On-Premises initial installation using HashiCorp Vault

Using the initial installation method, you can connect and configure the external key vault connector, service account credential (Active Directory administrator password), and bootstrap (database) credential identifier.

Note: You must select Microsoft SQL Server Authentication as the database; other database authentication methods are not supported for this use case.

The initial installation supports a password-less installation for the Control Room bootstrap credentials: instead of entering the password, you supply the name of the secret configured in the vault, and the installer retrieves the bootstrap credentials from that secret.

You can configure the SMTP and AD credential identifier to retrieve from the external key vault using the Automation 360 user interface.

Procedure

  1. After you start the Automation 360 installation wizard, select On-premises as the Deployment Option and click Next.
  2. Accept the license agreement and click Next.
  3. Select Custom as the Installation Type Preference and click Next.
  4. Accept the default locations for the destination folders and click Next.
  5. Select Microsoft SQL Server as the Database Type and click Next.
  6. Select HashiCorp from the External Key Vault Integration drop-down.
    1. In the Vault URL field, enter the HashiCorp server API URL (for example: https://<host> or https://<host or IP>:<port>).
    2. In the Role ID field, enter the HashiCorp RoleID (for example: 675a50e7-cfe0-be76-e35f-49ec009731ea).
    3. In the Role Name field, enter the HashiCorp role name (for example: jenkins).
    4. In the Secret ID field, enter the HashiCorp SecretID (for example: ed0a642f-2acf-c2da-232f-1b21300d5f29).
    5. Optional: In the Namespace field, enter the namespace.
    6. Optional: If the issuing Certificate Authority (CA) of the HashiCorp server certificate is not trusted by the Control Room, enter the HashiCorp server certificate.
      This is the server certificate (.pem format) for the HashiCorp server without a private key (the certificate Subject: field contains the HashiCorp server FQDN). The installer will add the optional HashiCorp server certificate to the truststore used by the Control Room.
    7. Click Next.
      HashiCorp external key vault option
  7. Accept the default settings from the TLS Configuration dialog and click Next.
  8. From the Service Credentials dialog, select the option to specify a HashiCorp Secret Name instead of manually entering the user name and password for the Service Account used by the Control Room.
  9. Click Service Account (retrieve credentials from external key vault), and then enter the HashiCorp Secret Name value.
    The installer will query the HashiCorp server for the credential to validate the configuration.
    HashiCorp service credential safe name and object name entries
    Note: If the Service Account option to specify a HashiCorp Secret Name is not available, the HashiCorp Vault connection was not configured correctly in the External Key Vault Integration step. Contact your AAI Support team.

    See: Troubleshooting external key vaults.

  10. Click Next.
  11. From the Database Server dialog, select your Database Server and enter the name of your Control Room database, and then click Next.
    Control Room database name
  12. From the Database Authentication dialog, select the option to specify a HashiCorp Secret Name instead of manually entering the user name and password the Control Room uses to authenticate to the database.
    1. Click SQL Server authentication (retrieve credential from external key vault), and then enter the HashiCorp Secret Name value.
    2. Click Next to continue and complete the initial installation.
    SQL server authentication for HashiCorp secret name

After you successfully complete the initial installation, the Automation 360 Control Room can retrieve credentials from the HashiCorp Vault.
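As an added pre-flight check, not part of this page or of the Automation Anywhere installer, the following script performs the same AppRole login and secret read that the installer runs to validate the Vault URL, Role ID, Secret ID, optional Namespace, optional server certificate and Secret Name entered in the steps above. It assumes a KV v2 engine mounted at `secret` whose secrets carry `username` and `password` keys, and uses a hypothetical host; the Role ID and Secret ID are the page's example values.

```python
import json
import ssl
import urllib.request

def approle_login_request(vault_url, role_id, secret_id, namespace=None):
    """Build the AppRole login call that the Role ID / Secret ID fields map to."""
    headers = {"Content-Type": "application/json"}
    if namespace:  # the optional Namespace field becomes the X-Vault-Namespace header
        headers["X-Vault-Namespace"] = namespace
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return vault_url.rstrip("/") + "/v1/auth/approle/login", headers, body

def client_token(login_response):
    """Extract the short-lived client token from a Vault login response."""
    return login_response["auth"]["client_token"]

def secret_read_request(vault_url, secret_name, token, namespace=None, mount="secret"):
    """Build the KV read for a Secret Name (KV v2 mount 'secret' is an assumption)."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return f"{vault_url.rstrip('/')}/v1/{mount}/data/{secret_name}", headers

def credential_from(secret_response):
    """Return (username, password); KV v2 nests under data.data, KV v1 under data."""
    data = secret_response["data"]
    if isinstance(data.get("data"), dict):
        data = data["data"]
    return data["username"], data["password"]  # key names are an assumption

def tls_context(ca_pem_path=None):
    """Trust only the optional server certificate (.pem, no private key) if one is given."""
    return ssl.create_default_context(cafile=ca_pem_path)

def fetch_credential(vault_url, role_id, secret_id, secret_name, namespace=None, ca_pem=None):
    """Run the same two-step query the installer uses to validate the configuration."""
    ctx = tls_context(ca_pem)
    url, headers, body = approle_login_request(vault_url, role_id, secret_id, namespace)
    with urllib.request.urlopen(urllib.request.Request(url, body, headers), context=ctx) as r:
        token = client_token(json.load(r))
    url, headers = secret_read_request(vault_url, secret_name, token, namespace)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), context=ctx) as r:
        return credential_from(json.load(r))

if __name__ == "__main__":  # constructed: hypothetical host, example IDs from the page
    print(fetch_credential("https://vault.example.internal:8200", "675a50e7-cfe0-be76-e35f-49ec009731ea",
                           "ed0a642f-2acf-c2da-232f-1b21300d5f29", "cr-service-account")[0])
```

If the login fails, the Role ID or Secret ID is wrong or the AppRole is not enabled in that namespace; if the login succeeds but the read fails, the token's policy does not cover the secret path or the Secret Name does not exist.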