Microsoft's Azure Key Vault is becoming an increasingly popular resource for securing credentials particularly for Event Hub and other Azure cloud services. The “Secrets Management” feature of AKV is used for storing the NaCl private key used by Connect CDC SQData. See the official introduction to AKV at https://docs.microsoft.com/en-us/azure/key-vault/general/overview.
Once the NaCL key pair has been generated by %PREFIX%>UTIL , the contents of the private key file, id_nacl can be stored as a "secret" using either Microsoft's Azure Portal import process or the Azuer CLI.
Syntax:
Using the id_nacl file content from the KeyGen, use Azure CLI in a script or at the command line to specify only the private key value from the file, excluding the "-----BEGIN NACL PRIVATE KEY-----" and "-----END NACL PRIVATE KEY-----" lines.
az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "id_nacl" --value "L68x1APsG4Bhhv+gG4CYP3IdsSUX3fNSQ030RUy0T5I="
Once the NaCL Private pair has been secured in the AKV it will be referenced as required by Connect CDC SQData components using the existing method for specifying non-default identity locations:
--identity=azkv://<vault-name>.vault.azure.net/secrets/<secret_name>
Keyword | Description |
---|---|
secret_name |
While any name can be used for the secret, using ïd_nacl" or when several different NaCL private keys are to be stored in the AKV, a naming standard that relates to a host or application name concatinated with id_nacl may be appropriate. |
- If client_id is specified in sqdata_cloud.conf file, then AAD token is retrieved from user managed identity
- If none of tenant_id, client_id and client_secret is specified, then AAD token is retrieved from system managed identity.
[azkv]
tenant_id=f0h2842c-8394-4tcu-bb4r-e7745dc73b3b
client_id=73495b95-9d73-4973-8318-caf355b10f54
client_secret=~WlkC~4QsdQFLg0XyEeb0923_23MpRWsC~.
Example 1:
sqdrpl Db2TOKAF.rpl --identity=azkv://abc_company.vault.azure.net/secrets/id_nacl
Example 2:
Use the AKV to provide the NaCL Private Key for an Apply engine named Db2TOKAF controlled by a local Engine Controller on linux. This Engine could be started using the sqdmon utility on the localhost or even a zOS batch job executing SQDMON and starting the Engine on the remote linux system since the Private Key used by the Engine is specified by the Engine Controller SQDaemon.
acl=/home/sqdata/poc/daemon/cfg/acl.cfg
authorized_keys=home/sqdata/poc/daemon/nacl_auth_keys
identity=azkv://abc_company.vault.azure.net/secrets/id_nacl
message_level=2
message_file=../logs/daemon.log
service=2626
[Db2TOKAF]
type=Engine
program=sqdata
args=/home/sqdata/poc/engines/Db2TOKAF.prc
working_directory=/home/sqdata/poc
stdout_file=/home/sqdata/poc/DB2TOKAF.rpt
stderr_file=/home/sqdata/poc/DB2TOKAF.rpt
auto_start=N
<key>=%secret(azkv://<vault-name>.vault.azure.net/secrets/<secret_name>
Example 3:
sasl.password=%secret(azkv://connect123.vault.azure.net/secrets/saslpas)