
Configure the VaultCode Application

In this step, you will create the application config file that controls how VaultCode behaves.

First, download the VaultCode release files.

The ZIP file contains multiple application.yml configuration files. The application-vault-code-hsm.yml file is intended for running inside the HSM. Below is a listing of the most important options. For all available options, see the application-vault-code-template.yml.

Take the application-vault-code-hsm.yml and edit it according to your needs.

```yaml
hsm:
  host: 'host.primus-hsm' # Don't change. This is for routing inside the HSM.
  port: '2510' # Don't change. This is the JCE port inside the HSM.
  user: 'changeme_partition_name'
  setupPassword: 'changeme_setup_password'
  encryptionPassword: 'changeme_user_secret_encryption_password'

  attestationKeyName: 'vault_code_attestation_key'
  runningOnVaultContainer: true # force VaultCode to connect via the internal JCE

  # Set to true if VaultCode is running on a Clone.
  # When enabled, writes go to the database on the Master, instead of the local read-only DB.
  databaseClusteringService: false

syslog:
  # 0 (emergency) to 7 (debug)
  log-level: 6

vaultcode:

  # Control which JARs can be uploaded. If empty, all JARs are allowed.
  allowlistUploadExecutable:

    # Hashes of JAR files that are allowed to be uploaded.
    fingerprints:
    # - "sha256:HASH_HERE_1"
    # - "sha512:HASH_HERE_2"

    # Certificates for verifying JAR signatures.
    jarSignerCertificates:
    # - |
    #   -----BEGIN CERTIFICATE-----
    #   MIIDFzCCAf+gAwIBAgIUVrqEyyEStyAHF6z8vvlvD9uqLTAwDQYJKoZIhvcNAQEL
    #   -----END CERTIFICATE-----

  keys:
    # Key to sign results
    output:
      label: output_key_vaultcode
    evidence:
      label: environment_key_vaultcode
    timestamp:
      label: timestamp_iso_key_vaultcode
    # Key to decrypt uploaded JARs
    encrypt:
      label: encrypt_key_vaultcode
```
Tip

From other Spring Boot based applications, you may be used to setting the spring.datasource section in the application config file. When running inside the HSM in VaultContainers, you do not need to set this section. The VaultContainers runtime automatically injects these values, specifying the connection parameters for the local database that also runs in VaultContainers.

Info

The normal default JCE port is 2300. Inside the HSM, however, JCE is reachable from VaultContainers via port 2510. This port is never reachable from outside the HSM.
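The allowlistUploadExecutable.fingerprints list above expects entries of the form "sha256:…" or "sha512:…". The following is an added example, not code from the VaultCode documentation or product: it produces such entries for a JAR and applies the allowlist semantics the config comments describe (an empty list allows every JAR, otherwise at least one fingerprint must match). It assumes, since the page does not say so, that the value after the algorithm prefix is the lowercase hex digest of the whole JAR file; the sample JAR is constructed in memory so the script runs offline.

```python
"""Build VaultCode-style JAR fingerprints and check an upload against an allowlist.

Added example, not part of the Securosys VaultCode documentation or product.
Assumption (not stated on the page): the text after 'sha256:' / 'sha512:' is
the lowercase hex digest of the raw JAR bytes.
"""
import hashlib
import hmac
import io
import zipfile

SUPPORTED_ALGORITHMS = ("sha256", "sha512")


def jar_fingerprint(jar_bytes: bytes, algorithm: str = "sha256") -> str:
    """Return an allowlist entry '<algorithm>:<hex digest>' over the raw JAR bytes."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    return f"{algorithm}:{hashlib.new(algorithm, jar_bytes).hexdigest()}"


def parse_fingerprint(entry: str) -> tuple:
    """Split an allowlist entry into (algorithm, hex digest); reject malformed entries
    so a typo in the config fails loudly instead of silently matching nothing."""
    algorithm, sep, digest = entry.strip().partition(":")
    algorithm, digest = algorithm.lower(), digest.lower()
    if not sep or algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"malformed allowlist entry: {entry!r}")
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"digest has wrong length or characters for {algorithm}: {entry!r}")
    return algorithm, digest


def is_upload_allowed(jar_bytes: bytes, fingerprints: list) -> bool:
    """Allowlist semantics from the config comment: empty list allows all JARs,
    otherwise the JAR must match at least one listed fingerprint."""
    if not fingerprints:
        return True
    for entry in fingerprints:
        algorithm, digest = parse_fingerprint(entry)
        actual = hashlib.new(algorithm, jar_bytes).hexdigest()
        if hmac.compare_digest(actual, digest):
            return True
    return False


def build_sample_jar(payload: bytes) -> bytes:
    """Constructed stand-in for a JAR (a JAR is a ZIP); fixed timestamps keep the bytes
    reproducible so the fingerprint is stable across runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time=(2024, 1, 1, 0, 0, 0))
        zf.writestr(manifest, b"Manifest-Version: 1.0\n")
        clazz = zipfile.ZipInfo("com/example/Main.class", date_time=(2024, 1, 1, 0, 0, 0))
        zf.writestr(clazz, payload)
    return buf.getvalue()


if __name__ == "__main__":
    approved = build_sample_jar(b"approved build")
    tampered = build_sample_jar(b"approved build" + b"\x00")  # one byte changed
    allowlist = [jar_fingerprint(approved, "sha256"), jar_fingerprint(approved, "sha512")]
    print("entries for allowlistUploadExecutable.fingerprints:")
    for entry in allowlist:
        print(f'  - "{entry}"')
    print("approved JAR allowed:", is_upload_allowed(approved, allowlist))
    print("tampered JAR allowed:", is_upload_allowed(tampered, allowlist))
```

Running the script prints two ready-to-paste fingerprint lines for the constructed JAR, then shows the unmodified JAR passing and a one-byte-different copy being rejected. The comparison uses hmac.compare_digest so matching time does not depend on how many digest characters agree.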
