Note: This article is an example reference for applying a license to a DR cluster running Vault version 1.7.x or earlier.
Title: How to install license in Vault DR cluster (Vault 1.7.x and prior)
Introduction: Vault Enterprise needs a license to be installed or updated depending on the license expiry status. The Vault API endpoint /sys/license is used to check and update the Vault license. While reading and updating the license on a Vault Primary or Performance Replication cluster is straightforward, a Vault DR cluster requires a dr_operation_token to authorize requests to this API endpoint.
Any operation on a Vault DR cluster that requires authentication and/or authorization needs a dr_operation_token supplied with the request. This dr_operation_token can be generated in two ways.
1. Create a batch DR operation token on the Primary cluster with the correct permissions to read/create/update license details on the DR cluster. This batch token can be generated on the Primary cluster by an admin (with the correct permissions).
2. Generate a DR operation token on the DR secondary cluster. The process below is similar to Generating a Root Token (via CLI). A DR operation token created this way has all permissions but requires unseal/recovery keys, which can be troublesome since you may have to coordinate among the key holders to generate it.
Expected Outcome: This article provides steps to apply a license on a Vault DR cluster.
Assumption:
- This guide assumes that you already have Disaster Recovery replication enabled and functioning between a primary and secondary cluster. It also assumes that the clusters are in a healthy "stream-wals" state. For more details about replication monitoring please follow https://learn.hashicorp.com/tutorials/vault/monitor-replication.
- The original Primary is referred to as "clusterA" and the original DR Secondary "clusterB".
- Vault is running version 1.7.x or earlier.
Procedure:
1. Create a batch DR operation token on the Primary cluster - clusterA (Vault version 1.4.x or higher):
- Step1: On the Primary Cluster (clusterA) create a policy with permissions to read/create/update the DR secondary cluster license. The policy below grants create, update and read permission on the /sys/license endpoint of the DR secondary cluster.
$ vault policy write dr-secondary-license - <<EOF
# Manage license for DR Secondary
path "sys/replication/dr/secondary/license" {
capabilities = ["create", "update", "read"]
}
EOF
- Step2: Check the policy above on clusterA
# example:
$ vault policy read dr-secondary-license
# Manage license for DR Secondary
path "sys/replication/dr/secondary/license" {
capabilities = ["create", "update", "read"]
}
- Step3: Create a batch token on clusterA with the policy above and a TTL of 30 min. The TTL for this token can be set as required; the command below generates a batch token with a TTL of 30 min.
$ vault token create -orphan -type=batch -policy=dr-secondary-license -ttl=30m
#example:
$ vault token create -orphan -type=batch -policy=dr-secondary-license -ttl=30m
Key Value
--- -----
token b.AAAAAQLNH4ad-s6-ZV-ZrnCEfJ9u3iJaKjqOos8dDVzogNgt1f1QtTILtlUHYmZz-uprw-bttB33h3PKi0G7P24p4DA-CJdtzMies4vOAACPAzG7USC5yN_7Xz7ZZbz0tTJdSaV96FnJPGeIwl_sNTo
token_accessor n/a
token_duration 30m
token_renewable false
token_policies ["default" "dr-secondary-license"]
identity_policies []
policies ["default" "dr-secondary-license"]
- Step4: Read/write license details on the DR cluster (clusterB):
# to write license details
$ vault write sys/license "text=LICENSE_KEY_HERE" dr_operation_token="DR_OPERATION_TOKEN_HERE"
# to read license details
$ vault read sys/license dr_operation_token="DR_OPERATION_TOKEN_HERE"
#example
$ vault read sys/license dr_operation_token=b.AAAAAQLNH4ad-s6-ZV-ZrnCEfJ9u3iJaKjqOos8dDVzogNgt1f1QtTILtlUHYmZz-uprw-bttB33h3PKi0G7P24p4DA-CJdtzMies4vOAACPAzG7USC5yN_7Xz7ZZbz0tTJdSaV96FnJPGeIwl_sNTo
Key Value
--- -----
expiration_time xxx
features [xxx]
license_id xxx
performance_standby_count 9999
start_time xxx
2. Generate a DR operation token on DR secondary cluster (clusterB):
- Step1: Start the DR operation token generation process.
$ vault operator generate-root -dr-token -init
#example:
$ vault operator generate-root -dr-token -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce 871d4c51-9cc8-1414-bae5-feb8462114ce
Started true
Progress 0/1
Complete false
OTP MpgvX26IQA9K79FOqgmQ7XWBNs
OTP Length 26
- Step2: To generate a DR operation token, the following command must be executed by each unseal/recovery key holder. Once all keys are supplied, Vault will provide an "Encoded Token" in the output.
$ vault operator generate-root -dr-token \
-nonce=YOUR_NONCE_HERE \
PRIMARY_UNSEAL/Recovery_KEY_1
#example (there is only one recovery key in this example)
$ vault operator generate-root -dr-token \
> -nonce=871d4c51-9cc8-1414-bae5-feb8462114ce \
> iKJ1K2ufMaw0ehm8G2YmlzBFaDdujvJ4TeJEU3P6b8I=
Nonce 871d4c51-9cc8-1414-bae5-feb8462114ce
Started true
Progress 1/1
Complete true
Encoded Token Pl4eGj9CdAITKVIfbUgjFRcxLAhyNTF2Oho
- Step3: Decode the encoded token that is returned to obtain the dr_operation_token from Vault.
$ vault operator generate-root -dr-token -otp="OTP_HERE" -decode="ENCODED_TOKEN_HERE"
#example:
$ vault operator generate-root -dr-token -otp="MpgvX26IQA9K79FOqgmQ7XWBNs" -decode=Pl4eGj9CdAITKVIfbUgjFRcxLAhyNTF2Oho
s.ylgpBKBhkTZqeZfVAYEmf4ti
- Step4: Read/write license details on the DR cluster (clusterB):
# to write license details
$ vault write sys/license "text=LICENSE_KEY_HERE" dr_operation_token="DR_OPERATION_TOKEN_HERE"
# to read license details
$ vault read sys/license dr_operation_token="DR_OPERATION_TOKEN_HERE"
#example
$ vault read sys/license dr_operation_token=s.ylgpBKBhkTZqeZfVAYEmf4ti
Key Value
--- -----
expiration_time xxx
features [xxx]
license_id xxx
performance_standby_count 9999
start_time xxx
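As an added example (not HashiCorp's code), the Python below covers Step4 of both procedures: it builds the sys/license request for the DR secondary with the dr_operation_token, distinguishes the batch token from procedure 1 ("b." prefix) from the service token of procedure 2 ("s." prefix), and evaluates the expiration_time of a license read so an expiring license is flagged ahead of time. It assumes the HTTP API mirrors the CLI calls above (dr_operation_token as a query parameter on GET, in the JSON body on PUT); the sample response and the 30-day warning threshold are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

WARN_DAYS = 30  # assumption: warn when fewer than this many days remain

def build_license_request(vault_addr, dr_operation_token, license_text=None):
    """Return (method, url, json_body) for sys/license on the DR secondary.
    Without license_text this is a read (GET, token as query parameter);
    with it a write (PUT, token and license text in the JSON body)."""
    if not dr_operation_token:
        raise ValueError("a DR secondary rejects sys/license without dr_operation_token")
    url = vault_addr.rstrip("/") + "/v1/sys/license"
    if license_text is None:
        return "GET", url + "?" + urlencode({"dr_operation_token": dr_operation_token}), None
    return "PUT", url, {"text": license_text, "dr_operation_token": dr_operation_token}

def token_kind(token):
    """Batch tokens from procedure 1 start with "b.", service tokens from
    generate-root (procedure 2) with "s."; anything else is unexpected."""
    return {"b.": "batch", "s.": "service"}.get(token[:2], "unknown")

def _parse_rfc3339(ts):
    # Vault timestamps are RFC 3339; fromisoformat wants "+00:00" instead of "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def license_status(license_data, now=None, warn_days=WARN_DAYS):
    """Classify the data block of a sys/license read as expired, expiring or ok.
    `now` may be an RFC 3339 string (handy for tests) or a datetime."""
    if isinstance(now, str):
        now = _parse_rfc3339(now)
    now = now or datetime.now(timezone.utc)
    days_left = (_parse_rfc3339(license_data["expiration_time"]) - now) / timedelta(days=1)
    state = "expired" if days_left <= 0 else "expiring" if days_left <= warn_days else "ok"
    return {"license_id": license_data.get("license_id"),
            "days_left": round(days_left, 1), "state": state}

# Constructed sample of a sys/license read response; every value is made up
SAMPLE_LICENSE = {
    "expiration_time": "2021-06-30T00:00:00Z",
    "features": ["DR Replication"],
    "license_id": "example-license-id",
    "performance_standby_count": 9999,
    "start_time": "2020-06-30T00:00:00Z",
}

if __name__ == "__main__":
    print(build_license_request("https://clusterB:8200", "s.ylgpBKBhkTZqeZfVAYEmf4ti"))
    print(license_status(SAMPLE_LICENSE, now="2021-06-10T00:00:00Z"))
```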
Additional Information: