Skip to content

Additional Considerations

Encrypt the Database Password

Important: Encryption is only supported for Tomcat application servers.

Volt MX Foundry provides a 256-bit AES/GCM/NoPadding encryption utility, which can be used to encrypt your database password. To encrypt your database password, follow these steps:

  1. After you download and extract the installation zip file, navigate to the lib folder.

  2. From the lib folder, open a terminal (console), and then execute the following command:

    java -jar EncryptionUtility.jar</code></pre>

  3. In the Enter Password to be Encrypted field, type the password that is used to access your database.

  4. In the Enter Key to be Encrypted field, type the key that must be used to encrypt the password.

The console then displays the Encrypted Password and Encrypted Key. These values must be added to the DB_PASS and DB_PASS_SECRET_KEY parameters in the config.properties file. For more information, refer to Database Details.

How to Use verify-cosign.sh

Overview

It verifies the Cosign signatures of HCL Volt MX Foundry Docker images to confirm they are authentic and haven't been tampered with. It pulls each image from the registry and validates it against the bundled cosign.pub public key.

Prerequisites

  • cosign CLI must be installed.
  • Docker must be installed and running.
  • You must be logged into the Harbor registry before running the script.
  • Both verify-cosign.sh and cosign.pub must be in the same directory.

Running the Script

Run from the cosign/ directory. There are three ways to supply the image tag:

Option 1 — Pass tag as argument

cd cosign/

./verify-cosign.sh <image-tag>

Option 2 — Set TAG environment variable

export TAG=<image-tag>

./verify-cosign.sh

Option 3 — Use a version.txt file

Place a version.txt file in the cosign/ directory (or its parent) with the format:

Build: <image-tag>

Then run:

./verify-cosign.sh

Verified Images

  • Image Name.

  • voltmx-foundry-db.

  • voltmx-foundry-all.

  • voltmx-foundry-engagement.

  • voltmx-foundry-integration.

  • voltmx-foundry-apiportal.

  • voltmx-foundry-console.

  • voltmx-foundry-identity.

  • All images are pulled from (hclcr.io/voltmx-qa).

Logging In to the Harbor Registry

docker login.

Use your own Harbor registry credentials.

Successful Verification

Verification successful for voltmx-foundry-console.

Failure Verification

If the signature check fails:

Verification failed for voltmx-foundry-console

If the image cannot be pulled (for example, not logged in):

Failed to pull <tag>

Please login to Harbor registry with your own credentials and retry:

docker login

Note : The script continues to the next image even if one fails — it does not exit early on pull or verification failures.

Behavior When Tag Is Not Provided

The script exits and displays an error message:

Unable to determine image tag. Pass tag as arg, set TAG env var, or provide version.txt with 'Build: <tag>'.

Location of the Public Key Storage

The public key is at cosign/cosign.pub. It is an ECDSA key on the P-256 curve and is used exclusively for signature verification — it cannot sign images.

Verifying an Individual Image Instead of All Supported Images

Not with the current script.

Manually Verifying a Single Image:

cosign verify --key cosign/cosign.pub <image-name>:<tag>