docs/nifi-docs/components/org.apache.nifi/nifi-hashicorp-vault-nar/1.19.1/org.apache.nifi.vault.hashicorp.StandardHashiCorpVaultClientService/additionalDetails.html - nifi-site - Git at Google

 <!DOCTYPE html>
 <html lang="en" xmlns="http://www.w3.org/1999/html">
 <!--
       Licensed to the Apache Software Foundation (ASF) under one or more
       contributor license agreements.  See the NOTICE file distributed with
       this work for additional information regarding copyright ownership.
       The ASF licenses this file to You under the Apache License, Version 2.0
       (the "License"); you may not use this file except in compliance with
       the License.  You may obtain a copy of the License at
           http://www.apache.org/licenses/LICENSE-2.0
       Unless required by applicable law or agreed to in writing, software
       distributed under the License is distributed on an "AS IS" BASIS,
       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
       See the License for the specific language governing permissions and
       limitations under the License.
     -->

 <head>
     <meta charset="utf-8"/>
     <title>StandardHashiCorpVaultClientService</title>
     <link rel="stylesheet" href="../../../../../css/component-usage.css" type="text/css"/>
 </head>
 <body>

 <h1>Configuring the Bootstrap HashiCorp Vault Configuration File</h1>

 <p>
     The ./conf/bootstrap-hashicorp-vault.conf file that comes with Apache NiFi is a convenient way to configure this
     controller service in a manner consistent with the HashiCorpVault sensitive properties provider.  Since this file is already used for configuring
     the Vault client for protecting sensitive properties in the NiFi configuration files
     (see the <a href="../../../../../html/administration-guide.html#hashicorp-vault-providers">Administrator's Guide</a>),
     it's a natural starting point for configuring the controller service as well.
 </p>

 <p>
     An example configuration of this properties file is as follows:
 </p>

 <code>
     <pre>
 # HTTP or HTTPS URI for HashiCorp Vault is required to enable the Sensitive Properties Provider
 vault.uri=https://127.0.0.1:8200

 # Optional file supports authentication properties described in the Spring Vault Environment Configuration
 # https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration
 #
 # All authentication properties must be included in bootstrap-hashicorp-vault.conf when this property is not specified.
 # Properties in bootstrap-hashicorp-vault.conf take precedence when the same values are defined in both files.
 # Token Authentication is the default when the 'vault.authentication' property is not specified.
 vault.authentication.properties.file=[full/path/to/vault-auth.properties]

 # Optional Timeout properties
 vault.connection.timeout=5 secs
 vault.read.timeout=15 secs

 # Optional TLS properties
 vault.ssl.enabledCipherSuites=
 vault.ssl.enabledProtocols=TLSv1.3
 vault.ssl.key-store=[path/to/keystore.p12]
 vault.ssl.key-store-type=PKCS12
 vault.ssl.key-store-password=[keystore password]
 vault.ssl.trust-store=[path/to/truststore.p12]
 vault.ssl.trust-store-type=PKCS12
 vault.ssl.trust-store-password=[truststore password]
     </pre>
 </code>

 <p>
     In order to use this file in the StandardHashiCorpVaultClientService, specify the following properties:
     <ul>
         <li><b>Configuration Strategy</b> - Properties Files</li>
         <li><b>Vault Properties Files</b> - ./conf/bootstrap-hashicorp-vault.conf</li>
     </ul>
 </p>

 <p>
     If your bootstrap configuration includes the vault.authentication.properties.file containing additional authentication properties, this
     file will also need to be added to the Vault Properties Files property as a comma-separated value.
 </p>

 <h3>Configuring the Client using Direct Properties</h3>

 <p>
     However, if you want to specify or override properties directly in the controller service, you may do this by specifying a Configuration Strategy
     of 'Direct Properties'.  This can be useful if you are reusing an SSLContextService or want to parameterize the Vault configuration properties.
     Authentication-related properties can also be added as sensitive dynamic properties, as seen in the examples below.
 </p>

 <h3>Vault Authentication</h3>
 <p>
     Under the hood, the controller service uses Spring Vault, and directly supports the property keys specified in
     <a href="https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration">Spring Vault's documentation</a>.
     Following are some common examples of authentication with Vault.
 </p>

 <h4>Token Authentication</h4>
 <p>
     The simplest authentication scheme uses a rotating token, which is enabled by default in Vault.  To specify this mechanism, select "TOKEN" from the
     "Vault Authentication" property (the default). However, since the token should rotate by nature, it is a best practice to use the 'Properties Files'
     Configuration Strategy, and keep the token value in an external properties file, indicating this filename in the 'Vault Properties Files' property.
     Then an external process can rotate the token in the file without updating NiFi configuration.  In order to pick up the changed token, the controller
     service must be disabled and re-enabled.
 </p>

 <p>
     For testing purposes, however, it may be more convenient to specify the token directly in the controller service.  To do so, add a new Sensitive property named
     'vault.token' and enter the token as the value.
 </p>

 <h4>Certificate Authentication</h4>
 <p>
     Certificate authentication must be enabled in the Vault server before it can be used from NiFi, but it uses the same TLS settings as the actual
     client connection, so no additional authentication properties are required.  While these TLS settings can be provided in an external properties file,
     we will demonstrate configuring an SSLContextService instead.
 </p>

 <p>
     First, create an SSLContextService controller service and configure the Filename, Password, and Type for both the Keystore and Truststore.
     Enable it, and assign it as the SSL Context Service in the Vault controller service.  Then, simply specify "CERT" as the "Vault Authentication"
     property value.
 </p>

