Versions Compared

Old Version 3

changes.mady.by.user admin

Saved on

compared with

New Version 4

changes.mady.by.user admin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Security Secrets (Reference)let you securely store sensitive values : Securely store and manage sensitive credentials such as passwords or keys. These secrets can then be reused in Datasets and Device/TagProvider configurations , API keys, and connection strings without exposing plain-text credentialsvalues in your configuration.

Security Secrets provide:

  • Centralized
    • storage of credentials
  • credential storage
  • Encrypted value protection
  • Integration with Datasets (DB connections)
  • Integration with
    • Device
  • Devices/TagProviders (MQTT, OPC UA, etc.)
  • Administrative control
    • — only admins can edit SecretValue
  • over sensitive values

On this page:

Table of Contents
maxLevel2
minLevel2
indent10px
excludeSteps
stylenone


Scripts → Tutorial | Concept | How-to Guide | Reference


Configuration

onfiguration Properties

Each Secret has the following properties:

PropertyDescriptionRequired

NameUnique identifier for the secretYes

SecretTypeDefines type of secret (e.g., Password)Yes

SecretValueEncrypted credential valueYes

DescriptionOptional notes or purposeNo

Access at: Security → Secrets

PropertyDescriptionRequiredAccess Control
NameUnique identifier for the secretYesAll users
SecretTypeType of credential (Password, APIKey, Token)YesAll users
SecretValueEncrypted credential valueYesAdministrators only
DescriptionDocumentation of usage/purposeNoAll users

Important: Only administrators can view or

Only administrators can

edit SecretValue. Standard users can reference

existing

secrets

but not view them.

Example

NameSecretTypeSecretValueDescription
Secret1Password******Used for Runtime Users DB connection

Usage in Configuration

  • In Datasets, select Secret instead of a raw password to bind connection strings.
  • In Device/TagProviders (MQTT, OPC UA, etc.), reference secrets using /secret-<name>.
  • Secrets allow safer credential management and support configuration portability.

Example: Assigning Secret1 to RuntimeUsers database login password.

Best Practices

  • Create secrets centrally in Security → Secrets.
  • Always prefer Secret over plain passwords in datasets and devices.
  • Restrict edit permissions — only admins should manage secret values.
  • Use descriptive names for clarity (e.g., DBRuntimePass instead of Secret1).

    • in configurations but cannot see the actual values.

    Secret Types

    TypeUse CaseExample
    PasswordDatabase connections, user authenticationSQL Server password
    APIKeyWeb service authenticationREST API key
    TokenBearer tokens, OAuth tokensJWT token
    CertificateSSL/TLS certificatesClient certificate
    ConnectionStringFull connection stringsMongoDB connection

    Usage in Configurations

    Datasets Integration

    When configuring database connections:

    1. Navigate to Datasets → DBs
    2. In connection settings, select Use Secret
    3. Choose from dropdown list of configured secrets
    4. Connection uses encrypted value at runtime

    Example:

    Database: RuntimeUsers
Authentication: SQL Server Auth
Username: dbuser
Password: [Secret: DBRuntimePass]

    Device/TagProvider Integration

    For MQTT, OPC UA, and other protocols:

    1. Navigate to Devices → Channels or TagProviders
    2. In authentication fields, use secret reference syntax
    3. Format: /secret-<SecretName>

    Example:

    MQTT Broker Authentication:
Username: mqttuser
Password: /secret-MQTTBrokerPass

    Script Access

    Secrets can be referenced in scripts:

    csharp

    // Get secret value (requires admin permission)
string password = @Security.GetSecret("DBPassword");

// Use in connection string
string connStr = $"Server=localhost;User={user};Password={password}";

    Configuration Examples

    Basic Secret Setup

    NameSecretTypeSecretValueDescription
    DBProductionPassPassword********Production SQL Server
    MQTTBrokerKeyAPIKey********MQTT cloud broker API
    OPCServerCertCertificate********OPC UA client certificate
    AzureStorageKeyToken********Azure blob storage access

    Runtime Users Database Example

    1. Create secret:
      • Name: RuntimeUsersDBPass
      • Type: Password
      • Value: [encrypted]
      • Description: RuntimeUsers SQL authentication
    2. Use in Dataset:
      • Go to Datasets → DBs → RuntimeUsers
      • Set Password field to: [Secret: RuntimeUsersDBPass]

    Security Considerations

    Access Control Matrix

    ActionAdministratorEngineerOperator
    Create Secret???
    Edit SecretValue???
    View SecretValue???
    Reference in Config???
    View Secret List???

    Encryption Details

    • Values encrypted using AES-256
    • Stored encrypted in solution file
    • Decrypted only at runtime when needed
    • Never logged in plain text
    • Not included in solution exports

    Best Practices

    Naming Conventions

    PatternExampleUse For
    DB<System>PassDBHistorianPassDatabase passwords
    API<Service>KeyAPIWeatherKeyAPI keys
    MQTT<Broker>PassMQTTAzurePassMQTT credentials
    OPC<Server>CertOPCPlantCertOPC certificates

    Implementation Guidelines

    1. Create secrets before configuration
      • Define all secrets in Security module first
      • Then reference in other modules
    2. Use descriptive names
      • Good: ProductionSQLPass
      • Bad: Secret1
    3. Document usage
      • Always fill Description field
      • Include where secret is used
      • Note rotation schedule if applicable
    4. Regular rotation
      • Change production secrets periodically
      • Update all references after rotation
      • Test thoroughly after changes
    5. Environment separation
      • Use different secrets for Dev/Test/Production
      • Name accordingly: DevDBPass, ProdDBPass

    Migration and Portability

    Exporting Solutions

    When exporting solutions:

    • Secret names and types are exported
    • Secret values are NOT exported
    • Target system must recreate values

    Import Process

    1. Import solution to new system
    2. Navigate to Security → Secrets
    3. For each secret, enter appropriate value
    4. Test all connections

    Environment Variables Alternative

    For containerized deployments:

    FRAMEWORKX_SECRET_DBPassword=actualpassword
FRAMEWORKX_SECRET_MQTTKey=actualkey

    Troubleshooting

    Common Issues

    IssueCauseSolution
    "Secret not found"Typo in referenceCheck exact secret name
    "Access denied"Insufficient permissionsUse administrator account
    Connection failsWrong secret valueVerify and re-enter value
    Secret list emptyFilter appliedCheck module filter settings

    Validation

    Test secret configuration:

    1. Create test secret
    2. Reference in test connection
    3. Verify connection succeeds
    4. Check runtime logs for errors

    Audit Trail

    Secret operations are logged:

    • Creation/modification timestamp
    • User who made changes
    • NOT the actual values

    See Also

    Document secret usage in the Description field for auditability.
    In this section...

    Page Tree
    root@parent
    spaces93DRAF