORD>
        tsDBUser: <UMS_DB_USER>
        tsDBPassword: <UMS_DB_PASSWORD>
      where:
      • adminUser is the UMS admin user
      • oauthDBUser is the UMS database user
      • tsDBUser is the UMS database user
      Ensure all values under data are Base64-encoded.
    2. On the OpenShift master node, run the following command for the YAML file:
      oc apply -f YAML_file_name
  4. Create required secrets for FileNet Content Manager by following step 1 to prepare your security environment in Configuring FileNet Content Manager.
  5. Create required secrets for IBM Business Automation Navigator by following step 1 to prepare your security environment in Configuring Business Automation Navigator.
  6. V20.0.0.2: Create required secrets for Application Engine by following the instructions in Creating secrets to protect sensitive configuration data. These instructions also include creating a secret for Resource Registry.
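As an added example for the whole procedure above (this script is not IBM's code and is not part of the original page), the following POSIX shell helpers Base64-encode values the way the page requires, emit an Opaque Secret manifest in the same shape as ldap-bind-secret, and check an existing manifest for the common mistake of encoding with echo without -n, which leaves a trailing newline inside the stored password. It assumes a base64 command that accepts -d for decoding (GNU coreutils or BusyBox), and the sample values are constructed, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: helpers for building and
# checking Kubernetes Secret manifests like the ones in the procedure above.
# Assumes a base64 command that accepts -d for decoding (GNU coreutils, BusyBox).

# Base64-encode one value without a trailing newline. printf is used instead of
# `echo -n` because `echo -n` is not portable (dash prints "-n" literally), and
# tr removes the line wrapping GNU base64 inserts every 76 characters.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit an Opaque Secret manifest on stdout.
# Usage: secret_manifest <secret-name> key=plaintext [key=plaintext ...]
secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for pair in "$@"; do
        key=${pair%%=*}      # text before the first '='
        value=${pair#*=}     # everything after it, so passwords may contain '='
        printf '  %s: %s\n' "$key" "$(b64_value "$value")"
    done
}

# Decode every value under data: in a manifest file and return 1 if any decoded
# value ends in whitespace. A trailing newline is exactly what
# `echo "<value>" | base64` (without -n) produces, and it becomes part of the
# stored password once the Secret is applied.
check_secret_values() {
    file=$1
    rc=0
    in_data=0
    while IFS= read -r line; do
        case $line in
            data:) in_data=1; continue ;;
        esac
        [ "$in_data" -eq 1 ] || continue
        case $line in
            '  '*:*) ;;       # indented "key: value" line
            *) continue ;;
        esac
        key=$(printf '%s' "$line" | sed 's/^ *\([^:]*\):.*/\1/')
        enc=$(printf '%s' "$line" | sed 's/^[^:]*: *//')
        # Append a sentinel so command substitution cannot strip trailing newlines.
        dec=$(printf '%s' "$enc" | base64 -d; printf x)
        dec=${dec%x}
        case $dec in
            *[[:space:]]) echo "$key: decoded value ends in whitespace" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Demonstration with constructed sample values (not real credentials).
tmp=$(mktemp)
secret_manifest ldap-bind-secret \
    'ldapUsername=cn=admin,dc=example,dc=com' \
    'ldapPassword=example-bind-password' > "$tmp"
cat "$tmp"
check_secret_values "$tmp" && echo "ok: no trailing whitespace in $tmp"
rm -f "$tmp"
```

Run check_secret_values against each YAML file before oc apply -f: a value that decodes with a trailing newline is stored verbatim in the cluster, so the LDAP bind or database login fails even though the password looks correct when you read it back.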