Configuring

Implementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and later and EDB Postgres Extended Server version 15.2 and later requires the following components:

  • EDB Postgres Distribution (15.2 or later)
  • Hashicorp Vault Enterprise version 1.13.2+ent or 1.12.6+ent
  • PyKMIP
  • Python
Note

We refer to EDB Postgres Advanced Server version 15.2 and later and EDB Postgres Extended Server version 15.2 and later products as EDB Postgres distribution. The specific distribution type depends on your needs and preferences.

Prerequisites

  • A running EDB Postgres distribution with Python and PyKMIP installed
  • Hashicorp Vault Enterprise edition with enterprise licensing installed and deployed per your VM environment

Check/install Python on server

Many Unix-compatible operating systems, such as macOS and some Linux distributions, have Python installed by default, as it's included in a base installation.

To check your version of Python on your machine, or to see if it's installed, enter python3. The Python version is returned. You can also enter ps -ef |grep python to return a Python running process.

root@ip-172-31-46-134:/home/ubuntu# python
Python 3.8.10 (default, May 26 2023, 14:05:08) 
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.

If you run a check and find that your system doesn't have Python installed, you can download it from Python.org. Select your OS and download and install it on your system.

Install Pykmip

Once your EDB Repository is installed on your server, you can then install the PyKMIP utility.

  • As root user, issue the install python3-pykmip command. This example uses a RHEL8 server, so the command is dnf install python3-pykmip.

The output looks something like:

[root@ip-172-31-7-145 ec2-user]# dnf install python3-pykmip
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStre  63 MB/s |  58 MB     00:00    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS   71 MB/s |  62 MB     00:00    
Red Hat Ansible Engine 2 for RHEL 8 (RPMs) from  19 MB/s | 2.5 MB     00:00    
RHUI Client Configuration Server 8               45 kB/s | 3.7 kB     00:00    
Last metadata expiration check: 0:00:01 ago on Thu 06 Jul 2023 01:30:54 PM UTC.
Dependencies resolved.
================================================================================
 Package            Arch   Version         Repository                      Size
================================================================================
Installing:
 python3-pykmip     noarch 0.9.1-1.el8     enterprisedb-enterprise-noarch 401 k
Installing dependencies:
 python3-sqlalchemy x86_64 1.3.2-2.module+el8.3.0+6646+6b4b10ec
                                           rhel-8-appstream-rhui-rpms     1.9 M
Enabling module streams:
 python36                  3.6                                                 

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 2.3 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): python3-sqlalchemy-1.3.2-2.module+el8.3.  23 MB/s | 1.9 MB     00:00    
(2/2): python3-pykmip-0.9.1-1.el8.noarch.rpm    450 kB/s | 401 kB     00:00    
--------------------------------------------------------------------------------
Total                                           2.5 MB/s | 2.3 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b1   1/2 
  Installing       : python3-pykmip-0.9.1-1.el8.noarch                      2/2 
  Running scriptlet: python3-pykmip-0.9.1-1.el8.noarch                      2/2 
  Verifying        : python3-pykmip-0.9.1-1.el8.noarch                      1/2 
  Verifying        : python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b1   2/2 
Installed products updated.

Installed:
  python3-pykmip-0.9.1-1.el8.noarch                                             
  python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b10ec.x86_64                

Complete!

Configure Hashicorp Vault KMIP secrets engine

Note

You have to set your environment variable with Hashicorp Vault before you can configure the Hashicorp Vault server using the API IP address and port. If you receive the error message, “Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client,” enter this command at your command line: export VAULT_ADDR="http://127.0.0.1:8200".

After your Hashicorp Vault configuration is installed and deployed per the guidelines in the Hashicorp documentation, you then need to enable the KMIP capabilities.

  1. Assume root user.

  2. As the root user, enter vault secrets enable kmip:

root@ip-172-31-46-134:/home/ubuntu# vault secrets enable kmip
Success! Enabled the kmip secrets engine at: kmip/

You then need to configure the Hashicorp Vault secrets engine with the desired KMIP listener address.

  1. Enter vault write kmip/config listen_addrs=0.0.0.0:5696:
root@ip-172-31-46-134:/home/ubuntu# vault write kmip/config listen_addrs=0.0.0.0:5696
Success! Data written to: kmip/config
  1. To create the scope for defining allowed operations a role can perform, enter vault write -f kmip/scope/<scope_name>:
root@ip-172-31-46-134:/home/ubuntu# vault write -f kmip/scope/edb
Success! Data written to: kmip/scope/edb
Note

To view the scopes you created, enter vault list kmip/scope.

  1. To define the role for the scope, enter vault write kmip/scope/*scope_name*/role/<role_name> operation_all=true. In this example, the role of admin is for the scope edb:
root@ip-172-31-46-134:/home/ubuntu# vault write kmip/scope/edb/role/admin operation_all=true
Success! Data written to: kmip/scope/edb/role/admin
  1. You can read your scope and role with the command vault read kmip/scope/*scope_name*/role/<role_name>:
root@ip-172-31-46-134:/home/ubuntu# vault read kmip/scope/edb/role/admin
Key                    Value
---                    -----
operation_all          true
tls_client_key_bits    0
tls_client_key_type    n/a
tls_client_ttl         0s

Generate client certificates

After you create a scope and a role, you need to generate client certificates to use in your pykmip.conf file for key management. You can use these certificates to establish communication with Hashicorp Vault’s KMIP server.

