Create and Edit Secret Groups (Anypoint Platform)
Secrets Manager enables you to create and edit secret groups, which are logical groupings of secrets. Secrets Manager also enables you to create new secret types and add them to a secret group.
A maximum of 25 secret groups are allowed per environment per business group. Each secret group can contain a maximum of 350 secrets.
Prerequisites
To create and edit secret groups:
- Verify that you have the Write secrets permission in Access Management.
- Verify that you're in the correct environment and business group.
Create a Secret Group
- In Anypoint Platform, go to Management Center > Secrets Manager.
- Select Create Secret Group.
- Enter a name for the secret group that:
  - Starts with a letter
  - Is at least three characters long and no longer than 35 characters
  - Contains only letters, numbers, and dashes; however, the name can't end with a dash
- Select Secret Group Downloadable to allow authenticated users to download secrets outside of Anypoint Platform.
  If you select this option, secrets can be downloaded over public networks.
Next, add the secret types to the secret group.
Add a Truststore
Add a truststore for the public certificates of trusted servers. The truststore stores up to 15 certificates from trusted CAs, which are then used to verify the certificates presented by a server in an SSL connection.
- In the Secret Groups list view, select the secret group to add the truststore to, and click Edit.
- Select Truststore > Add Truststore.
- In Add Truststore, add the required information:
  - Name: Enter a name for your truststore.
  - Type: Select the truststore type: PEM, JKS, PKCS12, or JCEKS.
  - Truststore File: Click Choose File and select the truststore file to upload.
  - Override Expiration Date: Select the date to override the default expiration date of the certificate.
  If you're uploading a JKS, PKCS12, or JCEKS truststore file, you must also provide the passphrase for this truststore.
- Click Save.
Add a Keystore
Specify the type of keystore to add to the secret group. The keystore is the combination of the authorization certificate, its corresponding private keys, and the certification authority's path.
- In the Secret Groups list view, select the secret group to add a keystore to, and click Edit.
- Select Keystore > Add Keystore.
- In the Name field, enter a name for the keystore.
- In the Type field, select the keystore type. Supported types include:
  - Privacy-Enhanced Mail (PEM): Base64-encoded ASCII file with a .cer, .crt, or .pem extension.
  - Java Keystore (JKS): Repository for authorization or public key certificates. The JKS keystore type doesn't store secret keys.
  - PKCS #12: Stores server and intermediate certificates in an archive file format. The PKCS #12 keystore type doesn't store secret keys.
  - Java Cryptography Extension keystore (JCEKS): Stores server and intermediate certificates as well as secret keys.
- To add a PEM type keystore, you must provide:
  - Certificate File: Click Choose File to locate and upload the PEM certificate file.
  - Key File: Click Choose File to locate and upload the PEM-formatted file that contains the private key for the certificate.
  - Key Passphrase: Enter the word or phrase that protects the private key.
  - CA Path Certificate File: Click Choose File to locate and upload the certificate signed by a certification authority (CA). The CA path contains the intermediary and root certificates that are related to the certificate file to use.
  - Override Expiration Date: Select the date to override the default expiration date of the certificate.
- To add a JKS, PKCS12, or JCEKS type keystore, you must provide:
  - Keystore File: Click Choose File to locate and upload the keystore file to use.
  - Keystore Passphrase: Enter the word or phrase that protects the keystore.
  - Alias: The alias used to access the keystore entries (key and trusted certificate entries).
  - Key Passphrase: The word or phrase that protects the private key.
  - Algorithm: The algorithm to use for encryption of keys.
  - Override Expiration Date: Select the date to override the current expiration date of the certificate.
- Click Save.
Add a Certificate Pinset
Add a concatenated list of PEM certificates to the secret group.
- In the Secret Groups list view, select the secret group to add a certificate pinset to, and click Edit.
- Select Certificate Pinset > Add Certificate Pinset.
- In the Certificate Pinset screen, add the required information:
  - Name: Enter a name for the certificate pinset.
  - Certificate File: Click Choose File and select the PEM-formatted CA certificate to upload.
  - Expiration Date: Select the expiration date for the certificate.
- Click Save.
Add a Shared Secret
Add a secret that users can share for authentication.
- In the Secret Groups list view, select the secret group to add a shared secret to, and click Edit.
- Select Shared Secret > Add Shared Secret.
- In the Add Shared Secret screen, add the required information:
  - Name: Enter a name for your shared secret.
  - Type: Select one of the following:
    - Username Password: Provide a username and password.
    - Symmetric Key: Provide a Base64-encoded symmetric key.
    - S3 Credential: Provide the access key ID and the secret access key for an S3 bucket.
    - Blob: Provide a Base64-encoded value.
- Click Save.
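A pre-upload checker, added here as an example and not part of Anypoint Platform or the MuleSoft documentation, that applies three rules from this page before anything is submitted: the secret group naming rules from Create a Secret Group, the 15-certificate limit and PEM structure for Truststore and Certificate Pinset uploads, and the Base64 symmetric key for Shared Secret. The AES key sizes and the sample PEM block are assumptions; the sample is a constructed DER stub, not a real certificate.

```python
import base64
import re

# Name rule stated on the page: starts with a letter, 3 to 35 characters,
# only letters, digits and dashes, no trailing dash.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,33}[A-Za-z0-9]$")
MAX_TRUSTSTORE_CERTS = 15       # page limit for one truststore
AES_KEY_LENGTHS = (16, 24, 32)  # assumption: symmetric keys are AES-128/192/256
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def valid_secret_group_name(name: str) -> bool:
    """True if the name satisfies the secret group naming rules."""
    return NAME_RE.fullmatch(name) is not None

def pem_certificates(bundle: str) -> list[bytes]:
    """DER bytes of every CERTIFICATE block in a PEM bundle (truststore or
    concatenated pinset). Raises ValueError if a block is not valid base64."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT_RE.findall(bundle)]

def truststore_problems(bundle: str) -> list[str]:
    """Pre-upload checks: at least one block, at most 15, and each block
    decodes to a DER SEQUENCE (first byte 0x30). Empty list means OK."""
    try:
        certs = pem_certificates(bundle)
    except ValueError as exc:
        return [f"malformed PEM block: {exc}"]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE blocks found")
    if len(certs) > MAX_TRUSTSTORE_CERTS:
        problems.append(f"{len(certs)} certificates, limit is {MAX_TRUSTSTORE_CERTS}")
    for i, der in enumerate(certs):
        if not der or der[0] != 0x30:
            problems.append(f"block {i} is not a DER SEQUENCE")
    return problems

def symmetric_key_length(b64: str) -> int:
    """Byte length of a Base64 symmetric key (Shared Secret > Symmetric Key);
    raises ValueError if it is not base64 or not an AES key size."""
    key = base64.b64decode(b64, validate=True)
    if len(key) not in AES_KEY_LENGTHS:
        raise ValueError(f"key is {len(key)} bytes, expected {AES_KEY_LENGTHS}")
    return len(key)

# Constructed sample: a 5-byte DER SEQUENCE (30 03 02 01 01), not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```

Run `truststore_problems` over a bundle before uploading it as a truststore; a pinset upload uses the same PEM parsing but has no 15-certificate limit on this page.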
Edit a Secret Group
Edit a secret group to add secret types such as keystores, truststores, and certificates.
- In the Secret Groups list view, select the secret group you want to edit, then click Edit.
- Make changes to the secrets as required.
As you create or save changes to a secret, the changes are applied immediately. The updated secret group is available the next time it is accessed or when an application is deployed.