Managing Azure Resources
This section describes the prerequisites to manage Azure resources on CCKM. Perform the following steps:
Register CCKM App on Azure Portal
Before adding an Azure cloud to CCKM, you must register the CCKM app and assign the required permissions on the Azure portal. Then, depending on the type of app credential you plan to use, either create a client secret on the Azure portal or generate a certificate in CCKM, download it, and upload it to Azure. This process yields the connection data (Directory (tenant) ID, Application (client) ID, and the secret or certificate) needed to configure the Azure cloud.
To register the app:
Create an Azure Active Directory application on the Azure Portal:
On Azure Active Directory > App registrations > New registration, provide the following parameters:
Choose a Name for the app that CCKM will use to access Azure.
Select the account type under Supported account types. Select either of the following (the directory name shown in the first option is your own tenant's; in this example it is azuredeveloperadminsafeneti (Default Directory)):
Accounts in this organizational directory only ({Directory name} only - Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Click Register. Azure creates the app registration; this might take some time.
Access the new app under App registrations.
From App registrations > {App Name} > Overview, copy the Application (client) ID and the Directory (tenant) ID. CCKM needs both when you add the Azure connection.
Navigate to App registrations > {App Name} > Manage > Certificates & secrets.
Create a new client secret or upload a certificate, depending on the credential type you chose:
Secret (password)—generate a client secret in Azure and copy its value immediately; the portal displays the value only once, and every client secret has an expiry date after which CCKM can no longer authenticate. Provide the value to CCKM when adding the Azure connection.
Certificate (public key)—generate a private/public key pair and a certificate for the public key (CCKM can generate and export this certificate), then upload the certificate to Azure under Certificates & secrets. Azure stores only the public certificate; the private key stays in CCKM, which uses it to sign a client assertion (a JWT) that it sends to Azure with each OAuth token request.
Subscribe CCKM App on Azure Portal
Access Subscriptions > {Subscription name} > Access control (IAM).
Click Add > Add role assignment. The Add role assignment pane is displayed.
Select Reader from the Role drop-down list. Reader lets CCKM enumerate the subscription's key vaults; it grants no key operations, which come from the vault access policy assigned in the next step.
Select User, group, or service principal from the Assign access to drop-down list.
Under Select, enter the name of your CCKM app.
Click Save.
Assign CCKM App Permissions to Required Key Vault on Azure Portal
Access Key vaults > {Key Vault Name} > Settings > Access policies. (This step applies to vaults that use the access policy permission model; a vault configured for Azure RBAC grants key permissions through a role assignment on the vault instead.)
On the right, click + Add Access Policy.
Add the following details:
Select Key management operations and Privileged Key operations from the Key permissions drop-down list.
Next to the Select principal label, click None selected, search for the CCKM app, and select it.
Click Add.
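Before adding the connection in CipherTrust Manager, it is worth confirming that the app registration, the client secret, and the vault access policy above actually fit together. The following script is an added example, not CCKM's or Thales's own code: using only the Python standard library, it requests a Key Vault token with the client-credentials grant, inspects the token's claims (without verifying the signature) to confirm the tenant and app IDs match what was copied from the portal, and then lists the vault's keys, mapping a 401 or 403 back to the setup step that most likely went wrong. The tenant ID, client ID, secret, and vault name are assumed inputs from the steps above; the sample token it builds for offline use is constructed and unsigned.

```python
"""Pre-flight check for CCKM Azure connection data (added example, not CCKM code).

Assumed inputs: the Directory (tenant) ID and Application (client) ID from the
app's Overview page, a client secret value from Certificates & secrets, and the
name of a vault whose access policy lists the app.
"""
import base64
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
LOGIN = "https://login.microsoftonline.com"
VAULT_SCOPE = "https://vault.azure.net/.default"
API_VERSION = "7.4"


def is_guid(value: str) -> bool:
    """Tenant and client IDs are GUIDs; catch copy-paste errors before any network call."""
    return bool(GUID_RE.match(value))


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Build the OAuth 2.0 client-credentials request (URL and form body) for a Key Vault token."""
    if not (is_guid(tenant_id) and is_guid(client_id)):
        raise ValueError("tenant_id and client_id must be GUIDs")
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": VAULT_SCOPE,
    }).encode()
    return url, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict:
    """Return a JWT's payload WITHOUT verifying the signature: inspection only, never for trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: Dict, tenant_id: str, client_id: str) -> List[str]:
    """Compare the token's claims with the IDs copied from the portal; return problems found."""
    problems = []
    if claims.get("aud") not in ("https://vault.azure.net", "https://vault.azure.net/"):
        problems.append(f"audience is {claims.get('aud')!r}, not Key Vault")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    if (claims.get("appid") or claims.get("azp")) != client_id:
        problems.append("appid/azp does not match the Application (client) ID")
    return problems


def diagnose(status: int) -> str:
    """Map the Key Vault HTTP status to the setup step that most likely went wrong."""
    return {
        200: "ok: the app can list keys in this vault",
        401: "401: token rejected; re-check tenant ID, client ID and the secret value",
        403: "403: authenticated but forbidden; the vault access policy does not include "
             "the app, or the vault uses Azure RBAC and needs a role assignment instead",
        404: "404: vault name not found",
    }.get(status, f"{status}: unexpected response")


def sample_token(tenant_id: str, client_id: str) -> str:
    """Constructed, unsigned token with the claim shape of a Key Vault access token.

    Exists only so the claim checks can be exercised offline; real tokens are RS256-signed.
    """
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": "https://vault.azure.net", "tid": tenant_id, "appid": client_id}
    return f"{enc(header)}.{enc(claims)}."


def preflight(tenant_id: str, client_id: str, client_secret: str, vault_name: str) -> str:
    """Get a token and list keys; talks to Azure, so it is not exercised offline."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    problems = check_claims(decode_jwt_claims(token), tenant_id, client_id)
    if problems:
        return "token claims look wrong: " + "; ".join(problems)
    req = urllib.request.Request(
        f"https://{vault_name}.vault.azure.net/keys?api-version={API_VERSION}",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return diagnose(resp.status)
    except urllib.error.HTTPError as err:
        return diagnose(err.code)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: preflight.py <tenant-id> <client-id> <client-secret> <vault-name>")
    print(preflight(*sys.argv[1:5]))
```

Run it with the four values from the portal; a 403 after a successful token request is the classic sign that the app registration and Reader role are fine but the vault access policy (or, on an RBAC-enabled vault, the role assignment) was not applied to the app. The claim check matters because a token for the wrong tenant or the wrong app still arrives as a syntactically valid JWT and only fails later at the vault.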
Add Azure Connection on CipherTrust Manager
Before you can add an Azure vault to the CCKM, an Azure connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.
Once the connection exists, Azure vaults and Azure keys can be managed from CipherTrust Manager.