  1. Generate the client certificate, which provides the CA chain, the private key, and the certificate.

  2. Enter vault write -f -field=certificate \ kmip/scope/<scope_name>/role/<role_name>/credential/generate > <certificate_name>.pem.

This example uses the user edb, the scope admin, and the certificate name kmip-cert.pem:

root@ip-172-31-46-134:/home/ubuntu# vault write -f -field=certificate \ kmip/scope/edb/role/admin/credential/generate > kmip-cert.pem
  1. To view your certificates, enter cat <certificate_name>.pem, which returns the certificates from Hashicorp Vault.
root@ip-172-31-46-134:/home/ubuntu# cat kmip-cert.pem 
  1. You need to separate the individual certificates into .pem files so they can be used in your pykmip.conf file.
Note

Make sure to include ----BEGIN ------ and ----END ------ in the .pem certificate files.

  1. Create a key.pem file that contains the private key in the certificate chain:
ubuntu@ip-172-31-46-134:/tmp$ cat key.pem 
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIbpRtITDlQ5DpFtuRXWpWdV0fRdZ6vnBYJQmMKCR/iZoAoGCCqGSM49
AwEHoUQDQgAE3+Kp/PXqTMDCINKIbeNI34qQ47Pd7lttkN2Pgfl7LhLt8uLlAmLX
wmmW4klCuDzRdSBvtdcA5LguWrSBimKXDw==
-----END EC PRIVATE KEY-----
  1. Create a cert.pem file that contains the first certificate in the certificate chain:
ubuntu@ip-172-31-46-134:/tmp$ cat cert.pem 
-----BEGIN CERTIFICATE-----
MIIBwjCCAWegAwIBAgIUJEpQl3OQKZL5pT7pkOKbBuafBwYwCgYIKoZIzj0EAwIw
KjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0y
MzAzMzAyMjE1MjhaFw0yMzA0MTMyMjE1NThaMCAxDjAMBgNVBAsTBWZUZWNDMQ4w
DAYDVQQDEwU1R0VhTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN/iqfz16kzA
wiDSiG3jSN+KkOOz3e5bbZDdj4H5ey4S7fLi5QJi18JpluJJQrg80XUgb7XXAOS4
Llq0gYpilw+jdTBzMA4GA1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQle1YJXy2VX699fQoR7NcMT06/OTAf
BgNVHSMEGDAWgBSSBDXnwdExsaSbT/vgqDHm4zG6STAKBggqhkjOPQQDAgNJADBG
AiEAk7Vo1HpS1D+C3OyBXqHGlCOD3p4HnMeStGaBB/Cqn2cCIQDul2Vxal7lCeDN
Xlg2U8LToGCBEvf1quZU7T8ZQkbQCA==
-----END CERTIFICATE-----
  1. Create a ca.pem file that contains the last two certificates in the certificate chain:
ubuntu@ip-172-31-46-134:/tmp$ cat ca.pem 
-----BEGIN CERTIFICATE-----
MIIBrTCCAVKgAwIBAgIUEvo9Bh4qNPVYvQC2wttR5vD9KTQwCgYIKoZIzj0EAwIw
HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTIzMDMwMTE5MjgyN1oX
DTMzMDIyNjE5Mjg1N1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu
dGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCNpmJK8lrNg1AVl
s5ge5tfIhaCq4Vgom3tbRnIhmqDKIjnJa1QQtGXl+aY8sa3Uckabu7F73Qlmx2uG
yO7qzXqjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
DgQWBBSSBDXnwdExsaSbT/vgqDHm4zG6STAfBgNVHSMEGDAWgBSS2fzAT5gtJFl+
csFk43spGfJR3zAKBggqhkjOPQQDAgNJADBGAiEAgmLt1YGJfma0tjbs8crQTfXt
RkbhctXSJQOqR3ejM/8CIQCZY4LIgwBhOE95gw1xAv4onclSk/ZaUxDQCXBeh60i
lg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBoDCCAUWgAwIBAgIUAZ/BGjgU/gvnzlVC9WEPxUcb0howCgYIKoZIzj0EAwIw
HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTIzMDMwMTE5MjgyN1oX
DTMzMDIyNjE5Mjg1N1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzQCEnid/sExfxBpki2suGc3pE0wVQt31
Wtg16m9l0mLj3qZFdRCAHJKpoY6RT5X81/gkhhEjVBR3Hi3C3C6J+KNjMGEwDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJLZ/MBPmC0k
WX5ywWTjeykZ8lHfMB8GA1UdIwQYMBaAFJLZ/MBPmC0kWX5ywWTjeykZ8lHfMAoG
CCqGSM49BAMCA0kAMEYCIQCoeQmZmYeViGcm2qtm9vjPs4SLEHVbDjG17zZ1euW6
IgIhAMb3y3xRXwddt2ejaow1GytysRz4LoxC3B5dLn1LoCpI
-----END CERTIFICATE-----

Once you have all of the required certificates, you're ready to use the Hashicorp Vault secrets engine with your EDB Postgres distribution and TDE.


Could this page be better? Report a problem or suggest an addition!