
Custom Credentials for Inter-Service Communication in Discovery Portal

Privacera Discovery communicates with Portal services for various operations through different APIs. By default, the privacera_service_discovery user is used for inter-service communication with default credentials. However, you can configure custom credentials to facilitate secure communication between Discovery and Portal services.

Prerequisites

Ensure the following prerequisites are met:

  • Discovery is installed and running. Refer to the Discovery installation steps.

Setup

To configure custom credentials for inter-service communication between Discovery and Portal, follow these steps:

Migrate to privacera_service_discovery User

  1. If you are using any other user for inter-service communication, migrate to privacera_service_discovery by updating the Discovery configuration.
  2. If you are already using the privacera_service_discovery user, skip this step.
  3. The privacera_service_discovery user is recommended for secure communication between Discovery and Portal services.
  4. The privacera_service_discovery user is pre-configured with the permissions required for inter-service communication and is available on Privacera Portal by default.
  5. Add the DISCOVERY_PORTAL_SERVICE_USERNAME property to the configuration file for your cloud provider (see Update Discovery Configuration).

Update Discovery Configuration

  1. SSH into the instance where Privacera Manager is installed.
  2. Navigate to the privacera-manager directory using the following command:
    Bash
    cd ~/privacera/privacera-manager
    
  3. Open the configuration file for your cloud provider (one of the following):
    Bash
    vi config/custom-vars/vars.discovery.aws.yml    # AWS
    vi config/custom-vars/vars.discovery.azure.yml  # Azure
    vi config/custom-vars/vars.discovery.gcp.yml    # GCP

    Add the following property to that file:
    Bash
    DISCOVERY_PORTAL_SERVICE_USERNAME: "privacera_service_discovery"
    # Remove or comment out the following property in custom-vars, if present:
    DISCOVERY_PORTAL_SERVICE_PASSWORD

Note

If you are using vault, update DISCOVERY_PORTAL_SERVICE_PASSWORD in the vault secret.

Once you update the username, restart the Privacera services. For more information, refer to Restart Privacera Services.

The privacera_service_discovery user uses the default credentials for inter-service communication until you set a custom password.

To replace the default password, generate a new one as described in the Generate Custom Credentials section, then add it to the same cloud configuration file:

Bash
DISCOVERY_PORTAL_SERVICE_PASSWORD: "<password>"   # the password created in Generate Custom Credentials

Note

To prevent storing the password in plain text, you can enable Vault integration. For more information, refer to Vault Integration.

Once you update the password, restart the Privacera services. For more information, refer to Restart Privacera Services.
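The note above recommends against leaving the password in plain text. The following script is an added example and is not part of the Privacera documentation or product: it audits the vars.discovery.*.yml files for an inline DISCOVERY_PORTAL_SERVICE_PASSWORD and reports, per file, whether the password is stored in plain text, delegated to the jceks: keystore (the prefix described under Generate Custom Credentials), or absent with only the username set. The flat KEY: value layout, the constructed sample file contents and the function names (yaml_value, audit_discovery_vars, demo_audit) are assumptions of the example, not anything the page states.

```shell
#!/usr/bin/env bash
# Added example, not part of the Privacera documentation: audit the Discovery
# custom-vars files for a plaintext DISCOVERY_PORTAL_SERVICE_PASSWORD.
# Assumptions (mine, not the page's): files use the flat "KEY: value" YAML
# layout shown in the docs, and a value starting with "jceks:" is a keystore
# reference as the page's keystore note describes.

# yaml_value FILE KEY -> prints the value of the first active "KEY: value" line,
# with a trailing " # comment" and surrounding quotes removed. Commented-out
# lines ("#KEY: ...") are ignored because the pattern is anchored at ^.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# audit_discovery_vars FILE... -> one "FILE<TAB>STATE" line per file:
#   plaintext    password is stored inline in the file (finding)
#   keystore     password is a jceks: reference, secret lives in the keystore
#   no-username  DISCOVERY_PORTAL_SERVICE_USERNAME is not set
#   ok           username set and no inline password (vault/default path)
#   missing      file does not exist
# Returns 1 if any file holds a plaintext password, otherwise 0.
audit_discovery_vars() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            printf '%s\tmissing\n' "$f"
            continue
        fi
        user=$(yaml_value "$f" DISCOVERY_PORTAL_SERVICE_USERNAME)
        pass=$(yaml_value "$f" DISCOVERY_PORTAL_SERVICE_PASSWORD)
        case "$pass" in
            "")       state=ok ;;
            jceks:*)  state=keystore ;;
            *)        state=plaintext; rc=1 ;;
        esac
        if [ "$state" = ok ] && [ -z "$user" ]; then
            state=no-username
        fi
        printf '%s\t%s\n' "$f" "$state"
    done
    return "$rc"
}

# demo_audit -> writes three constructed sample files to a temp dir, runs the
# audit over them, prints the report plus the audit's exit code, and cleans up.
demo_audit() {
    dir=$(mktemp -d)
    # constructed sample: layout the docs recommend (password removed)
    printf 'DISCOVERY_PORTAL_SERVICE_USERNAME: "privacera_service_discovery"\n#DISCOVERY_PORTAL_SERVICE_PASSWORD: "old"\n' > "$dir/vars.discovery.aws.yml"
    # constructed sample: password committed in plain text
    printf 'DISCOVERY_PORTAL_SERVICE_USERNAME: "privacera_service_discovery"\nDISCOVERY_PORTAL_SERVICE_PASSWORD: "s3cr3t"   # added in Generate Custom Credentials\n' > "$dir/vars.discovery.azure.yml"
    # constructed sample: password delegated to the jceks keystore
    printf 'DISCOVERY_PORTAL_SERVICE_PASSWORD: jceks:discovery.portal.service.password\n' > "$dir/vars.discovery.gcp.yml"
    ( cd "$dir" && {
        result=0
        audit_discovery_vars vars.discovery.aws.yml vars.discovery.azure.yml vars.discovery.gcp.yml || result=$?
        echo "exit=$result"
    } )
    rm -rf "$dir"
    return 0
}

demo_audit
```

Run it from the privacera-manager directory as `audit_discovery_vars config/custom-vars/vars.discovery.*.yml`; the non-zero exit status on a plaintext finding makes it usable as a pre-commit or CI gate for the custom-vars directory.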

Generate Custom Credentials

  1. Log in to Privacera:
    • For Self-Managed, log in to the Privacera Portal.
    • For Data Plane, log in to the Privacera Discovery Admin Console.
  2. Ensure that the logged-in user holds the ROLE_SYS_ADMIN role to access the User Management section.

    Note

    For more information, refer to User Management.

  3. Navigate to Settings > User Management.

  4. Select the privacera_service_discovery user and click Edit.
  5. Click Edit and enter the Old Password.
  6. To fetch the old password, run the following commands, replacing <namespace> and <discovery-pod-name> with your values:
    Bash
    kubectl get pods -n <namespace>
    kubectl exec -n <namespace> -it <discovery-pod-name> -- bash
    cd /opt/privacera/conf/discovery/
    cat privacera_discovery_custom.properties | grep privacera.discovery.portal.service.password
    
  7. Update the Old Password with the password fetched in the previous step.

    Note

    If the keystore is enabled, the property value carries the jceks: prefix, for example jceks:discovery.portal.service.password, and the password itself is stored in the keystore file. To fetch the password from the keystore, run the following commands, replacing <keystore-password> with the keystore password:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh shell
    /tools/privacera-keytool.sh -print -keystore output/kubernetes/helm/discovery/conf/discovery-secrets-keystore.jks --list -storepass <keystore-password> -storetype jceks
    
    For more information, refer to Keystore Configuration.

  8. Enter the new password in the New Password and Confirm Password fields.

  9. Click Save to update the password.
  10. Update the password in the configuration file for your cloud provider. For more information, refer to the Update Discovery Configuration section.

Restart Privacera Services

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade
