Secrets

Sql

SqlConnection

SqlCursor

Str

Class: Secrets

The built-in functions in the Secrets package allow you to store and retrieve secrets in storages that are managed by Content Server. There are two types of secrets: local and global. In general, local secrets apply to specific Content Server hosts only. However, not all secrets stored with PutLocal() are really local. Whether a specific secret is really local should be determined case by case according to the nature of that secret. For example, the Content Server database password is not local in nature; its change requires restarting all Content Server hosts after the change has been synchronized among them. The Web Administrator password is not local as well; otherwise the Content Server administrators have to use different passwords on different hosts to configure the same Content Server system. This is no different from the settings in the opentext.ini file. Some are local and some are not. If not really local to a specific host, then a change will require synchronization and restarting all hosts afterwards.

Depending on the running environment, some secrets may be read only. For example, not all secrets can be stored or updated using this package's Put() and PutLocal() methods in the container environment. Overall, the methods for global secrets are similar to CAPI's IniDelete(), IniGet() and IniPut() and the methods for local secrets are similar to the corresponding functions provided by $KERNEL.SystemPreferences. The big differences are that secret values are of type String rather than Dynamic; section and keyword are always case sensitive, even for the local versions; and the return value is Undefined if there is no secret for the section/keyword specified. Most importantly, the passed secret is automatically encrypted when stored and decrypted before it is returned. It is guaranteed that the retrieved secret is exactly the same as it was passed into the Put() or PutLocal() method.

The major functionalities offered in the Secrets package are the following:

GetLocal(), Get() get local and global secrets, respectively.
PutLocal(), Put() store local and global secrets, respectively.
DeleteLocal(), (Delete()) delete local and global secrets, respectively.
IsReadOnlyLocal(), IsReadOnly() check if the secret is read only or not.
GetKeys() returns a RecArray with a row for each defined secret.
ValidateName() checks if a string would be valid as a Secrets section or keyword name.

The majority of these functions require a pair of String parameters, section and keyword, and for each of these parameters, the content of the String is limited as follows:

It must be composed solely of the basic alphanumeric characters { A-Za-z0-9 } plus the underscore { _ }, hyphen or minus sign { - }, and the period or full stop { . }.
It must begin with an alphabetic character { A-Za-z }.
The minimum length is 1 character and the maximum length is 128 characters.
As mentioned above, it is treated in a case-sensitive manner. For example, "KEYWORD1", "Keyword1", and "keyword1" are all distinct and would refer to different secrets within a given section.

Class Methods

CheckCryptoMark( CAPILOGIN login )

Checks if "OTHOME/config/secrets/key.bin" has the correct content. Internal use only.

Delete( CAPILOGIN login, String section, String keyword )

Deletes one global secret for the keyword in the section specified.

DeleteLocal( String section, String keyword )

Deletes one local secret for the keyword in the section specified.

Get( CAPILOGIN login, String section, String keyword )

Retrieves one global secret from the global secret storage.

GetKeys( CAPILOGIN login )

Retrieves a RecArray with one row for each key (that is, each section/keyword combination) defined in the underlying secret storages for both local and global secrets.

GetLocal( String section, String keyword )

Retrieves one local secret from the local secret storage.

IsReadOnly( CAPILOGIN login, String section, String keyword )

Tests if the global secret for the specified section/keyword is read only or not.

IsReadOnlyLocal( String section, String keyword )

Tests if the local secret for the specified section/keyword is read only or not.

Put( CAPILOGIN login, String section, String keyword, String val )

Stores one secret in the global secret storage.

PutLocal( String section, String keyword, String val )

Stores one secret in the local secret storage.

SetCryptoMark( CAPILOGIN login )

Inserts into the KSecrets table a certain string for checking if "OTHOME/config/secrets/key.bin" has the correct content. Internal use only.

ValidateName( String name )

Checks if a string would be valid as a Secrets section or keyword name.

Class Methods

CheckCryptoMark

Integer CheckCryptoMark( CAPILOGIN login )

Checks if the KSecrets table has a certain string used to check if "OTHOME/config/secrets/key.bin" has the correct content. If so, this function tries to decrypt the string. If an error occurs while checking or decrypting, or the decrypted value is not as expected, this function logs a message informing the user to copy over the key.bin of the original instance and restart Content Server, then causes the Content Server service to stop. If the string is not in KSecrets, this function instead checks if key.bin has the correct content by checking if it can decrypt all the values in KSecrets. If so, it inserts the string into KSecrets.

Warning: This function is not intended for general use. It is for internal use only. This function accesses the database associated with the login parameter; misuse could render the system inoperative.

Parameters

The CAPILOGIN object.

Returns:

Integer 0

Delete

Integer Delete( CAPILOGIN login,
String section,
String keyword )

Deletes one global secret for the section/keyword specified. Does nothing if there is not such a secret.

Parameters

The CAPILOGIN object.

section

A string specifying the section to affect in the secret storage.

keyword

A string specifying the keyword to delete from the specified section.

Returns:

An Integer 0 if successful, an error otherwise.

DeleteLocal

Integer DeleteLocal( String section,
String keyword )

Deletes one local secret for the section/keyword specified. Does nothing if there is not such a secret.

Parameters

section

A string specifying the section to affect in the secret storage.

keyword

A string specifying the keyword to delete from the specified section.

