Environment data in Vault

Vault is supported for storing sensitive key-value pairs for Docker configuration. If you want to use this method of environment configuration, set CONFIGURE_MODE to Vault. With this setting, startup scripts fetch environment-related data from Vault when you start a Docker container.

Vault paths are organized by a Tenant that represents your company (for example, MyCompany), an EnvironmentName (for example, Non-production), and an EnvironmentType (for example, auth).

Storing key-value pairs in Vault

To set up Vault, see the Vault website. When you have a Vault ready for use, you can complete the following steps to store and retrieve key-value pairs.
  1. Create a mount point based on the {Tenant}.
    For example,
    # JSON body that describes the mount to create
    init_json='{"type":"generic","description":"description","config":{"max_lease_ttl":"876000"}}'
    header="X-Vault-Token:vaultToken"
    curl -X POST -H "$header" -H "Content-Type:application/json" -d "$init_json" http://vaultIP:vaultPort/v1/sys/mounts/tenant
  2. Store key-value pair data by using the following command.
    curl -X POST -H "X-Vault-Token:vaultToken" -d '{"value":"value"}' http://vaultIP:vaultPort/v1/tenant/environmentName/environmentType/targetKey
    For example, to store the value "mall" for a key name "dbName" under path MyCompany/Non-production/auth/dbName:
    curl -X POST -H "X-Vault-Token:7f47efbb-b162-619b-0ced-448079d91b77" -d '{"value":"mall"}' http://myhostname.com:8200/v1/MyCompany/Non-production/auth/dbName

Retrieving key-value pairs in Vault

Retrieve key-value pair data by using the following command.
curl -X GET -H "X-Vault-Token:vaultToken" http://vaultIP:vaultPort/v1/tenant/environmentName/environmentType/targetKey | jq -r .data.value
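
The retrieve call above, wrapped as an added example (not part of the HCL documentation): it builds the path from its segments, refuses malformed segments, and passes the token to curl on stdin instead of the command line. The function names and the VAULT_ADDR and VAULT_TOKEN variables are assumptions.

```shell
#!/bin/sh
# Added example, not HCL or HashiCorp code. vault_kv_url, vault_kv_get,
# VAULT_ADDR and VAULT_TOKEN are names assumed here for illustration.

# Build BASE/v1/tenant/environmentName/environmentType/targetKey. Every segment
# must be non-empty and use only [A-Za-z0-9._-]; "." and ".." are refused, so a
# malformed name cannot point the request at another mount such as sys/.
vault_kv_url() {
    [ "$#" -ge 4 ] || { echo "usage: vault_kv_url BASE TENANT ENV KEY..." >&2; return 2; }
    url="${1%/}/v1"; shift
    for seg in "$@"; do
        case $seg in
            ''|.|..|*[!A-Za-z0-9._-]*)
                echo "invalid path segment: '$seg'" >&2; return 1 ;;
        esac
        url="$url/$seg"
    done
    printf '%s\n' "$url"
}

# Read one value. The token comes from $VAULT_TOKEN and reaches curl through a
# config stream on stdin, keeping it out of the process list and shell history.
# --fail turns an HTTP error (for example 403 or 404) into a non-zero exit, and
# jq -e does the same when .data.value is missing or null.
vault_kv_get() {
    [ -n "$VAULT_TOKEN" ] || { echo "VAULT_TOKEN is not set" >&2; return 2; }
    url=$(vault_kv_url "$VAULT_ADDR" "$@") || return 1
    printf 'header = "X-Vault-Token: %s"\n' "$VAULT_TOKEN" |
        curl --silent --show-error --fail --config - "$url" |
        jq -er '.data.value'
}

# Offline demonstration with the host and path from the example above.
vault_kv_url http://myhostname.com:8200 MyCompany Non-production auth dbName
```

With VAULT_ADDR and VAULT_TOKEN exported, `vault_kv_get MyCompany Non-production auth dbName` performs the same request as the curl command above.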

Key-value data structure in Consul/Vault

The following tables list all of the default key-value paths on Consul/Vault.

The default EnvType values are auth and live.

You can add your key-value paths based on your business requirements and define custom logic to fetch them.

The structure of the HCL Commerce deployment key-value pair reference is broken down into the following sections by function, and ordered by release level:
Name, port, security scheme, and certificate configurations
Vault path Requirement Description
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/domainName Optional Specify the internal service domain name. If the deployed environment is on a special namespace on Kubernetes, then the domain name should be .svc.cluster.local.

If no value is specified, then the default, default.svc.cluster.local, is used.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/externalDomainName Optional This value specifies the store-web external domain name, which can be recognized by your browser.

For example, in the hostname store.demo4qaauth.hcl.com, hcl.com is the external domain name.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/kafkaServers Optional Specify a value if you want to enable ZooKeeper and Kafka.
The format for this key-value pair is:
"kafkaServers": server1:port1,server1:port2
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/kafkaTopicPrefix Optional Specify a value if you want to configure ZooKeeper and Kafka. If no value is specified, the following default value is applied.

${TENANT}${ENVIRONMENT}${ENVTYPE}

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/kafkaTopicPrefix Optional The Kafka authentication user ID.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/kafkaTopicPrefix Optional The Kafka authentication user password.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/zooKeeperServers Optional Specify a value if you want to enable ZooKeeper and Kafka.
Note: Deprecated and removed in HCL Commerce 9.1.12.0.
The format for this key-value pair is:
"zooKeeperServers": server1:port1,server2:port2
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/txnHost Optional Specify a value if you want to set txnHost, instead of using the default value.
Note: This value is used for the Transaction server Docker container only. The txHost value is used for all other containers.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/txnPort Optional Specify a value if you want to set txnPort, instead of using the default value.
Note: This value is used for the Transaction server Docker container only. The txPort value is used for all other containers.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/txHost Optional Specify a value if you want to set txHost, instead of using the default value.
Note: This value is used for all containers other than the Transaction server Docker container. To set the value for the Transaction server Docker container, use the txnHost value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/txPort Optional Specify a value if you want to set txPort, instead of using the default value.
Note: This value is used for all containers other than the Transaction server Docker container. To set the value for the Transaction server Docker container, use the txnPort value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/xcHost Optional Specify a value if you want to set a host name for the Customization server, instead of using the default value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/xcPort Optional Specify a value if you want to set a port number for the Customization server, instead of using the default value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/storeHost Optional Specify a value if you want to set a value for the Store server Commerce Remote Store (CRS) store host, instead of using the default value.

The default value is the crs-app service name.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/storePort Optional Specify a value if you want to set a value for the Store server Commerce Remote Store (CRS) store port, instead of using the default value.

The default value is 8443.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/previewPort Specify a value if you want to set previewPort, instead of using the default value.

The default value is 443.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/storeWebHost Optional Specify a value if you want to set storeWebHost, instead of using the default value.

The default value is store.${TENANT}${ENVIRONMENT}${ENVTYPE}${EXTERNAL_DOMAIN_NAME}.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/storeWebPort Optional Specify a value if you want to set storeWebPort, instead of using the default value.

The default value is 443.

Optional Specify if you want to set the store access non-security port to NONSSLPort.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/searchPort Optional Specify a value if you want to set searchPort, instead of using the default value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/searchScheme Optional Specify a value if you want to set searchScheme, instead of using the default value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/searchMasterHost Optional The Search server host name.
Note: This parameter is only required with the solr-based search solution auth environment. The default value is the solr search master service name.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/searchSlaveHost Optional The Search server host name.
Note: This parameter is only required to be defined within the live environment. The default value is the solr search slave service name.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/searchRepeaterHost Optional The Search server host name.
Note: This parameter is only required to be defined within the live environment. The default value is the solr search repeater service name.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/certs/CertName Optional Specify third-party certificate records.

demo2/qa/certs/demo2qa-test={'certificate': 'asdfadsfadsfads', 'destination_host': 'adsfadsf', 'issuing_ca': 'fadsfadsfads', 'keystorepass': 'adsfadsfads', 'private_key': 'adsfadsfasd'}

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/certsBundle Optional Specify third-party certificate records.

demo2/qa/certsBundle={'crsapp': 'demo2qa-testky', 'searchapp': 'demo2qa-test', 'storeapp': '', 'tsapp': 'demo2qa-test', 'tsweb': '', 'xcapp': ''}

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/spiUserPwd Mandatory The ASCII encrypted spiuser user password.

To set the password in your custom Docker containers, see Setting the spiuser password in your Docker images.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/adminSpiUserPwd Mandatory The plain text spiuser user password.

The ADMIN_SPIUSER_PWD must be the same value as SPIUSER_PWD but kept as plain text.

To set the password in your custom Docker containers, see Setting the spiuser password in your Docker images.

${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/merchantKeyEncrypted Mandatory The encrypted merchant key, encrypted with the key encryption key. The merchant key was created when you or an administrator loaded the HCL Commerce database schema.
For more information, see:
Important: You must specify your own merchant key and key encryption key values for the security of your HCL Commerce installation. Do not use the default values contained within the provided sample configuration files and documentation examples.
Database configurations
Vault path Requirement Description
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbSSLEnable Optional Specify whether the database connection uses SSL.
Accepted values are:
  • true for an SSL connection.
  • false for an unencrypted connection.
The default value is false.
Note: You can also specify datasource credentials through the startup command if you do not want to retrieve the datasource values from Vault.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbHost Mandatory The database host name for the environment.
Note: This value is only mandatory in the auth environment for WCPublishDataSource.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbName Mandatory The database name.
Note: This value is only mandatory in the auth environment for WCPublishDataSource.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbPort Mandatory The database port number.
Note: This value is only mandatory in the auth environment for WCPublishDataSource.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbUser Mandatory The HCL Commerce database user name.
Note: This value is only mandatory in the auth environment for WCPublishDataSource.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbPassword Mandatory The HCL Commerce database user password.
Note: This value is only mandatory in the auth environment for WCPublishDataSource.
HCL Commerce Version 9.0.0.5 or later: ${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbPassEncrypt Mandatory The encrypted HCL Commerce database user password.
HCL Commerce Version 9.0.0.5 or later: ${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbaUser Mandatory The database administrator user name.
HCL Commerce Version 9.0.0.5 or later: ${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbaPassEncrypt Mandatory The encrypted database administrator user password.
HCL Commerce Version 9.0.0.4 or later: ${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbType Optional The database type.
Accepted values are:
  • db2 for IBM Db2 Database.
  • oracle for Oracle Database.
The default value is db2.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/dbSchema Optional The database schema.
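
A preflight check for the keys marked Mandatory in the two tables above, plus the accepted values listed for dbSSLEnable and dbType, as an added example that is not part of the HCL documentation. It assumes every Mandatory key is required for the environment type being checked (the auth-only notes are not modelled) and that values are matched exactly; the function names and the snapshot format are assumptions.

```shell
#!/bin/sh
# Added example, not HCL code. SNAPSHOT is constructed sample data (key=value,
# one per line) standing in for values read from Vault for one environment type.
MANDATORY="spiUserPwd adminSpiUserPwd merchantKeyEncrypted dbHost dbName dbPort
dbUser dbPassword dbPassEncrypt dbaUser dbaPassEncrypt"

SNAPSHOT='spiUserPwd=constructed-1
adminSpiUserPwd=constructed-2
dbHost=db.example.internal
dbName=mall
dbPort=50000
dbUser=wcs
dbPassword=constructed-3
dbSSLEnable=true
dbType=mysql'

# Print the value stored for key $2 in snapshot text $1 (nothing if absent).
snapshot_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Print one finding per line and return non-zero if there is any. Findings name
# the key only; values of mandatory keys are secrets and are never echoed.
preflight() {
    snap=$1; findings=0
    for key in $MANDATORY; do
        if [ -z "$(snapshot_get "$snap" "$key")" ]; then
            echo "missing mandatory key: $key"; findings=$((findings + 1))
        fi
    done
    # Optional keys whose accepted values are listed in the tables.
    for rule in "dbSSLEnable:true false" "dbType:db2 oracle"; do
        key=${rule%%:*}; allowed=${rule#*:}
        val=$(snapshot_get "$snap" "$key")
        [ -z "$val" ] && continue
        case " $allowed " in
            *" $val "*) ;;
            *) echo "invalid value for $key: $val (accepted: $allowed)"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

preflight "$SNAPSHOT" || echo "preflight failed; fix the keys listed above"
```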
Logging and health configuration
Vault path Requirement Description
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/healthCenterEnable/ts-app Optional Specify a value if you want to enable Health Center.
Accepted values are:
  • true for enabling Health Center.
  • false for not enabling Health Center.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/healthCenterEnable/search-app Optional Specify a value if you want to enable Health Center.
Accepted values are:
  • true for enabling Health Center.
  • false for not enabling Health Center.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/healthCenterEnable/xc-app Optional Specify a value if you want to enable Health Center.
Accepted values are:
  • true for enabling Health Center.
  • false for not enabling Health Center.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/healthCenterEnable/crs-app Optional Specify a value if you want to enable Health Center.
Accepted values are:
  • true for enabling Health Center.
  • false for not enabling Health Center.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/healthCenterEnable/search-query-app Optional Specify a value if you want to enable Health Center.
Accepted values are:
  • true for enabling Health Center.
  • false for not enabling Health Center.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/healthCenterEnable/search-ingest-app Optional Specify a value if you want to enable Health Center.
Accepted values are:
  • true for enabling Health Center.
  • false for not enabling Health Center.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/traceSpecification/ts-app Optional If you want to change the trace specification for the Transaction server, specify a value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/traceSpecification/search-app Optional If you want to change the trace specification for the Search server, specify a value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/traceSpecification/crs-app Optional If you want to change the trace specification for the Store server, specify a value.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/traceSpecification/xc-app Optional If you want to change the trace specification for the Customization server, specify a value.
Optional
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/threadMonitorEnable/ts-app Optional Specify a value if you want to enable Thread Monitor.
Accepted values are:
  • true for enabling Thread Monitor.
  • false for not enabling Thread Monitor.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/threadMonitorEnable/xc-app Optional Specify a value if you want to enable Thread Monitor.
Accepted values are:
  • true for enabling Thread Monitor.
  • false for not enabling Thread Monitor.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/threadMonitorEnable/search-app Optional Specify a value if you want to enable Thread Monitor.
Accepted values are:
  • true for enabling Thread Monitor.
  • false for not enabling Thread Monitor.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/threadMonitorEnable/crs-app Optional Specify a value if you want to enable Thread Monitor.
Accepted values are:
  • true for enabling Thread Monitor.
  • false for not enabling Thread Monitor.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/threadMonitorEnable/search-ingest-app Optional Specify a value if you want to enable Thread Monitor.
Accepted values are:
  • true for enabling Thread Monitor.
  • false for not enabling Thread Monitor.
The default value is false.
${VAULT_URL}/${TENANT}/${ENVIRONMENT}/${ENVTYPE}/threadMonitorEnable/search-query-app Optional Specify a value if you want to enable Thread Monitor.
Accepted values are:
  • true for enabling Thread Monitor.
  • false for not enabling Thread Monitor.
The default value is false.
Integration, and other miscellaneous configurations