B Reference of Secrets Created by the Scripts

The secrets created by the OSM cloud native toolkit scripts follow the naming pattern of <project>-<instance>-<suffix>, where the "suffix" differentiates between the secrets.

The following table lists each secret, its purpose, whether it is mandatory ("Must Have?"), how it is created, and the name of the section later in this appendix that describes its contents.

<project>-<instance>-database-credentials
  Purpose: Credentials required for OSM DB schemas.
  Must Have? Yes
  Creation: manage-instance-credentials osmdb
  Details: DB Credentials Secret

<project>-<instance>-gateway-credentials
  Purpose: Credentials and connection details for the OIDC IdP to secure TMF and Fallout Exception REST APIs.
  Must Have? No. Required if omsConfig.project.osm_runtime_type is MultiService.
  Creation: manage-instance-credentials gwOidc
  Details: OSM Gateway OIDC Credentials Secret

<project>-<instance>-oca-credentials
  Purpose: Credentials and connection details for the OIDC IdP to secure OSM Cartridge Assembler (OCA) REST APIs.
  Must Have? No. Required if omsConfig.project.osm_runtime_type is MultiService and osm-cartridge-assembler.enabled is true.
  Creation: manage-instance-credentials.sh ocaOidc
  Details: OCA OIDC Credentials Secret

<project>-<instance>-rcudb-credentials
  Purpose: Credentials required for FMW RCU DB schemas.
  Must Have? Yes
  Creation: manage-instance-credentials rcudb
  Details: RCU DB Credentials Secret

<project>-<instance>-db-ssl-wallet
  Purpose: Credentials and certificates required to connect with a TCPS-enabled database.
  Must Have? No
  Creation: manage-instance-credentials dbwallet
  Details: TCPS DB Wallet Secret

<project>-<instance>-weblogic-credentials
  Purpose: WebLogic admin credential.
  Must Have? Yes
  Creation: manage-instance-credentials wlsadmin
  Details: WebLogic Credentials Secret

<project>-<instance>-runtime-encryption-secret
  Purpose: Password used to secure instance metadata in Kubernetes.
  Must Have? Yes
  Creation: manage-instance-credentials wlsRTE
  Details: WebLogic Runtime Encryption Secret

<project>-<instance>-opss-wallet-password-secret
  Purpose: Password used to encrypt the FMW wallet.
  Must Have? Yes
  Creation: manage-instance-credentials opssWP
  Details: FMW Wallet Encryption Secret

<project>-<instance>-opss-walletfile-secret
  Purpose: Secure storage of the FMW wallet.
  Must Have? No
  Creation: Automatically during create-instance, or manually using manage-instance-credentials opssWF
  Details: FMW Secure Wallet Secret

<project>-<instance>-embedded-ldap-credentials
  Purpose: Passwords for OSM's internal users.
  Must Have? Yes
  Creation: manage-instance-credentials osmldap
  Details: OSM Internal User Passwords Secret

<project>-<instance>-fluentd-credentials
  Purpose: Credentials and connection details for the ElasticSearch service.
  Must Have? No. Required if fluentdLogging.enabled is true.
  Creation: manage-instance-credentials fluentd
  Details: OSM Fluentd Credentials Secret

<project>-<instance>-app-tls-cert
  Purpose: Certificate and key to access OSM TMF REST APIs, Fallout Exception APIs and UX backend APIs.
  Must Have? No. Required if ssl.incoming is true.
  Creation: manage-instance-credentials gatewaytls
  Details: Certificate and Key to Access the Gateway HTTPS Endpoint

<project>-<instance>-osm-tls-cert
  Purpose: Certificate and key to access the OSM HTTPS endpoint.
  Must Have? No. Required if ssl.incoming is true.
  Creation: manage-instance-credentials wlstls (with option WLSIngress or Both)
  Details: Certificate and Key to Access the OSM HTTPS Endpoint

<project>-<instance>-admin-tls-cert
  Purpose: Certificate and key to access the OSM WebLogic Remote Console HTTPS endpoint.
  Must Have? No. Required if ssl.incoming is true.
  Creation: manage-instance-credentials wlstls (with option WLSIngress or Both)
  Details: Certificate and Key to Access the OSM WebLogic Remote Console HTTPS Endpoint

<project>-<instance>-t3-tls-cert
  Purpose: Certificate and key to access the OSM t3 over HTTPS endpoint.
  Must Have? No. Required if ssl.incoming is true in the specification.
  Creation: manage-instance-credentials wlstls (with option WLSIngress or Both)
  Details: Certificate and Key to Access the OSM t3 over HTTPS

<project>-<instance>-truststore
  Purpose: Provides OSM with trusted CAs for secure outbound JMS/SAF.
  Must Have? No. Required if ssl.trust is populated in the specification.
  Creation: manage-instance-credentials wlstls (with option WLSStore or Both)
  Details: Trusted CA Injection

<project>-<instance>-keystore
  Purpose: Provides OSM with private keys for secure outbound JMS/SAF or SAML IdP.
  Must Have? Yes. Required if ssl.identity.name or SAML SSO is enabled; required when SSL is enabled, or a custom trust keystore is configured.
  Creation: manage-instance-credentials wlstls (with option WLSStore or Both)
  Details: Secure Identity

<project>-<instance>-db-wallet
  Purpose: Secure storage of details to connect to the ADB database.
  Must Have? No. Required if ADB is used for the OSM instance.
  Creation: manage-instance-credentials osmdb
  Details: ADB Wallet Secret

<project>-<instance>-db-secret
  Purpose: ADB administrator password.
  Must Have? No. Required if ADB is used for the OSM instance.
  Creation: manage-instance-credentials osmdb
  Details: ADB Admin Secret

<project>-<instance>-osmcn-cred-<user>
  Purpose: Credentials for custom users defined by the cartridge, and credentials required by the cartridge that are accessed from the map named "osm".
  Must Have? No. Required if cartridgeUsers is specified, or if cartridge code uses getOsmCredentialPassword.
  Creation: manage-cartridge-credentials with
    • cartridgeUsers: "osm:_sysgen_:<username>:secret:<group-list>"
    • getOsmCredentialPassword: "osm:_sysgen_:<username>:secret"
  Details: Cartridge Defined Custom User Credentials

<project>-<instance>-ldap-credentials
  Purpose: Information required for OSM to use an external LDAP for human user credentials.
  Must Have? No. Required if authentication.ldap.enabled is true.
  Creation: manage-osm-ldap-credentials -c create -l ldap
  Details: External LDAP Information

<project>-<instance>-saf-<remote-system>
  Purpose: Credentials to establish SAF connectivity to <remote-system>.
  Must Have? No. Required if the secret is named in safConnectionConfig.secretName.
  Creation: Create manually
  Details: SAF Credentials

<project>-<instance>-global-trust-credentials
  Purpose: Shared password for configuring global trust.
  Must Have? No. Required if domainTrust.enabled (deprecated) or domainTrust.globalEnabled is true.
  Creation: Create manually
  Details: Global Trust Credentials

<remote-domain-secret>
  Purpose: User credentials for the cross-domain users in the remote domain.
  Must Have? No. Required if domainTrust.crossDomain.enabled is true.
  Creation: Create manually
  Details: Cross Domain Users in Remote Domains

<project>-<instance>-crossdomain-users
  Purpose: User credentials for the cross-domain users in OSM cloud native.
  Must Have? No. Required if domainTrust.crossDomain.enabled is true and you have a list of cross-domain users in the specification.
  Creation: manage-instance-credentials xtrust
  Details: Xtrust Secret

<repository-access-secret>
  Purpose: Credentials to access a repository.
  Must Have? No. Required if the secret is named in cartridges.[].secret or partitionStatistic.secret.
  Creation: Create manually
  Details: Generic Credentials

<project>-<instance>-<securityScheme>
  Purpose: Secrets for establishing connections to target systems that are defined in the security scheme.
  Must Have? No. Required for each targetSystems.securitySchemes.[].name.
  Creation: manage-target-system-credentials.sh
  Details: Security Scheme Credentials

<project>-<instance>-ssosaml-archive
  Purpose: Secure information for OSM to communicate with the SAML IdP.
  Must Have? No. Required if sso.enabled is true in the specification.
  Creation: manage-instance-credentials samlsso
  Details: SAML Archive for IdP

<git-repo-secret>
  Purpose: Credentials to access a repository.
  Must Have? No. Required if Continuous Delivery is used and a GitRepository resource in the Flux-CD configuration refers to a secured Git repository.
  Creation: Create manually
  Details: Git Access Secret

OSM Gateway OIDC Credentials Secret

Credentials and connection details for the OIDC IdP to secure TMF and Fallout Exception REST APIs.

<project>-<instance>-gateway-credentials
oidc-base-url: <the oidc base url>
oidc-access-token-url: <the token access url>
tmf-oidc-client-id: <the oidc client id>
tmf-oidc-client-secret: <the oidc client secret>
fallout-oidc-client-id: <the oidc client id>
fallout-oidc-client-secret: <the oidc client secret>

OCA OIDC Credentials Secret

Credentials and connection details for the OIDC IdP to secure OCA REST APIs.

<project>-<instance>-oca-credentials
oidc-base-url: <the oidc base url>
oidc-access-token-url: <the token access url>
oca-oidc-client-id: <the oidc client id>
oca-oidc-client-secret: <the oidc client secret>
scd-oidc-access-token-url: <optional access token url of SCD app>
scd-oidc-client-id: <optional client id of SCD app>
scd-oidc-client-secret: <optional client secret of SCD app>
scd-oidc-scope: <optional scope of SCD app>

DB Credentials Secret

Credentials required for OSM DB schemas.

<project>-<instance>-database-credentials
db_password: <osmschema-user-password>
db_reports_password: <reportsschema-user-password>
db_reports_user: <reportsschema-user-name>
db_rule_password: <ruleschema-user-password>
db_rule_user: <ruleschema-user-name>
db_service_name: <db-service-name>
db_user: <osmschema-user-name>
dba_password: <dbadmin-password>
dba_user: <dbadmin-user-name>
is_adb: <Y/N> -- Y for yes, N for No.

RCU DB Credentials Secret

Credentials required for FMW RCU DB schemas.

<project>-<instance>-rcudb-credentials
is_adb: <Y/N> -- Y for yes, N for No.
rcu_prefix: <unique-prefix-for-this-instance>
rcu_schema_password: <password-for-all-rcu-schemas>

TCPS DB Wallet Secret

Credentials and certificates required to connect with TCPS enabled database.

<project>-<instance>-db-ssl-wallet

ewallet.p12: <credentials and certificates required to connect with DB>
cwallet.sso: <provides ability to open the wallet without password>

WebLogic Credentials Secret

WebLogic admin credential.

<project>-<instance>-weblogic-credentials

password: <weblogic-admin-password>
username: <weblogic-admin-username>

WebLogic Runtime Encryption Secret

Password used to secure instance metadata in Kubernetes.

<project>-<instance>-runtime-encryption-secret

password: <runtime-encryption-password>

FMW Wallet Encryption Secret

Password used to encrypt the FMW wallet.

<project>-<instance>-opss-wallet-password-secret

walletPassword: <wallet-encryption-password>

FMW Secure Wallet Secret

Secure storage of FMW wallet.

<project>-<instance>-opss-walletfile-secret

walletFile: <encrypted-wallet>

OSM Internal User Passwords Secret

Passwords for OSM's internal users.

<project>-<instance>-embedded-ldap-credentials

automation_password: <password for oms-automation user>
gateway_internal_password: <password for gateway internal user>
gateway_internal_user: <username for gateway internal user>
internal_password: <password for oms-internal user>
metrics_password: <password for metrics user>
omsadmin_password: <password for omsadmin user>
sceadmin_password: <password for sceadmin user>

OSM OIDC Credentials Secret

Credentials and connection details for the OIDC IdP in order to secure TMF and Fallout Exception REST APIs.

<project>-<instance>-oidc-credentials

app-oidc-audience: <the oidc audience>
app-oidc-base-url: <the oidc base url>
app-oidc-client-id: <the oidc client id>
app-oidc-client-secret: <the oidc client secret>
client-oidc-access-token-url: <the token access url>
client-oidc-scope: <the scope>

OSM Fluentd Credentials Secret

Credentials and connection details to the ElasticSearch service.

<project>-<instance>-fluentd-credentials

elasticsearchhost: <host name of the elastic search server>
elasticsearchpassword: <password to access the elastic search service>
elasticsearchport: <port id of the elastic search service>
elasticsearchuser: <user name to access the elastic search service>

Certificate and Key to Access the Gateway HTTPS Endpoint

Certificate and key to access OSM TMF REST APIs, Fallout Exception APIs and UX backend APIs.

<project>-<instance>-app-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Certificate and Key to Access the OSM HTTPS Endpoint

Certificate and key to access the OSM HTTPS endpoint.

<project>-<instance>-osm-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Certificate and Key to Access the OSM WebLogic Remote Console HTTPS Endpoint

Certificate and key to access the OSM WebLogic Remote Console HTTPS endpoint.

<project>-<instance>-admin-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Certificate and Key to Access the OSM t3 over HTTPS

Certificate and key to access the OSM t3 over HTTPS.

<project>-<instance>-t3-tls-cert

tls.crt: <TLS access certificate>  
tls.key: <TLS access key>

Trusted CA Injection

CA trust for secure outbound JMS/SAF connections.

<project>-<instance>-truststore

<cert-name>.crt: <concatenated-CA-certs>  
passphrase: <truststore access password>

Secure Identity

Private key to define identity for secure outbound JMS/SAF or SAML IdP connections.

<project>-<instance>-identitystore

<key-name>.key: <private key>  
passphrase: <keystore access password>

ADB Wallet Secret

Secure storage of details to connect to the ADB database.

<project>-<instance>-db-wallet

wallet-password: <adb wallet password>
ojdbc.properties: <ojdbc.properties>
tnsnames.ora: <tnsnames.ora>
sqlnet.ora: <sqlnet.ora>
cwallet.sso: <cwallet.sso>
ewallet.p12: <ewallet.p12>
keystore.jks: <keystore.jks>
truststore.jks: <truststore.jks>

ADB Admin Secret

ADB administrator password.

<project>-<instance>-db-secret

admin-password: <Adb administrator password>

Cartridge Defined Custom User Credentials

This example is for a custom user named "osmprime" defined by the cartridge. These three lines repeat for each custom user, with "osmprime" replaced by that user's name.

<project>-<instance>-osmcn-cred-<user>

osmUser_osmprime_groups: <comma-separated list of OSM groups for this user>
osmUser_osmprime_name: <osmprime>
osmUser_osmprime_password: <password for osmprime>

This example is for a cartridge that invokes getOsmCredentialPassword with the user "osmsom". These two lines repeat for each user that the cartridge references through getOsmCredentialPassword.

osmUser_osmsom_name: <osmsom>
osmUser_osmsom_password: <password for osmsom>

External LDAP Information

Credentials and connection details required to connect with the external LDAP server.

<project>-<instance>-ldap-credentials
ldap_credential: <password to access external LDAP>
ldap_groupBaseDn: <base DN on external LDAP to use to look for groups>
ldap_host: <hostname or IP of LDAP server>
ldap_port: <port of LDAP server>
ldap_principal: <LDAP principal to use>
ldap_userBaseDn: <base DN on external LDAP to use to look for users>

SAF Credentials

Each SAF credential secret contains exactly one set of credentials.

<project>-<instance>-saf-<remote-system>

username: <SAF destination weblogic user name>
password: <password for above user>

Global Trust Credentials

Shared password for establishing global trust with those domains with which OSM cloud native communicates.

<project>-<instance>-global-trust-credentials

password: <shared trust password>

Cross Domain Users in Remote Domains

Secret(s) for remote users configured in each remote domain with which OSM cloud native communicates.

<remote-domain-secret>

username: <user configured in remote domain>
password: <password for above user as configured in remote domain>

Xtrust Secret

Credential for each of the cross-domain users to be configured in an OSM cloud native instance.

<project>-<instance>-crossdomain-users

<cross-domain-user-1>_password: <local password for cross-domain-user-1>
<cross-domain-user-2>_password: <local password for cross-domain-user-2>...

Generic Credentials

Each credential secret contains exactly one set of credentials.

<repository-access-secret>

username: <user name>
password: <password for above user>

Security Scheme Credentials

Secrets for establishing connections to target systems that are defined in the security scheme. Two types of authentication are supported: OAuth2 and Username/Password.

  • OAuth2: uses OIDC for authentication

    <project>-<instance>-<securitySchemeName> (OAuth2)

    clientId: <client id>
    secret: <secret>
  • Username/Password: uses username and password for authentication

    <project>-<instance>-<securitySchemeName> (userPassword)

    password: <password>
    user: <user>

SAML Archive for IdP

Secret to carry the secure information for OSM to be a SAML2 participant for the configured IdP for SSO functionality. Refer to OSM Security Guide for more details.

<project>-<instance>-ssosaml-archive

sso-saml2.zip: <archive of secure IdP information>

Git Access Secret

Access credentials for secured git repositories.

<git-repo-secret>

username: <your-git-username>
password: <your-git-access-token>
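A practical use of this reference is a preflight check before create-instance: confirm that every secret the table marks as mandatory, plus those whose "Required if" condition holds for your specification, exists in the namespace and carries the keys listed in the sections above. The script below is an added example and is not part of the OSM cloud native toolkit. It assumes the instance specification has already been converted to JSON, that the secret inventory is the parsed output of `kubectl get secrets -n <namespace> -o json`, and that the spec flags it tests (ssl.incoming, fluentdLogging.enabled, authentication.ldap.enabled, sso.enabled, domainTrust.globalEnabled, domainTrust.enabled, omsConfig.project.osm_runtime_type) are stored as plain booleans or strings. The project name "sr", instance name "quick" and the embedded secret inventory are constructed sample data. Only secret names and key names are examined; values are never decoded.

```python
"""Preflight check for OSM cloud native secrets (added example, not toolkit code).

Reports secrets that the reference table marks as required but are missing,
and keys that the per-secret sections list but the existing secret lacks.
Only metadata.name and the key names under data are inspected.
"""
import json
import sys

# "Must Have? Yes" rows of the table, with the keys from their sections.
ALWAYS_REQUIRED = {
    "database-credentials": [
        "db_password", "db_reports_password", "db_reports_user", "db_rule_password",
        "db_rule_user", "db_service_name", "db_user", "dba_password", "dba_user", "is_adb"],
    "rcudb-credentials": ["is_adb", "rcu_prefix", "rcu_schema_password"],
    "weblogic-credentials": ["username", "password"],
    "runtime-encryption-secret": ["password"],
    "opss-wallet-password-secret": ["walletPassword"],
    "embedded-ldap-credentials": [
        "automation_password", "gateway_internal_password", "gateway_internal_user",
        "internal_password", "metrics_password", "omsadmin_password", "sceadmin_password"],
}
TLS_KEYS = ["tls.crt", "tls.key"]


def spec_value(spec, dotted_path):
    """Return the value at a dotted path in the parsed specification, or None if absent."""
    node = spec
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


# Conditionally required secrets: (predicate over the spec, name suffix, keys).
# The predicates mirror the "Required if ..." conditions of the table; they assume
# the flags are parsed as booleans / strings.
CONDITIONAL = [
    (lambda s: spec_value(s, "ssl.incoming") is True, "app-tls-cert", TLS_KEYS),
    (lambda s: spec_value(s, "ssl.incoming") is True, "osm-tls-cert", TLS_KEYS),
    (lambda s: spec_value(s, "ssl.incoming") is True, "admin-tls-cert", TLS_KEYS),
    (lambda s: spec_value(s, "ssl.incoming") is True, "t3-tls-cert", TLS_KEYS),
    (lambda s: spec_value(s, "fluentdLogging.enabled") is True, "fluentd-credentials",
     ["elasticsearchhost", "elasticsearchpassword", "elasticsearchport", "elasticsearchuser"]),
    (lambda s: spec_value(s, "authentication.ldap.enabled") is True, "ldap-credentials",
     ["ldap_credential", "ldap_groupBaseDn", "ldap_host", "ldap_port",
      "ldap_principal", "ldap_userBaseDn"]),
    (lambda s: spec_value(s, "sso.enabled") is True, "ssosaml-archive", ["sso-saml2.zip"]),
    (lambda s: spec_value(s, "domainTrust.globalEnabled") is True
     or spec_value(s, "domainTrust.enabled") is True,
     "global-trust-credentials", ["password"]),
    (lambda s: spec_value(s, "omsConfig.project.osm_runtime_type") == "MultiService",
     "gateway-credentials",
     ["oidc-base-url", "oidc-access-token-url", "tmf-oidc-client-id",
      "tmf-oidc-client-secret", "fallout-oidc-client-id", "fallout-oidc-client-secret"]),
]


def expected_secrets(spec):
    """Map of required secret-name suffix -> expected keys for this specification."""
    expected = dict(ALWAYS_REQUIRED)
    for predicate, suffix, keys in CONDITIONAL:
        if predicate(spec):
            expected[suffix] = keys
    return expected


def check_secrets(project, instance, spec, secret_list):
    """Return problem strings in secret-name order; an empty list means all present."""
    present = {item["metadata"]["name"]: set(item.get("data", {}))
               for item in secret_list.get("items", [])}
    problems = []
    for suffix, keys in sorted(expected_secrets(spec).items()):
        name = f"{project}-{instance}-{suffix}"
        if name not in present:
            problems.append(f"missing secret: {name}")
            continue
        for key in keys:
            if key not in present[name]:
                problems.append(f"{name}: missing key {key}")
    return problems


def _secret(name, keys):
    """Constructed stand-in for one item of `kubectl get secrets -o json` output."""
    return {"metadata": {"name": name}, "data": {k: "cGxhY2Vob2xkZXI=" for k in keys}}


# Constructed sample: project "sr", instance "quick", TLS ingress enabled.
# The t3 certificate secret is absent and the WebLogic secret lacks its password.
SAMPLE_SPEC = {"ssl": {"incoming": True}, "fluentdLogging": {"enabled": False}}
SAMPLE_SECRETS = {"items": [
    _secret(f"sr-quick-{suffix}", keys) for suffix, keys in ALWAYS_REQUIRED.items()
    if suffix != "weblogic-credentials"
] + [
    _secret("sr-quick-weblogic-credentials", ["username"]),
    _secret("sr-quick-app-tls-cert", TLS_KEYS),
    _secret("sr-quick-osm-tls-cert", TLS_KEYS),
    _secret("sr-quick-admin-tls-cert", TLS_KEYS),
]}

if __name__ == "__main__":
    if len(sys.argv) == 5:  # usage: project instance spec.json secrets.json
        with open(sys.argv[3]) as f_spec, open(sys.argv[4]) as f_sec:
            found = check_secrets(sys.argv[1], sys.argv[2], json.load(f_spec), json.load(f_sec))
    else:
        found = check_secrets("sr", "quick", SAMPLE_SPEC, SAMPLE_SECRETS)
    print("\n".join(found) or "all required secrets and keys present")
    sys.exit(1 if found else 0)
```

Run with no arguments to exercise the constructed sample, which reports the missing t3 certificate secret and the missing WebLogic password key; with `project instance spec.json secrets.json` it checks a real inventory. The exit status is non-zero when anything is missing, so the check can gate a pipeline step. Secrets that the table says are created manually or that depend on per-cartridge or per-remote-system names (SAF, cross-domain, repository and security-scheme secrets) are not modelled because their names come from the specification rather than from fixed suffixes; extending CONDITIONAL with those entries is the natural next step for a given deployment.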