Returns:

An Integer 0 if successful, an error otherwise.

Get

String Get( CAPILOGIN login,
String section,
String keyword )

Retrieves one global secret, if any, from the global secret storage for the section/keyword specified.

Parameters

The CAPILOGIN object.

section

A string specifying the section in which the keyword is located.

keyword

A string specifying the keyword to retrieve one secret.

Returns:

The string value of the secret for the given keyword in the specified section if successful; Undefined if not existing; or an error otherwise.

GetKeys

RecArray GetKeys( CAPILOGIN login )

Retrieves a RecArray with one row for each key (that is, each section/keyword combination) defined in the underlying secret storages for both local and global secrets. The columns included are 'Section' and 'Keyword' (both String values), 'Global' (Boolean value, true if global, false if local), and 'ReadOnly' (Boolean value). No values are returned.

Parameters

The CAPILOGIN object.

Returns:

The RecArray value with one row for each secret stored in the underlying secret storages, local and global.

Example

Dynamic result
Dynamic rec
Object prgCtx

Assoc checkVal = $LLIApi.PrgSession.GetPrgCtx( 'Admin' )


if ( checkVal.ok )

    prgCtx = checkVal.pSession

    result = Secrets.GetKeys( prgCtx.fDbConnect.fLogin )

    if( IsNotError( result ) )

        for rec in result

            Echo( rec )

        end

    end

end

Output:

16:55:06,168 INFO  R<'Section'='a','Keyword'='b1','Global'=true,'ReadOnly'=false>
16:55:06,168 INFO  R<'Section'='general','Keyword'='AdminPwd','Global'=false,'ReadOnly'=false>
16:55:06,168 INFO  R<'Section'='dbconnection:main','Keyword'='password','Global'=false,'ReadOnly'=false>
16:55:06,168 INFO  R<'Section'='a','Keyword'='b2','Global'=false,'ReadOnly'=false>
16:55:06,168 INFO  R<'Section'='another','Keyword'='k1','Global'=false,'ReadOnly'=false>

GetLocal

String GetLocal( String section,
String keyword )

Retrieves one local secret, if any, from the local secret storage for the section/keyword specified.

Parameters

section

A string specifying the section in which the keyword is located.

keyword

A string specifying the keyword to retrieve one secret.

Returns:

The string value of the secret for the given keyword in the specified section if successful; Undefined if not existing; or an error otherwise.

Example

Dynamic result

result = Secrets.GetLocal('general', 'AdminPwd')

Echo( result )

result = Secrets.GetLocal('general', 'adminpwd') // Note that section and keyword are case sensitive!

Echo( result )

Output:

21:21:33,822 INFO  1$UDe8fmYyXeyMXnAvfBo0KOmRUpuERThKjqccm|Rm4Z56wFHjg0cBm0nxqrTvjOWz0GBxJqR9JHr|U|BmX6w6fg==$EynFthPsK5ZWGzff34Ui7YV0bYItSSzX5pKDquHgK|Ld6q06KmqOOCd+lfZJr2rSeqNuvyAcyeTw70qkw4Pg|w==
21:21:33,823 INFO  ?

IsReadOnly

Boolean IsReadOnly( CAPILOGIN login,
String section,
String keyword )

Tests if the global secret for the specified section/keyword is read only or not.

Parameters

The CAPILOGIN object.

section

A string specifying the section in which the keyword is located.

keyword

A string specifying the keyword to be tested.

Returns:

TRUE if the secret is read only; FALSE if it is writable; Undefined if not existing; or an error otherwise.

IsReadOnlyLocal

Boolean IsReadOnlyLocal( String section,
String keyword )

Tests if the local secret for the specified section/keyword is read only or not.

Parameters

section

A string specifying the section in which the keyword is located.

keyword

A string specifying the keyword to be tested.

Returns:

TRUE if the secret is read only; FALSE if it is writable; Undefined if not existing; or an error otherwise.

Put

Integer Put( CAPILOGIN login,
             String section,
             String keyword,
             String val )

Stores one secret with the specified section/keyword in the global secret storage.

Parameters

The CAPILOGIN object.

section

A string specifying the section in which the keyword is located.

keyword

A string specifying the keyword to store the secret.

val

A string specifying the plaintext value of the secret.

Returns:

An Integer 0 if successful; an error otherwise.

PutLocal

Integer PutLocal( String section,
String keyword,
String val )

Stores one secret with the specified section/keyword in the local secret storage.

Parameters

section

A string specifying the section in which the keyword is located.

keyword

A string specifying the keyword to store the secret.

val

A string specifying the plaintext value of the secret.

Returns:

An Integer 0 if successful; an error otherwise.

SetCryptoMark

Integer SetCryptoMark( CAPILOGIN login )

Inserts into the KSecrets table a certain string for checking if "OTHOME/config/secrets/key.bin" has the correct content.

Parameters

The CAPILOGIN object.

Returns:

An Integer 0 if successful; an error otherwise.

ValidateName

Boolean ValidateName( String name )

Checks if a string would be valid as a Secrets section or keyword name, given the limitations listed above in the Secrets class description. This does not check if the name is currently in use, only if it could be used.

Parameters

name

The name for a Secrets section or keyword.

Returns:

TRUE if the input name meets the limitations, FALSE otherwise.