Introduction
Vault
Reading and updating the license in Vault 1.7.x and earlier requires the parameter dr_operation_token. License autoloading was introduced in Vault 1.8.x, where the explicit dr_operation_token parameter is no longer required to update the license. However, a dr_operation_token is still required to read the license status or to perform other license-related API operations on a DR Secondary cluster.
Updating DR Secondary license on Vault 1.8.x or later (tested up to Vault version 1.17)
- Check whether the environment variables (VAULT_LICENSE or VAULT_LICENSE_PATH) or the HCL parameter license_path are used to configure the license in your setup, and add or update the new license file accordingly.
- Repeat the step above, ensuring that the same file and configuration conditions are met on all Vault nodes in the cluster.
- Restart Vault (systemctl restart vault) on all nodes of the DR cluster in a rolling manner, ending with the Vault leader node last.
Inspecting License File on all Nodes
The license file intended to be applied may also be read on each Vault cluster node prior to restarting Vault in order to verify its validity, for example:
vault license inspect /etc/vault.d/vault_license.txt
# perform the above on all nodes
Example output:
Source: /etc/vault.d/vault_license.txt
Product: vault
License ID: c9db8ad3-ce27-0912-944a-56ac6a4e75d2
Customer ID: d0ffe0ca-3eca-0237-33dd-b25bda4e97b3
Installation ID: *
Issue Time: 2022-06-13 09:26:16.078699758 +0000 UTC
Start Time: 2022-06-13 00:00:00 +0000 UTC
Expiration Time: 2023-06-13 23:59:59.999 +0000 UTC
Termination Time: 2023-06-13 23:59:59.999 +0000 UTC
{"license_id":"c9db8ad3-ce27-0912-944a-56ac6a4e75d2","customer_id":"d0ffe0ca-3eca-0237-33dd-b25bda4e97b3","installation_id":"*","issue_time":"2022-06-13T09:26:16.078699758Z","start_time":"2022-06-13T00:00:00Z","expiration_time":"2023-06-13T23:59:59.999Z","termination_time":"2023-06-13T23:59:59.999Z","flags":{"modules":["multi-dc-scale","governance-policy","advanced-data-protection","advanced-data-protection-key-management","advanced-data-protection-transform"]},"features":["HSM","Performance Replication","DR Replication","MFA","Sentinel","Seal Wrapping","Control Groups","Performance Standby","Namespaces","KMIP","Entropy Augmentation","Transform Secrets Engine","Lease Count Quotas","Key Management Secrets Engine","Automated Snapshots","Key Management Transparent Data Encryption"],"performance_standby_count":9999}
License is valid
You may then restart the Vault process having successfully verified the expected license file on all Vault nodes.
Generating DR Operations Token
A dr_operation_token is required to run the license check commands. The steps to generate a DR operation token are shown below:
vault operator generate-root -dr-token -init
# grab the NONCE and OTP values from the output
export NONCE="..."
export OTP="..."
vault operator generate-root -dr-token -nonce="${NONCE}"
# prompts for an unseal key
# repeat once per unseal key until an encoded value is returned
export ENCODED="..."
vault operator generate-root -dr-token -decode="${ENCODED}" -otp="${OTP}"
# grab the operation token from the output
export DRTOKEN="..."
Verifying Current License Status Using DR Operations Token
Use the CLI command below for an overview of the license currently in use:
VAULT_TOKEN="${DRTOKEN}" vault license get
Example output:
Key Value
--- -----
expiration_time 2023-06-13T23:59:59.999Z
features [HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots Key Management Transparent Data Encryption]
license_id c9db8ad3-ce27-0912-944a-56ac6a4e75d2
performance_standby_count 9999
start_time 2022-06-13T00:00:00Z
termination_time 2023-06-13T23:59:59.999Z
Then read the current license status with:
VAULT_TOKEN="${DRTOKEN}" vault read sys/license/status
Output:
Key Value
--- -----
autoloaded map[expiration_time:2023-06-13T23:59:59.999Z features:[HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots Key Management Transparent Data Encryption] license_id:c9db8ad3-ce27-0912-944a-56ac6a4e75d2 performance_standby_count:9999 start_time:2022-06-13T00:00:00Z termination_time:2023-06-13T23:59:59.999Z]
autoloading_used true
persisted_autoload map[expiration_time:2023-06-13T23:59:59.999Z features:[HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots Key Management Transparent Data Encryption] license_id:c9db8ad3-ce27-0912-944a-56ac6a4e75d2 performance_standby_count:9999 start_time:2022-06-13T00:00:00Z termination_time:2023-06-13T23:59:59.999Z]
If the license_id values under autoloaded and persisted_autoload do not match, a restart of the Vault service is required; the restart also clears any license-related warning messages.
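The mismatch rule above, together with an expiry check, can be automated against the JSON form of the same status call. The script below is an added example, not part of this article or of Vault itself; it assumes the output of VAULT_TOKEN="${DRTOKEN}" vault read -format=json sys/license/status is saved and passed in as a string, and it embeds a constructed sample of that shape (license IDs copied from the page's example and a placeholder for the stale persisted copy).

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape `vault read -format=json sys/license/status` returns
# (the page shows the same data as a table); the persisted copy is left on an older ID.
SAMPLE_STATUS_JSON = """{
  "data": {
    "autoloading_used": true,
    "autoloaded": {
      "license_id": "c9db8ad3-ce27-0912-944a-56ac6a4e75d2",
      "expiration_time": "2023-06-13T23:59:59.999Z"
    },
    "persisted_autoload": {
      "license_id": "00000000-0000-0000-0000-000000000000",
      "expiration_time": "2022-06-13T23:59:59.999Z"
    }
  }
}"""

# The same sample after a restart: the persisted copy now matches the autoloaded one.
_matched = json.loads(SAMPLE_STATUS_JSON)
_matched["data"]["persisted_autoload"] = dict(_matched["data"]["autoloaded"])
SAMPLE_STATUS_MATCHED_JSON = json.dumps(_matched)

def parse_vault_time(value):
    """Parse Vault's RFC3339 UTC timestamps; fractional seconds may carry up to
    nine digits (see issue_time in the inspect output), so truncate to the six %f accepts."""
    base, _, frac = value.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    ts = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return ts.replace(microsecond=micros, tzinfo=timezone.utc)

def check_license_status(status_json, now=None, warn_days=30):
    """Return findings: whether a restart is needed, days until expiry, and warnings."""
    data = json.loads(status_json)["data"]
    now = parse_vault_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    autoloaded = data.get("autoloaded") or {}
    persisted = data.get("persisted_autoload") or {}
    findings = {"restart_required": False, "days_to_expiry": None, "warnings": []}
    # The article's rule: differing license_id between the two copies means restart Vault.
    if autoloaded.get("license_id") != persisted.get("license_id"):
        findings["restart_required"] = True
        findings["warnings"].append("autoloaded/persisted_autoload license_id mismatch; restart Vault")
    if autoloaded.get("expiration_time"):
        days = (parse_vault_time(autoloaded["expiration_time"]) - now).days
        findings["days_to_expiry"] = days
        if days < warn_days:
            findings["warnings"].append("license expired" if days < 0 else f"expires in {days} days")
    return findings
```

Run it on each node's output after the rolling restart; a non-empty warnings list on any node means that node still needs attention.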