Delinea Credential Cache Containerization

Delinea Credential Cache (DCC) is available as a Docker container image. Running DCC in a container provides a portable, repeatable deployment. This approach does not require installing .NET Core or configuring a reverse proxy on the host operating system.

This topic covers downloading and loading the DCC Docker image, configuring certificates for HTTPS and Secret Server trust, running the container, and basic container management.

Prerequisites

Before running DCC in a container, ensure the following components are available:

| Component | Purpose |
|---|---|
| Docker | Runs the DCC container |
| PowerShell, Command Prompt, or a Linux terminal | Executes Docker commands |
| Secret Server instance | Source vault from which DCC retrieves and caches secrets |

Downloading the DCC Docker Image

Download the DCC container image.

Required Certificates

The DCC container uses two certificates:

| Certificate | Purpose |
|---|---|
| ASP.NET Core HTTPS certificate (aspnetapp.pfx) | Kestrel uses this certificate inside the container to serve the API over HTTPS (port 8443) |
| Secret Server certificate (SecretServerCertificate.crt) | Establishes trust with the Secret Server HTTPS endpoint when the container communicates with Secret Server APIs |

If the Secret Server endpoint uses a certificate from a public certificate authority that the container's base OS image already trusts, skip the Secret Server certificate steps below.

Creating the ASP.NET Core HTTPS Certificate

Kestrel requires this certificate to enable HTTPS inside the container.

  1. Create a certificate directory on the host machine.

    Windows:

    mkdir C:\DCC\Certificates
    cd C:\DCC\Certificates

    Linux / macOS:

    mkdir -p ~/dcc/certificates
    cd ~/dcc/certificates

  2. Generate the HTTPS certificate. Replace <your-certificate-password> with a strong password.

    Windows:

    dotnet dev-certs https -ep C:\DCC\Certificates\aspnetapp.pfx -p <your-certificate-password>

    Linux / macOS:

    dotnet dev-certs https -ep ~/dcc/certificates/aspnetapp.pfx -p <your-certificate-password>

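    This creates the file aspnetapp.pfx in the certificate directory. The file contains the ASP.NET Core development certificate, which is self-signed and issued for localhost, so clients that connect by any other hostname do not trust it by default.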

    Record this password. The Docker run command requires it during container configuration.

  3. (Optional) Trust the certificate for local testing.

    dotnet dev-certs https --trust

    This allows a browser on the host machine to trust the certificate. This step applies only to local development or testing scenarios.

  4. Verify that the certificate file exists.

    Windows:

    dir C:\DCC\Certificates

    Linux / macOS:

    ls ~/dcc/certificates

    Confirm that aspnetapp.pfx appears in the output.

Exporting the Secret Server Certificate

The container requires this certificate to trust the Secret Server HTTPS endpoint. This procedure applies when Secret Server uses an internal or self-signed certificate.

  1. Open the Secret Server URL in Chrome: https://<your-secret-server-url>

  2. Click the lock icon in the address bar.

  3. Click Connection is secure.

  4. Click Certificate is valid.

  5. On the Details tab, click Copy to File.

  6. Select the export format Base-64 encoded X.509 (.CER).

  7. Save the file as SecretServerCertificate.crt in the same certificate directory created earlier.

  8. Verify that both certificate files exist in the directory.

    Windows:

    dir C:\DCC\Certificates

    Linux / macOS:

    ls ~/dcc/certificates

    Expected files: aspnetapp.pfx and SecretServerCertificate.crt.
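A preflight check for the exported file, as an added example that is not part of the DCC product or its documentation: it confirms that SecretServerCertificate.crt is a PEM-encoded, parseable, unexpired certificate with a .crt name before it is mounted, and prints the SHA-256 fingerprint for comparison with the one the browser showed. The function name check_ss_cert and the 14-day expiry margin are assumptions, and the openssl command-line tool must be installed on the host.

```shell
#!/bin/sh
# Added example, not part of DCC. check_ss_cert and the 14-day default are
# assumptions. Requires the openssl CLI on the host.
check_ss_cert() {
    cert="$1"
    min_days="${2:-14}"

    [ -r "$cert" ] || { echo "FAIL: cannot read $cert" >&2; return 1; }

    # update-ca-certificates only picks up files that end in .crt
    case "$cert" in
        *.crt) ;;
        *) echo "FAIL: file name must end in .crt" >&2; return 2 ;;
    esac

    # update-ca-certificates expects PEM; a DER (binary) export has no header
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: not PEM; re-export as Base-64 encoded X.509" >&2
        return 3
    fi

    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: PEM header present but certificate does not parse" >&2
        return 4
    fi

    # -checkend exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "FAIL: expires within $min_days days" >&2
        return 5
    fi

    # Print identity details to compare with what the browser displayed
    openssl x509 -in "$cert" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Usage: sh check_ss_cert.sh ~/dcc/certificates/SecretServerCertificate.crt
if [ "$#" -gt 0 ]; then
    check_ss_cert "$@"
fi
```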

Loading the DCC Docker Image

  1. Load the image into Docker:

    docker load -i <path-to-tar-file>/delinea-credential-cache-<version>.tar

  2. Verify that the image appears in Docker:

    docker images

    The output includes a row for delinea-credential-cache with the tag matching the deployed version.

Running the DCC Container

The following command starts DCC with both HTTP and HTTPS enabled, logging turned on, and the Secret Server trust certificate mounted.

Replace <your-certificate-password> with the password set during HTTPS certificate generation, <version> with the image version, and update the volume mount paths to match the certificate directory on the host machine.

Windows (PowerShell):

docker run -d `
    --name delinea-credential-cache `
    -p 8083:8080 `
    -p 8443:8443 `
    -e ASPNETCORE_URLS="http://+:8080;https://+:8443" `
    -e ASPNETCORE_Kestrel__Certificates__Default__Password=<your-certificate-password> `
    -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx `
    -e CredSettings__CredCacheExpirationInMinutes=5 `
    -e CredSettings__EnableLogging=true `
    -e CredSettings__LogPath=/app/logs `
    -v C:\DCC\Certificates:/https `
    -v C:\DCC\logs:/app/logs `
    -v C:\DCC\Certificates\SecretServerCertificate.crt:/usr/local/share/ca-certificates/customer-root.crt `
    delinea-credential-cache:<version>

Linux / macOS:

docker run -d \
    --name delinea-credential-cache \
    -p 8083:8080 \
    -p 8443:8443 \
    -e ASPNETCORE_URLS="http://+:8080;https://+:8443" \
    -e ASPNETCORE_Kestrel__Certificates__Default__Password=<your-certificate-password> \
    -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx \
    -e CredSettings__CredCacheExpirationInMinutes=5 \
    -e CredSettings__EnableLogging=true \
    -e CredSettings__LogPath=/app/logs \
    -v ~/dcc/certificates:/https \
    -v ~/dcc/logs:/app/logs \
    -v ~/dcc/certificates/SecretServerCertificate.crt:/usr/local/share/ca-certificates/customer-root.crt \
    delinea-credential-cache:<version>

After the container starts:

  • HTTP: http://<hostname>:8083/swagger

  • HTTPS: https://<hostname>:8443/swagger

If Secret Server uses a certificate from a publicly trusted CA and backend certificate trust is not required, remove the following volume mount from the command:

-v <certificate-path>/SecretServerCertificate.crt:/usr/local/share/ca-certificates/customer-root.crt

Mounting a .crt file into /usr/local/share/ca-certificates/ does not automatically make the container trust the certificate. On Debian- and Ubuntu-based container images, the update-ca-certificates command must also run for the certificate to take effect. If the DCC container image does not run this command automatically at startup, run it manually:

docker exec delinea-credential-cache update-ca-certificates

Verify with the administrator whether the DCC container entrypoint handles this step automatically.
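A hardened variant of the Linux / macOS command above, as an added example that is not Delinea's own script: the certificate password goes into an owner-only file passed with --env-file instead of onto the command line, the certificate mounts are read-only, and the plain-HTTP port is published on the loopback interface only. DCC_DIR, DCC_VERSION, DOCKER and the function names are assumptions; the read-only mounts assume DCC only reads from /https and the CA directory.

```shell
#!/bin/sh
# Added example, not Delinea's own script. DCC_DIR, DCC_VERSION, DOCKER and the
# function names are assumptions made for this sketch.
DCC_DIR="${DCC_DIR:-$HOME/dcc}"

# Write the container settings to a file only the owner can read. The PFX
# password comes from stdin, so it never appears in argv or shell history.
write_env_file() {
    env_file="$1"
    (
        umask 077
        IFS= read -r pfx_password || exit 1
        rm -f "$env_file"
        cat > "$env_file" <<EOF
ASPNETCORE_URLS=http://+:8080;https://+:8443
ASPNETCORE_Kestrel__Certificates__Default__Password=$pfx_password
ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
CredSettings__CredCacheExpirationInMinutes=5
CredSettings__EnableLogging=true
CredSettings__LogPath=/app/logs
EOF
    )
}

# Same container as the page's command, with three changes: settings come from
# --env-file, certificate mounts are read-only, HTTP is published on loopback.
run_dcc() {
    : "${DCC_VERSION:?set DCC_VERSION to the loaded image tag}"
    ${DOCKER:-docker} run -d \
        --name delinea-credential-cache \
        -p 127.0.0.1:8083:8080 \
        -p 8443:8443 \
        --env-file "$1" \
        -v "$DCC_DIR/certificates:/https:ro" \
        -v "$DCC_DIR/logs:/app/logs" \
        -v "$DCC_DIR/certificates/SecretServerCertificate.crt:/usr/local/share/ca-certificates/customer-root.crt:ro" \
        "delinea-credential-cache:$DCC_VERSION"
}

# Usage: DCC_VERSION=<version> sh run_dcc.sh start   (PFX password on stdin)
if [ "${1:-}" = "start" ]; then
    write_env_file "$DCC_DIR/dcc.env" && run_dcc "$DCC_DIR/dcc.env"
fi
```

The password is still stored in the container configuration, so anyone who can run docker inspect against the Docker daemon can read it; the env file only keeps it out of shell history and the host process list.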

For more information about the API endpoints available after startup, see Delinea Credential Cache Supported Endpoints.

Configurable Settings

Administrators can adjust DCC behavior using environment variables passed to docker run with the -e flag:

| Setting | Example Value | Description |
|---|---|---|
| ASPNETCORE_URLS | http://+:8080;https://+:8443 | URLs that DCC listens on inside the container |
| CredSettings__CredCacheExpirationInMinutes | 5 | Duration in minutes before cached credentials expire |
| CredSettings__EnableLogging | true | Enables file-based logging |
| CredSettings__LogPath | /app/logs | Directory inside the container where DCC writes log files |

Container Management

Check Container Status

docker ps -a --filter "name=delinea-credential-cache"

View Container Logs

docker logs delinea-credential-cache

To stream logs in real time:

docker logs -f delinea-credential-cache

Access the Container Shell

For advanced troubleshooting, open an interactive shell:

docker exec -it delinea-credential-cache /bin/bash

Stop and Remove a Container

docker stop delinea-credential-cache
docker rm delinea-credential-cache

Remove the Docker Image

docker rmi delinea-credential-cache:<version>

Running Multiple Instances

To run more than one DCC instance, assign a unique container name and a unique host port to each instance:

docker run -d --name dcc-1 -p 8081:8080 -e ASPNETCORE_URLS=http://+:8080 delinea-credential-cache:<version>
docker run -d --name dcc-2 -p 8082:8080 -e ASPNETCORE_URLS=http://+:8080 delinea-credential-cache:<version>

Each instance requires a unique container name (--name) and host port (-p). The container-internal port stays the same across instances.

Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| Port already in use | Another application or container occupies the host port | Change the host port, for example: -p 9090:8080 |
| Container exits immediately | Startup failure inside the container | Check logs: docker logs delinea-credential-cache |
| HTTPS does not work | Incorrect certificate password or file path | Verify that the .pfx file exists in the mounted directory and that the password matches |
| Certificate not found | Missing or incorrect volume mount | Confirm the host path contains the certificate files and that the -v mount paths are correct |
| Secret Server connection untrusted | Mounted .crt not activated | Run docker exec delinea-credential-cache update-ca-certificates or verify the container entrypoint runs this automatically |
| <none> image tag | The image loaded without a tag | Re-tag the image: docker tag <image-id> delinea-credential-cache:<version> |