Delphix database hosts authentication and dSource linking with Hashicorp Vault

Sanjeev Rohila
5 min readJul 19, 2021

For security teams, the focus has been shifted from the network because the network in the cloud is inherently “low trust” and securing the infrastructure and application services themselves.

Another advantage of using vaults is to minimize the number of places where credentials need to be stored and, therefore the risk of insecure storage.

Delphix provides creating data environments on-demand, in minutes. These data environments can be added to the Delphix engine using Vaults. Delphix supports Hashicorp Open Source, Hashicorp Enterprise, and Cyberark Vaults.

Getting the Hashicorp Opensource vault Ready to be used with Delphix

We will authenticate the Delphix engine with the Hashicorp Open Source vault and explore the various authentication methods available in the Delphix Engine for demonstration purposes.

Authentication methods are the components in Vault that perform authentication and are responsible for assigning identity and a set of policies to a user. Delphix supports 3 auth mechanisms that are suited for servers authentication.



TLS Certificate

But after the authentication, we need to ensure that we also have defined the credentials in the Vault.

Here in Delphix, we have support for KV Secrets Engine version 2 and have defined the credential in an engine named kv-v2/delphix-secrets on path win-2012 and have used the keys user and password to hold the credentials.

Credentials managed at Vault

Defining vaults in the Delphix Engine

For instance, we are adding token authentication to Delphix Engine to interact with the Vault.

Supported Vaults in Delphix
Adding a Hashicorp vault to Delphix

Vault is added to Delphix Engine, now no more need to use the host authentication credentials because they are fetched from Hashicorp vault.

Adding host environment to Delphix Engine Using Vault

Here will see how Delphix allows the users to fetch the credentials from Vault avoiding them being stored at insecure storage like workstations or in the code at repositories like GitHub.

Navigate to the Manage->Environment and Add Environment by clicking the 3 dots the top menu

Now it's time to use these credentials to add the database host environments to the Delphix Engine. We will select the radio button Password Vault provided under the Login Type.

Selecting the Password Vault Login Type

When we select the Login Type as Password Vault radio button we are all set to use the Password vault. Now we need to select the appropriate Vault definition from the dropdown Select the Enterprise Vault System, using what we want to use to fetch the credentials from the Vault system, here we are selecting hashicorp-os-token-auth, which is defined in the steps above.

Now Delphix Engine needs to specify the Secret Engine and Path to find the keys that are holding the credentials to add the host. As per our definition, we have below parameters to fetch the credentials from the vault

Engine — kv-v2/delphix-secrets

Path — win-2012

Username Key — user

Secret Key — password

After supplying the above parameters when we hit the Validate button, Boom! the host is authenticated from the Delphix Engine and as ready to be added as an environment.

Similar way after adding the source environment our source and targets and ready to create the copies of the databases present on the source database environment.However, we canr also change the definition used by the host when added to the engine with a different password vault definition and add additional definitions as environment users.

Linking Databases

So far we have added the definition and linked the host environment to the Delphix Engine, now we may want to link the databases present in the source MSSQL environment to create the copies for various purposes.

Navigate to the Manage->Datasets section from the top menu and select the + to chose the Add dSource from the menu to link the available databases available in the source environment

There we go ahead with SQL2019SA database instance to link with Delphix Engine and select the Domain User with Vault Credentials option from the radio buttons from the bottom right Database Authentications options

Now we will supply the same parameters provided to add the environment section and hit Validate to authenticate the database instance present in the environment and there we go we have successfully used the vault for database authentication to link the database to the Delphix Engine.

A couple of more typical configuration items and after hitting the Submit

Here the database is linked to the Delphix Engine as a data source using the Hashicorp Vault.