Versions Compared

Old Version 4

changes.mady.by.user admin

Saved on

compared with

New Version Current

changes.mady.by.user eduardo.bogo@tatsoft.com

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Securely store credentials and secrets.

ReferenceModules SecurityUIRuntimeUsers | Users | Permissions | Policies | Secrets | Monitor

Security Secrets (Reference): Securely store and manage sensitive credentials such as passwords, API keys, and connection strings without exposing plain-text values in your configuration.

Security Secrets provide:

  • Centralized credential storage
  • Encrypted value protection
  • Integration with Datasets (DB connections)
  • Integration with Devices/TagProviders (MQTT, OPC UA, etc.)
  • Administrative control over sensitive values

On this page:

Table of Contents
maxLevel2
minLevel2
indent10px
excludeSteps
stylenone

Scripts → Tutorial | Concept | How-to Guide | Reference

onfiguration

Configuration Properties

Access at: Security → Secrets

PropertyDescriptionRequiredAccess Control
NameUnique identifier for the secretYesAll users
SecretTypeType of credential (Password, APIKey, Token)YesAll users
SecretValueEncrypted credential valueYesAdministrators only
DescriptionDocumentation of usage/purposeNoAll users

Important: Only administrators can view or edit SecretValue. Standard users can reference secrets in configurations but cannot see the actual values.

Secret Types

TypeUse CaseExample
PasswordDatabase connections, user authenticationSQL Server password
APIKeyWeb service authenticationREST API key
TokenBearer tokens, OAuth tokensJWT token
CertificateSSL/TLS certificatesClient certificate
ConnectionStringFull connection stringsMongoDB connection

Usage in Configurations

Datasets Integration

When configuring database connections:

  1. Navigate to Datasets → DBs
  2. In connection settings, select Use Secret
  3. Choose from dropdown list of configured secrets
  4. Connection uses encrypted value at runtime

Example:

Database: RuntimeUsers
Authentication: SQL Server Auth
Username: dbuser
Password: [Secret: DBRuntimePass]

Device/TagProvider Integration

For MQTT, OPC UA, and other protocols:

  1. Navigate to Devices → Channels or TagProviders
  2. In authentication fields, use secret reference syntax
  3. Format: /secret-<SecretName>

Example:

MQTT Broker Authentication:
Username: mqttuser
Password: /secret-MQTTBrokerPass

Script Access

Secrets can be referenced in scripts:

csharp

// Get secret value (requires admin permission)
string password = @Security.GetSecret("DBPassword");

// Use in connection string
string connStr = $"Server=localhost;User={user};Password={password}";

Configuration Examples

Basic Secret Setup

NameSecretTypeSecretValueDescription
DBProductionPassPassword********Production SQL Server
MQTTBrokerKeyAPIKey********MQTT cloud broker API
OPCServerCertCertificate********OPC UA client certificate
AzureStorageKeyToken********Azure blob storage access

Runtime Users Database Example

  1. Create secret:
    • Name: RuntimeUsersDBPass
    • Type: Password
    • Value: [encrypted]
    • Description: RuntimeUsers SQL authentication
  2. Use in Dataset:
    • Go to Datasets → DBs → RuntimeUsers
    • Set Password field to: [Secret: RuntimeUsersDBPass]

Security Considerations

Access Control Matrix

ActionAdministratorEngineer
Operator
Guest
Create Secret
?
Yes
?
Yes
?
Yes
Edit SecretValue
?
Yes
?
No
?
No
View SecretValue
?
No
?
No
?
No
Reference in Config
?
Yes
?
Yes
?
Yes
View Secret List
?
Yes
?
Yes
?
Yes

Encryption Details

  • Values encrypted using AES-256
  • Stored encrypted in solution file
  • Decrypted only at runtime when needed
  • Never logged in plain text
  • Not included in solution exports

Best Practices

Naming Conventions

PatternExampleUse For
DB<System>PassDBHistorianPassDatabase passwords
API<Service>KeyAPIWeatherKeyAPI keys
MQTT<Broker>PassMQTTAzurePassMQTT credentials
OPC<Server>CertOPCPlantCertOPC certificates

Implementation Guidelines

  1. Create secrets before configuration
    • Define all secrets in Security module first
    • Then reference in other modules
  2. Use descriptive names
    • Good: ProductionSQLPass
    • Bad: Secret1
  3. Document usage
    • Always fill Description field
    • Include where secret is used
    • Note rotation schedule if applicable
  4. Regular rotation
    • Change production secrets periodically
    • Update all references after rotation
    • Test thoroughly after changes
  5. Environment separation
    • Use different secrets for Dev/Test/Production
    • Name accordingly: DevDBPass, ProdDBPass

Migration and Portability

Exporting Solutions

When exporting solutions:

  • Secret names and types are exported
  • Secret values are NOT exported
  • Target system must recreate values

Import Process

  1. Import solution to new system
  2. Navigate to Security → Secrets
  3. For each secret, enter appropriate value
  4. Test all connections

Environment Variables Alternative

For containerized deployments:

FRAMEWORKX_SECRET_DBPassword=actualpassword
FRAMEWORKX_SECRET_MQTTKey=actualkey

Troubleshooting

Common Issues

IssueCauseSolution
"Secret not found"Typo in referenceCheck exact secret name
"Access denied"Insufficient permissionsUse administrator account
Connection failsWrong secret valueVerify and re-enter value
Secret list emptyFilter appliedCheck module filter settings

Validation

Test secret configuration:

  1. Create test secret
  2. Reference in test connection
  3. Verify connection succeeds
  4. Check runtime logs for errors

Audit Trail

Secret operations are logged:

  • Creation/modification timestamp
  • User who made changes
  • NOT the actual values

See Also

In this section...

Page Tree
93DRAF
root@parentspaces