Prerequisites for Azure Stack Cloud with Azure AD
Before adding an Azure Stack cloud with Azure AD in CCKM:
Register CCKM App on Azure Portal
Before adding an Azure cloud to CCKM, you must register the CCKM app and assign required permissions on the Azure portal. Then, depending on the type of app credential you plan to employ, either create a key (client secret) on the Azure portal or generate a certificate from CCKM, download it, and then upload it to Azure. This entire process generates the connection data needed to configure the Azure cloud.
To register the app:
Create an Azure Active Directory application on the Azure Portal:
On Azure Active Directory > App registrations > New registration, provide the following parameters:
Choose a Name for the app that CCKM will use to access Azure.
Select the account type under Supported account types. Select either of the following:
Accounts in this organizational directory only (<acount-name> (Default Directory) only - Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Click Register. The CCKM app creation starts. The app creation might take some time.
Access the new app under App registrations.
From App registrations > {App Name} > Overview, copy Application (client) ID and Directory (tenant) ID.
Navigate to App registrations > {App Name} > Manage > Certificates & secrets.
Create a new client secret or upload the certificate:
Secret (password) — The user will generate a secret key in Azure when registering the app, and then copy the secret key and provide it to the app.
Certificate (public key) — The user will create a private key and public key pair locally, create a certificate for the public key, and then provide the certificate to Azure when registering the app. For the private key, the app will create a client assertion and send it to Azure when making OAuth authentication calls.
Depending on your requirements, you can use a self-signed or CA-signed certificate. Refer to Certificate creation methods in the Azure documentation for details.
Set Required Permissions on CCKM App on Azure Portal
Access App Registrations > {App Name} > Manage > API permissions.
Click + Add a permission and add the following APIs and their associated permissions:
Azure Key Vault
(Delegated permissions): Have full access to the Azure Key Vault service.Azure Service Management
(Delegated permissions): Access Azure Service Management as organization users (preview).
Connect with Azure AD
Log on to your Azure AD VM.
Connect to Azure Stack Hub with PowerShell as a user. Refer to Connect to Azure Stack Hub with PowerShell as a user - Azure Stack Hub for details.
Run the following command in Windows PowerShell:
Get-AzureRmEnvironment -name AzureStackUser | Format-List
A sample output is shown below:
Name : AzureStackUser EnableAdfsAuthentication : False OnPremise : False ActiveDirectoryServiceEndpointResourceId : https://management.azurecckm.onmicrosoft.com/7f683eac-8000-2a43-3f9e-86d9117cc571 AdTenant : GalleryUrl : https://providers.azurestack.local:30016/ ManagementPortalUrl : ServiceManagementUrl : PublishSettingsFileUrl : ResourceManagerUrl : https://management.local.azurestack.external SqlDatabaseDnsSuffix : StorageEndpointSuffix : local.azurestack.external ActiveDirectoryAuthority : https://login.microsoftonline.com/ GraphUrl : https://graph.windows.net/ GraphEndpointResourceId : https://graph.windows.net/ TrafficManagerDnsSuffix : AzureKeyVaultDnsSuffix : vault.local.azurestack.external DataLakeEndpointResourceId : AzureDataLakeStoreFileSystemEndpointSuffix : AzureDataLakeAnalyticsCatalogAndJobEndpointSuffix : AzureKeyVaultServiceEndpointResourceId : https://vault.local.azurestack.external AzureOperationalInsightsEndpointResourceId : AzureOperationalInsightsEndpoint : AzureAnalysisServicesEndpointSuffix : VersionProfiles : {} ExtendedProperties : {} BatchEndpointResourceId
The sample output above lists a number of links that are required while creating an Azure connection on the CipherTrust Manager. Use the actual links that are returned by the command on your setup. Refer to Add Azure Connection on CipherTrust Manager for details.
The fields in the sample output and on the Configure Azure Stack page of the Add Connection dialog box on the CipherTrust Manager differ slightly. Here is the mapping to help you configure the connection appropriately.
Sample Output Azure Connection Manager ActiveDirectoryServiceEndpointResourceId Management URL ResourceManagerUrl Resource Manager URL ActiveDirectoryAuthority Active Directory Endpoint AzureKeyVaultDnsSuffix Key Vault DNS Suffix AzureKeyVaultServiceEndpointResourceId Vault Resource URL Download the SSL certificate of the Azure Stack portal. Refer to online resources for details.
Subscribe CCKM App on Azure Stack Portal
Access Subscriptions > {Subscription name} > Access control (IAM).
Click Add > Add role assignment. The Add role assignment pane is displayed.
Select Reader from the Role drop-down list.
Select User, group, or service principal from the Assign access to drop-down list.
Under Select, enter the name of your CCKM app.
Click Save.
Assign CCKM App Permissions to Required Key Vault on Azure Stack Portal
Azure supports two types of permission models, vault access policy and azure role-based access control. Steps to assign CCKM app permissions to your key vaults on Azure portal vary based on the permission model of the vault, as described below.
Vault Access Policy
Access Key vaults > {Key Vault Name} > Settings > Access policies.
On the right, click + Add Access Policy.
Add the following details:
From the Key permissions list, select Key Management Operations and Privileged Key Operations.
From the Secret permissions list, select Secret Management Operations and Privileged Secret Operations.
From the Certificate permissions list, select Certificate Management Operations and Privileged Certificate Operations.
Next to the Select principal label, click None selected, browse the CCKM app, and select it.
Click Add.
Azure Role-based Access Control
Access Key vaults > {Key Vault Name} > Access control (IAM). The right pane provides options to view your existing level of access, assign a role, and view access to the vault.
Under Grant access to this resource, click Add role assignment.
On the Roles tab of the Add role assignment page, select Key Vault Administrator. Use the search field to search for the role.
Click Next.
On the Members tab, make sure that Assign access to is set to User, group, or service principal.
Click + Select members.
On the right, in the Select members pane, select the desired CCKM app. Use the search field to search for your CCKM app. The Selected members section shows the selected app.
In the right pane, click Select.
(Optional) Provide a basic Description of the member.
Click Next.
Review the details. If the details are incorrect or you want to modify them, click Previous and update the details.
Click Review + assign. The selected role with desired permissions is assigned to the CCKM app.
Add Azure Connection on CipherTrust Manager
Before you can add an Azure vault to the CCKM, an Azure connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.
Now, Azure vaults and Azure keys can be managed on the CipherTrust Manager.