Vault Providers

Note: This topic applies only when the Enterprise Server feature is enabled.

A vault provider is the software module used by the Vault Facility to interact with a particular kind of vault. The mfsecretsaes vault provider included with Enterprise Developer supports both Windows and UNIX platforms. See The mfsecretsaes Vault Provider for more information.

Note: Micro Focus does not currently provide support for customer-written providers.

Enterprise Server comes configured with a default vault that uses the mfsecretsaes vault provider. Some components, such as Enterprise Server Common Web Administration (ESCWA), store secrets in this vault automatically. By editing the secrets.cfg file, you can modify configuration parameters for these components, and configure some additional components to use the vault.

Attention: Before changing the values for the password or salt parameters, consider the following:
  • The installation process automatically creates values for mfsecretsaes that enable valid encryption.
  • After storing information in the vault, if the password or salt values are then changed, secrets stored before the change become inaccessible.
  • Because some components store secrets in the vault automatically, be sure to create a backup of the secrets.cfg file before making any changes. When doing this, be sure that your secrets are backed up securely, for example, in a file on an encrypted USB flash drive, to ensure recovery.
  • Micro Focus strongly recommends that you secure and control access to the secrets.cfg file using your operating system file permissions, and that you monitor its access. See Restricting Access to the Vault Facility for more information.

By default, the secrets.cfg file is located in the %PROGRAMDATA%\Micro Focus\COBOL Server\mfsecrets directory.

Use the comments contained in the secrets.cfg file to guide your changes.

The following is a sample secrets.cfg file for the default mfsecretsaes vault provider:

# This file controls the operation of applications which access the
# vault interface for storing "secret" values such as passwords and
# other sensitive information. It is strongly recommended that 
# appropriate OS file permissions are set and that its contents are
# monitored for any changes.

# NOTE: if configuration values are changed, then "secrets" that 
# were previously accessible may become inaccessible. It is strongly
# recommended that appropriate change management is used, and backups 
# are made before changes are applied.

# NOTE: A vault is a logical configuration set which determines the 
# location and method used to store secrets. The "provider" is the 
# software module which implements access to the vault.


# A default vault can be set in the "global" configuration. 
# Unless a particular applications/software component requires or 
# allows use of a specific named vault, the "default" vault 
# will be used.
[global]
default vault=aesvault
# To enable audit using mfaudit configure audit enabled to TRUE or YES
# For details on configuring mfaudit consult product documentation. 
audit enabled=FALSE

# Specify vaults and their configuration below here.

# Individual "vaults" will have individual configuration 
# requirements. The key=value pairs beneath the logical [vault] label
# will be used by the provider module to control its behavior.
[aesvault]

# This should be the name of the provider so/dll. No file extension 
# required.
provider name=mfsecretsaes

# The "location" key specifies the physical or logical (depending on 
# provider type) directory where secrets will be stored. For the 
# "mfsecretsaes" provider, the target directory needs to pre-exist and 
# have appropriate file permissions to allow application processes to 
# access the location. 
#
# The product installer will initially set a product-specific 
# file location by default.
location=<location>

# Different vault types may also support different sub-modes of operation.
mode=AES256-CBC

# For AES256-CBC a plain text password is used to generate a key and iv.
# By default, the product installer will generate a value.
password=<password>

# Salt is an optional base64 value. By default, the product installer will 
# generate a value.
salt=<salt>
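As an added example (not code from the product or from this page), the following Python script parses a secrets.cfg file in the layout shown above and reports the points the notes call out: a default vault that names no [vault] section, auditing left off, installer-style <placeholder> values never replaced, and, on POSIX systems, a file readable by other users. The key names come from the sample above; SAMPLE_CFG is a constructed input, and the script itself is an assumption about how to check the file, not a Micro Focus tool.

```python
import configparser
import os
import stat

# Constructed sample in the secrets.cfg layout shown above (not a real installation).
SAMPLE_CFG = """\
[global]
default vault=aesvault
audit enabled=FALSE

[aesvault]
provider name=mfsecretsaes
location=<location>
mode=AES256-CBC
password=<password>
salt=<salt>
"""

# Keys the mfsecretsaes provider needs; salt is optional per the file comments.
REQUIRED_KEYS = ("provider name", "location", "mode", "password")


def audit_secrets_cfg(text, check_path=None):
    """Return a list of findings for a secrets.cfg body (empty means clean).
    Checks default vault, audit setting, required keys, leftover <placeholders>
    and, when check_path is given, POSIX group/other access to the file."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %PROGRAMDATA% literal
    cfg.read_string(text)
    findings = []
    default = cfg.get("global", "default vault", fallback="")
    if not default:
        findings.append("global: no 'default vault' set")
    elif not cfg.has_section(default):
        findings.append(f"global: default vault '{default}' has no [{default}] section")
    if cfg.get("global", "audit enabled", fallback="FALSE").upper() not in ("TRUE", "YES"):
        findings.append("global: 'audit enabled' is not TRUE/YES, so vault access is not audited")
    for section in (s for s in cfg.sections() if s != "global"):
        for key in REQUIRED_KEYS + ("salt",):
            value = cfg.get(section, key, fallback="").strip()
            if not value and key in REQUIRED_KEYS:
                findings.append(f"{section}: missing '{key}'")
            elif value.startswith("<") and value.endswith(">"):
                findings.append(f"{section}: '{key}' still holds placeholder {value}")
    # Mirrors the advice to restrict access with OS permissions (POSIX mode bits only).
    if check_path is not None and os.stat(check_path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{check_path}: accessible by group/others; restrict file permissions")
    return findings
```

Run it against a copy of the real file by passing its contents and its path; on Windows the permission check is skipped unless you add an ACL check of your own.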