Skip to content

Connector Encrypted Secrets

Purpose

For organizations that require all secrets stay within their data boundaries thus requiring SailPoint Entro to never store the actual secret value when onboarding customer's integrations.

Overview

  • Generate a new 2048-bit RSA key pair on the SailPoint Entro Outpost Connector.

  • Set the SECRET_PRIVATE_KEY= value in the .env-connector file for the SailPoint Entro Outpost Connector container.

  • Encrypt Service Account secret/credentials that will be used by SailPoint Entro to connect to integration service with new RSA key.

  • Configure integration(s) in SailPoint Entro UI (Accounts & Integrations page) using newly encrypted secret/credential.

Note

Treat private keys and decrypted secrets as highly sensitive.

Note

Rotate keys per your security policy and coordinate rotations with SailPoint Entro. Customers are advised to back up generated RSA key pair using their sanctioned backup solution.

Steps to Use Connector Encrypted Secrets Feature

Public/Private key pair generation

On the SailPoint Entro Outpost Connector perform the following steps with the openssl tools to create the RSA key pair.

  1. Verify the openssl tools are installed. If not installed, use the appropriate tools to install on the Connector.

    openssl version
    
  2. Generate the Private Key

    openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048
    
  3. Generate the Public key

    openssl rsa -in private.key -pubout -out public.key
    

Setting up the Connector container

  1. Ensure that the SailPoint Entro Outpost Connector container has been stopped

  2. Encode the private key

    cat private.key | base64
    
  3. Add encoded value from private.key to the Connector's environment variables file, .env-connector

    SECRET_PRIVATE_KEY="base64 encoded private key value from above step"
    
  4. Restart the SailPoint Entro Outpost Connector container

Secrets Encryption

In order for SailPoint Entro to use the encrypted secrets you will need to encrypt them with the public key and then encode them with base64. The following steps will need to be performed for all integrations configured in the Accounts & Integrations page of the SailPoint Entro UI.

  1. Create the service account and associated secret/token/API key in the desired integration service.

  2. Store the plaintext secret/token/API key in a file on SailPoint Entro Outpost Connector named creds.txt

  3. Encrypt using the generated public key from earlier

    openssl pkeyutl -encrypt -pubin -inkey public.key -in creds.txt -out creds.encrypted
    
  4. Encode with base64

    base64 -i creds.encrypted > creds.encrypted.b64.txt
    
  5. Copy the now encrypted and encoded secret/token/API key value from the creds.encrypted.b64.txt file.

  6. Navigate to SailPoint Entro Portal UI then Management > Accounts & Integrations. Click "+ Add new account" button and choose the desired integration's tile. Paste the encrypted & encoded value from Step 5 into the relevant secret/token field. For example, for Atlassian integration paste into the "Atlassian token" field: