This repository has been archived by the owner on Nov 13, 2023. It is now read-only.

Managing Secure Properties

Gene Johnston edited this page Apr 25, 2022 · 1 revision

Secure by default

The Zowe Secure Credential Store (SCS) plug-in has been integrated into the Imperative framework, so installing a separate plug-in is no longer required. See the section named Remove unused artifacts from a previous zowe-v1-lts release within the document Working with Team Configuration. Because the secure credential store is built in, Zowe commands automatically store sensitive values securely.

When profile properties are defined as secure and are included in a team config template, Zowe commands ensure that those properties are stored securely.

When you first run the zowe config init --global command, the user and password properties for the "my_base" profile are included in the "secure" array within the team configuration file that is generated by the "config init" command. The "config init" command also prompts the user for that user name and password, but those values are never stored in the team config file. Those values are automatically stored within the secure storage mechanism of your operating system.

You can use an editor to manually add new profile properties to the secure array in zowe.config.json. Any property that you define in the secure array will then also be stored only in the secure storage of your operating system.

You can issue the zowe config secure command to re-prompt for all secure fields when you want to update them. You might use this command after you have added new secure fields, or when your organization requires you to change your password.

You can also secure a specific property. Use the command zowe config set --secure <property-path>. For example, you can issue zowe config set --secure profiles.my_base.properties.password. You will be prompted for the value of the property. If that property had already been secured, the value that you enter will replace the previous value in the secure credential store.
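The following check is an added example, not code from the Zowe project: it walks the profiles of a parsed zowe.config.json and reports properties whose values still sit in the file in plaintext, either because they are listed in the secure array yet also have a value under properties, or because they look sensitive and are not in the secure array at all. The function name, the SENSITIVE_NAMES list, the handling of nested "profiles" objects and the sample configuration are assumptions made for illustration.

```javascript
// Added example: audit a parsed zowe.config.json for secrets left in plaintext.
// SENSITIVE_NAMES is an assumed list; extend it for your own profile types.
const SENSITIVE_NAMES = new Set(["user", "password"]);

// Walk profiles (including nested "profiles" objects) and collect findings.
function auditProfiles(profiles, prefix = "profiles", findings = []) {
  for (const [name, profile] of Object.entries(profiles || {})) {
    const base = `${prefix}.${name}`;
    const props = profile.properties || {};
    const secure = new Set(profile.secure || []);
    for (const key of Object.keys(props)) {
      const path = `${base}.properties.${key}`;
      if (secure.has(key)) {
        // Listed as secure, yet a value is still present in the file.
        findings.push({ path, issue: "secure-but-plaintext" });
      } else if (SENSITIVE_NAMES.has(key)) {
        // Sensitive-looking name that is not in the secure array at all.
        findings.push({ path, issue: "not-in-secure-array" });
      }
    }
    auditProfiles(profile.profiles, `${base}.profiles`, findings);
  }
  return findings;
}

// Constructed sample config (not from a real system).
const sampleConfig = {
  profiles: {
    my_base: {
      type: "base",
      properties: { host: "example.invalid", rejectUnauthorized: true },
      secure: ["user", "password"],
    },
    my_zosmf: {
      type: "zosmf",
      properties: { port: 443, password: "constructed-value" },
      secure: [],
    },
    my_ssh: {
      type: "ssh",
      properties: { port: 22, user: "constructed-user" },
      secure: ["user"],
    },
  },
};

for (const f of auditProfiles(sampleConfig.profiles)) {
  console.log(`${f.issue}: ${f.path}`);
}
```

Each reported path has the form that zowe config set --secure expects as its property path.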

Keytar is a security building block

The Zowe Imperative framework interfaces with the npm package node-keytar to store any profile properties marked as secure. The Zowe CLI installs Keytar as a dependency, so the use of Keytar is largely transparent for interactive end-users.

Keytar considerations for developers

If you are developing an app which uses the Imperative framework, you must provide Keytar with your app to enable secure storage. The following are considerations for obtaining and integrating Keytar with an application.

Windows

When installing Keytar via npm from behind a strict proxy or offline, you will need node-gyp to build the binary on the user's machine. In this case, Windows users will also need windows-build-tools (or equivalent compiler tools).

Linux

Linux users must provide additional configuration with the libsecret Node module before Keytar can function with the framework. When you use Linux, install the packages gnome-keyring and libsecret (or libsecret-1-0 on Debian and Ubuntu).

For more information on Keytar, see node-keytar.