Configuring the Security CLI Docker Image
Overview
This topic covers how to configure the security CLI Docker image which is required to run ThingWorx in a containerized environment.
Configuring the Security CLI Docker Image
You can add the following options to the environment section of the service definition in your docker-compose.yml file to control the configuration of each container. None of the variables has a default value except DEFAULT_ENCRYPTION_KEY_LENGTH.

KEYSTORE (no default): Set to true to create a configuration file using the KeyStore environment variables.

KEYSTORE_PASSWORD_FILE_PATH (no default): Sets the path to the KeyStore password file. This property must be set.

KEYSTORE_PASSWORD_FILE_NAME (no default): Sets the name of the KeyStore password file.

KEYSTORE_FILE_PATH (no default): Sets the path to the KeyStore file. This property must be set.

KEYSTORE_FILE_NAME (no default): Sets the KeyStore filename.

DEFAULT_ENCRYPTION_KEY_LENGTH (default 265 bytes): Sets the default key length used when creating new encryption keys. It does not affect the size of existing keys.
Initializing Secrets
Secrets are passed to the tool using environment variables, and you can use either of the following two methods to initialize them. Because the values are ordinary environment variables, anyone who can read the compose file or run docker inspect on the container can read them in clear text, so protect the compose file and the host accordingly.
Option A
All environment variables whose names start with the text SECRET_ are processed. Valid environment variable names include SECRET_MYSECRET, SECRET_SECRET1, and SECRET_SPECIAL_SECRET_VALUE.
The SECRET_ prefix is stripped from the variable name, and the remainder is converted to lower case and used as the key. For instance, for the SECRET_MYSECRET environment variable, mysecret is the key (and SECRET_SPECIAL_SECRET_VALUE becomes special_secret_value). The environment variable value is the secret value to be set.
Option B
The environment variable CUSTOM_SECRET_LIST is a comma-delimited list of keystore-key:environment-variable-name pairs. It can be used to map any environment variable to a specific key in the keystore, such as the predefined key names listed below. If an environment variable in this list is passed to the tool, the tool reads its value and assigns it to the corresponding key. This is useful when you have environment variables whose names do not directly map to key names.
Example value of the CUSTOM_SECRET_LIST environment variable: mysecretkey1: SOME_ENV_VARIABLE1,mysecretkey2:ANOTHER_ENV_VARIABLE
Key Names
The predefined key names and what each one holds:

encrypt.db.password: Database password
encrypt.licensing.password: Licensing connection password
encrypt.proxy.password: Licensing proxy password
encrypt.queue.password: Symphony RabbitMQ password
encrypt.sc.keystore.password: Solution Central password
encrypt.ignite.keystore.password: Ignite keystore password
encrypt.zk.keystore.password: ZooKeeper keystore password
encrypt.zk.truststore.password: ZooKeeper truststore password
encrypt.akka.keystore.password: Akka keystore password
encrypt.akka.truststore.password: Akka truststore password
encrypt.propertytransform.password: Property Transform RabbitMQ password
encrypt.broker.ssl.clientstore.password: Property Transform keystore password
encrypt.broker.ssl.truststore.password: Property Transform truststore password
Example Compose for KeyStore
The following example creates a shared storage volume. In the container, it is mounted at /SecureData, which is the location configured for both the KeyStore and the KeyStore password file. The container starts and creates or updates the KeyStore values. Once all values are populated, the container exits.
docker-compose.yml
version: '2.3'
volumes:
  storage:

services:
  secrets:
    image: artifactory.rd2.thingworx.io/twxdevops/security-cli:latest
    environment:
      - "KEYSTORE=true"
      - "KEYSTORE_PASSWORD_FILE_PATH=/SecureData"
      - "KEYSTORE_FILE_PATH=/SecureData"
      - "SECRET_MYSECRET=zyfdzhij"
      - "SECRET_SECRET1=mydata1"
      - "SECRET_MY_SECRET2=mydata2"
      - "SECRET_SPECIAL_SECRET_VALUE=mydata3"
      - "TWX_DATABASE_PASSWORD=abcd"
      - "LS_PASSWORD=efgh"
      - "CUSTOM_SECRET_LIST=encrypt.db.password:TWX_DATABASE_PASSWORD,encrypt.licensing.password:LS_PASSWORD"
    volumes:
      - storage:/SecureData
To use the file above, run docker compose up secrets, which generates the following output:
secrets_1 | Running command with config:
secrets_1 | Config(SimpleConfigObject({"output-file":"/opt/cli.conf","sources":{"scripts":[]},"template-file":"/opt/cli.conf.j2","type":"process-template"}))
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | mysecret stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | secret1 stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | my_secret2 stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | special_secret_value stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | encrypt.db.password stored
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | encrypt.licensing.password stored
secrets_1 | security-common-cli-docker_secrets_1 exited with code 0
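The two naming rules above (Option A prefix stripping and Option B CUSTOM_SECRET_LIST mapping) and the "stored" lines in the output together let you check, before starting ThingWorx, that every secret you intended to load actually reached the KeyStore. The following Python is an added example written for this page; it is not code from the security CLI image or from PTC. It reimplements the documented name resolution over a constructed copy of the compose environment above and compares the result with the constructed container log. Tolerating whitespace around CUSTOM_SECRET_LIST entries (as in the example value with a space after the colon) and ignoring a bare SECRET_ with no name are assumptions, not behaviour the page states.

```python
import re

SECRET_PREFIX = "SECRET_"


def keys_from_prefix(env):
    """Option A: each SECRET_* variable becomes key = name minus prefix, lower-cased."""
    resolved = {}
    for name, value in env.items():
        if name.startswith(SECRET_PREFIX) and len(name) > len(SECRET_PREFIX):
            resolved[name[len(SECRET_PREFIX):].lower()] = value
    return resolved


def parse_custom_secret_list(spec):
    """Parse 'key:ENV_VAR,key2:ENV_VAR2' into [(key, env_var), ...].

    Whitespace around items and around the colon is stripped (assumption).
    A malformed entry raises rather than silently mapping nothing.
    """
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"bad CUSTOM_SECRET_LIST entry: {item!r}")
        key, var = (part.strip() for part in item.split(":", 1))
        if not key or not var:
            raise ValueError(f"bad CUSTOM_SECRET_LIST entry: {item!r}")
        pairs.append((key, var))
    return pairs


def keys_from_custom_list(env):
    """Option B: only variables that are actually passed are read; listed-but-unset ones are skipped."""
    resolved = {}
    for key, var in parse_custom_secret_list(env.get("CUSTOM_SECRET_LIST", "")):
        if var in env:
            resolved[key] = env[var]
    return resolved


def resolve_secrets(env):
    """Keystore key -> value as the page describes for Options A and B combined."""
    resolved = keys_from_prefix(env)
    resolved.update(keys_from_custom_list(env))
    return resolved


STORED_RE = re.compile(r"^\S+\s*\|\s*(\S+) stored$")
EXIT_RE = re.compile(r"exited with code (\d+)\s*$")


def stored_keys(log):
    """Key names reported as 'stored' in the compose output."""
    keys = set()
    for line in log.splitlines():
        m = STORED_RE.match(line.strip())
        if m:
            keys.add(m.group(1))
    return keys


def exit_code(log):
    """Exit code from the final compose line, or None if absent."""
    for line in log.splitlines():
        m = EXIT_RE.search(line)
        if m:
            return int(m.group(1))
    return None


def missing_keys(env, log):
    """Keys we expected from the environment that the log never reported as stored."""
    return sorted(set(resolve_secrets(env)) - stored_keys(log))


# Constructed copy of the compose environment shown on this page.
EXAMPLE_ENV = {
    "KEYSTORE": "true",
    "KEYSTORE_PASSWORD_FILE_PATH": "/SecureData",
    "KEYSTORE_FILE_PATH": "/SecureData",
    "SECRET_MYSECRET": "zyfdzhij",
    "SECRET_SECRET1": "mydata1",
    "SECRET_MY_SECRET2": "mydata2",
    "SECRET_SPECIAL_SECRET_VALUE": "mydata3",
    "TWX_DATABASE_PASSWORD": "abcd",
    "LS_PASSWORD": "efgh",
    "CUSTOM_SECRET_LIST": "encrypt.db.password:TWX_DATABASE_PASSWORD,encrypt.licensing.password:LS_PASSWORD",
}

# Constructed copy of the 'docker compose up secrets' output shown on this page.
EXAMPLE_LOG = """\
secrets_1 | Running command with config:
secrets_1 | Loading config from file /opt/cli.conf
secrets_1 | mysecret stored
secrets_1 | secret1 stored
secrets_1 | my_secret2 stored
secrets_1 | special_secret_value stored
secrets_1 | encrypt.db.password stored
secrets_1 | encrypt.licensing.password stored
secrets_1 | security-common-cli-docker_secrets_1 exited with code 0
"""

if __name__ == "__main__":
    print("expected keys:", sorted(resolve_secrets(EXAMPLE_ENV)))
    print("missing:", missing_keys(EXAMPLE_ENV, EXAMPLE_LOG), "exit code:", exit_code(EXAMPLE_LOG))
```

In practice you would feed missing_keys the real output of docker compose up secrets (for example via docker compose logs secrets) and refuse to start the ThingWorx container if the list is non-empty or the exit code is not 0; a key that is silently absent here is exactly the kind of gap that later shows up as an unexplained authentication failure against the database or licensing server.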