 <h4>Other Authentication Methods</h4>
 <p>
     To configure the other authentication methods, see the Spring Vault documentation linked above.  All relevant properties should be added either
     to the external properties files referenced in the "Vault Properties Files" property if using the 'Properties Files' Configuration Strategy,
     or added as custom properties with the same name if using the 'Direct Properties' Configuration Strategy.
     For example, for the Azure authentication mechanism, properties will have to be added for 'vault.azure-msi.azure-path',
     'vault.azure-msi.role', and 'vault.azure-msi.identity-token-service'.
 </p>

 </body>
 </html>
	<!DOCTYPE html>
	<html lang="en" xmlns="http://www.w3.org/1999/html">
	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<head>
	<meta charset="utf-8"/>
	<title>StandardHashiCorpVaultClientService</title>
	<link rel="stylesheet" href="../../../../../css/component-usage.css" type="text/css"/>
	</head>
	<body>

	<h1>Configuring the Bootstrap HashiCorp Vault Configuration File</h1>

	<p>
	The ./conf/bootstrap-hashicorp-vault.conf file that comes with Apache NiFi is a convenient way to configure this
	controller service in a manner consistent with the HashiCorpVault sensitive properties provider. Since this file is already used for configuring
	the Vault client for protecting sensitive properties in the NiFi configuration files
	(see the <a href="../../../../../html/administration-guide.html#hashicorp-vault-providers">Administrator's Guide</a>),
	it's a natural starting point for configuring the controller service as well.
	</p>

	<p>
	An example configuration of this properties file is as follows:
	</p>

	<code>
	<pre>
	# HTTP or HTTPS URI for HashiCorp Vault is required to enable the Sensitive Properties Provider
	vault.uri=https://127.0.0.1:8200

	# Optional file supports authentication properties described in the Spring Vault Environment Configuration
	# https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration
	#
	# All authentication properties must be included in bootstrap-hashicorp-vault.conf when this property is not specified.
	# Properties in bootstrap-hashicorp-vault.conf take precedence when the same values are defined in both files.
	# Token Authentication is the default when the 'vault.authentication' property is not specified.
	vault.authentication.properties.file=[full/path/to/vault-auth.properties]

	# Optional Timeout properties
	vault.connection.timeout=5 secs
	vault.read.timeout=15 secs

	# Optional TLS properties
	vault.ssl.enabledCipherSuites=
	vault.ssl.enabledProtocols=TLSv1.3
	vault.ssl.key-store=[path/to/keystore.p12]
	vault.ssl.key-store-type=PKCS12
	vault.ssl.key-store-password=[keystore password]
	vault.ssl.trust-store=[path/to/truststore.p12]
	vault.ssl.trust-store-type=PKCS12
	vault.ssl.trust-store-password=[truststore password]
	</pre>
	</code>

	<p>
	In order to use this file in the StandardHashiCorpVaultClientService, specify the following properties:
	<ul>
	<li><b>Configuration Strategy</b> - Properties Files</li>
	<li><b>Vault Properties Files</b> - ./conf/bootstrap-hashicorp-vault.conf</li>
	</ul>
	</p>

	<p>
	If your bootstrap configuration includes the vault.authentication.properties.file containing additional authentication properties, this
	file will also need to be added to the Vault Properties Files property as a comma-separated value.
	</p>

	<h3>Configuring the Client using Direct Properties</h3>

	<p>
	However, if you want to specify or override properties directly in the controller service, you may do this by specifying a Configuration Strategy
	of 'Direct Properties'. This can be useful if you are reusing an SSLContextService or want to parameterize the Vault configuration properties.
	Authentication-related properties can also be added as sensitive dynamic properties, as seen in the examples below.
	</p>

	<h3>Vault Authentication</h3>
	<p>
	Under the hood, the controller service uses Spring Vault, and directly supports the property keys specified in
	<a href="https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration">Spring Vault's documentation</a>.
	Following are some common examples of authentication with Vault.
	</p>

	<h4>Token Authentication</h4>
	<p>
	The simplest authentication scheme uses a rotating token, which is enabled by default in Vault. To specify this mechanism, select "TOKEN" from the
	"Vault Authentication" property (the default). However, since the token should rotate by nature, it is a best practice to use the 'Properties Files'
	Configuration Strategy, and keep the token value in an external properties file, indicating this filename in the 'Vault Properties Files' property.
	Then an external process can rotate the token in the file without updating NiFi configuration. In order to pick up the changed token, the controller
	service must be disabled and re-enabled.
	</p>

	<p>
	For testing purposes, however, it may be more convenient to specify the token directly in the controller service. To do so, add a new Sensitive property named
	'vault.token' and enter the token as the value.
	</p>

	<h4>Certificate Authentication</h4>
	<p>
	Certificate authentication must be enabled in the Vault server before it can be used from NiFi, but it uses the same TLS settings as the actual
	client connection, so no additional authentication properties are required. While these TLS settings can be provided in an external properties file,
	we will demonstrate configuring an SSLContextService instead.
	</p>

	<p>
	First, create an SSLContextService controller service and configure the Filename, Password, and Type for both the Keystore and Truststore.
	Enable it, and assign it as the SSL Context Service in the Vault controller service. Then, simply specify "CERT" as the "Vault Authentication"
	property value.
	</p>

	<h4>Other Authentication Methods</h4>
	<p>
	To configure the other authentication methods, see the Spring Vault documentation linked above. All relevant properties should be added either
	to the external properties files referenced in the "Vault Properties Files" property if using the 'Properties Files' Configuration Strategy,
	or added as custom properties with the same name if using the 'Direct Properties' Configuration Strategy.
	For example, for the Azure authentication mechanism, properties will have to be added for 'vault.azure-msi.azure-path',
	'vault.azure-msi.role', and 'vault.azure-msi.identity-token-service'.
	</p>

	</body>
	</html>