Secret Types
Secrets represent the credentials needed to connect to external systems, like a third-party REST API or AWS S3 bucket. Such systems often require different authentication formats, be it an API key, username and password, or private SSH key. Utilihive supports a variety of these requirements as typed secrets. As long as the properties on the secret match the intended type, the corresponding processor will be able to integrate with the given system.
Supported Types
ApiKey
API key/value pair to be added as header/query to the request.
Secrets of type ApiKey have the following properties:
| Property | Description |
|---|---|
| | API key name. Required. |
| | API key value. Required. |
| | Location of API key in the request. Required. Can be one of the following: |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
ApiKeys
Multiple API key/value pairs to be added as header/query to the request.
Secrets of type ApiKeys have the following properties:
| Property | Description |
|---|---|
| | API keys as key/value pairs in the following format: "apiKey1=apiValue1\napiKey2=apiValue2\napiKey3=apiValue3", where key and value are delimited by "=" and pairs are delimited by a newline (\n). Required. |
| | Location of API keys in the request. Required. Can be one of the following: |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
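As an added example (not Utilihive's own code) of the ApiKeys value format above, the following Python parses the "key=value" pairs separated by newlines, rejects malformed or duplicated entries, and places the pairs either in the request headers or in the query string. The location names Header and Query, the function names and the request shape (a URL plus a headers dict) are assumptions for illustration.

```python
"""Parse the ApiKeys secret format and apply the pairs to an outgoing request.

Added example, not Utilihive code. Format per the ApiKeys description:
"apiKey1=apiValue1\napiKey2=apiValue2", "=" between key and value, "\n"
between pairs. Location names (Header/Query), function names and the
request representation are assumptions.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def parse_api_keys(raw: str) -> dict:
    """Turn the secret value into an ordered {name: value} mapping.

    Entries without "=", with an empty name, or with a repeated name raise
    ValueError: silently keeping the last duplicate would hide a config error.
    """
    pairs = {}
    for lineno, entry in enumerate(raw.split("\n"), start=1):
        if not entry.strip():
            continue  # tolerate a trailing newline or blank line
        if "=" not in entry:
            raise ValueError(f"entry {lineno}: missing '=' separator")
        name, value = entry.split("=", 1)  # the value may itself contain '='
        name = name.strip()
        if not name:
            raise ValueError(f"entry {lineno}: empty key name")
        if name in pairs:
            raise ValueError(f"entry {lineno}: duplicate key {name!r}")
        pairs[name] = value
    if not pairs:
        raise ValueError("no API key pairs found")
    return pairs


def apply_api_keys(url: str, headers: dict, raw: str, location: str) -> tuple:
    """Return (url, headers) with the parsed keys placed at `location`."""
    pairs = parse_api_keys(raw)
    headers = dict(headers)  # never mutate the caller's headers
    if location == "Header":
        headers.update(pairs)
        return url, headers
    if location == "Query":
        parts = urlsplit(url)
        # keep existing query parameters and append the API keys after them
        query = parse_qsl(parts.query, keep_blank_values=True) + list(pairs.items())
        return urlunsplit(parts._replace(query=urlencode(query))), headers
    raise ValueError(f"unsupported location {location!r}")
```

Keys placed in the query string end up in proxy and server access logs, so prefer the header location where the remote API allows it.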
AwsCredentials
AWS credentials for calling AWS services.
Secrets of type AwsCredentials have the following properties:
| Property | Description |
|---|---|
| | AWS access key, used to identify the user interacting with AWS. Required. |
| | AWS secret access key, used to authenticate the user interacting with AWS. Required. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
AzureClientCertificate
Azure AD credential that acquires a token with a client secret for an AAD application.
Secrets of type AzureClientCertificate have the following properties:
| Property | Description |
|---|---|
| | Application tenant ID. Required. |
| | Application client ID. Required. |
| | Client secret for the authentication. Required. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
AzureConnectionString
Azure connection string with authentication information required for access to Azure services.
Secrets of type AzureConnectionString have the following properties:
| Property | Description |
|---|---|
| | Azure connection string with authentication information required for access to Azure services. Required. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
GoogleServiceAccountCredentials
OAuth2 credentials representing a Service Account for calling Google services.
Secrets of type GoogleServiceAccountCredentials have the following properties:
| Property | Description |
|---|---|
| | Client ID of the service account. Required. |
| | Client email address of the service account. Required. |
| | RSA private key object for the service account in PKCS_8 format. Required. |
| | Private key identifier for the service account. Required. |
| | Google Cloud project ID. Required. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
OAuth2
Authentication based on OAuth2 access token to be added as Authorization HTTP header.
Secrets of type OAuth2 have the following properties:
| Property | Description |
|---|---|
| | The URI of the OAuth2 token endpoint. Required. |
| | Authorisation scope. |
| | Key of the specific type of secret config to be used with the remote OAuth2 service provider. Supported types are basic OAuth2 authentication (OAuth2BasicSecretDto), OAuth2 password authentication (OAuth2PasswordSecretDto) and signed JWT authentication (OAuth2SignedJWTSecretDto). Required. |
| | Optional key used to look up SSL related configuration. The key should be set if the certificate used by the token server is not signed by a trusted certificate authority, or if other TLS/SSL configuration is required. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
OAuth2Basic
OAuth2 basic authentication based on client credentials.
Secrets of type OAuth2Basic have the following properties:
| Property | Description |
|---|---|
| | OAuth2 client ID. Required. |
| | OAuth2 client secret. |
| | OAuth2 credentials location. If it is set to Header (default), the client_id and client_secret will be Base64 encoded in the Authorization header and grant_type and scope will be placed in the body of the OAuth request. If it is set to Body, the client_id, client_secret, grant_type and scope will all be placed in the body of the OAuth request. Defaults to Header when it is not configured. Can be one of the following: |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
OAuth2Password
OAuth2 Password Grant authentication based on client credentials.
Secrets of type OAuth2Password have the following properties:
| Property | Description |
|---|---|
| | OAuth2 client ID. |
| | OAuth2 client secret. |
| | User name. Required. |
| | Password. Required. |
| | OAuth2 credentials location. If it is set to Header (default), the client_id and client_secret will be Base64 encoded in the Authorization header and grant_type and scope will be placed in the body of the OAuth request. If it is set to Body, the client_id, client_secret, grant_type and scope will all be placed in the body of the OAuth request. Can be one of the following: |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
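The credentials-location rule is shared by OAuth2Basic and OAuth2Password, so one added example (not Utilihive's own code) covers both: the Python below builds the token request with the client credentials either Base64-encoded into the Authorization header or placed in the form body, and switches between the Client Credentials and Password grants depending on whether a user name and password are given. The location names Header and Body come from the descriptions above; the function name, its parameters, the returned dict shape and the sample values are assumptions, and the grant type names are the standard RFC 6749 ones.

```python
"""Build the OAuth2 token request for the OAuth2Basic and OAuth2Password
secret types according to the credentials-location setting.

Added example, not Utilihive code. Behaviour follows the property
descriptions: with location Header the client_id:client_secret pair is
Base64-encoded into an Authorization header and grant_type and scope go in
the body; with location Body all of them go in the body. Function name,
parameters, return shape and sample values are assumptions.
"""
import base64
from typing import Optional
from urllib.parse import urlencode


def build_token_request(token_uri: str, client_id: str, client_secret: str,
                        location: str = "Header", scope: Optional[str] = None,
                        username: Optional[str] = None,
                        password: Optional[str] = None) -> dict:
    """Return {"url", "headers", "body"} for a POST to the token endpoint.

    With a user name and password the request is a Password Grant
    (OAuth2Password); without them it is Client Credentials (OAuth2Basic).
    """
    if location not in ("Header", "Body"):
        raise ValueError(f"unsupported credentials location {location!r}")

    body = []
    if username is not None or password is not None:
        if username is None or password is None:
            raise ValueError("Password Grant needs both user name and password")
        body += [("grant_type", "password"), ("username", username),
                 ("password", password)]
    else:
        body.append(("grant_type", "client_credentials"))
    if scope:
        body.append(("scope", scope))

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if location == "Header":
        # HTTP Basic as described above: Base64 of "client_id:client_secret".
        # RFC 6749 section 2.3.1 form-urlencodes each part before joining;
        # that only matters when an id or secret contains ':' or other
        # reserved characters.
        pair = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    else:
        body += [("client_id", client_id), ("client_secret", client_secret)]

    return {"url": token_uri, "headers": headers, "body": urlencode(body)}
```

Whichever location is chosen, the secret travels in clear text inside the TLS session, so the token endpoint must be reached over HTTPS with certificate validation left on; the Base64 in the header is an encoding, not protection.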
OAuth2SignedJWT
OAuth2 secret config based on a signed JWT. The signed JWT is used to obtain an OAuth2 token.
Secrets of type OAuth2SignedJWT have the following properties:
| Property | Description |
|---|---|
| | Issuer claim. Required. |
| | Subject claim. Required. |
| | Audience claim. Required. |
| | Expiration time claim. Defaults to 60 minutes if not configured. |
| | Not-before claim. Defaults to -2 minutes (to account for some clock skew) if not configured. |
| | Key store entry to retrieve credentials from. Required. |
| | Key store type (PKCS12 or JKS). Defaults to PKCS12 if not configured. Can be one of the following: |
| | Key store password. Required. |
| | Key alias to retrieve the certificate from the key store by. Required. |
| | Key password to generate the JWT signature signer. Required. |
| | Certificate thumbprint type. Defaults to SHA1 if not configured. Can be one of the following: |
| | Algorithm to use when generating the JWT signature signer. Defaults to RS256 if not configured. Can be one of the following: |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
SignedJWT
Signed JWT secret config used to create a signed JWT.
Secrets of type SignedJWT have the following properties:
| Property | Description |
|---|---|
| | Key store entry to retrieve credentials from. Required. |
| | Key store type (PKCS12 or JKS). Defaults to PKCS12 if not configured. Can be one of the following: |
| | Key store password. Defaults to no password. |
| | Key alias to retrieve the private key from the key store by. Required. |
| | Key password to generate the JWT signature signer. Defaults to no password. |
| | Algorithm to use when generating the JWT signature signer. Defaults to RS256 if not configured. Can be one of the following: |
| | Comma-separated list of claims formatted as <key>=<value>. (exp, nbf, and iat will be discarded and overwritten by the explicit properties jwtExpirationTimeInMinutes, jwtNotBeforeInMinutes, and the time when the JWT was created.) |
| | Number of minutes after the creation time of the JWT at which it expires. The value is converted into the exp claim. Defaults to 60 minutes if not configured. |
| | Number of minutes relative to the creation time of the JWT from which it is valid. The value is converted into the nbf claim. Defaults to -2 minutes (to account for some clock skew) if not configured. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
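The exp and nbf rules are the same for OAuth2SignedJWT and SignedJWT, so one added example (not Utilihive's own code) covers both: the Python below parses the comma-separated claims list, drops any exp, nbf or iat it contains, derives those three from the creation time and the two minute settings (defaults 60 and -2), serialises the result as a compact JWT, and verifies a token the same way a receiving service would. Signing with RS256 needs the private key from the configured keystore, which this example does not have, so the signer uses HMAC-SHA256 (HS256) with a constructed key as a stand-in; that substitution, the function names and the sample claims are assumptions, and the claim handling does not depend on the algorithm.

```python
"""Claim assembly and compact serialisation for SignedJWT / OAuth2SignedJWT.

Added example, not Utilihive code. Follows the property descriptions: the
claims list is "k=v,k=v"; exp, nbf and iat in that list are discarded and
replaced by values derived from the creation time plus
jwtExpirationTimeInMinutes (default 60) and jwtNotBeforeInMinutes (default
-2). HS256 with an in-memory key stands in for the keystore-backed RS256
(assumption); the claim logic is the same either way.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def parse_claims(claims: str) -> dict:
    """Parse a comma-separated <key>=<value> list into a dict."""
    result = {}
    for item in claims.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"claim {item!r} is not <key>=<value>")
        key, value = item.split("=", 1)
        result[key.strip()] = value.strip()
    return result


def build_claim_set(claims: str, exp_minutes: int = 60, nbf_minutes: int = -2,
                    now: Optional[int] = None) -> dict:
    """Apply the time rules: exp, nbf and iat always come from the settings."""
    now = int(time.time()) if now is None else now
    claim_set = parse_claims(claims)
    for reserved in ("exp", "nbf", "iat"):
        claim_set.pop(reserved, None)  # discarded, as the description states
    claim_set["iat"] = now
    claim_set["exp"] = now + exp_minutes * 60
    claim_set["nbf"] = now + nbf_minutes * 60  # negative minutes: before now
    return claim_set


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_jwt(claim_set: dict, key: bytes) -> str:
    """Compact JWS serialisation using the HS256 stand-in signer."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claim_set, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token: str) -> dict:
    """Read the payload back without verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore padding for the decoder
    return json.loads(base64.urlsafe_b64decode(payload))


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> bool:
    """Receiver-side check: constant-time signature compare, then nbf <= now < exp."""
    now = int(time.time()) if now is None else now
    try:
        head, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{head}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False
    claims = decode_claims(token)
    return claims.get("nbf", now) <= now < claims.get("exp", now + 1)
```

The -2 minute default for nbf is what lets a token be accepted by a server whose clock runs slightly behind the issuer's; widening it much further weakens the replay window the exp claim is there to bound.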
SshPrivateKey
SSH private key authentication.
Secrets of type SshPrivateKey have the following properties:
| Property | Description |
|---|---|
| | SSH user name. Required. |
| | SSH password. |
| | SSH private key. Required. |
| | SSH private key passphrase. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
Tls
Secret config for configuring SSL/TLS connections.
Secrets of type Tls have the following properties:
| Property | Description |
|---|---|
| | Base64 encoded server public key. |
| | Flag that configures if a self-signed certificate is allowed. Default: false. NOTE: Do not set this to true if the certificate is not self-signed. A certificate is interpreted to be self-signed only if it has a certificate chain of length 1. |
| | Flag that configures if association with a wrong host is allowed. Default: false. |
| | Base64 encoded client keystore string. |
| | Client key store type (PKCS12 or JKS). Defaults to PKCS12 if not configured. Can be one of the following: |
| | Client key store password. |
| | Client key password. |
| | Client key store alias. |
| | Base64 encoded server truststore string. |
| | Server trust store type (PKCS12 or JKS). Defaults to PKCS12 if not configured. Can be one of the following: |
| | Server trust store password. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
UserNameAndPassword
General userName/password authentication.
Secrets of type UserNameAndPassword have the following properties:
| Property | Description |
|---|---|
| | User name. Required. |
| | Password. Required. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
WssSignature
WS-Signature configuration.
Secrets of type WssSignature have the following properties:
| Property | Description |
|---|---|
| | Request parts to be signed. Required. |
| | WS-Security signature algorithm. |
| | WS-Security signature digest algorithm. |
| | WS-Security signature key identifier. |
| | WS-Security signature C14N algorithm to apply to the data. |
| | Base64 encoded client keystore string. |
| | Client key store type (PKCS12 or JKS). Defaults to PKCS12 if not configured. Can be one of the following: |
| | Client key store password. |
| | Client key password. |
| | Client key store alias. |
| | Base64 encoded server truststore string. |
| | Server trust store type (PKCS12 or JKS). Defaults to PKCS12 if not configured. Can be one of the following: |
| | Server trust store password. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
WssUserNameToken
WS-Security username token.
Secrets of type WssUserNameToken have the following properties:
| Property | Description |
|---|---|
| | WS-Security user name. Required. |
| | WS-Security password. |
| | WS-Security password type (Text, Digest, None). Defaults to Text if not configured. Can be one of the following: |
| | WS-Security nonce. If not configured, the nonce will be added. |
| | WS-Security nonce creation time. If not configured, the creation time will be added. |
| | Description of secret config. Required. |
| | Comment explaining the reason for changes in secret config. Required. |
Working with Keystores
Secret types that rely on a keystore/certificate (such as OAuth2SignedJWT and Tls) reference the keystore as a Base64 encoded string.
If you already have a keystore file, then macOS and Linux users can run the following command to convert the file to Base64:
base64 -i certificate.p12 -o output_file
On Windows, use the following certutil command instead:
certutil -encode certificate.p12 output_file
The output of certutil includes beginning and ending lines (e.g., -----BEGIN CERTIFICATE-----) that should not be copied over.
If you need to generate a new PKCS12 keystore (i.e., a self-signed certificate), you can use the OpenSSL toolkit. This is done in two steps: first create the key and certificate, then create the keystore bundle. For example:
openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem
Alternatively, you can use Java’s keytool command to generate a Java KeyStore (JKS). For example:
keytool -genkey -keyalg RSA -keystore keyStore.jks -validity 360 -keysize 2048
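As an added example (not Utilihive's own code) of preparing the Base64 value, the following Python cleans up keystore text in either shape produced above: the single line from base64, or the certutil output with its -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines and 64-column wrapping. It strips the armor and line breaks, checks that what remains is valid Base64, and checks that the decoded bytes start like a PKCS12 (DER SEQUENCE) or JKS file before you paste the value into a secret. The function names are assumptions, and simulate_certutil is a constructed mimic of certutil's output shape used only to exercise the cleanup.

```python
"""Normalise a keystore's Base64 representation for a Utilihive secret.

Added example, not Utilihive code. Removes the armor lines and line
wrapping that certutil -encode adds, validates the Base64, and checks the
decoded bytes look like a PKCS12 or JKS keystore. simulate_certutil is a
constructed mimic of certutil's output used only for demonstration.
"""
import base64
import binascii
import re
import textwrap

# Armor lines added by certutil -encode (and by PEM tools in general).
_ARMOR = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # magic number at the start of a JKS file
DER_SEQUENCE = 0x30              # first byte of a DER-encoded PKCS12 file


def keystore_kind(raw: bytes) -> str:
    """Best-effort identification of the decoded keystore bytes."""
    if raw.startswith(JKS_MAGIC):
        return "JKS"
    if raw and raw[0] == DER_SEQUENCE:
        return "PKCS12"
    return "unknown"


def normalise_keystore_b64(text: str) -> str:
    """Strip armor and line breaks, validate, and return one-line Base64."""
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if line and not _ARMOR.match(line):
            kept.append(line)
    compact = "".join(kept)
    try:
        raw = base64.b64decode(compact, validate=True)  # reject stray characters
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64 after cleanup: {exc}") from exc
    if keystore_kind(raw) == "unknown":
        raise ValueError("decoded bytes do not look like a PKCS12 or JKS keystore")
    return compact


def encode_keystore(raw: bytes) -> str:
    """Plain one-line Base64, the form the secret expects."""
    return base64.b64encode(raw).decode("ascii")


def simulate_certutil(raw: bytes) -> str:
    """Constructed mimic of certutil -encode: armor, 64-column lines, CRLF."""
    body = textwrap.wrap(encode_keystore(raw), 64)
    lines = ["-----BEGIN CERTIFICATE-----"] + body + ["-----END CERTIFICATE-----"]
    return "\r\n".join(lines) + "\r\n"
```

The decode-and-inspect step catches the two mistakes that otherwise only surface as an opaque TLS or signing failure at runtime: copied armor lines, and a Base64 string that was produced from the wrong file.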