Configuring
Implementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and later and EDB Postgres Extended Server version 15.2 and later requires the following components:
- EDB Postgres Distribution (15.2 or later)
- Hashicorp Vault Enterprise version 1.13.2+ent or 1.12.6+ent
- PyKMIP
- Python
Note
We refer to EDB Postgres Advanced Server version 15.2 and later and EDB Postgres Extended Server version 15.2 and later products as EDB Postgres distribution. The specific distribution type depends on your needs and preferences.
Prerequisites
- A running EDB Postgres distribution with Python and PyKMIP installed
- Hashicorp Vault Enterprise edition with enterprise licensing installed and deployed per your VM environment
Check/install Python on server
Many Unix-compatible operating systems, such as macOS and some Linux distributions, have Python installed by default, as it's included in a base installation.
To check your version of Python on your machine, or to see if it's installed, enter `python3`. The Python version is returned. You can also enter `ps -ef | grep python` to return a running Python process.
If you run a check and find that your system doesn't have Python installed, you can download it from Python.org. Select your OS and download and install it on your system.
Install PyKMIP
Once your EDB Repository is installed on your server, you can then install the PyKMIP utility.
- As root user, issue the `install python3-pykmip` command. This example uses a RHEL8 server, so the command is `dnf install python3-pykmip`.
The output looks something like:
Configure Hashicorp Vault KMIP secrets engine
Note
You have to set the `VAULT_ADDR` environment variable to the Hashicorp Vault API IP address and port before you can configure the Hashicorp Vault server. If you receive the error message `Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client`, enter this command at your command line: `export VAULT_ADDR="http://127.0.0.1:8200"`.
After your Hashicorp Vault configuration is installed and deployed per the guidelines in the Hashicorp documentation, you then need to enable the KMIP capabilities.
Assume root user.
As the root user, enter `vault secrets enable kmip`:
You then need to configure the Hashicorp Vault secrets engine with the desired KMIP listener address.
- Enter `vault write kmip/config listen_addrs=0.0.0.0:5696`:
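Added example, not part of the EDB or Hashicorp documentation: a bash preflight that classifies the two address values used above, the `VAULT_ADDR` from the note (an `http://` address means the CLI talks to the Vault API without TLS) and the `listen_addrs` entry (`0.0.0.0` binds the KMIP listener on every IPv4 interface). The function names and the `10.0.0.5` sample address are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not EDB or Hashicorp code): classify this page's address settings.

# Succeeds for localhost, ::1 and dotted-quad 127.x.x.x addresses.
is_loopback() {
    case "$1" in
        localhost|::1) return 0 ;;
        *[!0-9.]*)     return 1 ;;   # other hostnames, e.g. 127.example.test
        127.*)         return 0 ;;
        *)             return 1 ;;
    esac
}

# VAULT_ADDR -> tls | plaintext-loopback | plaintext-remote | invalid
classify_vault_addr() {
    local host
    case "$1" in
        https://?*) echo "tls"; return ;;
        http://?*)  host="${1#http://}" ;;
        *)          echo "invalid"; return ;;
    esac
    host="${host%%/*}"                                   # drop any path
    case "$host" in
        \[*) host="${host#\[}"; host="${host%%\]*}" ;;   # [::1]:8200 -> ::1
        *)   host="${host%%:*}" ;;                       # 127.0.0.1:8200 -> 127.0.0.1
    esac
    if is_loopback "$host"; then echo "plaintext-loopback"; else echo "plaintext-remote"; fi
}

# One listen_addrs entry (host:port) -> all-interfaces | loopback | specific | invalid
classify_listen_addr() {
    local host="${1%:*}" port="${1##*:}"
    case "$port" in ''|*[!0-9]*) echo "invalid"; return ;; esac
    host="${host#\[}"; host="${host%\]}"                 # strip IPv6 brackets
    if [ "$host" = "$1" ] || [ -z "$host" ]; then echo "invalid"; return; fi
    case "$host" in
        0.0.0.0|::) echo "all-interfaces" ;;
        *) if is_loopback "$host"; then echo "loopback"; else echo "specific"; fi ;;
    esac
}

# Report on the values shown on this page (10.0.0.5 is a constructed sample).
for a in "http://127.0.0.1:8200" "https://127.0.0.1:8200"; do
    printf 'VAULT_ADDR=%s -> %s\n' "$a" "$(classify_vault_addr "$a")"
done
for l in "0.0.0.0:5696" "10.0.0.5:5696"; do
    printf 'listen_addrs=%s -> %s\n' "$l" "$(classify_listen_addr "$l")"
done
```

A `plaintext-remote` or `all-interfaces` result is the case to review before the host is reachable from other networks: KMIP clients only need to reach the listener on the interface the database servers use.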