Custom Credentials for Inter-Service Communication in Discovery Portal¶

Privacera Discovery communicates with Portal services for various operations through different APIs. By default, the privacera_service_discovery user is used for inter-service communication with default credentials. However, you can configure custom credentials to facilitate secure communication between Discovery and Portal services.

Prerequisites¶

Ensure the following prerequisites are met:

• Discovery is installed and running. Refer Discovery installation steps

Setup¶

To configure custom credentials for inter-service communication between Discovery and Portal, follow these steps:

Migrate to privacera_service_discovery User¶

1. If you are using any other user for inter-service communication, you can migrate to the privacera_service_discovery by updating the discovery configuration.
2. If you are using the privacera_service_discovery user, you can skip this step.
3. The privacera_service_discovery user is recommended for secure communication between Discovery and Portal services.
4. The privacera_service_discovery user is pre-configured with the required permissions for inter-service communication and is available on Privacera Portal by default.
5. Add the following property DISCOVERY_PORTAL_SERVICE_USERNAME to the respective cloud configuration file.

Update Discovery Configuration¶

1. SSH into the instance where Privacera Manager is installed.
2. Navigate to the privacera-manager directory using the following command:

   Bash
   1	cd ~/privacera/privacera-manager

3. Add the following property to the file below:

1

vi config/custom-vars/vars.discovery.aws.yml

1

vi config/custom-vars/vars.discovery.azure.yml

1

vi config/custom-vars/vars.discovery.gcp.yml

1
2
3

DISCOVERY_PORTAL_SERVICE_USERNAME: "privacera_service_discovery"
#Remove or comment the below from custom-vars, if present:
DISCOVERY_PORTAL_SERVICE_PASSWORD

1

DISCOVERY_PORTAL_SERVICE_PASSWORD: "<password>"   # Add the password created in Generate Custom Credentials 

Generate Custom Credentials¶

1. Log in to Privacera:
   • For Self-Managed, log in to the Privacera Portal.
   • For Data Plane, log in to the Privacera Discovery Admin Console.

2. Ensure that the logged-in user holds the ROLE_SYS_ADMIN role to access the User Management section.

   Note

   For more information, refer to User Management.

3. Navigate to Settings > User Management.

4. Select privacera_service_discovery user and click Edit.
5. Click on Edit and add Old Password.
6. To fetch the old password, run the following command:

   Bash
   1 2 3 4	kubectl get pods -n <namespace> kubectl exec -n <namespace> -it <discovery-pod-name> -- bash cd /opt/privacera/conf/discovery/ cat privacera_discovery_custom.properties | grep privacera.discovery.portal.service.password

7. Update the Old Password with the password fetched in the previous step.

   Note

   If keystore is enabled, the property will be prefixed with jceks: prefix. For example, jceks:discovery.portal.service.password. The password will be stored in the keystore file. To fetch the password, run the following command:

   keystore-password - Replace with the keystore password.

   Bash
   1 2 3	cd ~/privacera/privacera-manager ./privacera-manager.sh shell /tools/privacera-keytool.sh -print -keystore output/kubernetes/helm/discovery/conf/discovery-secrets-keystore.jks --list -storepass <keystore-password> -storetype jceks

   For more information, refer to Keystore Configuration.

8. Enter the new password in the New Password and Confirm Password fields.

9. Click Save to update the password.
10. Update the password in the respective cloud configuration file. For more information, refer to Discovery Configuration section.

Restart Privacera Services¶

1
2
3

cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade 

Comments