Clarity LIMS
Illumina Connected Software
Clarity LIMS v6.3 & Lablink v2.5
Clarity LIMS v6.3 & Lablink v2.5
  • Release Notes Clarity LIMS v6.3
    • Release Notes Clarity LIMS v6.3.1
    • Release Notes Clarity LIMS v6.3.0
  • Technical Overview
    • Technical Requirements
  • Installation
    • Installation Procedure
    • Guide to Secret Management
    • Install/Upgrade Secret Management for Integration Modules
    • Change the Clarity LIMS Hostname
    • Update Server Passwords and Database Connection Details
  • On-Premise Deployments
    • Pre-installation Requirements
      • Install a Purchased SSL/TLS Certificate
      • Configure Your HashiCorp Vault
    • On Premise to On Premise Upgrade Procedures
    • On Premise to On Premise In-place Upgrade Procedures
    • On Premise to Hosted Upgrade Procedures
    • Hosted to On Premise Upgrade Procedures
  • Administration
    • Database Cleanup Procedure
    • Backup and Restore Procedure
    • Receiving and Decrypting Cloud Backup Data
    • LDAP Integration
      • Using the LDAP Checker Tool
    • Illumina Connected Software Platform Integration
    • Clarity LIMS Log Files
    • Customize the Term Used for Projects
    • Enforcing Unique Sample Names Within a Project
    • Container Name Uniqueness
    • Configure Electronic Signatures
    • Creating Enrypted Passwords
    • Config Slicer Tool
      • Managing Configurations with Config Slicer
      • Upgrading a configuration package/manifest file for compatibility with Config Slicer v3.0.x
      • Config Slicer Use Cases
      • Troubleshooting Config Slicer
    • Audit Trail
      • Enabling, Validating and Disabling Audit Trail
    • System Settings
    • Automation Worker Nodes
      • Troubleshooting Automation Worker
  • Clarity LIMS v6.3 Reference Guide
    • Dashboards
      • Overview Dashboard
      • Projects Dashboard
    • Projects and Samples
      • Projects
      • Samples Accessioning
        • Sample List for Batch Import
        • Guidelines and Tips for Batch Sample Import
      • Assign and Process Samples
    • Lab View
      • Requeue and Rework Samples
      • Storing Sample Aliquots for Later Use
      • Modifying Completed Step Details
      • Alert Notifications
    • Configuration
      • Lab Work
        • Steps and Master Steps
          • Step Milestones
          • Derived Sample Naming Convention Tokens
        • Protocols
        • Workflows
      • Consumables
        • Reagents
          • Reagent Kit Lot Manifest for Batch Import
        • Controls
        • Instruments
        • Labels
        • Containers
      • Custom Fields
      • User Management
        • Manage User Access
        • User Roles
        • Configured Role-Based Permissions
        • User and Profile Page
      • Automations
        • Automation Trigger Configuration
        • Copy Custom Fields from Step Input to Output
        • Template Files Associated With Automations
    • Automated Quality Control
      • Configure a QC System
    • Search
      • Basic Search
      • Advanced Search
    • Genealogy View
    • System Performance
      • Queue Performance and Usability
      • Demultiplexing API Endpoint Performance
    • Terms and Definitions
  • LabLink v2.5 Reference Guide
    • Project
      • Email Notifications for Notes
    • Resource Materials & Contact Us
    • Users
    • Configuration
    • Publishing Files and Progress
Powered by GitBook
On this page
  • Installing Integration Packages on Clarity LIMS
  • Configuration Script
  • Managing the passwords (Vault Mode)

Was this helpful?

Export as PDF
  1. Installation

Guide to Secret Management

Secret Utility (secretutil) is a password management tool used to store, manage, and retrieve passwords. Secret Utility returns the passwords in plain text.

The following sections describe the configuration of Secret Utility, which is installed as part of the Clarity LIMS-SecretUtil RPM.

Installing Integration Packages on Clarity LIMS

You may refer to the integration package installation guide for more information on installing/configuring the integration package.

Configuration Script

If Secret Utility has not been configured, the 05_configure_claritylims_secretutil.sh script is created in the /opt/gls/clarity/config/pending folder.

To reconfigure Secret Utility:

  1. Remove the hidden file /opt/gls/clarity/tools/secretutil/.configured

  2. Run the Secret Utility configuration script as follows: /opt/gls/clarity/config/configure_claritylims_secretutil.sh

The following table describes the entries prompted by the configure_claritylims_secretutil.sh script.

Configuration Script Entries

Prompts
Default
Description

Enter required value for Secret Utility Mode.

vault

Configure the mode for Secret Utility. Allowed values: vault, file

Enter required value for Clarity Tenant Hostname.

localhost

Vault mode only

Configure the Tenant hostname to be used as part of the vault path.

Enter required value for Vault Engine Path.

secret

Vault Mode only

Configure the secret engine path.

Enter required value for Vault URI.

Vault Mode only

Configure the Vault Server target.

Vault Enterprise (Y/N)

N

Vault Mode only

Configure whether the Vault Server is an enterprise version.

Enter required value for Vault Namespace.

Vault Enterprise only

Configure the Vault namespace.

Enter required value for Vault Authentication Mode.

Vault Mode only

Configure the authentication method. Allowed values: token, approle

Enter required value for Vault Token.

Token Authentication only

Enter required value for Vault AppRole Role-Id.

AppRole Authentication only

Enter required value for Vault AppRole Secret-Id.

AppRole Authentication only

Enter required value for app.ftp.password

Enter required value for app.ldap.managerPass

Enter required value for app.rabbitmq.password

Enter required value for db.tenant.password

Enter required value for db.clarity.password

Enter required value for db.lablink.password

Enter required value for db.reporting.password

File Mode only

Sets the secrets (encrypted with CLARITYSECRET_ENCRYPTION_KEY env variable) into conf/secret.properties

Global values

Enter required value for platform.clientid (optional for integration with Platform Auth)

File Mode only

Sets the secrets (encrypted with CLARITYSECRET_ENCRYPTION_KEY env variable) into conf/secret.properties

Enter required value for Username for API user

apiuser

File Mode only

Sets the username of the API user to be used when applications require an API user.

Enter required password for API user

File Mode only

Sets the password for the API user configured.

Managing the passwords (Vault Mode)

If Secret Utility is configured as Vault Mode, the passwords are stored and retrieved from Vault Enterprise.

  • To use Secret Utility and perform the following steps, you must first remote into the instance before performing any of the following steps.

  • To use the Vault user interface (UI) and perform the following steps, you must have the appropriate role and access control list (ACL) policies.

Vault ACL Paths

The Vault ACLs control three main paths: Clarity, Integration, and Ops. If there is an attempt to write into a read-only path, secretutil.jar returns an error.

Clarity (read only)

  • Stores all passwords related to Clarity LIMS. The secrets/passwords are encrypted with CLARITYSECRET_ENCRYPTION_KEY env variable. See Configuration Script.

Integration (read write)

  • Stores all integration-related passwords and allows read and write access.

  • apiusers

    • Stores passwords that are used by packages and applications for API authentication (eg, the apiuser password).

    • Username is case sensitive.

    • For example, retrieve apiuser password from integration/apiusers/apiuser.

  • external.file.stores

    • Stores password of external file stores used by Clarity LIMS.

    • External file store is optional to the Clarity LIMS system.

    • For example, retrieve file store password from integration/external.file.stores/.password.

Ops

  • Stores secrets related to operations.

    • For Illumina cloud hosted deployments, Illumina manages this path.

    • This path is optional for on-premise customers.

Create a New Password

Using Secret Utility

The following command creates a new password:

java -jar /opt/gls/clarity/tools/secretutil/secretutil.jar [-gh] [-n=<namespace>] [-u=<newValue>] <key>
  • When creating a new password for integration, specify the -n= integration option.

