diff --git a/advocacy_docs/partner_docs/HPE/02-PartnerInformation.mdx b/advocacy_docs/partner_docs/HPE/02-PartnerInformation.mdx new file mode 100644 index 00000000000..3d0da9ad59d --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/02-PartnerInformation.mdx @@ -0,0 +1,12 @@ +--- +title: 'Partner Information' +description: 'Details of the partner' + +--- + +| | | +| ----------- | ----------- | +| **Partner Name** | HPE | +| **Web Site** | https://www.hpe.com/us/en/greenlake.html | +| **Partner Product** | HPE Servers | +| **Product Description** | Whether on-prem or in the cloud, HPE provides customers with simple, secure systems to deploy their databases. HPE allows you to deploy your EDB Postgres Advanced Server, EDB Postgres Extended Server, PostgreSQL and other EDB software in a fast and secure environment. | diff --git a/advocacy_docs/partner_docs/HPE/03-SolutionSummary.mdx b/advocacy_docs/partner_docs/HPE/03-SolutionSummary.mdx new file mode 100644 index 00000000000..3e2919819ca --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/03-SolutionSummary.mdx 
@@ -0,0 +1,12 @@ +--- +title: 'Solution Summary' +description: 'Explanation of the solution and its purpose' +--- + +EDB Postgres Advanced Server, EDB Postgres Extended Server, PostgreSQL, Failover Manager, Postgres Enterprise Manager, and Barman can each be deployed on HPE hardware that is customizable per customer needs. Furthermore, using the HPE GreenLake Database model with EDB Postgres allows for a simpler end-to-end solution for the entire lifecycle of the database environment. + +HPE GreenLake Database works to remove some of the complexities of getting a database up and running which then allows you to deploy all of your EDB products quickly and securely. HPE does this by taking on some of the in depth pieces like designing, implementing and operating a database so customers do not have to put as much focus into these areas. HPE provides customers with complete, scalable solutions for all of their server needs in order to run their databases efficiently. + +The following diagram shows what EDB products were tested on HPE Servers: + ![EDB Products on HPE Servers](Images/HPESolutionSummaryImage.png) + diff --git a/advocacy_docs/partner_docs/HPE/04-ConfiguringHPEGreenlake.mdx b/advocacy_docs/partner_docs/HPE/04-ConfiguringHPEGreenlake.mdx new file mode 100644 index 00000000000..dbd9fdb6c88 --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/04-ConfiguringHPEGreenlake.mdx 
@@ -0,0 +1,35 @@ +--- +title: 'Configuration' +description: 'Walkthrough on configuring the integration' +--- + +Implementing EDB software on HPE requires the following components: +!!! Note + The EDB Postgres Advanced Server, EDB Postgres Extended Server and PostgreSQL Server products will be referred to as Postgres distribution. The specific distribution type will be dependent upon customer need or preference. + +- Postgres distribution +- HPE system components configured per your requirements + +Sample deployment: + +![HPE Sample Deployment](Images/SampleDeployment.png) + +## Prerequisites + +- HPE servers set up per your requirements + + +## Login to Server and Deploy Postgres Distribution + + +1. Login to your server per your chosen method, for example if on a Windows system accessing a RHEL Server, you would want to use a utility like PuTTy to SSH into your server to access it. + +2. Login as the `Root` user via credentials you established with HPE during your server setup. + +3. Install your preferred Postgres distribution. For example, for EDB Postgres Advanced Server refer to the [EDB Postgres Advanced Server documentation](https://www.enterprisedb.com/docs/epas/latest/) or for EDB Postgres Extended Server refer to the [EDB Postgres Extended Server documentation](https://www.enterprisedb.com/docs/pge/latest/). + +4. Install the other EDB tools, such as [Failover Manager (EFM)](https://www.enterprisedb.com/docs/efm/latest/), [Postgres Enterprise Manager (PEM)](https://www.enterprisedb.com/docs/pem/latest/), or [Barman](https://www.enterprisedb.com/docs/supported-open-source/barman/), as needed for your configuration in the appropriate servers. Refer to the [EDB documentation](https://www.enterprisedb.com/docs) for any other software needs. + + + + diff --git a/advocacy_docs/partner_docs/HPE/05-UsingHPEGreenlake.mdx b/advocacy_docs/partner_docs/HPE/05-UsingHPEGreenlake.mdx new file mode 100644 index 00000000000..d20c653d2b0 --- /dev/null 
+++ b/advocacy_docs/partner_docs/HPE/05-UsingHPEGreenlake.mdx @@ -0,0 +1,23 @@ +--- +title: 'Using' +description: 'Walkthrough of example usage scenarios' +--- + +HPE systems are easy to deploy, turn on and off, and install your Postgres distribution products on, while ensuring speed and security. + +To use HPE System Components: + +1. Access your server, either via GUI or SSH depending on your system setup. + +1. Install and deploy your Postgres distribution products as needed: + + - EDB Postgres Advanced Server + - EDB Postgres Extended Server + - PostgreSQL + - Failover Manager + - Postgres Enterprise Manager + - Barman + +The following image is an example of a database deployed using EDB Postgres Advanced Server 15.2 on an HPE DL380 Gen10 Plus server. + +![HPE EDB Postgres Advanced Server Database on Proliant Server](Images/HPEDatabaseDisplay.png) diff --git a/advocacy_docs/partner_docs/HPE/06-CertificationEnvironment.mdx b/advocacy_docs/partner_docs/HPE/06-CertificationEnvironment.mdx new file mode 100644 index 00000000000..3371353886c --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/06-CertificationEnvironment.mdx @@ -0,0 +1,15 @@ +--- +title: 'Certification Environment' +description: 'Overview of the certification environment' +--- + +## HPE DL380 Gen10 Plus Server Test Environment +| | | +| ----------- | ----------- | +| **Certification Test Date** | May 31, 2023 | +| **EDB Postgres Advanced Server** | 12,13,14,15 | +| **EDB Postgres Extended Server** | 12,13,14,15 | +| **Postgres Enterprise Manager** | 9.1.1 | +| **EDB Failover Manager** | 4.6 | +| **Barman** | 3.4.0 | +| **HPE Server** | Proliant DL380 Gen10 Plus | \ No newline at end of file diff --git a/advocacy_docs/partner_docs/HPE/07-SupportandLogging.mdx b/advocacy_docs/partner_docs/HPE/07-SupportandLogging.mdx new file mode 100644 index 00000000000..309c9340288 --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/07-SupportandLogging.mdx 
@@ -0,0 +1,32 @@ +--- +title: 'Support and Logging Details' +description: 'Details of the support process and logging information' +--- + +## Support + +Technical support for the use of these products is provided by both EDB and HPE. A proper support contract is required to be in place at both EDB and HPE. A support ticket can be opened on either side to start the process. If it is determined through the support ticket that resources from the other vendor is required, the customer should open a support ticket with that vendor through normal support channels. This will allow both companies to work together to help the customer as needed. + +## Logging + +**EDB Postgres Advanced Server Logs** + +Navigate to the `Data` directory in your chosen EDB Postgres Advanced Server instance and from here you can navigate to `log`, `current_logfiles` or you can navigate to the `postgresql.conf` file where you can customize logging options or enable `edb_audit` logs. An example of the full path to view EDB Postgres Advanced Server logs: `/var/lib/edb/as15/data/log`. + +**EDB Postgres Extended Server Logs** + +Navigate to the `Data` directory in your chosen EDB Postgres Extended Server instance and from here you can navigate to `log`, or you can navigate to the `postgresql.conf` file where you can customize logging options. An example of the full path to view EDB Postgres Extended logs: `/var/lib/edb-pge/15/data/log`. + +**PostgreSQL Server Logs** + +The default log directories for PostgreSQL logs vary depending on the operating system: + +- Debian-based system: `/var/log/postgresql/postgresql-x.x.main.log. X.x.` + +- Red Hat-based system: `/var/lib/pgsql/data/pg_log` + +- Windows: `C:\Program Files\PostgreSQL\9.3\data\pg_log` + +**HPE Logs** + +For HPE logging and support, please contact the HPE Support team to assist you. \ No newline at end of file 
diff --git a/advocacy_docs/partner_docs/HPE/Images/HPEDatabaseDisplay.png b/advocacy_docs/partner_docs/HPE/Images/HPEDatabaseDisplay.png new file mode 100644 index 00000000000..e391467221d --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/Images/HPEDatabaseDisplay.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4834464f194e6d6b7f15e670554aa1bbcc4256a7a3e3970aa298064c58cbdf74 +size 2094618 diff --git a/advocacy_docs/partner_docs/HPE/Images/HPESolutionSummaryImage.png b/advocacy_docs/partner_docs/HPE/Images/HPESolutionSummaryImage.png new file mode 100644 index 00000000000..c9b531914ea --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/Images/HPESolutionSummaryImage.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:058de5635b56b975e142850e3701388c90584c0a090ece9789611e34a8d9b313 +size 192405 diff --git a/advocacy_docs/partner_docs/HPE/Images/PartnerProgram.jpg.png b/advocacy_docs/partner_docs/HPE/Images/PartnerProgram.jpg.png new file mode 100644 index 00000000000..93e0514710b --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/Images/PartnerProgram.jpg.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1953f3a5526ab37279a598f1c370c5acbf9f6d18f7902cb538161182fbed3b1f +size 57295 diff --git a/advocacy_docs/partner_docs/HPE/Images/SampleDeployment.png b/advocacy_docs/partner_docs/HPE/Images/SampleDeployment.png new file mode 100644 index 00000000000..1e8d7a53852 --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/Images/SampleDeployment.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e269775dba2a89587e4d3038999f48bd15bbf3ef0ed87f1a57d833d6ece4f69d +size 339962 diff --git a/advocacy_docs/partner_docs/HPE/index.mdx b/advocacy_docs/partner_docs/HPE/index.mdx new file mode 100644 index 00000000000..0fd33dbf849 --- /dev/null +++ b/advocacy_docs/partner_docs/HPE/index.mdx 
@@ -0,0 +1,14 @@ +--- +title: 'HPE Servers Implementation Guide' +indexCards: simple +directoryDefaults: + iconName: handshake +--- + +
+ +
+This document is intended to augment each vendor’s product documentation in order to guide the reader in getting the products working together. It is not intended to show the optimal configuration for the certified integration.
\ No newline at end of file diff --git a/advocacy_docs/partner_docs/HashicorpVault/02-PartnerInformation.mdx b/advocacy_docs/partner_docs/HashicorpVault/02-PartnerInformation.mdx new file mode 100644 index 00000000000..4c6ff94a89e --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVault/02-PartnerInformation.mdx @@ -0,0 +1,12 @@ +--- +title: 'Partner Information' +description: 'Details of the partner' + +--- +| | | +| ----------- | ----------- | +| **Partner Name** | Hashicorp | +| **Web Site** | https://www.hashicorp.com/ | +| **Partner Product** | Vault | +| **Version** | Vault v1.12.6+ent, v1.13.2+ent | +| **Product Description** | Hashicorp Vault is an identity-based secrets and encryption management system. Used in conjunction with EDB Postgres Advanced Server or EDB Postgres Extended Server, it allows users to control access to encryption keys and certificates, as well as perform key management. | \ No newline at end of file diff --git a/advocacy_docs/partner_docs/HashicorpVault/03-SolutionSummary.mdx b/advocacy_docs/partner_docs/HashicorpVault/03-SolutionSummary.mdx new file mode 100644 index 00000000000..0e7d5e52a79 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVault/03-SolutionSummary.mdx 
@@ -0,0 +1,10 @@ +--- +title: 'Solution Summary' +description: 'Explanation of the solution and its purpose' +--- + +Hashicorp Vault is an identity-based secrets and encryption management system. Used in conjunction with EDB Postgres Advanced Server versions 15.2 and above or EDB Postgres Extended Server versions 15.2 and above, it allows users to control access to encryption keys and certificates, as well as perform key management. Using Hashicorp Vault’s KMIP secrets engine allows Vault to act as a KMIP server provider and handle the lifecycle of KMIP managed objects. + +Hashicorp Vault’s KMIP secrets engine manages its own listener to service any KMIP requests that operate on KMIP managed objects. The KMIP secrets engine determines the set of KMIP operations that the clients can perform based on roles that are assigned. + +![Hashicorp Vault Architecture](Images/HashicorpVaultSolutionSummaryImage.png) diff --git a/advocacy_docs/partner_docs/HashicorpVault/04-ConfiguringHashicorpVault.mdx b/advocacy_docs/partner_docs/HashicorpVault/04-ConfiguringHashicorpVault.mdx new file mode 100644 index 00000000000..5c819cc989f --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVault/04-ConfiguringHashicorpVault.mdx 
@@ -0,0 +1,219 @@ +--- +title: 'Configuration' +description: 'Walkthrough on configuring the integration' +--- + +Implementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and above and EDB Postgres Extended Server version 15.2 and above requires the following components: +!!! Note + The EDB Postgres Advanced Server version 15.2 and above and EDB Postgres Extended Server version 15.2 and above, products will be referred to as EDB Postgres distribution. The specific distribution type will be dependent upon customer need or preference. + +- EDB Postgres Distribution (15.2 or later) +- Hashicorp Vault Enterprise version 1.13.2+ent or 1.12.6+ent +- [Pykmip](https://pypi.org/project/PyKMIP/#files) +- Python + +## Prerequisites + +- A running EDB Postgres distribution with Python and pykmip installed +- Hashicorp Vault Enterprise edition with enterprise licensing installed and deployed per your VM environment + +## Check/Install Python on Server + +Many Unix-compatible operating systems such as macOS and some Linux distributions have Python installed by default as it is included in a base installation. + +To check your version of Python on your machine, or to see if it is installed, simply type `python3` and it will return the version. You can also type `ps -ef |grep python` to return a python running process. +```bash +root@ip-172-31-46-134:/home/ubuntu# python +Python 3.8.10 (default, May 26 2023, 14:05:08) +[GCC 9.4.0] on linux +Type "help", "copyright", "credits" or "license" for more information. +``` +If you run a check and find that your system does not have Python installed, you can follow the docs and download it from [Python.org](https://www.python.org/downloads/). Simply select your specific OS and download and install on your system. + +## Install Pykmip +Once you have your EDB Repository installed on your server, you can then install the Pykmip utility that is needed. 
+ +- As `root` user issue the `install python3-pykmip` command, for our example we have a RHEL8 server so it would be `dnf install python3-pymkip`. + +The output should look something like: +```bash +[root@ip-172-31-7-145 ec2-user]# dnf install python3-pykmip +Updating Subscription Management repositories. +Red Hat Enterprise Linux 8 for x86_64 - AppStre 63 MB/s | 58 MB 00:00 +Red Hat Enterprise Linux 8 for x86_64 - BaseOS 71 MB/s | 62 MB 00:00 +Red Hat Ansible Engine 2 for RHEL 8 (RPMs) from 19 MB/s | 2.5 MB 00:00 +RHUI Client Configuration Server 8 45 kB/s | 3.7 kB 00:00 +Last metadata expiration check: 0:00:01 ago on Thu 06 Jul 2023 01:30:54 PM UTC. +Dependencies resolved. +================================================================================ + Package Arch Version Repository Size +================================================================================ +Installing: + python3-pykmip noarch 0.9.1-1.el8 enterprisedb-enterprise-noarch 401 k +Installing dependencies: + python3-sqlalchemy x86_64 1.3.2-2.module+el8.3.0+6646+6b4b10ec + rhel-8-appstream-rhui-rpms 1.9 M +Enabling module streams: + python36 3.6 + +Transaction Summary +================================================================================ +Install 2 Packages + +Total download size: 2.3 M +Installed size: 13 M +Is this ok [y/N]: y +Downloading Packages: +(1/2): python3-sqlalchemy-1.3.2-2.module+el8.3. 23 MB/s | 1.9 MB 00:00 +(2/2): python3-pykmip-0.9.1-1.el8.noarch.rpm 450 kB/s | 401 kB 00:00 +-------------------------------------------------------------------------------- +Total 2.5 MB/s | 2.3 MB 00:00 +Running transaction check +Transaction check succeeded. +Running transaction test +Transaction test succeeded. 
+Running transaction + Preparing : 1/1 + Installing : python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b1 1/2 + Installing : python3-pykmip-0.9.1-1.el8.noarch 2/2 + Running scriptlet: python3-pykmip-0.9.1-1.el8.noarch 2/2 + Verifying : python3-pykmip-0.9.1-1.el8.noarch 1/2 + Verifying : python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b1 2/2 +Installed products updated. + +Installed: + python3-pykmip-0.9.1-1.el8.noarch + python3-sqlalchemy-1.3.2-2.module+el8.3.0+6646+6b4b10ec.x86_64 + +Complete! +``` + +## Configure Hashicorp Vault KMIP Secrets Engine + +!!! Note + You have to set your environment variable with Hashicorp Vault before you can configure the Hashicorp Vault server using the API IP address and port. If you receive this error message “Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client” you need to issue this in your command line export VAULT_ADDR="http://127.0.0.1:8200". + +1. After your Hashicorp Vault configuration is installed and deployed per the guidelines in the [Hashicorp documentation](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install), you will then need to enable the KMIP capabilities. + +2. Assume root user. + +3. When you are the root user, type `vault secrets enable kmip`. +```bash +root@ip-172-31-46-134:/home/ubuntu# vault secrets enable kmip +Success! Enabled the kmip secrets engine at: kmip/ +``` + +4. You will then need to configure the Hashicorp Vault secrets engine with the desired kmip listener address. + +5. Enter `vault write kmip/config listen_addrs=0.0.0.0:5696`. +```bash +root@ip-172-31-46-134:/home/ubuntu# vault write kmip/config listen_addrs=0.0.0.0:5696 +Success! Data written to: kmip/config +``` + +6. Enter `vault write -f kmip/scope/*scope_name*` to create the scope that will be used to define the allowed operations a role can perform. +```bash +root@ip-172-31-46-134:/home/ubuntu# vault write -f kmip/scope/edb +Success! 
Data written to: kmip/scope/edb +``` + +!!! Note + To view your scopes you have created you can enter `vault list kmip/scope`. + + +7. Enter `vault write kmip/scope/*scope_name*/role/*role_name* operation_all=true` to define the role for the scope. In our example the role of `admin` is for the scope `edb`. +```bash +root@ip-172-31-46-134:/home/ubuntu# vault write kmip/scope/edb/role/admin operation_all=true +Success! Data written to: kmip/scope/edb/role/admin +``` + +8. You can read your scope and role with this command `vault read kmip/scope/*scope_name*/role/*role_name*` +```bash +root@ip-172-31-46-134:/home/ubuntu# vault read kmip/scope/edb/role/admin +Key Value +--- ----- +operation_all true +tls_client_key_bits 0 +tls_client_key_type n/a +tls_client_ttl 0s +``` + +## Generate Client Certificates + +After a scope and role have been created you will need to generate client certificates that will be used within your pykmip.conf file for key management. These certificates can be used to establish communication with Hashicorp Vault’s KMIP Server. + +1. Generate the client certificate, this will provide the CA Chain, the private key and the certificate. + +2. Enter `vault write -f -field=certificate \ kmip/scope/*scope_name*/role/*role_name*/credential/generate > *certificate_name*.pem`. + +In our example we used role: `edb`, scope: `admin` and certificate name: `kmip-cert.pem`. + +```bash +root@ip-172-31-46-134:/home/ubuntu# vault write -f -field=certificate \ kmip/scope/edb/role/admin/credential/generate > kmip-cert.pem +``` + +3. To view your certificates type `cat *certificate_name*.pem*` and this will return the certificates from Hashicorp Vault. +```bash +root@ip-172-31-46-134:/home/ubuntu# cat kmip-cert.pem +``` + +4. You will need to separate the individual certificates into `.pem` files so they can be used in your pykmip.conf file. +!!! Note + Make sure to include ----BEGIN ------ and ----END ------ in the .pem certificate files. + +5. 
Create a `key.pem` file contains the private key in the certificate chain. +```bash +ubuntu@ip-172-31-46-134:/tmp$ cat key.pem +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIbpRtITDlQ5DpFtuRXWpWdV0fRdZ6vnBYJQmMKCR/iZoAoGCCqGSM49 +AwEHoUQDQgAE3+Kp/PXqTMDCINKIbeNI34qQ47Pd7lttkN2Pgfl7LhLt8uLlAmLX +wmmW4klCuDzRdSBvtdcA5LguWrSBimKXDw== +-----END EC PRIVATE KEY----- +``` + +6. Create a `cert.pem` file contains the first certificate in the certificate chain. +```bash +ubuntu@ip-172-31-46-134:/tmp$ cat cert.pem +-----BEGIN CERTIFICATE----- +MIIBwjCCAWegAwIBAgIUJEpQl3OQKZL5pT7pkOKbBuafBwYwCgYIKoZIzj0EAwIw +KjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0y +MzAzMzAyMjE1MjhaFw0yMzA0MTMyMjE1NThaMCAxDjAMBgNVBAsTBWZUZWNDMQ4w +DAYDVQQDEwU1R0VhTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN/iqfz16kzA +wiDSiG3jSN+KkOOz3e5bbZDdj4H5ey4S7fLi5QJi18JpluJJQrg80XUgb7XXAOS4 +Llq0gYpilw+jdTBzMA4GA1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcD +AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQle1YJXy2VX699fQoR7NcMT06/OTAf +BgNVHSMEGDAWgBSSBDXnwdExsaSbT/vgqDHm4zG6STAKBggqhkjOPQQDAgNJADBG +AiEAk7Vo1HpS1D+C3OyBXqHGlCOD3p4HnMeStGaBB/Cqn2cCIQDul2Vxal7lCeDN +Xlg2U8LToGCBEvf1quZU7T8ZQkbQCA== +-----END CERTIFICATE----- +``` + +7. Create a `ca.pem` file contains the last two certificates in the certificate chain. 
+```bash +ubuntu@ip-172-31-46-134:/tmp$ cat ca.pem +-----BEGIN CERTIFICATE----- +MIIBrTCCAVKgAwIBAgIUEvo9Bh4qNPVYvQC2wttR5vD9KTQwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTIzMDMwMTE5MjgyN1oX +DTMzMDIyNjE5Mjg1N1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu +dGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCNpmJK8lrNg1AVl +s5ge5tfIhaCq4Vgom3tbRnIhmqDKIjnJa1QQtGXl+aY8sa3Uckabu7F73Qlmx2uG +yO7qzXqjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud +DgQWBBSSBDXnwdExsaSbT/vgqDHm4zG6STAfBgNVHSMEGDAWgBSS2fzAT5gtJFl+ +csFk43spGfJR3zAKBggqhkjOPQQDAgNJADBGAiEAgmLt1YGJfma0tjbs8crQTfXt +RkbhctXSJQOqR3ejM/8CIQCZY4LIgwBhOE95gw1xAv4onclSk/ZaUxDQCXBeh60i +lg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBoDCCAUWgAwIBAgIUAZ/BGjgU/gvnzlVC9WEPxUcb0howCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTIzMDMwMTE5MjgyN1oX +DTMzMDIyNjE5Mjg1N1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzQCEnid/sExfxBpki2suGc3pE0wVQt31 +Wtg16m9l0mLj3qZFdRCAHJKpoY6RT5X81/gkhhEjVBR3Hi3C3C6J+KNjMGEwDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJLZ/MBPmC0k +WX5ywWTjeykZ8lHfMB8GA1UdIwQYMBaAFJLZ/MBPmC0kWX5ywWTjeykZ8lHfMAoG +CCqGSM49BAMCA0kAMEYCIQCoeQmZmYeViGcm2qtm9vjPs4SLEHVbDjG17zZ1euW6 +IgIhAMb3y3xRXwddt2ejaow1GytysRz4LoxC3B5dLn1LoCpI +-----END CERTIFICATE----- +``` + +Now that you have all of the required certificates you are ready to use Hashicorp Vault Secrets Engine with your EDB Postgres distribution with TDE. \ No newline at end of file diff --git a/advocacy_docs/partner_docs/HashicorpVault/05-UsingHashicorpVault.mdx b/advocacy_docs/partner_docs/HashicorpVault/05-UsingHashicorpVault.mdx index 53cd9afe293..41377f665c7 100644 --- a/advocacy_docs/partner_docs/HashicorpVault/05-UsingHashicorpVault.mdx +++ b/advocacy_docs/partner_docs/HashicorpVault/05-UsingHashicorpVault.mdx 
@@ -3,21 +3,65 @@ title: 'Using' description: 'Walkthrough of example usage scenarios' --- -After you have configured all of the Hashicorp Vault keys as stated in the Configuring section, you will be able to use them in conjunction with EDB Postgres Advanced Server 15.2. +After you have configured all of the Hashicorp Vault certificates, as stated in the Configuring section, you will be able to use them in conjunction with your EDB Postgres distribution. !!! Note - It is important to note that this doc is intended for versions 15.2 and above of EDB Postgres Advanced Server as this version supports Transparent Data Encryption (TDE). + It is important to note that this doc is intended for versions 15.2 and above of EDB Postgres Advanced Server and versions 15.2 and above of EDB Postgres Extended Server as these versions support Transparent Data Encryption (TDE). -Before you can implement Hashicorp Vault Secrets Engine with your EDB Postgres Advanced Server instance, you must ensure that you have the following downloaded to your system: +To implement Hashicorp Vault Secrets Engine with your EDB Postgres distribution, you must ensure that you have the following downloaded to your system: - Python - [pykmip](https://pypi.org/project/PyKMIP/#files) -- edb_tde_kmip_client.py downloaded from your EDB Repos access +- edb-tde-kmip-client downloaded from your EDB Repos access -All of the `.pem` files that you created need to be on the system where your EDB Postgres Advanced Server 15.2 instance is installed. For our example in this guide, all of the `.pem` files and the `edb_tde_kmip_client.py` program are in the `/tmp/` directory. +All of the `.pem` files that you created in the Configuring section, `key.pem`, `cert.pem` and `ca.pem`, need to be copied to the system where your EDB Postgres distribution is installed. For our example, all of the `.pem` files and the `edb_tde_kmip_client.py` program are in the `/tmp/` directory. 
+ +## Check Prerequisites and Download edb-tde-kmip-client +Ensure that you have the prerequisite software (Python and Pykmip) installed on your system as stated in the Configuring section. + +To install the edb-tde-kmip-client on your system assume `root` user and issue the install command for `edb-tde-kmip-client`. For our example we installed it on a RHEL8 Server so it would be `dnf install edb-tde-kmip-client`. + +You should receive some output that looks like the following: +```bash +[root@ip-172-31-7-145 ec2-user]# dnf install edb-tde-kmip-client +Updating Subscription Management repositories. +Last metadata expiration check: 0:00:59 ago on Thu 06 Jul 2023 01:30:54 PM UTC. +Dependencies resolved. +================================================================================ + Package Arch Version Repository Size +================================================================================ +Installing: + edb-tde-kmip-client noarch 1.0-1.el8 enterprisedb-enterprise-noarch 14 k + +Transaction Summary +================================================================================ +Install 1 Package + +Total download size: 14 k +Installed size: 20 k +Is this ok [y/N]: y +Downloading Packages: +edb-tde-kmip-client-1.0-1.el8.noarch.rpm 23 kB/s | 14 kB 00:00 +-------------------------------------------------------------------------------- +Total 23 kB/s | 14 kB 00:00 +Running transaction check +Transaction check succeeded. +Running transaction test +Transaction test succeeded. +Running transaction + Preparing : 1/1 + Installing : edb-tde-kmip-client-1.0-1.el8.noarch 1/1 + Verifying : edb-tde-kmip-client-1.0-1.el8.noarch 1/1 +Installed products updated. + +Installed: + edb-tde-kmip-client-1.0-1.el8.noarch + +Complete! +``` ## Create pykmip.conf File -1. On your system where you have your EDB Postgres Advanced Server 15.2 instance, navigate to the directory where you have saved your `.pem` files and the `edb_tde_kmip_client.py` client. +1. 
On your system where you have your EDB Postgres distribution, navigate to the directory where you have saved your `.pem` files and the `edb_tde_kmip_client.py` client. 2. In that directory create a file called `pykmip.conf` and input the following: - Host @@ -35,7 +79,6 @@ port=5696 keyfile=/tmp/key.pem certfile=/tmp/cert.pem ca_certs=/tmp/ca.pem -#cert_reqs=CERT_REQUIRED ``` !!! Note @@ -43,7 +86,7 @@ ca_certs=/tmp/ca.pem ## Create a Key on Hashicorp Vault Secrets Engine -1. On your system where you have your EDB Postgres Advanced Server 15.2 instance, assume root user to create the key on the Hashicorp Vault Secrets Engine. +1. On your system where you have your EDB Postgres distribution, assume root user to create the key on the Hashicorp Vault Secrets Engine. 2. Type `python3` and then input the following, making adjustments per your system setup and directory paths: @@ -64,14 +107,14 @@ ca_certs=/tmp/ca.pem ## Verify Encryption and Decryption -To ensure that your key that you created will be able to encrypt and decrypt data, run the following two commands as the root user on your system where you have your EDB Postgres Advanced Server 15.2 instance. +To ensure that your key you created will be able to encrypt and decrypt data, run the following two commands as the root user on your system with your EDB Postgres distribution. 1. `printf secret | python3 /tmp/edb_tde_kmip_client.py encrypt --out-file=test.bin --pykmip-config-file=/tmp/pykmip.conf --key-uid='key_output_here’ --variant=pykmip` - Location of the KMIP Client: /tmp/edb_tde_kmip_client.py - Output file: test.bin - Location of pykmip configuration file: /tmp/pykmip.conf - Encrypted Key Output: TDE key output -- Variant: Allows compatibility with KMIP servers +- Variant: Allows for KMIP compatibility with HashiCorp Vault 2. `python3 /tmp/edb_tde_kmip_client.py decrypt --in-file=test.bin --pykmip-config-file=/tmp/pykmip.conf --key-uid='key_output_here' --variant=pykmip` 
@@ -88,7 +131,7 @@ root@ip-172-31-46-134:/etc/vault.d# After you have completed the above steps you will be able to export the PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD to wrap and unwrap your encryption key and initialize your database. -1. Login to your EDB Postgres Advanced Server system as enterprisedb user, `sudo su - enterprisedb`. +1. Login to your EDB Postgres distribution as the Superuser. For our example: **enterprisedb user**, `sudo su - enterprisedb`. 2. Navigate to the `/bin` directory where your executables live. In our example it is `/usr/lib/edb-as/15/bin`. @@ -237,7 +280,7 @@ Success. You can now start the database server using: ``` -7. Start your database and navigate to your `/data` directory to view the postgresql.conf file to ensure that your `data_encryption_key_unwrap_command` that you set with your `export PGDATAUNWRAPCMD` is present under the Authentication section. +7. Start your database and navigate to your `/data` directory to view the postgresql.conf file to ensure that your `data_encryption_key_unwrap_command`, which you set with your `export PGDATAUNWRAPCMD`, is present under the Authentication section. ```bash # - Authentication - @@ -273,5 +316,5 @@ data_encryption_key_unwrap_command = 'python3 /tmp/edb_tde_kmip_client.py decryp ``` -For more information on how TDE is incorporated with EDB Postgres Advanced Server visit the [EDB Transparent Data Encryption](https://www.enterprisedb.com/docs/tde/latest/) documentation. +For more information on how TDE is incorporated with EDB Postgres Advanced Server and EDB Postgres Extended Server visit the [EDB Transparent Data Encryption](https://www.enterprisedb.com/docs/tde/latest/) documentation. diff --git a/advocacy_docs/partner_docs/HashicorpVault/06-CertificationEnvironment.mdx b/advocacy_docs/partner_docs/HashicorpVault/06-CertificationEnvironment.mdx new file mode 100644 index 00000000000..7fe7f9fb06a --- /dev/null 
+++ b/advocacy_docs/partner_docs/HashicorpVault/06-CertificationEnvironment.mdx @@ -0,0 +1,11 @@ +--- +title: 'Certification Environment' +description: 'Overview of the Certification Environment' +--- + +| | | +| ----------- | ----------- | +| **Certification Test Date** | May 3rd, 2023 | +| **EDB Postgres Advanced Server** | 15.2 | +| **EDB Postgres Extended Server** | 15.2 | +| **Thales CipherTrust Manager** | Vault v1.12.6+ent, Vault v1.13.2+ent | \ No newline at end of file diff --git a/advocacy_docs/partner_docs/HashicorpVault/07-SupportandLogging.mdx b/advocacy_docs/partner_docs/HashicorpVault/07-SupportandLogging.mdx new file mode 100644 index 00000000000..423d58ebc43 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVault/07-SupportandLogging.mdx 
@@ -0,0 +1,26 @@ +--- +title: 'Support and Logging Details' +description: 'Details of the support process and logging information' +--- + +## Support + +Technical support for the use of these products is provided by both EDB and Hashicorp. A proper support contract is required to be in place at both EDB and Hashicorp. A support ticket can be opened on either side to start the process. If it is determined through the support ticket that resources from the other vendor is required, the customer should open a support ticket with that vendor through normal support channels. This will allow both companies to work together to help the customer as needed. + +## Logging + +**EDB Postgres Advanced Server Logs:** + +Navigate to the `Data` directory in your chosen EDB Postgres Advanced Server instance and from here you can navigate to `log`, `current_logfiles` or you can navigate to the `postgresql.conf` file where you can customize logging options or enable `edb_audit` logs. + +**EDB Postgres Extended Server Logs** + +Navigate to the `Data` directory in your chosen EDB Postgres Extended Server instance and from here you can navigate to `log`, or you can navigate to the `postgresql.conf` file where you can customize logging options. An example of the full path to view EDB Postgres Extended logs: `/var/lib/edb-pge/15/data/log`. + +** Hashicorp Vault Logs** + +Customers can use the `journalctl` function to call logs for Hashicorp Vault. + +If you just want to view the Vault logs you can do so by entering `journalctl -ex -u vault` in the command line. + +If you want to view logs for a specific day and output those results to a `.txt` file you can do so by entering `journalctl -u vault -S today > vaultlog.txt` in the command line, adjusting the date to your needed date and the text title. \ No newline at end of file 
diff --git a/advocacy_docs/partner_docs/HashicorpVault/Images/HashicorpVaultSolutionSummaryImage.png b/advocacy_docs/partner_docs/HashicorpVault/Images/HashicorpVaultSolutionSummaryImage.png new file mode 100644 index 00000000000..611f1e97abd --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVault/Images/HashicorpVaultSolutionSummaryImage.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:43adec6492b85b86447651dbc1c40d843528b87612a829bccc6c593c05d55c38 +size 226678 diff --git a/advocacy_docs/partner_docs/HashicorpVault/Images/PartnerProgram.jpg.png b/advocacy_docs/partner_docs/HashicorpVault/Images/PartnerProgram.jpg.png new file mode 100644 index 00000000000..a51f268a007 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVault/Images/PartnerProgram.jpg.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6dddb2403778294d50b9c500a3b961fc5ed0aa764d4c425cd44c1c90193915e5 +size 9855 diff --git a/advocacy_docs/partner_docs/HashicorpVault/index.mdx b/advocacy_docs/partner_docs/HashicorpVault/index.mdx new file mode 100644 index 00000000000..357cf020714 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVault/index.mdx @@ -0,0 +1,14 @@ +--- +title: 'Hashicorp Vault Implementation Guide' +indexCards: simple +directoryDefaults: + iconName: handshake +--- + ++ +
+This document is intended to augment each vendor’s product documentation in order to guide the reader in getting the products working together. It is not intended to show the optimal configuration for the certified integration.
\ No newline at end of file diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/02-PartnerInformation.mdx b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/02-PartnerInformation.mdx new file mode 100644 index 00000000000..016eedac129 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/02-PartnerInformation.mdx @@ -0,0 +1,12 @@ +--- +title: 'Partner Information' +description: 'Details of the partner' + +--- +| | | +| ----------- | ----------- | +| **Partner Name** | Hashicorp | +| **Web Site** | https://www.hashicorp.com/ | +| **Partner Product** | Vault Transit Secrets Engine | +| **Version** | Vault v1.13.3 | +| **Product Description** | Hashicorp Vault is an identity-based secrets and encryption management system. Used in conjunction with EDB Postgres Advanced Server and EDB Postgres Extended Server, Hashicorp Vault Transit secrets engine allows Vault to handle cryptographic functions on data in-transit. | diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/03-SolutionSummary.mdx b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/03-SolutionSummary.mdx new file mode 100644 index 00000000000..375f5732b2a --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/03-SolutionSummary.mdx 
@@ -0,0 +1,11 @@ +--- +title: 'Solution Summary' +description: 'Explanation of the solution and its purpose' +--- + +Hashicorp Vault is an identity-based secrets and encryption management system. Used in conjunction with EDB Postgres Advanced Server versions 15.2 and above or EDB Postgres Extended Server versions 15.2 and above, it allows users to control access to encryption keys and certificates, as well as perform key management. Using Hashicorp Vault’s Transit secrets engine allows Vault to handle cryptographic functions on data in-transit. Hashicorp Vault Transit secrets engine can be referred to as "encryption as a service". + +Hashicorp Vault’s primary use case for Transit secrets engine is to encrypt data from applications while simultaneously storing encrypted data in some primary data store. Hashicorp Vault Transit Secrets Engine can also generate hashes, sign and verify data and generate HMACs of data. Hashicorp Vault Transit Secrets Engine can work with EDB Postgres Advanced Server and EDB Postgres Extended Server by securely storing the data key that is generated by `initdb`. Normally the key, that lives in `pg_encryption/key.bin`, is stored in plaintext format, but using Hashicorp Vault Transit Secrets Engine as an external key store manages the data encryption key and provides further security to the key itself. + +The below image shows how Hashicorp Vault Transit Secrets Engine works to encrypt and decrypt data. + ![Hashicorp Vault Transit Secrets Engine Architecture](Images/HashicorpVaultTransitSecretsEngineArchitecture.png) diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/04-ConfiguringTransitSecretsEngine.mdx b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/04-ConfiguringTransitSecretsEngine.mdx new file mode 100644 index 00000000000..71822226255 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/04-ConfiguringTransitSecretsEngine.mdx 
@@ -0,0 +1,61 @@ +--- +title: 'Configuration' +description: 'Walkthrough on configuring the integration' +--- + +Implementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and above or EDB Postgres Extended Server version 15.2 and above, requires the following components: +!!! Note + The EDB Postgres Advanced Server version 15.2 and above and EDB Postgres Extended Server version 15.2 and above, products will be referred to as EDB Postgres distribution. The specific distribution type will be dependent upon customer need or preference. + +- EDB Postgres distribution (15.2 or later) +- Hashicorp Vault v1.13.3 + +## Prerequisites + +- A running EDB Postgres distribution +- Hashicorp Vault installed and deployed per your VM environment + +## Enable Hashicorp Vault Transit Secrets Engine + +!!! Note + You have to set your environment variable with Hashicorp Vault. If you receive this error message “Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client” you need to issue this in your command line `export VAULT_ADDR="http://127.0.0.1:8200`". + +1. After your Hashicorp Vault configuration is installed and deployed per the guidelines in the [Hashicorp documentation](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install), you will then need to enable the transit secrets engine. + +2. Assume root user. + +3. First set your two variables, your API address and token you receieved during installation and setup. +```bash +root@ip-172-31-50-151:/home/ubuntu# export VAULT_ADDR='http://127.0.0.1:8200' +root@ip-172-31-50-151:/home/ubuntu# export VAULT_TOKEN="hvs.D9lfoRBZYtdJY2t3lG3f6yUa" +``` +4. Before you enable the Transit Secrets Engine you can check your Vault Server status with `vault status`. 
+```bash +root@ip-172-31-50-151:/home/ubuntu# vault status +Key Value +--- ----- +Seal Type shamir +Initialized true +Sealed false +Total Shares 1 +Threshold 1 +Version 1.13.3 +Build Date 2023-06-06T18:12:37Z +Storage Type inmem +Cluster Name vault-cluster-18a7ed39 +Cluster ID 83012ee7-18f0-9480-e8b6-3ff02c285ba2 +HA Enabled false +``` + +5. Type `vault secrets enable transit`. +```bash +root@ip-172-31-50-151:/home/ubuntu# vault secrets enable transit +Success! Enabled the transit secrets engine at: transit/ +``` + +6. Next you will create your encryption key with an identifiable name. For example: `vault write -f transit/keys/pg-tde-master-1` +```bash +root@ip-172-31-50-151:/usr/lib/edb-pge/15/bin# vault write -f transit/keys/pg-tde-master-1 +Success! Data written to: transit/keys/pg-tde-master-1 +``` +7. You now have your encryption key set and are ready to export your WRAP and UNWRAP commands and initialize your database. \ No newline at end of file diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/05-UsingTransitSecretsEngine.mdx b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/05-UsingTransitSecretsEngine.mdx new file mode 100644 index 00000000000..997ef875d20 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/05-UsingTransitSecretsEngine.mdx 
@@ -0,0 +1,217 @@ +--- +title: 'Using' +description: 'Walkthrough of example usage scenarios' +--- + +After you have configured Hashicorp Vault Transit Secrets Engine as stated in the Configuring section, you will be able to then encrypt your EDB Postgres distribution database. + +!!! Note + It is important to note that this doc is intended for versions 15.2 and above of EDB Postgres Advanced Server or versions 15.2 and above of EDB Postgres Extended Server as these versions support Transparent Data Encryption (TDE). + +After the Hashicorp Vault Transit secrets engine is configured and a user/machine has a Vault token with the proper permissions, this was configured during your install and setup of Transit Secrets Engine, it can use this secrets engine to encrypt a key. + +## Perform initdb for the Database + +After you have enabled Hashicorp Vault Transit Secrets Engine and created a key, you will be able to export the PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD to wrap and unwrap your encryption key and initialize your database. + +1. Login to your EDB Postgres distribution as the database superuser, for example `sudo su - enterprisedb`. + +2. Navigate to the `/bin` directory where your executables live. In our example it is `/usr/lib/edb-as/15/bin`. + +3. Type: `export PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p'` + +4. Type: `export PGDATAKEYUNWRAPCMD='cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'` + +```bash +root@ip-172-31-50-151:/usr/lib/edb-pge/15/bin# su - enterprisedb + +enterprisedb@ip-172-31-50-151:~$ export PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p' + +enterprisedb@ip-172-31-50-151:~$ export PGDATAKEYUNWRAPCMD='cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode' +``` +5. 
Perform your initdb per your database requirements, for example: `./initdb -D dd12 -y`. + +6. If all is successful you should get an output that looks like this: +```bash + + enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ ./initdb -D /var/lib/edb-as/15/dd12 -y +The files belonging to this database system will be owned by user "enterprisedb". +This user must also own the server process. +The database cluster will be initialized with locale "C.UTF-8". +The default database encoding has accordingly been set to "UTF8". +The default text search configuration will be set to "english". +Data page checksums are disabled. +Transparent data encryption is enabled. +creating directory /var/lib/edb-as/15/dd12 ... ok +creating subdirectories ... ok +selecting dynamic shared memory implementation ... posix +selecting default max_connections ... 100 +selecting default shared_buffers ... 128MB +selecting default time zone ... America/New_York +creating configuration files ... ok +setting up data encryption ... ok +running bootstrap script ... 
usage: edb_tde_kmip_client.py [-h] [--pykmip-config-file FILENAME] + [--pykmip-config-block NAME] + [--in-file FILENAME] [--out-file FILENAME] + --key-uid KEY_UID --variant {pykmip,thales} + {decrypt,encrypt} +edb_tde_kmip_client.py: error: argument --variant: invalid choice: 'pymip' (choose from 'pykmip', 'thales') +2023-04-12 09:35:27 EDT FATAL: unwrapped key is too small +child process exited with exit code 1 +initdb: removing data directory "/var/lib/edb-as/15/dd12" +enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ export PGDATAKEYWRAPCMD='python3 /tmp/edb_tde_kmip_client.py encrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=nfTCV2Cp5sffhQuRrOVfgCUyu8qh9kwd --out-file=%p --variant=pykmip' +enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ export PGDATAKEYUNWRAPCMD='python3 /tmp/edb_tde_kmip_client.py decrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=nfTCV2Cp5sffhQuRrOVfgCUyu8qh9kwd --in-file=%p --variant=pykmip' +enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ +enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ +enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ +enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ +enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ ./initdb -D /var/lib/edb-as/15/dd12 -y +The files belonging to this database system will be owned by user "enterprisedb". +This user must also own the server process. +The database cluster will be initialized with locale "C.UTF-8". +The default database encoding has accordingly been set to "UTF8". +The default text search configuration will be set to "english". +Data page checksums are disabled. +Transparent data encryption is enabled. +creating directory /var/lib/edb-as/15/dd12 ... ok +creating subdirectories ... ok +selecting dynamic shared memory implementation ... posix +selecting default max_connections ... 100 +selecting default shared_buffers ... 128MB +selecting default time zone ... America/New_York +creating configuration files ... 
ok +setting up data encryption ... ok +running bootstrap script ... ok +performing post-bootstrap initialization ... ok +creating edb sys ... ok +loading edb contrib modules ... +edb_redwood_bytea.sql +edb_redwood_date.sql +dbms_alert_public.sql +dbms_alert.plb +dbms_job_public.sql +dbms_job.plb +dbms_lob_public.sql +dbms_lob.plb +dbms_output_public.sql +dbms_output.plb +dbms_pipe_public.sql +dbms_pipe.plb +dbms_rls_public.sql +dbms_rls.plb +dbms_sql_public.sql +dbms_sql.plb +dbms_utility_public.sql +dbms_utility.plb +dbms_aqadm_public.sql +dbms_aqadm.plb +dbms_aq_public.sql +dbms_aq.plb +dbms_profiler_public.sql +dbms_profiler.plb +dbms_random_public.sql +dbms_random.plb +dbms_redact_public.sql +dbms_redact.plb +dbms_lock_public.sql +dbms_lock.plb +dbms_scheduler_public.sql +dbms_scheduler.plb +dbms_crypto_public.sql +dbms_crypto.plb +dbms_mview_public.sql +dbms_mview.plb +dbms_session_public.sql +dbms_session.plb +edb_bulkload.sql +edb_gen.sql +edb_objects.sql +edb_redwood_casts.sql +edb_redwood_strings.sql +edb_redwood_views.sql +utl_encode_public.sql +utl_encode.plb +utl_http_public.sql +utl_http.plb +utl_file.plb +edb_ht_public.sql +edb_ht.plb +utl_tcp_public.sql +utl_tcp.plb +utl_smtp_public.sql +utl_smtp.plb +utl_mail_public.sql +utl_mail.plb +utl_url_public.sql +utl_url.plb +utl_raw_public.sql +utl_raw.plb +commoncriteria.sql +edb_gen_redwood.sql +waitstates.sql +installing extension edb_dblink_libpq ... ok +installing extension edb_dblink_oci ... ok +snap_tables.sql +snap_functions.sql +dblink_ora.sql +sys_stats.sql +ok +finalizing initial databases ... ok +syncing data to disk ... ok +initdb: warning: enabling "trust" authentication for local connections +initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb. +Success. You can now start the database server using: + pg_ctl -D /var/lib/edb-as/15/dd12 -l logfile start + +``` + +7. 
Start your database and navigate to your `/data` directory to view the postgresql.conf file to ensure that your `data_encryption_key_unwrap_command` that you set with your `export PGDATAUNWRAPCMD` is present under the Authentication section. +```bash +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = scram-sha-256 # scram-sha-256 or md5 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab' +#krb_caseins_users = off + +# - SSL - + +#ssl = off +#ssl_ca_file = '' +#ssl_cert_file = 'server.crt' +#ssl_crl_file = '' +#ssl_crl_dir = '' +#ssl_key_file = 'server.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_min_protocol_version = 'TLSv1.2' +#ssl_max_protocol_version = '' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + +# - Data Encryption - + +data_encryption_key_unwrap_command = 'cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode' + +``` +## Encrypt Plaintext Data + +Hashicorp Vault Transit Secrets Engine can also encrypt some plaintext data. However any plaintext data needs to be base64-encoded. This is a requirement as Hashicorp Vault does not require that the plaintext data is "text", it could also be another type of file. + +```bash +enterprisedb@ip-172-31-50-151:~$ export VAULT_TOKEN="hvs.D9lfoRBZYtdJY2t3lG3f6yUa" +enterprisedb@ip-172-31-50-151:~$ vault write transit/encrypt/pg-tde-master-1 plaintext=$(echo "my secret data" | base64) +Key Value +--- ----- +ciphertext vault:v1:/laUa+i1RVs4kFDD+a6Dmm+mJvVuo8jW0JHWISlzEe/ur/nUlfswEyYShA== +key_version 1 +``` +As an added note, Hashicorp Vault does not store any data, that is up to the database user. 
For any more information on Hashicorp Vault Transit Secrets Engine visit the [Hashicorp](https://developer.hashicorp.com/vault/docs/secrets/transit) documentation. + +For more information on how TDE is incorporated with EDB Postgres Advanced Server and EDB Postgres Extended Server visit the [EDB Transparent Data Encryption](https://www.enterprisedb.com/docs/tde/latest/) documentation. + diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/06-CertificationEnvironment.mdx b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/06-CertificationEnvironment.mdx new file mode 100644 index 00000000000..11263baf41a --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/06-CertificationEnvironment.mdx @@ -0,0 +1,11 @@ +--- +title: 'Certification Environment' +description: 'Overview of the certification environment' +--- + +| | | +| ----------- | ----------- | +| **Certification Test Date** | June 12, 2023 | +| **EDB Postgres Advanced Server** | 15.2 | +| **EDB Postgres Extended Server** | 15.2 | +| **Hashicorp Vault** | v1.13.3 | \ No newline at end of file diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/07-Support.mdx b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/07-Support.mdx new file mode 100644 index 00000000000..423d58ebc43 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/07-Support.mdx 
@@ -0,0 +1,26 @@ +--- +title: 'Support and Logging Details' +description: 'Details of the support process and logging information' +--- + +## Support + +Technical support for the use of these products is provided by both EDB and Hashicorp. A proper support contract is required to be in place at both EDB and Hashicorp. A support ticket can be opened on either side to start the process. If it is determined through the support ticket that resources from the other vendor is required, the customer should open a support ticket with that vendor through normal support channels. This will allow both companies to work together to help the customer as needed. + +## Logging + +**EDB Postgres Advanced Server Logs:** + +Navigate to the `Data` directory in your chosen EDB Postgres Advanced Server instance and from here you can navigate to `log`, `current_logfiles` or you can navigate to the `postgresql.conf` file where you can customize logging options or enable `edb_audit` logs. + +**EDB Postgres Extended Server Logs** + +Navigate to the `Data` directory in your chosen EDB Postgres Extended Server instance and from here you can navigate to `log`, or you can navigate to the `postgresql.conf` file where you can customize logging options. An example of the full path to view EDB Postgres Extended logs: `/var/lib/edb-pge/15/data/log`. + +** Hashicorp Vault Logs** + +Customers can use the `journalctl` function to call logs for Hashicorp Vault. + +If you just want to view the Vault logs you can do so by entering `journalctl -ex -u vault` in the command line. + +If you want to view logs for a specific day and output those results to a `.txt` file you can do so by entering `journalctl -u vault -S today > vaultlog.txt` in the command line, adjusting the date to your needed date and the text title. \ No newline at end of file 
diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/HashicorpVaultTransitSecretsEngineArchitecture(old).png b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/HashicorpVaultTransitSecretsEngineArchitecture(old).png new file mode 100644 index 00000000000..2339df92969 --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/HashicorpVaultTransitSecretsEngineArchitecture(old).png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0793821162ad7af001a1c4102526c1ea0384954246a938ba042e889f3c0d07d3 +size 377715 diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/HashicorpVaultTransitSecretsEngineArchitecture.png b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/HashicorpVaultTransitSecretsEngineArchitecture.png new file mode 100644 index 00000000000..737f5f90f2f --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/HashicorpVaultTransitSecretsEngineArchitecture.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:761c2a76e4a5c18f8aa8d9d7397174acbaf5b2bebc17f19b722d635f6105a287 +size 54691 diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/PartnerProgram.jpg.png b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/PartnerProgram.jpg.png new file mode 100644 index 00000000000..93e0514710b --- /dev/null +++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/PartnerProgram.jpg.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1953f3a5526ab37279a598f1c370c5acbf9f6d18f7902cb538161182fbed3b1f +size 57295 diff --git a/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/index.mdx b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/index.mdx new file mode 100644 index 00000000000..083cc5d871d --- /dev/null 
+++ b/advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/index.mdx @@ -0,0 +1,14 @@ +--- +title: 'Hashicorp Vault Transit Secrets Engine Implementation Guide' +indexCards: simple +directoryDefaults: + iconName: handshake +--- + ++ +
+This document is intended to augment each vendor’s product documentation in order to guide the reader in getting the products working together. It is not intended to show the optimal configuration for the certified integration.
\ No newline at end of file diff --git a/product_docs/docs/biganimal/release/overview/deployment_options/index.mdx b/product_docs/docs/biganimal/release/overview/deployment_options/index.mdx index 01c789bde7e..7698c8da615 100644 --- a/product_docs/docs/biganimal/release/overview/deployment_options/index.mdx +++ b/product_docs/docs/biganimal/release/overview/deployment_options/index.mdx @@ -15,7 +15,7 @@ When deploying in your own cloud account, you need to set up your cloud service BigAnimal's cloud account offers a seamless deployment option if you don't want to set up a separate cloud account for your clusters. You can deploy a cluster in BigAnimal's cloud account instantly. !!! Note Note -Currently, when you deploy in BigAnimal's cloud account, you can use only AWS as your cloud provider. +Currently, when you deploy in BigAnimal's cloud account, you can use AWS as your cloud provider. !!! diff --git a/product_docs/docs/biganimal/release/using_cluster/05_monitoring_and_logging/index.mdx b/product_docs/docs/biganimal/release/using_cluster/05_monitoring_and_logging/index.mdx index 410ae0405b6..c63b8cc356f 100644 --- a/product_docs/docs/biganimal/release/using_cluster/05_monitoring_and_logging/index.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/05_monitoring_and_logging/index.mdx 
@@ -22,6 +22,6 @@ With BigAnimal, you have a few options for monitoring and logging solutions: - Existing Postgres Enterprise Manager (PEM) users who want to monitor BigAnimal clusters alongside self-managed Postgres clusters can use the remote monitoring capability of PEM. See [Remote monitoring](/pem/latest/pem_admin/02a_pem_remote_monitoring). - With remote monitoring, you have access to many PEM features, including the ability to profile the workloads on your BigAnimal clusters. See [profile workloads](/pem/latest/profiling_workloads) for more information. + With remote monitoring, you have access to many PEM features, including the ability to profile the workloads on your BigAnimal clusters. See [Profiling workloads](/pem/latest/profiling_workloads) for more information. diff --git a/src/pages/index.js b/src/pages/index.js index 6e3d50b198e..8e93026a7ac 100644 --- a/src/pages/index.js +++ b/src/pages/index.js @@ -355,6 +355,12 @@ const Page = () => ( Security +
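Review bot: in the `@@ -88,7 +131,7 @@` hunk at the top of this page, the rewritten step 1 ("Login to your EDB Postgres distribution as the Superuser. For our example: **enterprisedb user**, `sudo su - enterprisedb`") conflates a Postgres superuser role with the operating-system account: `sudo su - enterprisedb` switches to the OS user that owns the installation, so say that instead, e.g. "Log in as the operating-system user that owns the EDB Postgres installation (`enterprisedb` in our example): `sudo su - enterprisedb`". In the `@@ -237,7 +280,7 @@` hunk, the step 7 line still names `export PGDATAUNWRAPCMD`, while the context line above the first hunk calls the variable `PGDATAKEYUNWRAPCMD`; since the line is being touched anyway, fix the name so readers checking their shell environment look for the right variable.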
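Review bot: in `advocacy_docs/partner_docs/HashicorpVault/06-CertificationEnvironment.mdx`, the last table row is labelled **Thales CipherTrust Manager** but holds Vault versions (`Vault v1.12.6+ent, Vault v1.13.2+ent`); this looks copied from another partner page and should read **Hashicorp Vault**. Also add the missing trailing newline (`\ No newline at end of file`) so later diffs on this file stay clean.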
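Review bot: in `advocacy_docs/partner_docs/HashicorpVault/07-SupportandLogging.mdx`, the heading `** Hashicorp Vault Logs**` has a space after the opening `**`, so it will not render as bold (compare `**EDB Postgres Extended Server Logs**` just above it); remove the space. In the Support paragraph, "resources from the other vendor is required" should be "are required". The last sentence describes `journalctl -u vault -S today > vaultlog.txt` as viewing logs "for a specific day", but `-S` is a start time only; either say "since the given time" or show the `-S`/`-U` pair if a single day is meant.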
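Review bot: in `advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/03-SolutionSummary.mdx`, "Normally the key, that lives in `pg_encryption/key.bin`, is stored in plaintext format, but using Hashicorp Vault Transit Secrets Engine as an external key store manages the data encryption key and provides further security to the key itself" is a comma splice and leaves the benefit vague; suggest "Without a wrap command, the data encryption key in `pg_encryption/key.bin` is stored in plaintext. With the Transit secrets engine configured as the wrap command, that file holds only the Transit ciphertext, and the plaintext key is obtained from Vault at server start." (the wrap command in the 05 file writes Vault's `ciphertext` field to `%p`, which is what this sentence should say).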
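Review bot: in `advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/04-ConfiguringTransitSecretsEngine.mdx`, step 3 commits a literal token (`export VAULT_TOKEN="hvs.D9lfoRBZYtdJY2t3lG3f6yUa"`, repeated in the 05 file's "Encrypt Plaintext Data" block); even if it belongs to a throwaway dev instance, revoke it and replace it in the docs with a placeholder such as `<your-vault-token>`. Step 2 ("Assume root user") together with "the token you received during installation and setup" also means the whole walkthrough, including the database's wrap/unwrap commands later, runs under the Vault root token; recommend adding a step that creates a policy limited to `transit/encrypt/pg-tde-master-1` and `transit/decrypt/pg-tde-master-1` and issues the database a token under it. The `vault status` output in step 4 shows `Storage Type inmem`, i.e. a dev server whose transit key does not survive a restart; because that key wraps the TDE data key, an encrypted cluster would then be unrecoverable, so state plainly that the walkthrough uses a dev server and that production needs persistent storage. Smaller fixes in the same hunk: the Note's `` `export VAULT_ADDR="http://127.0.0.1:8200`" `` has the closing quote and backtick swapped, and it should say that falling back to plain `http` is acceptable only for a local dev server, since this channel carries the database encryption key; "receieved" should be "received".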
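Review bot: in `advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/05-UsingTransitSecretsEngine.mdx`, the step 6 block introduced as "If all is successful you should get an output that looks like this" is a transcript from the KMIP integration, not this one: it opens with an `edb_tde_kmip_client.py` usage error (`invalid choice: 'pymip'`), `FATAL: unwrapped key is too small`, `initdb: removing data directory`, and then re-exports `PGDATAKEYWRAPCMD`/`PGDATAKEYUNWRAPCMD` with `--variant=pykmip` before the successful run; replace it with the output of an `initdb` run under the Transit wrap/unwrap commands from steps 3 and 4 (the prompts also mix `edb-pge` and `edb-as` paths, and step 5 says `-D dd12` while the output uses `/var/lib/edb-as/15/dd12`). In step 7, `export PGDATAUNWRAPCMD` should be `PGDATAKEYUNWRAPCMD`, and the setting is shown under `# - Data Encryption -`, not "under the Authentication section". The hunk never says that `data_encryption_key_unwrap_command` runs `vault write transit/decrypt/...` on every server start, so `VAULT_ADDR` and `VAULT_TOKEN` must be present in the environment of the postgres server process (for example the service unit's environment), not only in the interactive shell where they were exported, and the token must be one that is still valid at that time; a sentence on this would save readers a failed start. Step 1 ("as the database superuser, for example `sudo su - enterprisedb`") means the OS account that owns the installation, not a Postgres role. Finally, two comma splices: "However any plaintext data" should be "However, any plaintext data", and "does not store any data, that is up to the database user" should be "does not store any data; that is up to the database user".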
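Review bot: `advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/07-Support.mdx` is added with the same blob (`423d58ebc43`) as `HashicorpVault/07-SupportandLogging.mdx`, so it carries the same `** Hashicorp Vault Logs**` bold bug, the "resources from the other vendor is required" grammar and the `-S today` wording; fix both copies, and use the same filename in both guides (`07-SupportandLogging.mdx`), since the front-matter title is 'Support and Logging Details' in each.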
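Review bot: `advocacy_docs/partner_docs/HashicorpVaultTransitSecretsEngine/Images/HashicorpVaultTransitSecretsEngineArchitecture(old).png` is added but nothing on this page references it (03-SolutionSummary.mdx links `Images/HashicorpVaultTransitSecretsEngineArchitecture.png`); drop the stale asset rather than ship a 377715-byte unused LFS object, and avoid parentheses in asset filenames.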
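Review bot: in the `product_docs/docs/biganimal/release/overview/deployment_options/index.mdx` hunk, dropping "only" turns "you can use only AWS as your cloud provider" into "you can use AWS as your cloud provider", which no longer tells the reader whether other providers are supported; if other providers are now available in BigAnimal's cloud account, name them, and if AWS is still the sole option, keep "only".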