Microsoft Azure
Azure connections to the CipherTrust Manager can be configured using the following:
Note
If you wish to use external certificate authentication for an Azure Cloud connection, you must first create a valid external certificate.
Managing Azure Connections using GUI
Client ID - this is an Application ID of the Azure application. It can be used either with Client Secret or Certificate to authenticate the application.
Tenant ID - this is the Office365 tenant ID. It is a globally unique identifier (GUID). For more details, refer to the Azure documentation.
Cloud Name - the name of the Azure cloud to connect to. Currently, only the following options are available:
Azure Cloud - For Azure Cloud configuration, refer to Creating an Azure Cloud Connection.
Azure China Cloud
Azure US Government
Azure Stack - For Azure Stack configuration, refer to Configure Azure Stack.
Authentication - you can use either Client Secret or Certificate for authentication.
Client Secret – this authentication method uses the application password of the Client ID to enable communication between Azure and CipherTrust Manager.
Certificate - this authentication method is used to enable password-less communication between Azure and CipherTrust Manager.
Note
Azure Stack does not support Certificate authentication.
Select the Certificate radio button
Select Application or External as the Certificate Type.
The Application certificate type is generated by CipherTrust Manager and self-signed.
The External certificate type is a pre-existing certificate generated on CipherTrust Manager and then signed by a CA local or external to the CipherTrust Manager. To use this option, you first need to create a valid external certificate.
Click the Generate and Download button.
Upload the downloaded certificate to Azure for the provided Client ID.
Once the upload is done, verify the Thumbprint on the CipherTrust Manager and Azure. Both the thumbprints must match.
Specify Certificate Duration in Days, if desired. The default certificate duration is 730 days (2 years).
Ensure that you have fulfilled the prerequisites to create a valid external certificate.
Do one of the following:
Select File Upload and click the Upload Certificate to upload the external certificate as a file.
Select Text and paste the certificate contents in the text box.
Note
The CipherTrust Manager allows you to modify the external certificate in the existing connection. Any unused certificate will be automatically deleted after 24 hours.
Click the Test Credentials button to verify that certificate authentication is working.
Note
This configuration is applicable to Azure Stack only.
Configuring an Azure Stack connection requires various URLs, described below. To get these URLs, run the command Get-AzureRmEnvironment in your Azure AD VM. Refer to Connect with Azure AD for details.
Azure Stack Connection Type - Azure Stack supports two connection types, each backed by Active Directory as the identity provider:
AAD - Azure Active Directory
ADFS - Active Directory Federation Services
Active Directory Endpoint - this is a URL at which the identity providers can be reached. For example, https://login.microsoftonline.com/
Key Vault DNS Suffix - this is a DNS suffix for the key vault in the Azure Stack. For example, vault.local.azurestack.external.
Management URL - this is the URL with a unique identifier for Azure Resource Manager registered with your identity provider.
Resource Manager URL - this URL is the location of the Azure Resource Manager service. For example, https://management.azure.com or https://management.local.azurestack.external
Vault Resource URL - this is the URL to access vault resources. For example, https://vault.local.azurestack.external
Azure Server Certificate - this is the Server certificate used by HTTPS protocol for a secure connection.
Managing Azure Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete an Azure Stack connection
List all Azure Stack connections
Test an existing Azure Stack connection
Test parameters for an Azure Stack connection
Create an Azure Cloud Connection
Note
Examples in this section are for the ADFS connection type. Similarly, you can manage connections for AAD by changing the connection-type to AAD.
Creating an Azure Stack Connection
To create an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure create --name <Connection-Name> --products <Product-Names> --clientid <Azure-Key-ID> --meta <Key-Values> --tenantid <Tenant-ID> --cloudname <Cloud-Name> --connection-type <Connection-Type> --active-dir-endpoint <Active-Directory-Endpoint> --management-url <Management-URL> --res-manager-url <Resource-Manager-URL> --key-vault-dns-suffix <Keyvault-DNS-Suffix> --vault-res-url <Vault-Resource-URL> --server-cert-file <Server-Certificate-File>
Example Request
ksctl connectionmgmt azure create --name test-azs-adfs --products cckm --clientid client123 --secret secret123 --tenantid 123 --cloudname AzureStack --connection-type ADFS --active-dir-endpoint "https://adfs.local.azurestack.external/adfs" --management-url "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd" --res-manager-url "https://management.local.azurestack.external/" --key-vault-dns-suffix "vault.local.azurestack.external" --vault-res-url "https://vault.local.azurestack.external" --server-cert-file ~/server.pem
Example Response
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917450971Z",
"updatedAt": "2020-12-24T11:06:31.916445598Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"tenant_id": "123",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
}
Getting Details of an Azure Stack Connection
To get details of an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt azure get --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
Example Response
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917451Z",
"updatedAt": "2020-12-24T11:06:31.916446Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"tenant_id": "123",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
}
Updating an Azure Stack Connection
To update an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure modify --id <Connection-Name/ID> --products <Product-Names> --secret <Azure-Client-Secret> --meta <Key-Values>
Example Request
ksctl connectionmgmt azure modify --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3 --tenantid 456
Example Response
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917451Z",
"updatedAt": "2020-12-24T11:14:12.702605505Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": false,
"last_connection_error": "Post \"https://adfs.local.azurestack.external/adfs/oauth2/token\": dial tcp: lookup adfs.local.azurestack.external on 127.0.0.11:53: no such host",
"last_connection_at": "2020-12-24T11:12:48.403146Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"meta": "",
"tenant_id": "456",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
}
Deleting an Azure Stack Connection
To delete an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt azure delete --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
There will be no response if the Azure Stack connection is deleted successfully.
Getting List of Azure Stack Connections
To list all the Azure Stack connections, run:
Syntax
ksctl connectionmgmt azure list
Example Request
ksctl connectionmgmt azure list
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917451Z",
"updatedAt": "2020-12-24T11:06:31.916446Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"tenant_id": "123",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
}
]
}
Testing an Existing Azure Stack Connection
To test an existing Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure test --id <Connection-Name/ID> --clientid <Azure-Key-ID> --secret <Azure-Client-Secret> --tenantid <Tenant-ID>
Example Request
ksctl connectionmgmt azure test --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
Example Response
{
"connection_ok": true
}
Testing Parameters for an Azure Stack Connection
To test parameters for an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure test --clientid <Azure-Key-ID> --meta <Key-Values> --tenantid <Tenant-ID> --cloudname <Cloud-Name> --connection-type <Connection-Type> --active-dir-endpoint <Active-Directory-Endpoint> --management-url <Management-URL> --res-manager-url <Resource-Manager-URL> --key-vault-dns-suffix <Keyvault-DNS-Suffix> --vault-res-url <Vault-Resource-URL> --server-cert-file <Server-Certificate-File>
Example Request
ksctl connectionmgmt azure test --clientid client123 --secret secret123 --tenantid 123 --cloudname AzureStack --connection-type ADFS --active-dir-endpoint "https://adfs.local.azurestack.external/adfs" --management-url "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd" --res-manager-url "https://management.local.azurestack.external/" --key-vault-dns-suffix "vault.local.azurestack.external" --vault-res-url "https://vault.local.azurestack.external" --server-cert-file ~/server.pem
Example Response
{
"connection_ok": true
}
Creating an Azure Cloud Connection
The Azure Cloud connection can be created using:
Internal certificate
External certificate
Creating an Azure Cloud Connection using internal certificate
To create an Azure Cloud connection using an internally generated self-signed certificate, run:
Example
ksctl connectionmgmt azure create --name "azureconnection2" --clientid "a-client-id" --cloudname "AzureCloud" --use-certificate true
Response
{
"id": "525d00e7-e677-4411-9f8c-0af01576d4c5",
"uri": "kylo:kylo:connectionmgmt:connections:azureconnection2-525d00e7-e677-4411-9f8c-0af01576d4c5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-23T08:28:00.109946977Z",
"updatedAt": "2022-08-23T08:28:00.108830988Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "azureconnection2",
"client_id": "a-client-id",
"cloud_name": "AzureCloud",
"certificate": "-----BEGIN CERTIFICATE-----\nMIIFvjCCA6agAwIBAgIRAIeusgD8lFVBJoLiSXw7EBUwDQYJKoZIhvcNAQELBQAw\nfzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNh\nbiBKb3NlMQ8wDQYDVQQKEwZUaGFsZXMxFDASBgNVBAsTC0NpcGhlclRydXN0MSEw\nHwYDVQQDExhjY2ttLnRoYWxlc2VzZWN1cml0eS5jb20wHhcNMjIwODIzMDgyODAw\nWhcNMjQwODIyMDgyODAwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv\ncm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDzANBgNVBAoTBlRoYWxlczEUMBIGA1UE\nCxMLQ2lwaGVyVHJ1c3QxITAfBgNVBAMTGGNja20udGhhbGVzZXNlY3VyaXR5LmNv\nbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM1CwlTeUj4yIKdbzCtX\nKmKFbroVqbOuZWg+N6pRVqz6r4kfA1wZD4e6fgo5GBBaceQNZDoJEj+pt6uumTRy\nvuH087U6nin+5M432+cKyvNPD/C7/LNB3NtCG6AJS6GNPMYMMxCjqtH5hY5OhEVz\njOTRrzTT4E/mGzPAGHY6adI/v5nO1A6kndeW0TyBqfmo9w/bT1wDH6CAMjfbmTKY\nO7iXqxQVo1CYWl9QbgvIsmj3zOEKZF3DbNAlz4hgc+uyS7e76sqUeJgJZQGh/AYc\n+tizeFsulMlXUPfLgmrZuBqO4h4pt7fmj55EsTnZBJK8nefXfu0yVARradP6VqFA\npOjJDhD7OhILYWfUII9ntBvO4AJ5QxbC8IZwhoJuHYtCiOpR2jxKPGxL8zXWnZZf\nln2BzoVAkIap25DBT/lwGN7jcaOFBBqkohQsGiZ68UpKXMEg+80QwMr7ZlsWqHmP\nlEcAEOCzy85pspdkzkpFn6SgaGxZG+njvdkJOcJe/mkEgeJGPq5/uy4wT+mL7lC7\nHK4zi+9SxDalXXpYqQxw0+EnBmrAIPovh9tL8/Go11SETkHCKKWWqieMHguLTR2t\nYslMfShBkWL3OozyOyC0/IFN3M/Wt1NSIZv/85X994Ry19+E2i1Mtm3qgBsVldYy\ntrCj6MPWFtoEg/yOaM7LWeplAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIDiDATBgNV\nHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IC\nAQAnZ7b4R4Ox1Vjp8cY+20psSE0Un1QbgmYHwpiP4BKDacHZRaPwhke6QicuYdMB\nkxYgtIJCtJu+1/TORe4Tqa+y0fhH5AGpCuSmuFGO2DFB3nsRDRvIgwf4kLpjnFYg\n3Mg7UfZy9f88kHdeortSD/fc2gx0Sc+oJQAp1zubkaPal5+sPWfhE8O5e6zZOaFA\nf1cZxGOgJ12Hs3XK0/gEItaJJwaj5u0Iagt0w98jwhZ5ZP3e+BX8ZC10fhoxuzKw\neMLAM112DmNwqNFKp3gDdfAaD/Rg7VXBFDpWd+MNeCvDyuoUaPK6JI0cKaNOdVHX\nzG1nwopHodTkBJSH+7UHy/s9mMQLlqSvuCnGbDi8IAt5pw6G4ls+vl6mJZ6nDehK\nk7Mmeh2COVNVtu2GhTiqPzOazlXgJTBPSddCOJVZ51F+6vIMFeV/+CJH53cqBTBJ\nJTv7aYJtV6vzW9tVaCb6nPnLtryc49ucjNeNPFfCxtXrZog7fJeocFsdWimMwlXy\nSqGYAaFdOJJZgAhvlQusl4oJIVZ3Cw9OAk61whTjEMfXAyJHRuwP/0uDZWNo6/z7\n8GmgLrPeEBuc8qyXy26ALoUm2rsDCSjo14qL1u29b
VkeFP3ZdPBoapvyzCudmSx2\n2NuDQJO/TaREDGkvx27xyu8thIPRLCb4HuzlDhDi3Xg2tA==\n-----END CERTIFICATE-----\n",
"certificate_thumbprint": "5BB5FC44C0CAFA417773CA4EC80A07232AC02499"
}
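The thumbprint comparison required for certificate authentication can be scripted against the response above. The following Python code is an added example, not part of ksctl or CipherTrust Manager. It assumes that certificate_thumbprint is the SHA-1 digest of the DER-encoded certificate (the form the Azure portal displays); the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for DER bytes; not a real certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Remove line breaks, then decode strictly so stray characters are
    # rejected instead of silently ignored.
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def thumbprint(pem: str) -> str:
    """SHA-1 over the DER encoding, upper-case hex (assumed format)."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize(value: str) -> str:
    """Normalise a thumbprint copied from a UI or tool output.

    Accepts lower case and colon- or space-separated forms.
    """
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit SHA-1 thumbprint")
    return cleaned


def verify_connection(response_json: str, azure_thumbprint: str) -> dict:
    """Check a connection response against the thumbprint shown by Azure.

    matches_reported: the embedded certificate hashes to the thumbprint
                      reported in the same response.
    matches_azure:    the embedded certificate hashes to the value copied
                      from the Azure application registration.
    """
    conn = json.loads(response_json)
    computed = thumbprint(conn["certificate"])
    reported = normalize(conn["certificate_thumbprint"])
    portal = normalize(azure_thumbprint)
    return {
        "computed": computed,
        "matches_reported": hmac.compare_digest(computed, reported),
        "matches_azure": hmac.compare_digest(computed, portal),
    }


def constructed_response() -> str:
    """Build a constructed response with the same two fields as above."""
    b64 = base64.b64encode(SAMPLE_DER).decode()
    pem = (
        "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
    )
    return json.dumps({
        "name": "azureconnection2",
        "certificate": pem,
        "certificate_thumbprint": hashlib.sha1(SAMPLE_DER).hexdigest().upper(),
    })


if __name__ == "__main__":
    response = constructed_response()
    # Value as it might be pasted from another tool: lower case with colons.
    digest = hashlib.sha1(SAMPLE_DER).hexdigest()
    pasted = ":".join(digest[i:i + 2] for i in range(0, 40, 2))
    print(verify_connection(response, pasted))
    # A different certificate uploaded to the application fails the check.
    print(verify_connection(response, "00" * 20))
```

If matches_azure is false, the certificate uploaded to the application is not the one held by the connection, and the connection should not be used until the correct certificate is uploaded.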
Creating an Azure Cloud Connection using external certificate
Note
The external certificate cannot be used with the use_certificate and client_secret parameters.
To create an Azure cloud connection using an external certificate generated from the custom CSR signed by any internal/external CA:
Generate a new Certificate Signing Request (CSR). The Azure connections do not support RSA 1024-bit keys for creating CSRs. The supported RSA key strengths are 2048 and 4096 bits.
Syntax
ksctl connectionmgmt connections csr --cn <common-name> --csr-outfile <filename>
Example
ksctl connectionmgmt connections csr --cn "test" --csr-outfile "Azurecsr.pem"
Response
{ "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIHIMHECAQAwDzENMAsGA1UEAxMEdGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABPkDWFDb/khM9xaRPAnRKJ0nq7hfkQiX9UY8v03zL/X9YybSB/L3W4CpI0o6\nhLZQtoOjiv6ziRToKDFpq4K/WdegADAKBggqhkjOPQQDAgNHADBEAiA2kC7YOUqU\n0BtS+SDI/OuCd21JhkQoVX0ZcD/e/g5jtQIgTHE79SCJ/G/UXLNHjfmGZyP9zVmH\nObA8stMQDpSMJhM=\n-----END CERTIFICATE REQUEST-----\n" }
This CSR can only be used for one connection in the native domain. Also, this CSR can't be reused in other domains.
Sign the CSR with any local or external CA. It will generate an external certificate.
Upload the generated certificate to the Azure portal.
Create the Azure cloud connection using the external certificate generated above.
Example
ksctl connectionmgmt azure create --name "azureconnecnwithcert" --json-file certazure.json
Response
{ "id": "5c440f1f-650c-497e-bd38-b7ebfe7e4e65", "uri": "kylo:kylo:connectionmgmt:connections:azure-connectio2n-5c440f1f-650c-497e-bd38-b7ebfe7e4e65", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2022-08-23T08:16:24.236837416Z", "updatedAt": "2022-08-23T08:16:24.23580786Z", "service": "azure", "category": "cloud", "last_connection_ok": null, "last_connection_at": "0001-01-01T00:00:00Z", "name": "azure-connection", "products": [ "cckm" ], "meta": { "color": "blue" }, "tenant_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c71285nfjdu2", "client_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c7e12", "cloud_name": "AzureCloud", "certificate": "-----BEGIN CERTIFICATE-----\nMIIFUzCCAzugAwIBAgIRAIzHRMIS7tVGXVzIXlhGwCMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzAN\nBgNVBAoTBlRoYWxlczEcMBoGA1UEAxMTQ2lwaGVyVHJ1c3QgUm9vdCBDQTAeFw0y\nMjA4MjIwODE0MzNaFw0yMzA4MjMwODE0MzNaMGQxCzAJBgNVBAYTAlVTMQswCQYD\nVQQIEwJNRDEQMA4GA1UEBxMHQmVsY2FtcDEVMBMGA1UEChMMVGhhbGVzIEdyb3Vw\nMQwwCgYDVQQLEwNSbkQxETAPBgNVBAMTCGt5bG8uY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAo0DG/4KcgVsq1mvyQU3ux2hG4Qj2LxjdLc82GlWa\nxGhzsLcdiftvpCBSCTbMhhEBxrG7qv3HZscoskBzTxPi279ewMn6cmsBVimvcF3k\ntS8VnkMPWnz1xf0K0Y97qJqic5seLEwjD4aW3QGvP/FAHDjo+PgwfC+QvulHpy4f\nQn1OltPcHBMlbx7VGfb9wWZxjbngw7vUPM2Lp5e2WAEQgibbJlSOF6FBbCCBdoqQ\n0h/K2B6HDEFt/suKg+GlZZJFDEO4DROLVPIA7t9YkY9+tx5n1oxHr2ss6uAh1Pfu\ngzG0wHxS5Rk93J1tkvJVbrjvufvFQdyS+rN1t4oYZErIYQIDAQABo4IBCDCCAQQw\nDgYDVR0PAQH/BAQDAgOIMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC\nMAAwHwYDVR0jBBgwFoAUJdaEkkS1PvDamMgSvCe8iXoOUVowTgYDVR0RBEcwRYIR\nKi50aGFsZXNncm91cC5jb22CESoudGhhbGVzZ3JvdXAubmV0gRdjb250YWN0QHRo\nYWxlc2dyb3VwLmNvbYcEAQEBATBeBgNVHR8EVzBVMFOgUaBPhk1odHRwOi8vY2lw\naGVydHJ1c3RtYW5hZ2VyLmxvY2FsL2NybHMvMWNiMTQ5ZDUtNzZhOC00ZDA1LWJj\nZTctZDhiZGZlNTE3NjI4LmNybDANBgkqhkiG9w0BAQsFAAOCAgEATTgmIuNMjV+R\npP4uPnXwSvjPcf9Lluay4Ylk4mhN6ZjHETS8H4PdbDbbXD8IUi2RoYVa2LQp3lY9\np1fBoQkcMm9SNXj3ULqYOMRljw7/H4BJ4hTsZk8i1ggl/7qcCK4izi+chHIr/yET\noJxJAWQ0rrA
suuuPm2x9Jc6f5dVTcRVcj8P96OlqRcwFpzDmohPFteF7BZdO/l9y\nnEyU0KSyLbIkpSGWe64FXCdtlqIfBrXdL90oFhb2YO1b+ql4malQYbrkgK/jwurB\nEflZP+CI9yWyceJO7Hb/yXsIyrPeT7zSsRownD6FQFEY7LCDG9hCC/2WFiVEs8hj\nJjgZWjsr4BKgI1kQAk765k8pgZsSQoG4SU8snawifLCeCLeeDC5MwIBAgXdY9Glg\nJ18SRx9TCMbIg9BkKTo/a7i7u1x+I3ZicVHbzsDXD2Gb3Ce2KGIOkA7i+19fxOi7\n28Q0Cw+3urzJmW/mr689omcHGbUW9DmEYyLiUsvPGh7iL/ZwXKlWB6btKttMC7iG\no0tYrQf8Jtk9xW+TqQfli1QZSfpK7vBypys87hFYRD7I82EA6zDLtIz16rjcFPUG\nitTI7OJsCVX8QhaLGqc3vahhEsEfKhEEOczUwEc9oGAFOLsjrJvVM6/wwebvD0G3\nM+tG8aEYPLphmR4dD5Zp9mmlcVdpUkM=\n-----END CERTIFICATE-----\n", "certificate_thumbprint": "9CECEBFE89C12E201461200070376971B9678374" }
JSON File
{ "name": "azure-connection", "products": [ "cckm" ], "meta": { "color": "blue" }, "cloud_name": "AzureCloud", "client_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c7e12", "tenant_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c71285nfjdu2", "certificate": "-----BEGIN CERTIFICATE-----\nMIIFUzCCAzugAwIBAgIRAIzHRMIS7tVGXVzIXlhGwCMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzAN\nBgNVBAoTBlRoYWxlczEcMBoGA1UEAxMTQ2lwaGVyVHJ1c3QgUm9vdCBDQTAeFw0y\nMjA4MjIwODE0MzNaFw0yMzA4MjMwODE0MzNaMGQxCzAJBgNVBAYTAlVTMQswCQYD\nVQQIEwJNRDEQMA4GA1UEBxMHQmVsY2FtcDEVMBMGA1UEChMMVGhhbGVzIEdyb3Vw\nMQwwCgYDVQQLEwNSbkQxETAPBgNVBAMTCGt5bG8uY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAo0DG/4KcgVsq1mvyQU3ux2hG4Qj2LxjdLc82GlWa\nxGhzsLcdiftvpCBSCTbMhhEBxrG7qv3HZscoskBzTxPi279ewMn6cmsBVimvcF3k\ntS8VnkMPWnz1xf0K0Y97qJqic5seLEwjD4aW3QGvP/FAHDjo+PgwfC+QvulHpy4f\nQn1OltPcHBMlbx7VGfb9wWZxjbngw7vUPM2Lp5e2WAEQgibbJlSOF6FBbCCBdoqQ\n0h/K2B6HDEFt/suKg+GlZZJFDEO4DROLVPIA7t9YkY9+tx5n1oxHr2ss6uAh1Pfu\ngzG0wHxS5Rk93J1tkvJVbrjvufvFQdyS+rN1t4oYZErIYQIDAQABo4IBCDCCAQQw\nDgYDVR0PAQH/BAQDAgOIMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC\nMAAwHwYDVR0jBBgwFoAUJdaEkkS1PvDamMgSvCe8iXoOUVowTgYDVR0RBEcwRYIR\nKi50aGFsZXNncm91cC5jb22CESoudGhhbGVzZ3JvdXAubmV0gRdjb250YWN0QHRo\nYWxlc2dyb3VwLmNvbYcEAQEBATBeBgNVHR8EVzBVMFOgUaBPhk1odHRwOi8vY2lw\naGVydHJ1c3RtYW5hZ2VyLmxvY2FsL2NybHMvMWNiMTQ5ZDUtNzZhOC00ZDA1LWJj\nZTctZDhiZGZlNTE3NjI4LmNybDANBgkqhkiG9w0BAQsFAAOCAgEATTgmIuNMjV+R\npP4uPnXwSvjPcf9Lluay4Ylk4mhN6ZjHETS8H4PdbDbbXD8IUi2RoYVa2LQp3lY9\np1fBoQkcMm9SNXj3ULqYOMRljw7/H4BJ4hTsZk8i1ggl/7qcCK4izi+chHIr/yET\noJxJAWQ0rrAsuuuPm2x9Jc6f5dVTcRVcj8P96OlqRcwFpzDmohPFteF7BZdO/l9y\nnEyU0KSyLbIkpSGWe64FXCdtlqIfBrXdL90oFhb2YO1b+ql4malQYbrkgK/jwurB\nEflZP+CI9yWyceJO7Hb/yXsIyrPeT7zSsRownD6FQFEY7LCDG9hCC/2WFiVEs8hj\nJjgZWjsr4BKgI1kQAk765k8pgZsSQoG4SU8snawifLCeCLeeDC5MwIBAgXdY9Glg\nJ18SRx9TCMbIg9BkKTo/a7i7u1x+I3ZicVHbzsDXD2Gb3Ce2KGIOkA7i+19fxOi7\n28Q0Cw+3urzJmW/mr689omcHGbUW9DmEYyLiUsvPGh7iL/ZwXKlWB6btKttMC7iG\no0tYrQf8Jtk9xW+
TqQfli1QZSfpK7vBypys87hFYRD7I82EA6zDLtIz16rjcFPUG\nitTI7OJsCVX8QhaLGqc3vahhEsEfKhEEOczUwEc9oGAFOLsjrJvVM6/wwebvD0G3\nM+tG8aEYPLphmR4dD5Zp9mmlcVdpUkM=\n-----END CERTIFICATE-----\n" }
The CipherTrust Manager allows you to modify the external certificate in the existing connection. Any unused certificate will be automatically deleted after 24 hours.