# Set up and configure Vault
To set up and configure Vault, perform the following steps:

1. Download and install Vault.
2. Configure Vault.
3. Configure TCP listeners in the Vault configuration file.
4. Start the dev server.
5. Verify the server is running.
6. Access the Vault UI and modify the default ACL policy (optional).
7. Restart the dev server if it times out.

The following sections show you how to perform these tasks.

This integration guide assumes you are running the Vault server in dev mode. When deploying Vault in a production setting, you must consider other things, such as the storage backend, but most concepts apply to both dev and production. For specifics on how to deploy Vault in a production environment, refer to the HashiCorp Vault documentation: https://learn.hashicorp.com/tutorials/vault/getting-started-deploy. For more information about how the dev server works, refer to https://www.vaultproject.io/docs/concepts/dev-server.

## Download and install Vault

Refer to the HashiCorp Vault documentation at the following link for instructions on how to download and install the Vault application: https://www.vaultproject.io/docs/install. The second installation option at the preceding link uses a precompiled binary. Download these binaries at the following URL: https://www.vaultproject.io/downloads.

To verify Vault works, run the following command on your system. You should see the help output. If you execute it from the command line, make sure the `vault` command is on your `PATH`, or you might get an error about `vault` not being found.

```bash
vault -h
```

## Configure Vault

Vault uses documented sane defaults, so you need to set only non-default values in the configuration file.

1. Run the following command to create the `/etc/vault.d` directory:

   ```bash
   sudo mkdir --parents /etc/vault.d
   ```

2. Run the following command to create a Vault configuration file, `vault.hcl`:

   ```bash
   sudo touch /etc/vault.d/vault.hcl
   ```

3. Run the following command to create a unique, non-privileged system user to run Vault:

   ```bash
   sudo useradd --system --home /etc/vault.d --shell /bin/false vault
   ```

4. Run the following command to set the ownership of the `/etc/vault.d` directory:

   ```bash
   sudo chown --recursive vault:vault /etc/vault.d
   ```

5. Run the following command to set the file permissions:

   ```bash
   sudo chmod 640 /etc/vault.d/vault.hcl
   ```

## Configure TCP listeners in the Vault configuration file

To configure the TCP listener addresses, you must edit the `listener` stanza, or selection of lines, in the `vault.hcl` file on your server. The `tcp` listener configures Vault to listen on a TCP address and port, as shown in the following example:

```hcl
listener "tcp" {
  address = "127.0.0.1:8200"
}
```

You can specify the `listener` stanza more than once to make Vault listen on multiple interfaces. If you configure multiple listeners, you also need to specify `api_addr` and `cluster_addr` so Vault advertises the correct address to other nodes.

The following sample `vault.hcl` configuration file (used for demonstration in this guide) shows Vault listening on a private interface as well as localhost. You must customize the values defined in the `vault.hcl` file for each specific use case (such as IP addresses, ports, and file paths to certificates).

```hcl
# Configure the storage backend for Vault
storage "file" {
  path = "/tmp/vault"
}

# Address and port on which Vault responds to requests from the KMES Series 3
listener "tcp" {
  address       = "10.0.5.118:8210"
  tls_disable   = false
  tls_cert_file = "/home/bbarrows/documents/vault/client_cert.pem"
  tls_key_file  = "/home/bbarrows/documents/vault/client_privatekey.pem"
}

# Enable the Vault web UI
ui = true

# Disable mlock (mlock locks process memory pages so they cannot be swapped to disk)
disable_mlock = true
```

The comments above each block in the file explain what the defined lines do. Critically, note that `10.0.5.118` is the IP address of the machine that Vault is installed on, and `8210` is the port on which Vault listens for requests from the KMES Series 3. Also, make sure that the client certificate common name matches the IP address set in `vault.hcl`; otherwise, the KMES Series 3 does not verify the certificates presented by Vault to the KMES Series 3.

`cluster_addr` is not defined in the sample `vault.hcl` file because this demo uses only a single Vault server. For more information about configuring the Vault configuration file, see the Vault documentation at the following URL: https://learn.hashicorp.com/tutorials/vault/configure-vault.

## Start the dev server

To start the Vault dev server, run the following command:

```bash
vault server -dev -config=/etc/vault.d/vault.hcl
```

You should see output similar to the following example. Notice that the unseal key and root token values are displayed.

```console
$ vault server -dev -config=/etc/vault.d/vault.hcl
==> Vault server configuration:

             Api Address: https://10.0.5.118:8210
                     Cgo: disabled
         Cluster Address: https://10.0.5.118:8211
              Go Version: go1.14.7
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
              Listener 2: tcp (addr: "10.0.5.118:8210", cluster address: "10.0.5.118:8211", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
              Listener 3: tcp (addr: "127.0.0.1:8210", cluster address: "127.0.0.1:8211", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vault v1.5.4+ent
             Version Sha: 1d81c1e64854fb0dcb3323468d95ad5590460a40

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: i29kteqqvcl2pa3xkgxffcwp9ae0ow157nfug7pj14a=
Root Token: s.xtzyp0lijtaw3fmatgwhdxxo

Development mode should NOT be used in production installations!

==> Vault server started! Log data will stream in below:
```

The dev server stores all its data encrypted in memory, listens on localhost without TLS, and automatically unseals and shows you the unseal key and root access key.

With the dev server started, perform the following steps:

1. Launch a new terminal session.

2. Set the `VAULT_ADDR` environment variable by running the following command in the terminal. This configures the Vault client to talk to the dev server.

   ```bash
   export VAULT_ADDR='http://127.0.0.1:8200'
   ```

   The Vault CLI uses the `VAULT_ADDR` environment variable to determine which Vault server to send requests to.

3. Save the unseal key somewhere. You don't need to save this securely.

4. Set the `VAULT_TOKEN` environment variable to the generated root token value displayed in the terminal output when you started the dev server:

   ```bash
   export VAULT_TOKEN="s.akt1i498dqoy4z2c5zimaslr"
   ```

   To interact with Vault, you must provide a valid token. Setting this environment variable provides the token to Vault through the CLI.

## Verify the server is running

Verify the server is running by executing the `vault status` command. If it started properly, the output should look similar to the following example:

```console
$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.5.4+ent
Cluster Name    vault-cluster-8667d21d
Cluster ID      b3977a72-9be9-d900-c0ec-c6012b1902da
HA Enabled      false
```

In the Enterprise version of Vault, the dev server seals itself 30 minutes after you start it. This means that for the Enterprise version of Vault, you must perform the steps in the "Restart the dev server if it times out" section every time the dev server times out. For more information about how the dev server works, refer to https://www.vaultproject.io/docs/concepts/dev-server.

## Access the Vault UI

Go to http://localhost:8200 in a web browser. Copy and paste the root token in the Token field and select [ Sign In ]. The root token is displayed in the output of the `vault server` command you used to start the dev server.

## Modify the default ACL policy

After signing in, perform the following steps to modify the default ACL policy:

1. Go to the Policies menu, then select the `default` ACL policy.

2. Select [ Edit policy ], scroll to the bottom of the policy, and paste the following lines starting at line 89 of the policy:

   ```hcl
   path "secret/data/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
   }
   path "secret/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
   }
   path "sys/*" {
     capabilities = [ "create", "read", "update", "delete", "list" ]
   }
   path "sys/mounts/*" {
     capabilities = [ "create", "read", "update", "delete", "list" ]
   }
   # List enabled secrets engines
   path "sys/mounts" {
     capabilities = [ "create", "read", "update", "delete", "list" ]
   }
   # Work with the PKI secrets engine
   path "pki*" {
     capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
   }
   ```

3. Select [ Save ]. A message confirms that the ACL policy `default` was successfully saved.

## Restart the dev server if it times out

In the Enterprise version of Vault, the dev server seals itself 30 minutes after you start it. This means that for the Enterprise version of Vault, you must perform the following steps every time the dev server times out:

1. Trigger a Vault shutdown by pressing Ctrl+C in the terminal window where you started the Vault server.

2. Run the following command in a terminal:

   ```bash
   rm -r /tmp/vault/
   ```

3. Perform again the steps outlined in the following sections:
   - Configure Vault
   - Start the dev server
   - Access the Vault UI
   - Modify the default ACL policy

4. Re-configure either the userpass or TLS authentication auth method in Vault, as described in the section "Set up authentication between the KMES Series 3 and Vault".
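The sample `vault.hcl` and the ACL policy above both use flat HCL stanzas, and several of their settings (file storage under `/tmp`, `disable_mlock`, a TLS-disabled listener, `sudo` on `pki*`) are acceptable for the dev server but not for production. The following script is an added example (not part of this guide or of HashiCorp's tooling) that parses those stanzas with a minimal regex parser and reports the dev-only settings, so that a configuration can be checked before it is promoted; the parser handles only the unnested `kind "label" { key = value }` form used on this page, and the sample text embedded in it is a constructed copy of the guide's configuration.

```python
import re

# Minimal parser for the flat `kind "label" { key = value }` stanzas used in
# this guide's vault.hcl and ACL policy files (not a full HCL implementation).
BLOCK_RE = re.compile(r'(\w+)\s+"([^"]*)"\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\[[^\]]*\]|\S+)')
TOP_RE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)\s*$', re.M)

def parse_stanzas(text):
    """Return [(kind, label, {attr: value})] for every block in the file."""
    text = re.sub(r'#.*', '', text)  # drop comments
    return [(kind, label, {k: v.strip('"') for k, v in ATTR_RE.findall(body)})
            for kind, label, body in BLOCK_RE.findall(text)]

def top_level(text):
    """Return the attributes set outside any block (ui, disable_mlock, ...)."""
    return dict(TOP_RE.findall(BLOCK_RE.sub('', re.sub(r'#.*', '', text))))

def lint_vault_config(text):
    """Flag the dev-server settings from this guide that must not reach production."""
    stanzas, top, findings = parse_stanzas(text), top_level(text), []
    listeners = [a for kind, _, a in stanzas if kind == "listener"]
    for a in listeners:
        addr = a.get("address", "")
        if a.get("tls_disable", "false") in ("true", "1") and addr.rsplit(":", 1)[0] not in ("127.0.0.1", "localhost", "[::1]"):
            findings.append(f"listener {addr}: tls_disable on a non-loopback address")
    if len(listeners) > 1 and not {"api_addr", "cluster_addr"} <= top.keys():
        findings.append("multiple listeners but api_addr/cluster_addr are not set")
    if top.get("disable_mlock") == "true":
        findings.append("disable_mlock = true: Vault memory pages may be swapped to disk")
    for kind, label, a in stanzas:
        if kind == "storage" and label == "file" and a.get("path", "").startswith("/tmp/"):
            findings.append(f"file storage under {a['path']} is for the dev server only")
    return findings

def sudo_paths(policy_text):
    """Paths in an ACL policy that carry the root-like 'sudo' capability."""
    return sorted(label for kind, label, a in parse_stanzas(policy_text)
                  if kind == "path" and "sudo" in a.get("capabilities", ""))

# Constructed copy of the guide's sample vault.hcl (certificate paths omitted).
SAMPLE_HCL = '''
storage "file" { path = "/tmp/vault" }
listener "tcp" {
  address     = "10.0.5.118:8210"
  tls_disable = false
}
ui = true
disable_mlock = true
'''
```

Running `lint_vault_config(SAMPLE_HCL)` reports the `disable_mlock` and `/tmp/vault` findings and nothing about the listener, which matches the guide's intent of TLS on the private interface.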