
STRATO Vault Setup

Overview

A running STRATO Vault is a prerequisite for setting up any STRATO node on version 9.0 or later (^9.0). Every STRATO Node needs network (typically internet) connectivity to reach the STRATO Vault.

Note

For an explanation of STRATO Vault please see STRATO Vault Key Storage

Note

This section does not apply to versions prior to STRATO v9.0; see "Prior to STRATO 9.0" below.

Vault Deployment Script and Configuration Options

Prerequisites for STRATO Vault

STRATO Vault deployment requires:

  • a configured identity provider,
  • a TLS certificate, and
  • a suitable system to host STRATO Vault (and, optionally, STRATO itself).

STRATO Vault can be hosted on a separate instance whose IP address is reachable from every node, or it can be deployed on the same machine as a STRATO Node.

Deployment

Once the Vault requirements are met, get the newest version of Vault from the STRATO getting-started tool:

  1. Fetch the docker-compose.yml of the latest version:
    ./vault --compose
    
  2. Pull the docker images of the new version (as listed in the docker-compose.yml):

    ./vault --pull
    

  3. Once the images are pulled, start the Vault with the ./vault command, passing the necessary configuration options as environment variables. The easiest way is a script like the following:

sudo \
  HTTPS_PORT=8094 \
  ssl=true \
  sslCertFileType=pem \
  INITIAL_OAUTH_DISCOVERY_URL='https://<identity_provider_url>/.well-known/openid-configuration' \
  INITIAL_OAUTH_ISSUER='https://<identity_provider_url>/auth/realms/example' \
  INITIAL_OAUTH_JWT_USER_ID_CLAIM='sub' \
  ./vault
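The two INITIAL_OAUTH_* values above must describe the same identity provider. OpenID Connect Discovery 1.0 derives the discovery URL as the issuer followed by /.well-known/openid-configuration, and requires the "issuer" field in the returned document to equal that issuer exactly. For a Keycloak realm, whose issuer is https://<host>/auth/realms/<realm>, the discovery document is therefore served under that same realm path. The following preflight script is an added example, not part of the STRATO tooling: the helper names are the editor's own, and the discovery document at the bottom is constructed inline so the script runs offline (in practice you would fetch it with curl from INITIAL_OAUTH_DISCOVERY_URL).

```shell
#!/bin/sh
# Added example, not STRATO code: preflight checks for the identity-provider
# settings passed to ./vault. Helper names are the editor's own; the sample
# discovery document below is constructed, not from a real provider.

WELL_KNOWN='/.well-known/openid-configuration'

# discovery_url_for ISSUER -> the discovery URL the OIDC spec derives from ISSUER
discovery_url_for() { printf '%s%s' "$1" "$WELL_KNOWN"; }

# check_discovery_url URL ISSUER -> 0 if URL is exactly ISSUER + WELL_KNOWN
check_discovery_url() { [ "$1" = "$(discovery_url_for "$2")" ]; }

# issuer_from_doc JSON -> the "issuer" string inside a discovery document
issuer_from_doc() {
  printf '%s\n' "$1" | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_issuer_match JSON ISSUER -> 0 if the document names exactly ISSUER
# (a stray trailing slash is enough to fail this comparison, by design)
check_issuer_match() { [ "$(issuer_from_doc "$1")" = "$2" ]; }

# check_pem_cert FILE -> 0 if FILE is readable and carries a PEM certificate,
# i.e. what sslCertFileType=pem expects
check_pem_cert() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# preflight ISSUER DISCOVERY_URL DOC -> prints "ok" and returns 0 when the
# three agree; otherwise prints the first problem and returns 1. DOC is passed
# in rather than fetched so the function is testable offline; in practice use:
#   DOC=$(curl -fsS "$INITIAL_OAUTH_DISCOVERY_URL")
preflight() {
  issuer=$1; url=$2; doc=$3
  check_discovery_url "$url" "$issuer" \
    || { echo "discovery URL is not $(discovery_url_for "$issuer")"; return 1; }
  check_issuer_match "$doc" "$issuer" \
    || { echo "document issuer '$(issuer_from_doc "$doc")' != '$issuer'"; return 1; }
  echo "ok"
}

# --- constructed sample: a Keycloak-style realm ---
ISSUER='https://idp.example.com/auth/realms/example'
DOC='{
  "issuer": "https://idp.example.com/auth/realms/example",
  "jwks_uri": "https://idp.example.com/auth/realms/example/protocol/openid-connect/certs"
}'

# Consistent settings: prints "ok".
preflight "$ISSUER" "$(discovery_url_for "$ISSUER")" "$DOC"

# A discovery URL at the host root does not belong to the realm issuer: reports the mismatch.
preflight "$ISSUER" 'https://idp.example.com/.well-known/openid-configuration' "$DOC" || true
```

Run the checks with the real values before launching ./vault; a rejected preflight means tokens minted by the identity provider will not carry the issuer the Vault has been told to expect.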

Configuration Options Explained

  • HTTPS_PORT - port on which the deployed Vault listens for HTTPS (8094 in the script above; e.g. with 8080 the Vault is reached at example.com:8080 or 203.0.113.1:8080; default: localhost:80)
  • ssl - whether TLS is enabled (true/false). Leave this true outside of local testing: with ssl=false the OAuth bearer tokens that nodes present to the Vault travel in clear text.
  • sslCertFileType - file type of the TLS certificate file (pem in the script above); ignored when ssl is false
  • INITIAL_OAUTH_DISCOVERY_URL - OpenID Discovery URL (aka "well-known URL") of the identity provider
  • INITIAL_OAUTH_ISSUER - the initial OAuth issuer, i.e. the issuer value that tokens from the identity provider carry and that its discovery document publishes
  • INITIAL_OAUTH_JWT_USER_ID_CLAIM - the claim in the JWT payload from which the user identifier is read (see JWT Payload). Default: sub.

Note

It is strongly recommended to use the sub claim of the JWT for the INITIAL_OAUTH_JWT_USER_ID_CLAIM property. This provides STRATO Vault with the user's UUID rather than anything personally identifying. If the user's email were used instead, it would be a security and privacy concern: the identifier is tied to the user's address, so anyone on the network could see the email associated with that address.
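The script below is an added example, not STRATO code, that shows in concrete terms what the choice of INITIAL_OAUTH_JWT_USER_ID_CLAIM exposes. It base64url-decodes a JWT payload and classifies the selected claim as an opaque UUID, an e-mail address, or something else. The token it inspects is constructed locally with an empty signature purely so the script runs offline; signature verification is deliberately out of scope here, since the Vault checks signatures against the identity provider's keys, and nothing should ever be derived from an unverified token in production.

```shell
#!/bin/sh
# Added example, not STRATO code: inspect which JWT claim
# INITIAL_OAUTH_JWT_USER_ID_CLAIM would select and what it reveals.
# The sample token is constructed below (alg "none", no signature) so the
# script runs offline; it does NOT verify signatures and must not be used
# to trust claims. The Vault verifies tokens against the provider's keys.

# b64url_enc: stdin -> base64url without padding (what JWTs use)
b64url_enc() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# b64url_dec STRING -> decoded bytes; restores the padding JWTs strip
b64url_dec() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload TOKEN -> the decoded JSON payload (second dot-separated segment)
jwt_payload() { b64url_dec "$(printf '%s' "$1" | cut -d. -f2)"; }

# jwt_claim TOKEN NAME -> value of the string claim NAME, empty if absent
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# assess_claim TOKEN NAME -> one of:
#   ok      : a UUID, as Keycloak issues in "sub"; safe to derive an address from
#   pii     : looks like an e-mail address; would tie the on-chain address to a person
#   opaque  : present but neither of the above (e.g. a username)
#   missing : the claim is not in the payload, so the Vault has nothing to use
assess_claim() {
  v=$(jwt_claim "$1" "$2")
  if [ -z "$v" ]; then echo missing
  elif printf '%s' "$v" | grep -q '@'; then echo pii
  elif printf '%s' "$v" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then echo ok
  else echo opaque
  fi
}

# Constructed sample token (not issued by any real identity provider).
SAMPLE_HEADER='{"alg":"none","typ":"JWT"}'
SAMPLE_PAYLOAD='{"sub":"3f2a9c4e-7b1d-4e8a-9c2f-5d6e7f8a9b0c","email":"alice@example.com","preferred_username":"alice"}'
SAMPLE_JWT="$(printf '%s' "$SAMPLE_HEADER" | b64url_enc).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_enc)."

# Report what each candidate claim would hand to the Vault.
for c in sub email preferred_username; do
  printf '%-20s %s\n' "$c" "$(assess_claim "$SAMPLE_JWT" "$c")"
done
```

Paste a real token from your identity provider in place of SAMPLE_JWT to confirm that sub is a UUID for your realm before relying on the default; only the claim named in INITIAL_OAUTH_JWT_USER_ID_CLAIM is consumed, so a provider that puts a username or e-mail in sub would undermine the recommendation above.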

Prior to STRATO 9.0

Prior to STRATO v9.0 every node had its own STRATO Vault built in, so no separate STRATO Vault setup was needed. To run a STRATO node, the only requirement was to set the password for the node's own STRATO Vault at boot time. A node deploy script therefore took an argument to set that password.

An example of the deploy script prior to v9.0:

NODE_HOST=<strato_address>:8080 \
  HTTP_PORT=8080 \
  OAUTH_ENABLED=true \
  OAUTH_DISCOVERY_URL='https://<identity_provider_url>/.well-known/openid-configuration' \
  OAUTH_CLIENT_ID='<identity_provider_client1_id>' \
  OAUTH_CLIENT_SECRET='<identity_provider_client1_secret>' \
  PASSWORD=123 \
  ./strato --blockstanbul

Notice that the script above has a PASSWORD argument (123 here is only a placeholder; use a strong value), whereas newer versions of STRATO take VAULT_URL instead. For more information about node deployment, see Network Setup.