1. Cloud Native Deployment Guide
  2. Reference of Secrets Created by the Scripts

B Reference of Secrets Created by the Scripts

The secrets created by the OSM cloud native toolkit scripts follow the naming pattern of <project>-<instance>-<suffix>, where the "suffix" differentiates between the secrets.

The following table lists the secrets, describes their purpose, and provides other details.

Secret Name Purpose Must Have? Creation Details
<project>-<instance>-database-credentials Credentials and connection details for OSM DB schemas. Yes manage-instance-credentials osmdb DB Credentials Secret
<project>-<instance>-rcudb-credentials Credentials and connection details for FMW RCU DB schemas. Yes manage-instance-credentials rcudb RCU DB Credentials Secret
<project>-<instance>-weblogic-credentials WebLogic admin credential. Yes manage-instance-credentials wlsadmin WebLogic Credentials Secret
<project>-<instance>-runtime-encryption-secret Password used to secure instance metadata in Kubernetes. Yes manage-instance-credentials wlsRTE WebLogic Runtime Encryption Secret
<project>-<instance>-opss-wallet-password-secret Password used to encrypt the FMW wallet. Yes manage-instance-credentials opssWP FMW Wallet Encryption Secret
<project>-<instance>-opss-walletfile-secret Secure storage of FMW wallet. No
  • Automatically during create-instance
  • Manually using manage-instance-credentials opssWF
 FMW Secure Wallet Secret
<project>-<instance>-embedded-ldap-credentials Passwords for OSM's internal users. Yes manage-instance-credentials osmldap OSM Internal User Passwords Secret
<project>-<instance>-oidc-credentials Credentials and connection details for the OIDC IdP in order to secure TMF and Fallout Exception REST APIs. Yes manage-instance-credentials oidc OSM OIDC Credentials Secret
<project>-<instance>-fluentd-credentials Credentials and connection details to the ElasticSearch service. No
  • Required if fluentdLogging.enabled is true
  • manage-instance-credentials fluentd
 OSM Fluentd Credentials Secret
<project>-<instance>-app-tls-cert Certificate and key to access OSM TMF REST APIs, Fallout Exception APIs and UX backend APIs. No
  • Required if ssl.incoming is true
  • manage-instance-credentials gatewaytls
 Certificate and Key to Access the Gateway HTTPS Endpoint
<project>-<instance>-osm-tls-cert Certificate and key to access the OSM HTTPS endpoint. No
  • Required if ssl.incoming is true
  • manage-instance-credentials wlstls (with option WLSIngress or Both)
Certificate and Key to Access the OSM HTTPS Endpoint
<project>-<instance>-admin-tls-cert Certificate and key to access the OSM WebLogic Admin Console HTTPS endpoint. No
  • Required if ssl.incoming is true
  • manage-instance-credentials wlstls (with option WLSIngress or Both)
Certificate and Key to Access the OSM WebLogic Admin Console HTTPS Endpoint
<project>-<instance>-t3-tls-cert Certificate and key to access the OSM t3 over HTTPS endpoint. No
  • Required if ssl.incoming is true in the specification
  • manage-instance-credentials wlstls (with option WLSIngress or Both)
CertificateandkeytoaccesstheOSMt3overHTTPS
<project>-<instance>-truststore Providing OSM with trusted CAs for secure outbound JMS/SAF No
  • Required if ssl.trust is populated in the specification
  • manage-instance-credentials wlstls (with option WLSStore or Both)
Trusted CA Injection
<project>-<instance>-keystore Providing OSM with private keys for secure outbound JMS/SAF or SAML IdP No
  • Required if ssl.identity.name or SAML SSO is enabled.
  • manage-instance-credentials wlstls (with option WLSStore or Both)
Secure Identity
<project>-<instance>-db-wallet Secure storage of details to connect to the ADB database. No
  • Required if adb is used for the OSM instance
  • manage-instance-credentials osmdb
 ADB Wallet Secret
<project>-<instance>-db-secret ADB administrator password. No
  • Required if adb is used for the OSM instance
  • manage-instance-credentials osmdb
 ADB Admin Secret
<project>-<instance>-osmcn-cred-<user> Credentials for custom users defined by the cartridge Credentials required by the cartridge accessed from the map named "osm" No
  • Required if cartridgeUsers is specified, or if cartridge code uses getOsmCredentialPassword
  • manage-cartridge-credentials with
    • cartridgeUsers: "osm:_sysgen_:<username>:secret:<group-list>"
    • getOsmCredentialPassword: "osm:_sysgen_:<username>:secret"
 Cartridge Defined Custom User Credentials
<project>-<instance>-ldap-credentials Information required for OSM to use an external LDAP for human user credentials No
  • Required if 
    authentication.ldap.enabled
    is true
  • manage-osm-ldap-credentials -c create -l
    ldap
 External LDAP Information
<project>-<instance>-openldap-credentials Information required for OSM to use an external OpenLDAP for human user credentials No
  • Required if 
    authentication.openldap.enabled
    is true
  • manage-osm-ldap-credentials -c create -l
    openldap
 External OpenLDAP Information
<project>-<instance>-saf-<remote-system> Credentials to establish SAF connectivity to <remote-system> No
  • Required if secret is named in safConnectionConfig.secretName
  • Create manually
 SAF Credentials
<repository-access-secret> Credentials to access a repository No
  • Required if secret is named in cartridges.[].secret or partitionStatistic.secret
  • Create manually
 Generic Credentials
<project>-<instance>-<securityScheme> Secrets for establishing connections to target systems that are defined in the security scheme. No
  • Required for each targetSystems.securitySchemes.[].name
  • manage-target-system-credentials.sh
Security Scheme Credentials
<project>-<instance>-ssosaml-archive Secure information for OSM to communicate with SAML IdP. No
  • Required if sso.enabled is true in the specification
  • manage-instance-credentials samlsso
SAML Archive for IdP

