
Custom Credentials for Inter-Service Communication in Discovery Portal

Privacera Discovery communicates with Portal services for various operations through different APIs. By default, the privacera_service_discovery user is used for inter-service communication with default credentials. However, you can configure custom credentials to facilitate secure communication between Discovery and Portal services.

Prerequisites

Ensure the following prerequisites are met:

  • Discovery is installed and running. Refer to the Discovery installation steps.

Setup

To configure custom credentials for inter-service communication between Discovery and Portal, follow these steps:

Step 1: Migrate to privacera_service_discovery User

  1. If you are using any other user for inter-service communication, migrate to the privacera_service_discovery user by updating the Discovery configuration.
  2. If you are already using the privacera_service_discovery user, skip this step.
  3. The privacera_service_discovery user is the recommended account for secure communication between Discovery and Portal services.
  4. The privacera_service_discovery user is pre-configured with the permissions required for inter-service communication and is available on Privacera Portal by default.
  5. Add the DISCOVERY_PORTAL_SERVICE_USERNAME property to the configuration file for your cloud provider.
  6. For more information, refer to the Discovery Configuration section.

Step 2: Generate Custom Credentials

  1. Log in to Privacera:
    • For Self-Managed, log in to the Privacera Portal.
    • For Data Plane, log in to the Privacera Discovery Admin Console.
  2. Ensure that the logged-in user holds the ROLE_SYS_ADMIN role to access the User Management section.

    Note

    For more information, refer to User Management.

  3. Navigate to Settings > User Management.

  4. Select the privacera_service_discovery user and click Edit.
  5. Click Edit and enter the Old Password.
  6. To fetch the old password, run the following commands:
    Bash
    # Find the Discovery pod, open a shell in it, and read the current Portal service password property
    kubectl get pods -n <namespace>
    kubectl exec -n <namespace> -it <discovery-pod-name> -- bash
    grep privacera.discovery.portal.service.password ../conf/discovery/privacera_discovery_custom.properties
    
  7. Update the Old Password with the password fetched in the previous step.

    Note

    If the keystore is enabled, the property value carries the jceks: prefix (for example, jceks:discovery.portal.service.password) and the password itself is stored in the keystore file rather than in the properties file. To fetch the password from the keystore, run the following commands:

    keystore-password - Replace with the keystore password.

    Bash
    # Open the Privacera Manager shell and list the entries of the Discovery secrets keystore
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh shell
    /tools/privacera-keytool.sh -print -keystore output/kubernetes/helm/discovery/conf/discovery-secrets-keystore.jks --list -storepass <keystore-password> -storetype jceks
    
    For more information, refer to Keystore Configuration.

  8. Enter the new password in the New Password and Confirm Password fields.

  9. Click Save to update the password.

Step 3: Update Discovery Configuration

  1. SSH into the instance where Privacera Manager is installed.
  2. Navigate to the privacera-manager directory using the following command:
    Bash
    cd ~/privacera/privacera-manager
    
  3. Add the following properties to the Discovery configuration file for your cloud provider (open the one that applies):
    Bash
    vi config/custom-vars/vars.discovery.aws.yml
    Bash
    vi config/custom-vars/vars.discovery.azure.yml
    Bash
    vi config/custom-vars/vars.discovery.gcp.yml
    YAML
    DISCOVERY_PORTAL_SERVICE_USERNAME: "privacera_service_discovery"
    DISCOVERY_PORTAL_SERVICE_PASSWORD: "<password>"   # Add the password created in Step 2

Note

To prevent storing the password in plain text, you can enable Vault integration. For more information, refer to Vault Integration.

Restart Privacera Services

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade
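As an added example that is not part of the Privacera documentation or tooling, the script below checks two things an operator may want to verify while following Steps 2 and 3: whether the current value of privacera.discovery.portal.service.password in privacera_discovery_custom.properties is a plain value or a jceks: keystore alias (which decides which retrieval command from Step 2 applies), and whether the vars.discovery.*.yml file still carries the "<password>" placeholder before you run the upgrade. It assumes the key=value and double-quoted YAML formats shown on this page; the sample files are constructed, and neither check prints the secret itself.

```shell
#!/usr/bin/env bash
# Added example (not Privacera's own tooling). Two checks for Steps 2 and 3 of this page.
# Assumptions: key=value lines in the properties file and a double-quoted YAML value in the
# vars file, as shown on the page. Sample files below are constructed for the example.

# Report "plain", "keystore:<alias>" or "missing" for privacera.discovery.portal.service.password.
portal_password_storage() {
  local file="$1" value
  value=$(grep -E '^[[:space:]]*privacera\.discovery\.portal\.service\.password[[:space:]]*=' "$file" \
          | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
  if [ -z "$value" ]; then
    echo "missing"
    return 1
  fi
  case "$value" in
    jceks:*) echo "keystore:${value#jceks:}" ;;   # alias to look up in discovery-secrets-keystore.jks
    *)       echo "plain" ;;
  esac
}

# Succeed only when DISCOVERY_PORTAL_SERVICE_PASSWORD is a non-empty quoted value other than the placeholder.
vars_password_set() {
  local file="$1" line value
  line=$(grep -E '^[[:space:]]*DISCOVERY_PORTAL_SERVICE_PASSWORD[[:space:]]*:' "$file" | tail -n 1)
  case "$line" in
    *\"*\"*) value=$(printf '%s\n' "$line" | sed -E 's/^[^"]*"([^"]*)".*$/\1/') ;;
    *)       value="" ;;   # absent or unquoted: treat as not set
  esac
  [ -n "$value" ] && [ "$value" != "<password>" ]
}

# Constructed sample inputs (no real secrets).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'privacera.discovery.portal.service.password=jceks:discovery.portal.service.password' \
  > "$sample_dir/keystore.properties"
printf '%s\n' 'privacera.discovery.portal.service.password=example-not-a-real-secret' \
  > "$sample_dir/plain.properties"
printf '%s\n' 'DISCOVERY_PORTAL_SERVICE_USERNAME: "privacera_service_discovery"' \
  'DISCOVERY_PORTAL_SERVICE_PASSWORD: "<password>"   # Add the password created in Step 2' \
  > "$sample_dir/vars.placeholder.yml"
printf '%s\n' 'DISCOVERY_PORTAL_SERVICE_PASSWORD: "example-not-a-real-secret"' \
  > "$sample_dir/vars.ok.yml"

portal_password_storage "$sample_dir/keystore.properties"   # keystore:discovery.portal.service.password
portal_password_storage "$sample_dir/plain.properties"      # plain
vars_password_set "$sample_dir/vars.placeholder.yml" || echo "vars.placeholder.yml: placeholder still present"
vars_password_set "$sample_dir/vars.ok.yml" && echo "vars.ok.yml: password set"
```

Run it against the real files inside the Discovery pod and on the Privacera Manager host to confirm you are reading the password from the right place and that the placeholder was replaced before restarting services.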
