OpenBao configuration parameters

Sergei Tikhomirov
Cluster settings
Parameter Description Default value

Web UI enabled

Determines whether web UI is enabled

true

Cluster port

Specifies the port to advertise to other OpenBao servers in a cluster

8201

API port

Specifies the port to advertise for client communication

8200

Cluster name

Specifies the identifier for the OpenBao cluster. If omitted, OpenBao will generate a value

 — 
Listener settings
Parameter Description Default value

Listener port

Specifies the port to bind to for listening

8200

tls_disable

Specifies if TLS should be disabled

true

tls_cert_file

Specifies the path to the certificate for TLS. It has to be a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file

/etc/openbao/conf/openbao.crt

tls_key_file name

Specifies the path to the private key for the certificate. It has to be a PEM-encoded file. If the key file is encrypted, you will be prompted to enter the passphrase on server startup

/etc/openbao/conf/openbao.key

http_idle_timeout

Specifies the maximum amount of time to wait for the next request when keep-alives are enabled. If http_idle_timeout is 0, the value of http_read_timeout is used. If both are 0, the value of http_read_header_timeout is used. This is specified using a label suffix like 30s or 1h

5m

http_read_header_timeout

Specifies the amount of time allowed to read request headers. This is specified using a label suffix like 30s or 1h

30s

http_read_timeout

Specifies the maximum duration for reading the entire request, including the body. This is specified using a label suffix like 30s or 1h

60s

http_write_timeout

Specifies the maximum duration before timing out writes of the response and is reset whenever a new request’s header is read. The default value of 0 means infinity. This is specified using a label suffix like 30s or 1h

0
Storage settings
Parameter Description Default value

Storage type

Type of storage to use

postgresql

Database host and port

Database host and port in form of <db_host>:<db_port>,<db_host>:<db_port>

{{ groups['adpg.adpg'][0] | d(groups['adpg.adpg.maintenance_mode'][0]) | d(omit) }}:5432

Database username

Username of a database user

openbao

Database password

Password for a database user

 — 

ha_enabled

Determines whether HA support is enabled. Requires PostgreSQL version 9.5 or later

true

ha_table

Name of the table used for storing the high availability state. OpenBao will try to create it automatically if it’s missing

openbao_ha_locks

table

Name of the table used to store OpenBao data. OpenBao will attempt to create it automatically if it’s missing

openbao_kv_store

max_idle_connections

Sets the maximum number of idle connections in the pool

2

max_parallel

Specifies the maximum number of concurrent requests to PostgreSQL

128

upsert_function

Name of the user-defined function used for upsert support on PostgreSQL versions earlier than 9.5. The function must already exist in the database

openbao_kv_put

skip_create_table

Defines whether OpenBao should attempt to automatically create tables (false means that OpenBao will attempt to create tables). This is useful when the database user lacks sufficient privileges. Requires PostgreSQL version 9.5 or later

false

max_connect_retries

Maximum number of retries OpenBao will make when attempting to connect to the database. Uses exponential backoff starting at 15 ms up to 5 s. If set to 0, retries will continue indefinitely

3
Seal settings
Parameter Description Default value

Seal type

 — 

pkcs11

lib

Full path to the PKCS#11 library (.so file) to use for the HSM communication. Must point to a valid and accessible PKCS#11 provider (e.g. SoftHSM2 or hardware HSM driver)

/usr/lib/arenadata_softhsm2/lib/softhsm/libsofthsm2.so

slot

Slot number for token

0

token_label

The label of the HSM token created during initialization. OpenBao will use this token to find the sealing key

OpenBao

pin

The PIN used to log into the HSM token

 — 

key_label

The label of the AES key that will be used to encrypt the root key (seal key). This key must already exist on the token

bao-root-key-aes

mechanism

The PKCS#11 mechanism to use for encryption. For AES-256 wrap with padding, use 0x1087 (CKM_AES_KEY_WRAP_PAD). Ensure your HSM supports the selected mechanism

0x1087
Logging settings
Parameter Description Default value

log_level

Log verbosity level

info

log_format

Log format. Supported values are standard and json

standard

log_file

The absolute path where OpenBao should save log messages

/var/log/openbao/

log_rotate_duration

The maximum duration a log should be written to before it needs to be rotated

24h

log_rotate_max_files

The maximum number of older log file archives to keep. Set to 0 so that no files are ever deleted. Set to -1 to discard old log files when a new one is created

30

log_requests_level

Determines whether completed requests should be logged

false
General lockout settings
Parameter Description Default value

disable_lockout

Determines whether lockout should be disabled

false

lockout_threshold

Specifies the number of failed login attempts after which the user is locked out

10

lockout_duration

Specifies the duration for which an user will be locked out

10m

lockout_counter_reset

Specifies the duration after which the lockout counter is reset with no failed login attempts

10m
Userpass lockout settings
Parameter Description Default value

disable_lockout

Determines whether lockout should be disabled

false

lockout_threshold

Specifies the number of failed login attempts after which the user is locked out

10

lockout_duration

Specifies the duration for which an user will be locked out

10m

lockout_counter_reset

Specifies the duration after which the lockout counter is reset with no failed login attempts

10m
LDAP lockout settings
Parameter Description Default value

disable_lockout

Determines whether lockout should be disabled

false

lockout_threshold

Specifies the number of failed login attempts after which the user is locked out

10

lockout_duration

Specifies the duration for which an user will be locked out

10m

lockout_counter_reset

Specifies the duration after which the lockout counter is reset with no failed login attempts

10m
Approle lockout settings
Parameter Description Default value

disable_lockout

Determines whether lockout should be disabled

false

lockout_threshold

Specifies the number of failed login attempts after which the user is locked out

10

lockout_duration

Specifies the duration for which an user will be locked out

10m

lockout_counter_reset

Specifies the duration after which the lockout counter is reset with no failed login attempts

10m
Security settings
Parameter Description Default value

Recovery keys

List of recovery keys in the form of [<recovery_key>, <recovery_key>, …​, <recovery_key>]. This value will be updated during the initial setup of server

 — 

Root token

Token that have the root policy attached to it. This value will be updated during the initial setup of server

 — 
Found a mistake? Seleсt text and press Ctrl+Enter to report it