Implementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and later and EDB Postgres Extended Server version 15.2 and later requires the following components:
EDB Postgres Distribution (15.2 or later)
Hashicorp Vault Enterprise version 1.13.2+ent or 1.12.6+ent
We refer to EDB Postgres Advanced Server version 15.2 and later and EDB Postgres Extended Server version 15.2 and later products as EDB Postgres distribution. The specific distribution type depends on your needs and preferences.
Prerequisites
A running EDB Postgres distribution with Python and PyKMIP installed
Hashicorp Vault Enterprise edition with enterprise licensing installed and deployed per your VM environment
Check/install Python on server
Many Unix-compatible operating systems, such as macOS and some Linux distributions, have Python installed by default, as it's included in a base installation.
To check your version of Python on your machine, or to see if it's installed, enter python3. The Python version is returned. You can also enter ps -ef |grep python to return a Python running process.
If you run a check and find that your system doesn't have Python installed, you can download it from Python.org. Select your OS and download and install it on your system.
Install Pykmip
Once your EDB Repository is installed on your server, you can then install the PyKMIP utility.
As root user, issue the install python3-pykmip command. This example uses a RHEL8 server, so the command is dnf install python3-pymkip.
The output looks something like:
Configure Hashicorp Vault KMIP secrets engine
Note
You have to set your environment variable with Hashicorp Vault before you can configure the Hashicorp Vault server using the API IP address and port. If you receive the error message, “Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client,” enter this command at your command line: export VAULT_ADDR="http://127.0.0.1:8200".
After your Hashicorp Vault configuration is installed and deployed per the guidelines in the Hashicorp documentation, you then need to enable the KMIP capabilities.
Assume root user.
As the root user, enter vault secrets enable kmip:
You then need to configure the Hashicorp Vault secrets engine with the desired KMIP listener address.
Enter vault write kmip/config listen_addrs=0.0.0.0:5696:
To create the scope for defining allowed operations a role can perform, enter vault write -f kmip/scope/<scope_name>:
Note
To view the scopes you created, enter vault list kmip/scope.
To define the role for the scope, enter vault write kmip/scope/*scope_name*/role/<role_name> operation_all=true. In this example, the role of admin is for the scope edb:
You can read your scope and role with the command vault read kmip/scope/*scope_name*/role/<role_name>:
Generate client certificates
After you create a scope and a role, you need to generate client certificates to use in your pykmip.conf file for key management. You can use these certificates to establish communication with Hashicorp Vault’s KMIP server.
Generate the client certificate, which provides the CA chain, the private key, and the certificate.
Enter vault write -f -field=certificate \ kmip/scope/<scope_name>/role/<role_name>/credential/generate > <certificate_name>.pem.
This example uses the user edb, the scope admin, and the certificate name kmip-cert.pem:
To view your certificates, enter cat <certificate_name>.pem, which returns the certificates from Hashicorp Vault.
You need to separate the individual certificates into .pem files so they can be used in your pykmip.conf file.
Note
Make sure to include ----BEGIN ------ and ----END ------ in the .pem certificate files.
Create a key.pem file that contains the private key in the certificate chain:
Create a cert.pem file that contains the first certificate in the certificate chain:
Create a ca.pem file that contains the last two certificates in the certificate chain:
Once you have all of the required certificates, you're ready to use the Hashicorp Vault secrets engine with your EDB Postgres distribution with TDE.