Configuring the Security CLI Docker Image
Overview
This topic covers how to configure the security CLI Docker image which is required to run ThingWorx in a containerized environment.
Configuring the Security CLI Docker Image
You can add the following options to the environment section of the file to control the configuration of each container.
Variable Names
Defaults
Comments
KEYSTORE
No default value set
Set to true to create a configuration file using the KeyStore environment variables.
KEYSTORE_PASSWORD_FILE_PATH
No default value set
Sets the path to the KeyStore password. This property must be set.
KEYSTORE_PASSWORD_FILE_NAME
No default value set
Sets the name of the KeyStore password file.
KEYSTORE_FILE_PATH
No default value set
Sets the path to the KeyStore file. This property must be set.
KEYSTORE_FILE_NAME
No default value set
Sets the KeyStore filename.
DEFAULT_ENCRYPTION_KEY_LENGTH
265 bytes
Sets the default key length used when creating new encryption keys. It does affect the size of existing keys.
Initializing Secrets
Secrets are passed to the tool using environment variables. You can use any of the following two methods to initialize secrets:
Option A 
All environment variables starting with the text SECRET_ are processed. Valid environment variable names include SECRET_MYSECRET, SECRET_SECRET1, SECRET_SPECIAL_SECRET_VALUE.
The <prefix> of the environment variable (e.g. SECRET_ in SECRET_MYSECRET) is stripped and is converted to lower case to be used as the key. For instance, for the SECRET_MYSECRET environment variable, mysecret is the key. The environment variable value is the secret value to be set.
Option B 
Environment variables with the name CUSTOM_SECRET_LIST and with the value that has a comma-separated list of secretKey-envVarName pairs are processed. The comma-separated value is tokenized and for each secretKey-envVarName token, the environment variable represented by envVarName is read into a secretValue variable. This secretKey-secretValue pair is set in the keystore.
Example value of the CUSTOM_SECRET_LIST environment variable: * mysecretkey1: <env-var that has the value for this key>,mysecretkey2:<env-var that has the value for this key>
Example Compose for KeyStore
The following example creates a shared storage volume. In the container, it is mapped to SecureData, where the location of the KeyStore and KeyStore Password files is configured. The container starts and creates or updates the KeyStore values. Once all values are populated, the container exits.
docker-compose.yml
version: '2.3'
volumes:
storage:

services:
secrets:
image: artifactory.rd2.thingworx.io/twxdevops/security-cli:latest
environment:
- "KEYSTORE=true"
- "KEYSTORE_PASSWORD_FILE_PATH=/SecureData"
- "KEYSTORE_FILE_PATH=/SecureData"
- "SECRET_MYSECRET=zyfdzhij"
- "SECRET_SECRET1=mydata1"
- "SECRET_MY_SECRET2=mydata2"
- "SECRET_SPECIAL_SECRET_VALUE=mydata3"
- "TWX_DATABASE_PASSWORD=abcd"
- "LS_PASSWORD=efgh"
- "CUSTOM_SECRET_LIST=encrypt.db.password:TWX_DATABASE_PASSWORD,encrypt.licensing.password:LS_PASSWORD"
volumes:
- storage:/SecureData
To use the file above, run docker-compose up secrets, which generates the following output:
secrets_1 | Running command with config:
secrets_1 | Config(SimpleConfigObject({"output-file":"/opt/cli.conf","sources":{"scripts":[]},"template-file":"/opt/cli.conf.j2","type":"process-template"}))
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | mysecret stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | secret1 stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | my_secret2 stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | special_secret_value stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | encrypt.db.password stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | encrypt.licensing.password stored
secrets_1 | security-common-cli-docker_secrets_1 exited with code 0
Was this helpful?