On-Premises post-installation using HashiCorp Vault

You use the interactive command-line key vault utility during a scheduled system downtime, during which you must stop all running Control Room services. Coordinate with the HashiCorp administrative team before any key vault configuration change that might affect connectivity parameters (such as App ID, vault URL, port numbers, and certificate) during the downtime.

Prerequisites

Note: If you use the key vault utility to disable HashiCorp Vault integration, you must first unmap any mapped credentials that are in use.

Using the post-installation method, you can perform these actions:

  • Modify or configure the external key vault connection parameters.
  • (If not configured during initial installation) Modify or configure the service account credential (Active Directory administrator password).
  • (If not configured during initial installation) Modify or configure the database (bootstrap) credential identifier (retrieved when authenticating the database).
    Note: Retrieving bootstrap credentials from an external key vault can cause the Control Room to fail if the external key vault is not accessible during boot-up, or when the Control Room refreshes database connections and authenticates users with Active Directory.
  • Recover the Control Room for these reasons:
    • If the external key vault connection parameters, the service account, or the database credential safe and object identifiers were modified.
    • If changes to the HashiCorp Vault connection parameters caused the Control Room to experience connectivity issues.
    • If credential identifiers for bootstrap passwords changed.

      You can update any initial configuration settings that were not set correctly and recover the system.

    Note: You can configure and edit the SMTP and AD credential identifiers that retrieve information from the external key vault from the Automation 360 Control Room by navigating to Administration > Settings > Email and Administration > Settings > Active Directory.

Procedure

  1. Run the key vault utility for the HashiCorp Vault.
    Note: You must import the HashiCorp server certificate (the certificate issued to the HashiCorp server) into the Java truststore before invoking the DB utility commands. The certificate can be in .cer (PEM) format and does not contain a private key.

    To run the key vault utility and update key vault connection settings:

    1. As the Control Room administrator, access the Automation Anywhere Control Room installation directory that was created during the initial Automation 360 installation.
      For example: C:\Program Files\Automation Anywhere\Enterprise
    2. Download the latest version of the key vault utility. To download the jar file that updates the installation directory:
      1. Open a browser and go to the A-People Downloads page (login required).
      2. Click the link to the latest On-Premises build.
      3. Click the Installation Setup folder.
      4. Download the crutils.jar file.
      Note: If DB authentication is already configured to use the external key vault, the utility returns the following exception: Database currently configured to retrieve credentials from key vault. Update database authentication to WINDOWS/SQL to proceed further and exit.
      The utility then asks you to confirm the action: Disable/update of key vault might impact functionalities using key vault (for example, Active Directory configuration, Email Settings configuration). Make sure to update these settings (if any). Are you sure you want to continue?
    3. Enter Y to continue.
    4. Enter the following:
      > jdk11\bin\java -jar certmgr.jar -appDir . -importTrustCert <Full path of the certificate>
    5. Add these JVM arguments to the command that runs the key vault utility, so that the utility trusts the HashiCorp server certificate imported in the previous step:
      1. -Djavax.net.ssl.trustStore="C:\Program Files\Automation Anywhere\Enterprise\pki\trust\store.ks"
      2. -Djavax.net.ssl.trustStorePassword=changeit
      The remaining arguments select the utility and the configuration action: --module-path lib -jar crutils.jar -configPath "C:\Program Files\Automation Anywhere\Enterprise\config" -action [UPDATE_KEY_VAULT_CONFIGURATION or UPDATE_DB_AUTHENTICATION_CONFIGURATION]
      The complete command is:
      > jdk11\bin\java -Djavax.net.ssl.trustStore="C:\Program Files\Automation Anywhere\Enterprise\pki\trust\store.ks" -Djavax.net.ssl.trustStorePassword=changeit --module-path lib -jar crutils.jar -configPath "C:\Program Files\Automation Anywhere\Enterprise\config" -action [UPDATE_KEY_VAULT_CONFIGURATION or UPDATE_DB_AUTHENTICATION_CONFIGURATION]

      You can update either of these configuration actions:

      • Enter UPDATE_KEY_VAULT_CONFIGURATION to edit the HashiCorp key vault configuration.
      • Enter UPDATE_DB_AUTHENTICATION_CONFIGURATION to change to database authentication using external key vault.
  2. Based on the configuration action you used, select the appropriate action:
    • Update key vault configuration for HashiCorp: If you entered UPDATE_KEY_VAULT_CONFIGURATION as the configuration action:
      1. After the utility loads the current key vault configuration and properties, the prompt Enter key vault [AWS/CYBERARK/AZURE/HASHICORP/NONE] : is displayed. Enter HASHICORP.
      2. At the Please enter Vault URL: prompt, enter (for example): https://services.uscentral.skytap.com:19516
      3. At the Please enter Role Name: prompt, enter (for example): jenkins
      4. At the Please enter Role ID: prompt, enter (for example): 675a50e7-cfe0-be76-e35f-49ec009731ea
      5. At the Please enter Secret ID: prompt, enter (for example): ed0a642f-2acf-c2da-232f-1b21300d5f29
      6. At the Please enter Namespace: prompt, enter (for example): tenant1
      The key vault utility runs. If the configuration was successful (the utility was able to connect to the external key vault using the configured parameters), these messages are displayed on the console:
        Connection configurations valid
        Key Vault configurations successfully updated
    • Update database authentication for HashiCorp: If you entered UPDATE_DB_AUTHENTICATION_CONFIGURATION as the configuration action:
      1. After the utility loads the current database configuration information, this prompt is displayed:
        Database authentication configurations loaded
        Currently configured database authentication [SQL]

        Change database authentication. Available options:
        WINDOWS: Connect to database using windows authentication
        SQL: Connect to database using SQL server authentication, manually enter username and password
        KEY_VAULT: Connect to database using SQL server authentication, retrieve username and password from external key Vault

        Enter database authentication [WINDOWS/SQL/KEY_VAULT]:

        Enter KEY_VAULT.

      2. At the Please enter Secret name: prompt, enter (for example): aadbuser

      The key vault utility runs. If the database configuration was successful (the utility was able to connect to HashiCorp, retrieve the designated credential and then use the credential to connect to the database), these messages are displayed on the console:

      Database Credentials are valid
      Database authentication configurations successfully updated
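The two checks the utility performs (connecting to the Vault with the Role ID, Secret ID and Namespace, then retrieving the database credential by Secret name) are the ones most worth rehearsing before the downtime window, because a parameter that fails only at boot-up leaves the Control Room unable to start. The following script is an added example, not part of the Automation Anywhere documentation or of crutils.jar, that runs those same checks against the same five values the prompts ask for and reports only key names, never credential values. It assumes, because the page does not say, that the utility uses Vault's AppRole auth method mounted at auth/approle and reads the database credential from a KV secrets engine (mount path and KV version are parameters); the names `VaultParams`, `preflight`, `fake_transport`, the host `vault.example.invalid` and all placeholder IDs are constructed for the example.

```python
"""Pre-flight check for the values the key vault utility prompts for (Vault URL,
Role ID, Secret ID, Namespace, DB Secret name). Added example; not part of the
Automation Anywhere documentation or of crutils.jar. Assumed, not stated on the
page: the utility uses Vault's AppRole method at auth/approle, and the database
credential is a KV secret (mount path and KV version are parameters here)."""
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

@dataclass
class VaultParams:
    vault_url: str            # "Please enter Vault URL"
    role_id: str              # "Please enter Role ID"
    secret_id: str            # "Please enter Secret ID"
    namespace: str            # "Please enter Namespace" ("" if none)
    secret_name: str          # "Please enter Secret name" (DB credential)
    kv_mount: str = "secret"  # assumed KV mount path
    kv_version: int = 2       # assumed KV engine version

def urllib_transport(ca_file: str):
    """HTTPS transport that trusts only the PEM certificate issued to the HashiCorp
    server (the file the page says to import into the Java truststore), so a
    certificate Java would reject fails here first. send() -> (status, json)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    def send(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={**headers, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send

def base_headers(p: VaultParams, token: Optional[str] = None) -> dict:
    """Namespace goes in X-Vault-Namespace; the issued token in X-Vault-Token."""
    headers = {"X-Vault-Namespace": p.namespace} if p.namespace else {}
    if token:
        headers["X-Vault-Token"] = token
    return headers

def approle_login(p: VaultParams, send):
    """Exchange Role ID + Secret ID for a client token: (token, lease_seconds, policies).
    The error text never includes the Secret ID."""
    status, body = send("POST", p.vault_url.rstrip("/") + "/v1/auth/approle/login",
                        base_headers(p), {"role_id": p.role_id, "secret_id": p.secret_id})
    if status != 200:
        raise RuntimeError(f"AppRole login failed: HTTP {status} {body.get('errors')}")
    auth = body["auth"]
    return auth["client_token"], auth["lease_duration"], auth.get("policies", [])

def secret_read_url(p: VaultParams) -> str:
    base = f"{p.vault_url.rstrip('/')}/v1/{p.kv_mount.strip('/')}"
    return f"{base}/data/{p.secret_name}" if p.kv_version == 2 else f"{base}/{p.secret_name}"

def read_db_credential(p: VaultParams, token: str, send) -> set:
    """Read the secret; return only the key names it holds, never the values."""
    status, body = send("GET", secret_read_url(p), base_headers(p, token), None)
    if status != 200:
        raise RuntimeError(f"reading secret {p.secret_name!r} failed: HTTP {status} {body.get('errors')}")
    return set(body["data"]["data"] if p.kv_version == 2 else body["data"])

def preflight(p: VaultParams, send, required=("username", "password")) -> dict:
    """Both checks the utility will perform during the downtime, as a findings dict."""
    token, ttl, policies = approle_login(p, send)
    missing = [k for k in required if k not in read_db_credential(p, token, send)]
    return {"login_ok": True, "token_ttl": ttl, "policies": policies,
            "secret_ok": not missing, "missing_keys": missing}

def fake_transport(role_id: str, secret_id: str, secrets: dict):
    """Constructed stand-in for a Vault server (KV v2 responses) so this runs offline."""
    token = "hvs.CONSTRUCTED-EXAMPLE-TOKEN"
    def send(method, url, headers, body):
        if method == "POST" and url.endswith("/v1/auth/approle/login"):
            if body == {"role_id": role_id, "secret_id": secret_id}:
                return 200, {"auth": {"client_token": token, "lease_duration": 3600,
                                      "policies": ["default", "cr-db-read"]}}
            return 400, {"errors": ["invalid role or secret ID"]}
        if method == "GET" and headers.get("X-Vault-Token") == token:
            name = url.rsplit("/", 1)[-1]
            return (200, {"data": {"data": secrets[name]}}) if name in secrets else (404, {"errors": []})
        return 403, {"errors": ["permission denied"]}
    return send

if __name__ == "__main__":
    p = VaultParams("https://vault.example.invalid:8200", "ROLE-ID-PLACEHOLDER",
                    "SECRET-ID-PLACEHOLDER", "tenant1", "aadbuser")
    # Real run: send = urllib_transport(r"C:\path\to\hashicorp-server.cer")
    send = fake_transport(p.role_id, p.secret_id,
                          {"aadbuser": {"username": "aadbuser", "password": "constructed"}})
    print(json.dumps(preflight(p, send), indent=2))
```

Against a real server, swap `fake_transport` for `urllib_transport` pointed at the same certificate file you import with certmgr.jar: if the TLS handshake fails here, the Java side will fail for the same reason. The findings dict deliberately carries policy names, token TTL and missing key names only, so it can go into the change record for the downtime without exposing the credential.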