DB Credentials Secret

Credentials and connection details for OSM DB schemas.

<project>-<instance>-database-credentials
db_connection_string: <db-host-or-ip>:<db-port>/<db-service-name>
db_password: <osmschema-user-password>
db_reports_password: <reportsschema-user-password>
db_reports_user: <reportsschema-user-name>
db_rule_password: <ruleschema-user-password>
db_rule_user: <ruleschema-user-name>
db_service_name: <db-service-name>
db_user: <osmschema-user-name>
dba_password: <dbadmin-password>
dba_user: <dbadmin-user-name>
is_adb:  <Y/N>            -- Y for yes, N for No.

RCU DB Credentials Secret

Credentials and connection details for FMW RCU DB schemas.

<project>-<instance>-rcudb-credentials
is_adb:  <Y/N>            -- Y for yes, N for No.     
rcu_admin_password: <dbadmin-password>
rcu_admin_user: <dbadmin-user-name>
rcu_db_conn_string: <db-host-or-ip>:<db-port>/<db-service-name>
rcu_prefix: <unique-prefix-for-this-instance>
rcu_schema_password: <password-for-all-rcu-schemas>

WebLogic Credentials Secret

WebLogic admin credential.

<project>-<instance>-weblogic-credentials

password: <weblogic-admin-password>
username: <weblogic-admin-username>

WebLogic Runtime Encryption Secret

Password used to secure instance metadata in Kubernetes.

<project>-<instance>-runtime-encryption-secret

password: <runtime-encryption-password>

FMW Wallet Encryption Secret

Password used to secure instance metadata in Kubernetes.

<project>-<instance>-opss-wallet-password-secret

walletPassword: <wallet-encryption-password>

FMW Secure Wallet Secret

Secure storage of FMW wallet.

<project>-<instance>-opss-walletfile-secret

walletFile: <encrypted-wallet>

OSM Internal User Passwords Secret

Passwords for OSM's internal users.

<project>-<instance>-embedded-ldap-credentials

automation_password: <password for oms-automation user>
gateway_internal_password: <password for gateway internal user>
gateway_internal_user: <username for gateway internal user>
internal_password: <password for oms-internal user>
metrics_password: <password for metrics user>
omsadmin_password: <password for omsadmin user>
sceadmin_password: <password for sceadmin user>

OSM OIDC Credentials Secret

Credentials and connection details for the OIDC IdP in order to secure TMF and Fallout Exception REST APIs.

<project>-<instance>-oidc-credentials

app-oidc-audience: <the oidc audience>
app-oidc-base-url: <the oidc base url>
app-oidc-client-id: <the oidc client id>
app-oidc-client-secret: <the oidc client secret>
client-oidc-access-token-url: <the token access url>
client-oidc-scope: <the scope>

OSM Fluentd Credentials Secret

Credentials and connection details to the ElasticSearch service.

