AAPRFE-2163 (Ansible Automation Platform RFEs)

[RFE] Installer Integration of HashiCorp Vault for Secure System Account Management and Encryption Key Storage during AAP Installation


      Problem Statement

      During the AAP installation process, sensitive data, including system account passwords and encryption keys, is currently handled and stored in plain text. This practice introduces significant security risks, including:

      • Exposure of Credentials: Plain text storage of passwords and encryption keys on disk or during transfer makes them susceptible to unauthorized access, theft, and compromise.
      • Non-Compliance: This approach may violate internal IBM security policies, industry best practices, and external regulatory compliance requirements (e.g., GDPR, HIPAA, PCI DSS) that mandate secure handling of sensitive data.
      • Operational Risk: Manual management of these secrets in plain text increases the risk of human error, leading to potential outages or security breaches.
      • Lack of Centralized Management: Decentralized and insecure storage hinders auditing, rotation, and lifecycle management of these critical secrets.

      Proposed Solution

      Leverage IBM's existing investment in HashiCorp Vault to natively integrate its secrets management capabilities into the AAP installation process. This integration should achieve the following:

      • Vaulted System Account Passwords: During installation, instead of prompting for or storing system account passwords in plain text, the installer should interact with a pre-configured HashiCorp Vault instance to:
        • Retrieve dynamic or static secrets for system accounts (e.g., database users, application users).
        • Store newly generated or user-provided system account passwords directly into Vault, if applicable, without ever exposing them in plain text on the filesystem or in logs.
        • Facilitate secure injection of these credentials into the application configuration.
      • Secure Encryption Key Management: All encryption keys required by the product during installation (e.g., master encryption keys, data encryption keys) must be:
        • Generated by or retrieved from HashiCorp Vault.
        • Stored exclusively within Vault, with the product accessing them via secure Vault APIs.
        • Never stored in plain text on the filesystem or embedded in configuration files.
      • Configuration Options: The installer should provide clear configuration options to enable and configure the HashiCorp Vault integration, including:
        • Vault address (URL)
        • Authentication method (e.g., AppRole, Kubernetes, Token) and associated parameters (Role ID, Secret ID, Token).
        • Paths for storing and retrieving secrets within Vault.
      • Fallback/Manual Mode (Consideration): While Vault integration should be preferred, a documented manual process or limited fallback for environments without Vault access could be considered, with clear warnings about the security implications.

      Business Justification / Benefits

      • Enhanced Security Posture: Eliminates plain text storage of sensitive credentials, significantly reducing the attack surface and mitigating risks associated with data breaches.
      • Improved Compliance: Aids in meeting internal IBM security standards and external regulatory requirements for secure secrets management.
      • Operational Efficiency: Automates the secure handling of credentials, reducing manual effort and potential human error during installation and subsequent operations.
      • Centralized Secrets Management: Enables administrators to manage, rotate, and audit all product-related secrets from a single, secure HashiCorp Vault instance.
      • Consistency with IBM Strategy: Aligns with IBM's broader adoption of HashiCorp Vault and promotes a consistent security approach across product portfolios.
      • Reduced Total Cost of Ownership (TCO): By mitigating security incidents and streamlining operations, this feature can lead to long-term cost savings.

      Technical Considerations (Preliminary)

      • Define specific Vault policies required for the installer to interact with secrets.
      • Determine necessary Vault authentication methods to be supported.
      • Outline error handling and retry mechanisms for Vault connectivity.
      • Identify any installer framework modifications required to support Vault integration.
      • Consider impact on existing upgrade paths.
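      The following is an added example, not code from this RFE, the AAP installer or HashiCorp: it shows what the installer step proposed under "Vaulted System Account Passwords" and "Configuration Options" would do (AppRole login with a Role ID and Secret ID, then a read of a system account's password from a KV path), and the retry and error handling called for under "Technical Considerations". The endpoints `/v1/auth/approle/login` and `/v1/<mount>/data/<path>` and the `X-Vault-Token` header are Vault's real HTTP API; the class and function names, the `vault.example:8200` address and all `FAKE_*` values are constructed for the demonstration, and the in-process stand-in transport replaces a live Vault so the block runs offline. Secret values are wrapped so that a log line or traceback prints `***` rather than the password, which is the "never exposed in logs" requirement made concrete.

```python
import json
import time
import urllib.error
import urllib.request

# Constructed credentials and secret for the stand-in Vault below (not real values).
FAKE_ROLE_ID = "constructed-role-id"
FAKE_SECRET_ID = "constructed-secret-id"
FAKE_TOKEN = "hvs.constructed-client-token"
FAKE_KV = {"secret/data/aap/db": {"username": "awx", "password": "constructed-db-pw"}}


class Secret:
    """Wraps a secret so str()/repr() print '***': a stray log line, traceback or
    variable dump from the installer cannot leak the value."""
    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret('***')"
    __str__ = __repr__


def urllib_transport(method, url, headers, body):
    """Transport for a live Vault: (method, url, headers, json body) -> (status, json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:  # Vault error bodies are JSON too
        return e.code, json.loads(e.read() or b"{}")


def make_fake_transport(fail_first=0):
    """Same interface as urllib_transport, but answers from FAKE_* in-process and
    raises `fail_first` connection errors first so the retry path is exercised."""
    state = {"failures_left": fail_first}

    def transport(method, url, headers, body):
        if state["failures_left"] > 0:
            state["failures_left"] -= 1
            raise ConnectionRefusedError("simulated: Vault not reachable")
        path, body = url.split("/v1/", 1)[1], body or {}
        if method == "POST" and path == "auth/approle/login":
            if body.get("role_id") == FAKE_ROLE_ID and body.get("secret_id") == FAKE_SECRET_ID:
                return 200, {"auth": {"client_token": FAKE_TOKEN}}
        elif method == "GET" and headers.get("X-Vault-Token") == FAKE_TOKEN:
            if path in FAKE_KV:
                return 200, {"data": {"data": dict(FAKE_KV[path])}}
            return 404, {"errors": []}
        return 403, {"errors": ["permission denied"]}
    return transport


class VaultClient:
    def __init__(self, addr, transport=urllib_transport, retries=3, backoff=0.5):
        self.addr, self.transport = addr.rstrip("/"), transport
        self.retries, self.backoff, self.token = retries, backoff, None

    def _request(self, method, path, body=None):
        url, headers = f"{self.addr}/v1/{path}", {"Content-Type": "application/json"}
        if self.token is not None:
            headers["X-Vault-Token"] = self.token.reveal()
        last_err = None
        for attempt in range(self.retries):
            try:
                status, payload = self.transport(method, url, headers, body)
            except OSError as e:  # refused, reset, DNS, timeout: transient, retry with backoff
                last_err = e
                time.sleep(self.backoff * 2 ** attempt)
                continue
            if status != 200:  # 403/404 are definitive; retrying only fills the audit log
                raise RuntimeError(f"Vault returned HTTP {status} for {path}")
            return payload
        raise RuntimeError(f"Vault unreachable after {self.retries} attempts: {last_err!r}")

    def login_approle(self, role_id, secret_id):
        """AppRole login (POST /v1/auth/approle/login) yields the client token."""
        resp = self._request("POST", "auth/approle/login",
                             {"role_id": role_id, "secret_id": secret_id.reveal()})
        self.token = Secret(resp["auth"]["client_token"])

    def read_kv2(self, mount, path):
        """KV v2 read (GET /v1/<mount>/data/<path>); every value comes back wrapped."""
        resp = self._request("GET", f"{mount}/data/{path}")
        return {k: Secret(v) for k, v in resp["data"]["data"].items()}


def fetch_system_account(addr, role_id, secret_id, mount, path,
                         transport=urllib_transport, retries=3, backoff=0.5):
    """The installer step: authenticate, read the account's secret, return wrapped
    values ready for injection into the application configuration."""
    client = VaultClient(addr, transport, retries, backoff)
    client.login_approle(role_id, secret_id)
    return client.read_kv2(mount, path)


if __name__ == "__main__":
    creds = fetch_system_account("http://vault.example:8200", FAKE_ROLE_ID, Secret(FAKE_SECRET_ID),
                                 "secret", "aap/db", make_fake_transport(fail_first=1), backoff=0.01)
    print(creds)  # prints Secret('***') for every value: safe to log
```

      Two design points carry over to a real installer: an `OSError` (connection refused, reset, timeout) is retried with exponential backoff, while a 403 or 404 from Vault is surfaced immediately, since repeating a rejected login only adds noise to Vault's audit log; and the error messages contain the HTTP status and path but never the Secret ID, token or secret value, so installer logs stay clean even when the step fails.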

      dysilva Dylan Silva
      rhn-support-jbyrd Jimmy Byrd
      Votes: 0
      Watchers: 5