Hello Ashish,

Inline

Le 21/06/26 10:45, Ashish Vijaywargiya a écrit :
> Hello Gil,
> 
[...]
> > First I had some concerns about the fact that secret management, in my
> > experience, is an infra domain subject. There are tools which goals are
> > to retrieve and share those secrets into application environment.
> 
> 
> Can you please share the name of few tools that can help us on this?
> 

I was referring to Kubernetes secret operators, such as
https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso

In my view, in a project configuration that includes:
* The client for whom the implementation is being carried out
* The integrator who customizes and develops the solution
* The operations team: which manages and monitors the infrastructure

Some of the secrets must be managed solely by the OPS team, without
being shared with the integrator; so I thought that secret management
should take place outside of OFBiz.

But not all project follow that structure :)

[...]
> >
> > I feel like the EncryptValue value feature is for simple production grade
> > architecture, for example an OFBiz instance hosted in one server.
> > Or maybe, since I am not familiar with PCI-DSS, SOC2, etc., those
> > present some specific requirement that make config encryption mandatory ?
> 
> 
> I am not the expert of Compliance part but I presented Apache OFBiz project
> in front of external Auditor in SOC2 compliance. The Auditor said that you
> should not put plain text password in entityengine.xml file and nor in
> password.properties file. They have said that you should encrypt the
> password with master key and use the encrypted password either on the file
> system or external Secret Managers service or Vault service.
> 
> https://www.imperva.com/learn/data-security/soc-2-compliance/

Thanks for the info !

Gil

Reply via email to