Hello Ashish, Inline
Le 21/06/26 10:45, Ashish Vijaywargiya a écrit : > Hello Gil, > [...] > > First I had some concerns about the fact that secret management, in my > > experience, is an infra domain subject. There are tools which goals are > > to retrieve and share those secrets into application environment. > > > Can you please share the name of few tools that can help us on this? > I was referring to Kubernetes secret operators, such as https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso In my view, in a project configuration that includes: * The client for whom the implementation is being carried out * The integrator who customizes and develops the solution * The operations team: which manages and monitors the infrastructure Some of the secrets must be managed solely by the OPS team, without being shared with the integrator; so I thought that secret management should take place outside of OFBiz. But not all project follow that structure :) [...] > > > > I feel like the EncryptValue value feature is for simple production grade > > architecture, for example an OFBiz instance hosted in one server. > > Or maybe, since I am not familiar with PCI-DSS, SOC2, etc., those > > present some specific requirement that make config encryption mandatory ? > > > I am not the expert of Compliance part but I presented Apache OFBiz project > in front of external Auditor in SOC2 compliance. The Auditor said that you > should not put plain text password in entityengine.xml file and nor in > password.properties file. They have said that you should encrypt the > password with master key and use the encrypted password either on the file > system or external Secret Managers service or Vault service. > > https://www.imperva.com/learn/data-security/soc-2-compliance/ Thanks for the info ! Gil
