Managing Azure Vaults
This section describes how to manage Azure vaults on CCKM.
Before proceeding, make sure to fulfill prerequisites.
Adding Existing Vaults
To add an existing Azure vault to the CCKM:
Log on to the CipherTrust Manager GUI as administrator.
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page is displayed.
Click Add Existing Vault. The Add Existing Key Vaults dialog box is displayed.
Select/enter the following details:
From the Azure Connection drop-down list, select the desired connection.
From the Subscription drop-down list, select the desired subscription.
Select the vaults that you want to add to the CCKM.
To select a vault from an Azure Managed HSM pool:
Select Managed HSM.
Use the Vault Name check boxes to select vaults from an Azure Managed HSM pool.
To select an Azure vault:
Make sure that Managed HSM is clear.
Use the Vault Name check boxes to select Azure vaults.
Click Save. The Azure vault is added to the CCKM.
A message vault added successfully... is displayed on the screen.
Refreshing Azure Keys
Refreshing is the process of downloading keys created on the Azure vaults to CCKM. You can refresh keys from individual vaults or all vaults at once.
Refreshing Specific Vaults
To refresh keys of a specific vault:
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page is displayed. This tab displays the list of Azure key vaults.
Click the overflow icon () corresponding to the desired Azure vault and click Refresh Now.
A message Refresh started... is displayed on the screen.
After successful refresh, the refreshed keys are listed on the Cloud Keys > Azure > Azure Keys page. Refer to Viewing Azure Keys for details.
Refreshing All Vaults
To refresh keys of all vaults:
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page is displayed. This tab displays the list of Azure key vaults.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all Azure Key Vaults is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
After successful refresh, the refreshed keys are listed on the Cloud Keys > Azure > Azure Keys page. Refer to Viewing Azure Keys for details.
Viewing/Editing Details of Azure Vaults
Viewing Azure Vaults Details
The Vaults tab of the Azure Key Vaults page shows the list of existing Azure key vaults. Search for the key vaults by Vault Name, Subscription ID, or Subscription Name.
To view the details of Azure vaults:
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page displays the following details.
Column Description Name Name of the Azure vault. Last Refreshed Time when the vault was last refreshed. Connection Name of the connection. Cloud Cloud name. Managed HSM Whether the vault is inside an Azure Managed HSM pool. Location Location in which the vault is added. Sku Pricing Tier information of the vault. Subscription Name Name of the subscription. Subscription ID ID of the subscription. Vault URI URI of the Azure vault. By default, this column is not visible. Click the Customize View () icon, select Vault URI, and click OK to display the column.
Modifying Azure Vault Details
To edit the details of an Azure vault:
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page displays the list of added Azure vaults.
Click the overflow icon () corresponding to the desired Azure vault and click View/Edit Details.
You can modify the user permission and the Azure connection linked with the Azure vaults. Refer to the following sections:
Adding/Editing Rotation Schedules
Adding a Rotation Schedule to an Azure Vault
To add a rotation schedule to an Azure vault.
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page displays the list of added Azure vaults.
Click the overflow icon () corresponding to the desired Azure vault and click Add/Edit Schedule. The Add Schedule to Vault wizard is displayed.
Note
If a rotation schedule is not already added to the vault, then the Add Schedule to Vault wizard is displayed.
Select the desired Rotation Schedule from the drop-down list.
Select Schedule Setting. You can select either Ignore Keys With Schedules or Override Existing Key Schedules.
Click Save.
Alternatively, you can do the following.
Click the desired Azure vault from the list of Azure vaults. The Azure Vault Detail screen is displayed.
Go to KEY SCHEDULE section and select the desired Rotation Schedule from the drop-down list.
Select Schedule Setting. You can select either Ignore Keys With Schedules or Override Existing Key Schedules.
Click Update.
Refer to Scheduling Operations for more details.
Editing an Existing Rotation Schedule of an Azure Vault
To edit an existing rotation schedule of an Azure vault.
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page displays the list of added Azure vaults.
Click the overflow icon () corresponding to the desired Azure vault and click Add/Edit Schedule. The Edit Schedule to Vault wizard is displayed.
Note
If a rotation schedule is already added to the vault, then the Edit Schedule to Vault wizard is displayed.
Change Rotation Schedule from the drop-down list.
Select Schedule Setting. You can select either Ignore Keys With Schedules or Override Existing Key Schedules.
Click Save.
Alternatively, you can do the following.
Click the desired Azure Vault from the list of the added Azure vaults. The Azure Vault Detail screen is displayed.
Go to KEY SCHEDULE section and change Rotation Schedule from the drop-down list.
Select Schedule Setting. You can select either Ignore Keys With Schedules or Override Existing Key Schedules.
Click Update.
Refer to Scheduling Operations for more details.
Managing User Permissions on Azure Vaults
To work with Azure, users/group must have the minimum set of permissions that allow them to use the Azure resources such as Azure keys, vaults, secrets, and certificates. Initially, the user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.
Note
Only the users who are member of the CCKM Users group will be granted permissions to perform operations on the Azure vault. Refer to User Roles for details.
User permissions for Azure resources can be configured on the Vault Access Control section of the Azure vault details page.
To add permission for user/group:
In the Vault Access Control section, click Assign User/Group.
On the Assign User/Group screen, select the user or group to be assigned permissions from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the Vault Access Control section.
Note
Use the Keys, Certificates, and Secrets tabs to specify permissions for keys, certificates, and secrets. These tabs display the operations allowed on the Azure vaults.
Note
Depending on the type of the Azure vault, a key is deleted differently.
• Vault with Soft-Delete Enabled: To delete the key permanently, perform the Soft Delete and the Purge operations on the key. However, for this operation to be successful, the user must have the Soft Delete Key and the Purge Key access.
• Vault with Soft-Delete Disabled: To delete the key permanently, use the Delete option. However, for this operation to be successful, the user must have the Soft Delete Key access.
Granting Permission to Perform an Operation
To grant permissions to the user or group to perform any of the above mentioned operations:
Select the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing a Permission
To remove a permission assigned to a user or group:
Clear the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
Under Unassign, click the X button corresponding to the desired user/group.
On the Unassign User / Unassign Group screen, click Unassign.
Note
Unassigning this user/group will remove all permissions currently assigned to the user/group. Are you sure you want to continue?
Click Unassign.
A message Updated access control for this key vault is displayed on the screen.
Changing the Azure Connection
To change the connection linked with the Azure vault:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page displays the list of added Azure vaults.
Click the overflow icon () corresponding to the desired Azure vault and click View/Edit Details.
Expand the GENERAL INFO section.
From the Azure Connection drop-down list, select the desired connection.
Click Update.
Deleting Azure Key Vaults
To delete an Azure key vault:
Open the Cloud Key Manager application.
In the left pane, click Containers > Azure Key Vaults. The Vaults tab of the Azure Key Vaults page displays the list of added Azure vaults.
Click the overflow icon () corresponding to the desired Azure vault and click Delete.
On the Delete Azure Key Vault screen, select Delete Azure Key Vault.
A message Azure Vault deleted is displayed on the screen.
Warning
Be extremely careful when deleting an Azure vault. Once the Azure vault is deleted, it will no longer be available for use.