Note: This article is an example reference on how a license can be applied to a DR cluster for Vault running version 1.7.x and prior.
Title: How to install license in Vault DR cluster (Vault 1.7.x and prior)
Introduction: Vault Enterprise needs a license to be installed or updated depending on the license expiry status. The Vault API endpoint /sys/license is used to check or update the Vault license. Reading and updating the license on a Vault Primary or Performance Replication cluster is straightforward, but a Vault DR cluster requires a dr_operation_token to authorize requests to this API endpoint.
Any operation on a Vault DR cluster that requires authentication and/or authorization requires a dr_operation_token to be provided with the request. This dr_operation_token can be generated in two ways.
First Method - Create a batch DR operation token on the Primary cluster with the correct permissions to read/create/update license details on the DR cluster. This batch token can be generated on the Primary cluster by an admin (with the correct permissions). This is helpful if a quorum of unseal keys or recovery keys is not readily available.
OR
Second Method - Generate a DR operation token on the DR secondary cluster. The process below is similar to Generate a DR Operations Token. The DR operation token created in this way has all permissions but requires unseal/recovery keys, which can be troublesome since you may have to coordinate among the key holders to generate the DR operation token.
Expected Outcome: This article provides steps to apply a license on a Vault DR cluster.
Assumption:
- This guide assumes that you already have Disaster Recovery replication enabled and functioning between a primary and secondary cluster. It also assumes that the clusters are in a healthy "stream-wals" state. For more details about replication monitoring, please follow https://learn.hashicorp.com/tutorials/vault/monitor-replication.
- The original Primary is referred to as "clusterA" and the original DR Secondary as "clusterB".
- Vault is running version 1.7.x or prior.
Procedure:
First Method - Create a batch DR operation token on the Primary cluster - clusterA (Vault version 1.4.x or higher):
- Step1: On the Primary cluster (clusterA), create a policy with permissions to read/create/update the DR secondary cluster license. The policy below grants create, update and read permission on the /sys/license endpoint of the DR secondary cluster.
$ vault policy write dr-secondary-license - <<EOF
# Manage license for DR Secondary
path "sys/replication/dr/secondary/license" {
capabilities = ["create", "update", "read"]
}
EOF
- Step2: Check the above policy on clusterA.
# example:
$ vault policy read dr-secondary-license
# Manage license for DR Secondary
path "sys/replication/dr/secondary/license" {
capabilities = ["create", "update", "read"]
}
- Step3: Create a batch token on clusterA with the above policy and a TTL of 30 minutes. The TTL for this token can be set as required; the command below generates a batch token with a TTL of 30m.
$ vault token create -orphan -type=batch -policy=dr-secondary-license -ttl=30m
#example:
$ vault token create -orphan -type=batch -policy=dr-secondary-license -ttl=30m
Key Value
--- -----
token b.AAAAAQLNH4ad-s6-ZV-ZrnCEfJ9u3iJaKjqOos8dDVzogNgt1f1QtTILtlUHYmZz-uprw-bttB33h3PKi0G7P24p4DA-CJdtzMies4vOAACPAzG7USC5yN_7Xz7ZZbz0tTJdSaV96FnJPGeIwl_sNTo
token_accessor n/a
token_duration 30m
token_renewable false
token_policies ["default" "dr-secondary-license"]
identity_policies []
policies ["default" "dr-secondary-license"]
- Step4: To read/write license details on the DR cluster (clusterB):
# to write license details
$ vault write sys/license "text=LICENSE_KEY_HERE" dr_operation_token="DR_OPERATION_TOKEN_HERE"
# to read license details
$ vault read sys/license dr_operation_token="DR_OPERATION_TOKEN_HERE"
#example
$ vault read sys/license dr_operation_token=b.AAAAAQLNH4ad-s6-ZV-ZrnCEfJ9u3iJaKjqOos8dDVzogNgt1f1QtTILtlUHYmZz-uprw-bttB33h3PKi0G7P24p4DA-CJdtzMies4vOAACPAzG7USC5yN_7Xz7ZZbz0tTJdSaV96FnJPGeIwl_sNTo
Key Value
--- -----
expiration_time xxx
features [xxx]
license_id xxx
performance_standby_count 9999
start_time xxx
Second Method - Generate a DR operation token on DR secondary cluster (clusterB):
- Step1: Start the DR operation token generation process.
$ vault operator generate-root -dr-token -init
#example:
$ vault operator generate-root -dr-token -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce 871d4c51-9cc8-1414-bae5-feb8462114ce
Started true
Progress 0/1
Complete false
OTP MpgvX26IQA9K79FOqgmQ7XWBNs
OTP Length 26
- Step2: To generate a DR operation token, the following operation must be executed by each unseal/recovery key holder. Once all keys are supplied, Vault will provide an "Encoded Token" in the output.
$ vault operator generate-root -dr-token \
-nonce=YOUR_NONCE_HERE \
PRIMARY_UNSEAL/Recovery_KEY_1
#example (there is only one recovery key in this example)
$ vault operator generate-root -dr-token \
> -nonce=871d4c51-9cc8-1414-bae5-feb8462114ce \
> iKJ1K2ufMaw0ehm8G2YmlzBFaDdujvJ4TeJEU3P6b8I=
Nonce 871d4c51-9cc8-1414-bae5-feb8462114ce
Started true
Progress 1/1
Complete true
Encoded Token Pl4eGj9CdAITKVIfbUgjFRcxLAhyNTF2Oho
- Step3: Decode the encoded DR operation token that is returned to get the dr_operation_token from Vault.
$ vault operator generate-root -dr-token -otp="OTP_HERE" -decode="ENCODED_TOKEN_HERE"
#example:
$ vault operator generate-root -dr-token -otp="MpgvX26IQA9K79FOqgmQ7XWBNs" -decode=Pl4eGj9CdAITKVIfbUgjFRcxLAhyNTF2Oho
s.ylgpBKBhkTZqeZfVAYEmf4ti
- Step4: To read/write license details on the DR cluster (clusterB):
# to write license details
$ vault write sys/license "text=LICENSE_KEY_HERE" dr_operation_token="DR_OPERATION_TOKEN_HERE"
# to read license details
$ vault read sys/license dr_operation_token="DR_OPERATION_TOKEN_HERE"
#example
$ vault read sys/license dr_operation_token=s.ylgpBKBhkTZqeZfVAYEmf4ti
Key Value
--- -----
expiration_time xxx
features [xxx]
license_id xxx
performance_standby_count 9999
start_time xxx
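The script below is an added example and is not part of this article or of HashiCorp's tooling. It wraps the steps shared by both methods in small POSIX shell functions so they can be checked offline: it parses the token row out of the `vault token create` output shown above, classifies the token by its prefix as Vault 1.7.x and prior issue them (b. for the batch token of the First Method, s. for the service token of the Second Method), verifies that a policy document actually grants create/update/read on sys/replication/dr/secondary/license before a batch token is minted from it, and builds the exact Step4 command lines. The embedded token output and policies are constructed copies of what this article shows; the vault commands are only assembled as strings, so nothing here contacts a live cluster.

```shell
# Added example (not from the original article or from HashiCorp): offline
# helpers around the DR-license workflow. Sample CLI output and policies are
# constructed copies of what the article shows; the vault commands are only
# built as strings, so nothing here talks to a live cluster.

# Constructed copy of the `vault token create` table output from the article.
SAMPLE_TOKEN_CREATE_OUTPUT='Key                 Value
---                 -----
token               b.AAAAAQLNH4ad-s6-ZV-ZrnCEfJ9u3iJaKjqOos8dDVzogNgt1f1QtTILtlUHYmZz-uprw-bttB33h3PKi0G7P24p4DA-CJdtzMies4vOAACPAzG7USC5yN_7Xz7ZZbz0tTJdSaV96FnJPGeIwl_sNTo
token_accessor      n/a
token_duration      30m
token_renewable     false
token_policies      ["default" "dr-secondary-license"]
identity_policies   []
policies            ["default" "dr-secondary-license"]'

# Constructed policy matching the one the article writes on clusterA.
SAMPLE_GOOD_POLICY='# Manage license for DR Secondary
path "sys/replication/dr/secondary/license" {
  capabilities = ["create", "update", "read"]
}'

# Constructed policy on the wrong path: sys/license on the primary does not
# authorize anything on the DR secondary, so a token built from it is useless
# for Step4.
SAMPLE_BAD_POLICY='path "sys/license" {
  capabilities = ["create", "update", "read"]
}'

# Pull the "token" row out of `vault token create` output.
extract_token() {
    printf '%s\n' "$1" | awk '$1 == "token" { print $2; exit }'
}

# Classify a token by its prefix as used in Vault 1.7.x and prior:
# "b." = batch token (First Method), "s." = service token (Second Method).
token_kind() {
    case "$1" in
        b.*) echo batch ;;
        s.*) echo service ;;
        *)   echo unknown ;;
    esac
}

# Exit 0 if the policy grants create, update and read on the DR secondary
# license path, 1 otherwise. A token carrying only this policy can manage the
# DR license and nothing else, which is the least-privilege property the
# First Method relies on.
policy_grants_dr_license() {
    printf '%s\n' "$1" | awk '
        $1 == "path" && index($0, "sys/replication/dr/secondary/license") { inpath = 1 }
        inpath && /capabilities/ {
            ok = (index($0, "\"create\"") && index($0, "\"update\"") && index($0, "\"read\""))
            exit
        }
        END { if (ok) exit 0; exit 1 }'
}

# Build the exact CLI lines from Step4: the DR cluster is addressed via
# sys/license, with the token passed as the dr_operation_token parameter.
build_license_read_cmd() {
    printf 'vault read sys/license dr_operation_token=%s\n' "$1"
}

# $1 = dr_operation_token, $2 = license key text
build_license_write_cmd() {
    printf 'vault write sys/license "text=%s" dr_operation_token=%s\n' "$2" "$1"
}

# Stand-alone demo: parse the sample output, check the policy, show the
# read command that would be run against clusterB.
demo() {
    tok=$(extract_token "$SAMPLE_TOKEN_CREATE_OUTPUT")
    echo "token kind: $(token_kind "$tok")"
    if policy_grants_dr_license "$SAMPLE_GOOD_POLICY"; then
        echo "policy grants DR license management"
    else
        echo "policy does NOT grant DR license management"
    fi
    build_license_read_cmd "$tok"
}

demo
```

The policy check is the piece worth keeping in a runbook: the path granted on clusterA (sys/replication/dr/secondary/license) is different from the path called on clusterB (sys/license), and a batch token minted from a policy on the wrong path fails only at Step4, after the 30m TTL clock has already started.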
Additional Information: