Configuring the Security CLI Docker Image

Installation and Upgrade > Installing ThingWorx > Using ThingWorx Docker > Setting Up, Building, and Configuring ThingWorx Docker > Configuring ThingWorx Docker > Configuring the Security CLI Docker Image

Overview

This topic covers how to configure the security CLI Docker image which is required to run ThingWorx in a containerized environment.

Configuring the Security CLI Docker Image

You can add the following options to the environment section of the file to control the configuration of each container.

Variable Names	Defaults	Comments
KEYSTORE	No default value set	Set to true to create a configuration file using the KeyStore environment variables.
KEYSTORE_PASSWORD_FILE_PATH	No default value set	Sets the path to the KeyStore password. This property must be set.
KEYSTORE_PASSWORD_FILE_NAME	No default value set	Sets the name of the KeyStore password file.
KEYSTORE_FILE_PATH	No default value set	Sets the path to the KeyStore file. This property must be set.
KEYSTORE_FILE_NAME	No default value set	Sets the KeyStore filename.
DEFAULT_ENCRYPTION_KEY_LENGTH	265 bytes	Sets the default key length used when creating new encryption keys. It does affect the size of existing keys.

Initializing Secrets

Secrets are passed to the tool using environment variables. You can use any of the following two methods to initialize secrets:

Option A

All environment variables starting with the text SECRET_ are processed. Valid environment variable names include SECRET_MYSECRET, SECRET_SECRET1, SECRET_SPECIAL_SECRET_VALUE.

The <prefix> of the environment variable (e.g. SECRET_ in SECRET_MYSECRET) is stripped and is converted to lower case to be used as the key. For instance, for the SECRET_MYSECRET environment variable, mysecret is the key. The environment variable value is the secret value to be set.

Option B

The environment variable CUSTOM_SECRET_LIST is a comma delimited list of keystore-key:environment-variable-name. It can be used to map any environment variable to a specific key in the keystore. If an environment variable in this list is passed to the tool it will read the value and assign it to the corresponding key. This is useful when you have environment variables that don’t directly map to key names.

Example value of the CUSTOM_SECRET_LIST environment variable: mysecretkey1: SOME_ENV_VARIABLE1,mysecretkey2:ANOTHER_ENV_VARIABLE

Key Names	Description
encrypt.db.password	Database password
encrypt.licensing.password	Licensing connection password
encrypt.proxy.password	Licensing proxy password
encrypt.queue.password	Symphony Rabbit MQ password
encrypt.sc.keystore.password	Solution Central password
encrypt.ignite.keystore.password	Ignite keystore password
encrypt.zk.keystore.password	Zookeeper keystore password
encrypt.zk.truststore.password	Zookeeper truststore password
encrypt.akka.keystore.password	Akka Keystore password
encrypt.akka.truststore.password	Akka truststore password
encrypt.propertytransform.password	Property Transform Rabbit MQ password
encrypt.broker.ssl.clientstore.password	Property Transform keystore password
encrypt.broker.ssl.truststore.password	Property Transform truststore password

Example Compose for KeyStore

The following example creates a shared storage volume. In the container, it is mapped to SecureData, where the location of the KeyStore and KeyStore Password files is configured. The container starts and creates or updates the KeyStore values. Once all values are populated, the container exits.

docker-compose.yml

version: '2.3'
volumes:
storage:

services:
secrets:
image: artifactory.rd2.thingworx.io/twxdevops/security-cli:latest
environment:
- "KEYSTORE=true"
- "KEYSTORE_PASSWORD_FILE_PATH=/SecureData"
- "KEYSTORE_FILE_PATH=/SecureData"
- "SECRET_MYSECRET=zyfdzhij"
- "SECRET_SECRET1=mydata1"
- "SECRET_MY_SECRET2=mydata2"
- "SECRET_SPECIAL_SECRET_VALUE=mydata3"
- "TWX_DATABASE_PASSWORD=abcd"
- "LS_PASSWORD=efgh"
- "CUSTOM_SECRET_LIST=encrypt.db.password:TWX_DATABASE_PASSWORD,encrypt.licensing.password:LS_PASSWORD"
volumes:
- storage:/SecureData

To use the file above, run docker compose up secrets, which generates the following output:

secrets_1 | Running command with config:
secrets_1 | Config(SimpleConfigObject({"output-file":"/opt/cli.conf","sources":{"scripts":[]},"template-file":"/opt/cli.conf.j2","type":"process-template"}))
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | mysecret stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | secret1 stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | my_secret2 stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | special_secret_value stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | encrypt.db.password stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | encrypt.licensing.password stored
secrets_1 | security-common-cli-docker_secrets_1 exited with code 0

Was this helpful?