<project>-<instance>-fluentd-credentials

elasticsearchhost: <host name of the elastic search server>
elasticsearchpassword: <password to access the elastic search service>
elasticsearchport: <port id of the elastic search service>
elasticsearchuser: <user name to access the elastic search service>

Certificate and Key to Access the Gateway HTTPS Endpoint

Certificate and key to access OSM TMF REST APIs, Fallout Exception APIs and UX backend APIs.

<project>-<instance>-app-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Certificate and Key to Access the OSM HTTPS Endpoint

Certificate and key to access the OSM HTTPS endpoint.

<project>-<instance>-osm-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Certificate and Key to Access the OSM WebLogic Admin Console HTTPS Endpoint

Certificate and key to access the OSM WebLogic Admin Console HTTPS endpoint.

<project>-<instance>-admin-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Certificate and Key to Access the OSM t3 over HTTPS

Certificate and key to access the OSM t3 over HTTPS.

<project>-<instance>-t3-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Trusted CA Injection

CA trust for secure outbound JMS/SAF connections.

<project>-<instance>-truststore

<cert-name>.crt: <concatenated-CA-certs>  
passphrase: <truststore access password>

Secure Identity

Private key to define identity for secure outbound JMS/SAF connections.

<project>-<instance>-identitystore

<key-name>.key: <private key>  
passphrase: <keystore access password>

ADB Wallet Secret

Secure storage of details to connect to the ADB database.

<project>-<instance>-db-wallet

wallet-password: <adb wallet password>
ojdbc.properties: <ojdbc.properties>
tnsnames.ora: <tnsnames.ora>
sqlnet.ora: <sqlnet.ora>
cwallet.sso: <cwallet.sso>
ewallet.p12: <ewallet.p12>
keystore.jks: <keystore.jks>
truststore.jks: <truststore.jks>

ADB Admin Secret

ADB administrator password.

<project>-<instance>-db-secret

admin-password: <Adb administrator password>

Cartridge Defined Custom User Credentials

This example is for a custom user named "osmprime" defined by the cartridge. These three lines will repeat for each custom user, with "osmprime" being replaced by each user in turn.

<project>-<instance>-osmcn-cred-<user>

osmUser_osmprime_groups: <comma-separated list of OSM groups for this user>
osmUser_osmprime_name: <osmprime>
osmUser_osmprime_password: <password for osmprime>

This example is for a cartridge that invokes getOsmCredentialPassword with user "osmsom". These two lines will repeat for each user invoked by the cartridge using getOsmCredentialPassword. 

osmUser_osmsom_name: <osmsom>
osmUser_osmsom_password: <password for osmsom>

External LDAP Information

Credentials and connection details required to connect with the external LDAP server.

<project>-<instance>-ldap-credentials
ldap_credential: <password to access external LDAP>
ldap_groupBaseDn: <base DN on external LDAP to use to look for groups>
ldap_host: <hostname or IP of LDAP server>
ldap_port: <port of LDAP server>
ldap_principal: <LDAP principal to use>
ldap_userBaseDn: <base DN on external LDAP to use to look for users>

External OpenLDAP Information

Credentials and connection details required to connect with the external OpenLDAP server.

<project>-<instance>-openldap-credentials
openldap_credential: <password to access external OpenLDAP>
openldap_groupBaseDn: <base DN on external OpenLDAP to use to look for groups>
openldap_host: <hostname or IP of OpenLDAP server>
openldap_port: <port of OpenLDAP server>
openldap_principal: <OpenLDAP principal to use>
openldap_userBaseDn: <base DN on external OpenLDAP to use to look for users>

SAF Credentials

Each SAF credential secret contains exactly one set of credentials.

SAF Credentials

username: <SAF destination weblogic user name>
password: <password for above user>

Generic Credentials

Each credential secret contains exactly one set of credentials.

Generic Credentials

username: <user name>
password: <password for above user>

Security Scheme Credentials

Secrets for establishing connections to target systems that are defined in the security scheme. It supports two types of authentication: OAuth2 and Username/Password.

  • OAuth2: uses OIDC for authentication

    <project>-<instance>-<securitySchemeName> (OAuth2)

    clientId: <client id>
secret: <secret>

  • Username/Password: uses username and password for authentication

    <project>-<instance>-<securitySchemeName> (userPassword)

    password: <password>
user: <user>

SAML Archive for IdP

Secret to carry the secure information for OSM to be a SAML2 participant for the configured IdP for SSO functionality. Refer to OSM Security Guide for more details.

<project>-<instance>--ssosaml-archive

sso-saml2.zip: <archive of secure IdP information>