STRATO Vault Setup
A running STRATO Vault is a prerequisite for setting up any STRATO node on version 9.0 and later. STRATO nodes require an internet connection to reach the STRATO Vault.
For an explanation of STRATO Vault, please see STRATO Vault Key Storage.
Note this section does not apply to versions prior to STRATO v9.0.
Vault Deployment Script and Configuration Options
Prerequisites for STRATO Vault
Note that STRATO Vault can be hosted on a separate instance with an IP address that can be reached from anywhere. Alternatively, STRATO Vault can be deployed on the same machine as a STRATO node.
Once the Vault requirements are met, get the newest version of Vault from the STRATO getting-started tool:
- Fetch the docker-compose.yml of the newer version:
- Pull the docker images of the new version (based on the docker-compose.yml):
Once the new Vault images are obtained, start Vault using the ./vault command and provide it with the necessary configuration options. The easiest way to do this is to run a script like the one below:
    sudo \
    HTTPS_PORT=8094 \
    ssl=true \
    sslCertFileType=pem \
    INITIAL_OAUTH_DISCOVERY_URL='https://<identity_provider_url>/.well-known/openid-configuration' \
    INITIAL_OAUTH_ISSUER='https://<identity_provider_url>/auth/realms/example' \
    INITIAL_OAUTH_JWT_USER_ID_CLAIM='sub' \
    ./vault
Configuration Options Explained
- HTTPS_PORT - port on which the deployed Vault listens (e.g. 8094, as in the script above)
- sslCertFileType - file type of the SSL certificate file; if ssl is set to false this is irrelevant
- INITIAL_OAUTH_DISCOVERY_URL - OpenID Discovery URL (aka "well-known URL") of the identity provider
- INITIAL_OAUTH_ISSUER - initial OAuth issuer URL of the identity provider (the iss value carried by its tokens)
- INITIAL_OAUTH_JWT_USER_ID_CLAIM - the claim in the JWT token payload from which the user identity is read (see JWT Payload). Default:
It is strongly recommended to use the sub field of the JWT token for the INITIAL_OAUTH_JWT_USER_ID_CLAIM property. This provides STRATO Vault with the uuid of the user. If the user email were used instead, this would be a potential security concern, allowing anyone on the network to see the email associated with an address.
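The following pre-flight wrapper is an added example, not part of STRATO or its vault tooling. It checks the launch variables described above for the inconsistencies that most often break or weaken a Vault deployment (non-numeric port, ssl=true without a certificate type, a discovery URL that is not the provider's well-known endpoint, an issuer hosted somewhere other than the discovery URL, and a user-id claim other than sub) before handing the unchanged environment to ./vault. The function names validate_vault_env and start_vault, the same-host rule for issuer and discovery URL, the decision to treat a non-sub claim as a hard error rather than a warning, and the host idp.example.com used in testing are all this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of STRATO or its vault tooling): a pre-flight
# wrapper that checks the launch variables described above before handing
# them to ./vault. The rules it enforces are this example's assumptions.

# Prints each finding to stderr; returns 0 when the environment is consistent, 1 otherwise.
validate_vault_env() {
    ok=0

    # HTTPS_PORT must be a plain port number (the page's example uses 8094).
    case "${HTTPS_PORT:-}" in
        ''|*[!0-9]*) echo "HTTPS_PORT must be numeric (e.g. 8094)" >&2; ok=1 ;;
    esac

    # sslCertFileType only matters when ssl=true, but then it must be set.
    if [ "${ssl:-}" = "true" ] && [ -z "${sslCertFileType:-}" ]; then
        echo "ssl=true but sslCertFileType is unset (e.g. pem)" >&2; ok=1
    fi

    # The discovery URL must be the provider's well-known OpenID endpoint over TLS.
    case "${INITIAL_OAUTH_DISCOVERY_URL:-}" in
        https://*/.well-known/openid-configuration) ;;
        *) echo "INITIAL_OAUTH_DISCOVERY_URL must be https://<idp>/.well-known/openid-configuration" >&2; ok=1 ;;
    esac

    case "${INITIAL_OAUTH_ISSUER:-}" in
        https://*) ;;
        *) echo "INITIAL_OAUTH_ISSUER must be an https URL" >&2; ok=1 ;;
    esac

    # Assumption: issuer and discovery URL belong to the same identity provider host;
    # a mismatch usually means tokens will be rejected or the wrong provider is trusted.
    disc_host=${INITIAL_OAUTH_DISCOVERY_URL#https://}; disc_host=${disc_host%%/*}
    iss_host=${INITIAL_OAUTH_ISSUER#https://};         iss_host=${iss_host%%/*}
    if [ -n "$disc_host" ] && [ "$disc_host" != "$iss_host" ]; then
        echo "discovery host '$disc_host' differs from issuer host '$iss_host'" >&2; ok=1
    fi

    # The page strongly recommends 'sub'; this wrapper turns that into a hard rule so
    # the vault never keys users on an email or other claim that is visible to the network.
    if [ "${INITIAL_OAUTH_JWT_USER_ID_CLAIM:-}" != "sub" ]; then
        echo "INITIAL_OAUTH_JWT_USER_ID_CLAIM should be 'sub', got '${INITIAL_OAUTH_JWT_USER_ID_CLAIM:-}'" >&2; ok=1
    fi

    return $ok
}

# Validate first, then replace this shell with ./vault so it inherits the same variables.
start_vault() {
    validate_vault_env || { echo "refusing to start vault: fix the findings above" >&2; return 1; }
    exec ./vault
}
```

Export the same variables the launch script above sets, source this file, and call start_vault in place of ./vault; a failed check prints the reason and leaves Vault unstarted rather than running it with a configuration that would reject every token or expose user emails.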
Prior to STRATO 9.0
Prior to STRATO v9.0 every node had its own STRATO Vault built in, so no separate STRATO Vault setup was needed. To run a STRATO node, the only thing required was to set the password for the node's own STRATO Vault when the node booted. Therefore the deploy script for a node had an argument to set that password.
An example of the deploy script prior to v9.0:
    NODE_HOST=<strato_address>:8080 \
    HTTP_PORT=8080 \
    OAUTH_ENABLED=true \
    OAUTH_DISCOVERY_URL='https://<identity_provider_url>/.well-known/openid-configuration' \
    OAUTH_CLIENT_ID='<identity_provider_client1_id>' \
    OAUTH_CLIENT_SECRET='<identity_provider_client1_secret>' \
    PASSWORD=123 \
    ./strato --blockstanbul
Notice that the above script has a PASSWORD argument, while the deploy script for newer versions uses VAULT_URL instead. For more information about node deployment, see Network Setup.