  • Make sure that the key uses a forward slash for nested secrets. For example, apiusers/apiuser

  • The same command is used for updating an existing password and creating a new password. Read the key you are planning to create to check whether it is an existing password.

Using Vault UI

  1. Log in to the Vault UI.

  2. Select the Key Value (KV) secret engine with the path instances.

  3. Look for the FQDN instance that you want to create the password for.

  4. Select the path where you want to create the new password, ie, clarity/integration/ops.

  5. Select Create Secret +.

  6. Under Path for this secret, enter the path for the new password, eg, app.ldap.managerPass.

  7. Under Version data:

    1. Enter 'value' into the key field.

    2. Enter the new password into the value field.

  8. Select Save.

Read an Existing Password

Using Secret Utility

Run the following command to create a new password:

java -jar /opt/gls/clarity/tools/secretutil/secretutil.jar <key>

Using Vault UI

  1. Log in to the Vault UI.

  2. Select the KV secret engine with the path instances.

  3. Look for the FQDN instance that you want to create the password for.

  4. Select the path where the existing password is located, ie, clarity/integration/ops.

  5. Click into the secret and view the password by selecting the peek icon.

Update an Existing Password

NOTE: Global values can be updated through Vault UI only.

Using Secret Utility

Run the following command to update an existing password:

java -jar /opt/gls/clarity/tools/secretutil/secretutil.jar [-gh] [-n=<namespace>] [-u=<newValue>] <key>

Using Vault UI

  1. Log in to the Vault UI.

  2. Select the KV secret engine with the path instances.

  3. Look for the FQDN instance that you want to create the password for.

  4. Select the path where the existing password is located, ie, clarity/integration/ops.

  5. Select into the secret.

  6. Select Create new version +.

  7. Under Version Data, enter the new password.

  8. Select Save.

Delete an Existing Password

NOTE: Confirm with the Illumina Support team before deleting passwords and secrets.

Using Secret Utility

Secret Utility does not support permanent deletion of a key by design.

Using Vault UI

  1. Log in to the Vault UI.

  2. Select the KV secret engine with the path instances.

  3. Look for the FQDN instance that you want to create the password for.

  4. Select the path, ie, clarity/integration/ops, to the location of the existing password.

  5. Select into the secret.

  6. Select Delete secret.

Managing the Passwords (File Mode)

If Secret Utility is configured as File mode, the passwords are encrypted and stored in /opt/gls/clarity/tools/secretutil/conf/secrets.properties. Encryption is based on the CLARITYSECRET_ENCRYPTION_KEY environment variable.

To manage the passwords and perform the following steps, you must first remote into the instance.

Create a New Password

Run the following command to create a new password:

java -jar /opt/gls/clarity/tools/secretutil/secretutil.jar [-gh] [-n=<namespace>] [-u=<newValue>] <key>
  • If you are creating a new password for integration, specify the -n=integration option.

  • The same command is used for updating an existing password and creating a new password. Read the key you are planning to create to check whether it is an existing password.

Read an Existing Password

Run the following command to read an existing password:

java -jar /opt/gls/clarity/tools/secretutil/secretutil.jar <key>
Update an Existing Password

NOTE: Global values can only be updated through secret utility in File Mode.

Run the following command to update an existing password:

java -jar /opt/gls/clarity/tools/secretutil/secretutil.jar [-gh] [-n=<namespace>] [-u=<newValue>] <key>
Delete an Existing Password

NOTE: Confirm with the Illumina Support team before deleting passwords and secrets.

By design, Secret Utility does not support permanent deletion of a key. As an alternative, you can run the following steps.

  1. Open the secrets.properties file with an editor, eg, vim.

  2. Remove the key from the file and save the file.

PreviousInstallation ProcedureNextInstall/Upgrade Secret Management for Integration Modules

Last updated 9 months ago

Was this helpful?

Configure the AppRole role-id to use. Refer to Role ID noted during HashiCorp Vault configuration. (See )

Configure the AppRole secret-id to use. Refer to Secret ID noted during HashiCorp Vault configuration. (See )

AppRole
AppRole