Storing sensitive configuration values using the Config Editor

Use the Secure External Storage Manager - it can be opened in two ways:

  1. Click the corresponding button in the toolbar. The dialog supports adding, removing, changing, and deleting external secrets. External storage IDs available in the manager can then be referenced in the Change Password dialog to use them for a specific property.
  2. Click the corresponding button when editing a sensitive property. Then choose between Secure external storage (use this as the default choice), Config file (XML) - obfuscated (not encrypted), or Config file (XML) - plain from the Storage Mode drop-down. The storage IDs previously configured in the Storage Manager can be selected.

     [Figure: Select storage ID from Secure external storage]

  • Be aware that changing or deleting a secret may affect other IAM instances/installations that share the same external storage.
  • The secrets that are edited by the manager are stored immediately.
  • Previous versions of the secret values cannot be restored.

Single secrets can be read from an external file. To do so, specify the relative or absolute path to the secret file instead of the value, using the syntax [FILE]relative-or-absolute-filename.ext.

Examples:

  • [FILE]/opt/secrets/my-secret-value.txt
  • [FILE]instances/auth/my-other-secret-value.txt

[Figure: External Security Settings Secret]

The Storage Mode must be Config file (XML) - plain. The file path needs to be set in both input fields and must be entered again every time the external file name or path changes.

Note that the referenced file must be readable by the process running Airlock IAM.
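
The following pre-deployment check for [FILE] references is an added example, not part of Airlock IAM or its documentation. It resolves a reference, verifies that the file exists and is readable, and flags files that are accessible to other users, since the secret is stored in plain text. The base directory for relative paths (base_dir) and the function names are assumptions; run it as the account that runs Airlock IAM so the readability check reflects that process.

```python
import os
import stat

PREFIX = "[FILE]"  # syntax described on this page


def resolve_file_reference(value, base_dir):
    """Return the path a [FILE] reference points to, or None for an inline value."""
    if not value.startswith(PREFIX):
        return None
    path = value[len(PREFIX):]
    if not path:
        raise ValueError("empty path after [FILE]")
    # Assumption: relative paths are resolved against base_dir.
    # os.path.join discards base_dir when path is absolute.
    return os.path.normpath(os.path.join(base_dir, path))


def check_secret_file(value, base_dir):
    """Return a list of findings for one configured value (empty list means OK)."""
    path = resolve_file_reference(value, base_dir)
    if path is None:
        return ["value is stored inline, not referenced via [FILE]"]
    if not os.path.isfile(path):
        return [f"{path}: missing or not a regular file"]
    findings = []
    # Readability is evaluated for the user running this script.
    if not os.access(path, os.R_OK):
        findings.append(f"{path}: not readable by the current user")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The file holds a plain-text secret: no access for "others".
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: mode {mode:o} grants access to other users")
    return findings


if __name__ == "__main__":
    # Constructed sample values using the examples from this page.
    samples = [
        "[FILE]/opt/secrets/my-secret-value.txt",
        "[FILE]instances/auth/my-other-secret-value.txt",
    ]
    for sample in samples:
        result = check_secret_file(sample, base_dir=os.getcwd())
        print(sample, "->", result or "OK")
```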