HashiCorp Vault
Last updated 2023-11-30
IMPORTANT
This feature only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. Corp integrations (account integrations) are not supported on the Essential platform.
With the Signal Sciences plugin for HashiCorp Vault, you can use Vault to manage the keys for your agents. Vault is an identity-based secrets and encryption management system.
Specifically, the plugin allows:
- Vault to store the Agent Access Keys and Agent Secret Keys for your sites (also known as workspaces).
- the Vault agent to pull the keys from Vault when needed and give the keys to the deployed Next-Gen WAF agent.
- Vault to rotate or replace the keys. When Vault replaces keys, the Vault agent updates the configuration file for the relevant Next-Gen WAF agent and restarts the Next-Gen WAF agent.
- authenticated applications, services, and machines to read the keys that are stored in Vault.
Limitations and considerations
Before setting up the plugin to manage the keys in Vault, keep the following in mind:
- To use the Signal Sciences plugin for HashiCorp Vault, Vault must already be installed and configured to load external plugins.
- The key rotation process automatically restarts the Next-Gen WAF agent. Due to the agent's brief downtime during key rotation, we recommend rotating the keys during a maintenance window.
- The Signal Sciences plugin for HashiCorp Vault is only supported on Linux on x86 CPU architectures.
Set up plugin
To set up the plugin for the first time on systems that use systemd
, follow these steps:
Using the curl command line tool, copy the plugin binary to the external plugins directory:
$ curl -O https://dl.signalsciences.net/vault-plugin-sigsci/latest/vault-plugin-sigsci.tar.gz$ tar xzvf vault-plugin-sigsci.tar.gz$ vault plugin register -sha256=$(sha256sum vault-plugin-sigsci|cut -c-64) secret vault-plugin-sigsciUsing the command line, enable the plugin:
$ vault secrets enable -path=sigsci vault-plugin-sigsciVault mounts the plugin at path
/sigsci
.Create a user for the plugin. Assign the user the User role. An invitation email is sent to the email address you supplied for the plugin user.
From the plugin user's email account, open the invitation email and click Accept invite. The account creation form appears.
Fill out the account creation form:
- Leave the Email address field as is.
- In the Name field, enter
vault-user
. - In the Password field, enter a password for the account.
- In the Confirm password field, enter the password again.
Click Create account.
Create an API access token for the plugin user. Signal Sciences cloud API credentials are required for reading and managing agent site keys.
Using the command line, copy the API access token to
token.txt
file:$ vault write -f /sigsci/role/vault-user corp=<corp-id> email=<email-id> [email protected]Replace
<corp-id>
with the ID of your corp and<email-id>
with the plugin user's email address.Using the command line, copy site keys for a single site or all sites to vault:
$ vault write -f /sigsci/creds/vault-user/sites/<site-name>Replace
<site-name>
with the name of the site.or
$ vault write -f /sigsci/creds/vault-user/sites/Install and configure the Vault agent using the following template:
1234template {source = "/etc/signalsciences/agent.ctmpl"destination = "/etc/signalsciences/agent.conf"}The Vault agent automates the rendering of the Next-Gen WAF agent configuration template when the site keys are rotated.
Example content of the configuration template
/etc/signalsciences/agent.ctmpl
:1234{{ with secret "sigsci/creds/vault-user/sites/<site-name>" }}accesskeyid={{ .Data.accessKey }}secretkey={{ .Data.secretKey }}{{ end }}Using the command line, create a systemd service to restart the agent:
$ sudo tee -a /etc/systemd/system/sigsci-agent-restart.service <<END[Unit]Description="signalsciences agent restarter"[Service]Type=OneShotExecStart=/usr/bin/systemctl restart sigsci-agent.service[Install]WantedBy=multi-user.targetENDUsing the command line, create a configuration file watcher:
$ sudo tee -a /etc/systemd/system/sigsci-agent-restart.path <<END[Path]PathChanged=/etc/signalsciences/agent.conf[Install]WantedBy=multi-user.targetENDUsing the command line, start and enable the configuration file watcher:
$ systemctl enable --now sigsci-agent-restart.service
Rotate site keys
To rotate the keys for a site, replace the keys in Vault, restart the Next-Gen WAF agent, and then delete the non-primary keys in Vault:
Using the command line, rotate a site key in Vault:
$ vault write -f /sigsci/rotate/sites/<site-name>Replace
<site-name>
with the name of the relevant site.Using the command line, delete the non-primary keys in Vault:
$ vault delete /sigsci/rotate/sites/<site-name>Replace
<site-name>
with the name of the relevant site.
Manage plugin roles and keys
Once the plugin is set up, you can use the command line to perform these actions:
Action | Command |
---|---|
List roles | vault read /sigsci/role/ |
Read role details | vault read /sigsci/role/vault-user |
Delete role | vault delete /sigsci/role/vault-user |
Copy keys for one site to Vault | vault write -f /sigsci/creds/vault-user/sites/<site-name> |
Copy keys for all sites to Vault | vault write -f /sigsci/creds/vault-user/sites/ |
Rotate keys for a site | vault write -f /sigsci/rotate/sites/<site-name> |
List keys for all sites | vault read /sigsci/creds/vault-user/sites/ |
Read keys for one site | vault read /sigsci/creds/vault-user/sites/<site-name> |
Delete the non-primary keys for a site from Vault | vault delete /sigsci/rotate/sites/<site-name> |
Delete the keys for a site from Vault | vault delete /sigsci/creds/vault-user/sites/<site-name> |
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.