Securely store credentials and secrets.
Reference → Modules → Security → UI → RuntimeUsers | Users | Permissions | Policies | Secrets | Monitor
Security Secrets (Reference): Securely store and manage sensitive credentials such as passwords, API keys, and connection strings without exposing plain-text values in your configuration.
Security Secrets provide:
- Centralized credential storage
- Encrypted value protection
- Integration with Datasets (DB connections)
- Integration with Devices/TagProviders (MQTT, OPC UA, etc.)
- Administrative control over sensitive values
Configuration Properties
Access at: Security → Secrets
| Property | Description | Required | Access Control |
|---|---|---|---|
| Name | Unique identifier for the secret | Yes | All users |
| SecretType | Type of credential (Password, APIKey, Token) | Yes | All users |
| SecretValue | Encrypted credential value | Yes | Administrators only |
| Description | Documentation of usage/purpose | No | All users |
Important: Only administrators can view or edit SecretValue. Standard users can reference secrets in configurations but cannot see the actual values.
Secret Types
| Type | Use Case | Example |
|---|---|---|
| Password | Database connections, user authentication | SQL Server password |
| APIKey | Web service authentication | REST API key |
| Token | Bearer tokens, OAuth tokens | JWT token |
| Certificate | SSL/TLS certificates | Client certificate |
| ConnectionString | Full connection strings | MongoDB connection |
Usage in Configurations
Datasets Integration
When configuring database connections:
- Navigate to Datasets → DBs
- In connection settings, select Use Secret
- Choose from dropdown list of configured secrets
- Connection uses encrypted value at runtime
Example:
Database: RuntimeUsers
Authentication: SQL Server Auth
Username: dbuser
Password: [Secret: DBRuntimePass]Device/TagProvider Integration
For MQTT, OPC UA, and other protocols:
- Navigate to Devices → Channels or TagProviders
- In authentication fields, use secret reference syntax
- Format:
/secret-<SecretName>
Example:
MQTT Broker Authentication:
Username: mqttuser
Password: /secret-MQTTBrokerPassScript Access
Secrets can be referenced in scripts:
csharp
// Get secret value (requires admin permission)
string password = @Security.GetSecret("DBPassword");
// Use in connection string
string connStr = $"Server=localhost;User={user};Password={password}";Configuration Examples
Basic Secret Setup
| Name | SecretType | SecretValue | Description |
|---|---|---|---|
| DBProductionPass | Password | ******** | Production SQL Server |
| MQTTBrokerKey | APIKey | ******** | MQTT cloud broker API |
| OPCServerCert | Certificate | ******** | OPC UA client certificate |
| AzureStorageKey | Token | ******** | Azure blob storage access |
Runtime Users Database Example
- Create secret:
- Name:
RuntimeUsersDBPass - Type:
Password - Value:
[encrypted] - Description:
RuntimeUsers SQL authentication
- Name:
- Use in Dataset:
- Go to Datasets → DBs → RuntimeUsers
- Set Password field to:
[Secret: RuntimeUsersDBPass]
Security Considerations
Access Control Matrix
| Action | Administrator | Engineer | Guest |
|---|---|---|---|
| Create Secret | Yes | Yes | Yes |
| Edit SecretValue | Yes | No | No |
| View SecretValue | No | No | No |
| Reference in Config | Yes | Yes | Yes |
| View Secret List | Yes | Yes | Yes |
Encryption Details
- Values encrypted using AES-256
- Stored encrypted in solution file
- Decrypted only at runtime when needed
- Never logged in plain text
- Not included in solution exports
Best Practices
Naming Conventions
| Pattern | Example | Use For |
|---|---|---|
DB<System>Pass | DBHistorianPass | Database passwords |
API<Service>Key | APIWeatherKey | API keys |
MQTT<Broker>Pass | MQTTAzurePass | MQTT credentials |
OPC<Server>Cert | OPCPlantCert | OPC certificates |
Implementation Guidelines
- Create secrets before configuration
- Define all secrets in Security module first
- Then reference in other modules
- Use descriptive names
- Good:
ProductionSQLPass - Bad:
Secret1
- Good:
- Document usage
- Always fill Description field
- Include where secret is used
- Note rotation schedule if applicable
- Regular rotation
- Change production secrets periodically
- Update all references after rotation
- Test thoroughly after changes
- Environment separation
- Use different secrets for Dev/Test/Production
- Name accordingly:
DevDBPass,ProdDBPass
Migration and Portability
Exporting Solutions
When exporting solutions:
- Secret names and types are exported
- Secret values are NOT exported
- Target system must recreate values
Import Process
- Import solution to new system
- Navigate to Security → Secrets
- For each secret, enter appropriate value
- Test all connections
Environment Variables Alternative
For containerized deployments:
FRAMEWORKX_SECRET_DBPassword=actualpassword
FRAMEWORKX_SECRET_MQTTKey=actualkeyTroubleshooting
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| "Secret not found" | Typo in reference | Check exact secret name |
| "Access denied" | Insufficient permissions | Use administrator account |
| Connection fails | Wrong secret value | Verify and re-enter value |
| Secret list empty | Filter applied | Check module filter settings |
Validation
Test secret configuration:
- Create test secret
- Reference in test connection
- Verify connection succeeds
- Check runtime logs for errors
Audit Trail
Secret operations are logged:
- Creation/modification timestamp
- User who made changes
- NOT the actual values
See Also
- Security Module (Reference) - Complete security documentation
- Datasets Configuration (How-to) - Using secrets in databases
- Device Connections (How-to) - Using secrets in devices
- Security Best Practices (Guide) - Security guidelines
In this section...
Overview
Content Tools
Tasks