Azure
Azure connections to the CipherTrust Manager can be configured using the following:
Note
If you wish to use external certificate authentication for an Azure Cloud connection, you must first create a valid external certificate.
Managing Azure Connections using GUI
To manage Azure connections using GUI, perform the following steps:
- Log on to CipherTrust Data Security Platform Service UI as an administrator. 
- Navigate to Access Management > Connections. 
- Click Add Connection. 
- On the Add Connection screen, select category as Cloud. 
- Select Select Cloud Type as Azure and click Next. 
- Specify connection Name and Description and click Next. 
- Configure the below parameters.
  - Client ID - this is an Application ID of the Azure application. It can be used either with Client Secret or Certificate to authenticate the application.
  - Tenant ID - this is the Office365 tenant ID. It is a globally unique identifier (GUID). For more details, refer to the Azure documentation.
  - Cloud Name - the name of the Azure cloud to connect to. Currently, only the following options are available:
    - Azure Cloud - For Azure Cloud configuration, refer to Creating an Azure Cloud Connection.
    - Azure China Cloud
    - Azure US Government
    - Azure Stack - For Azure Stack configuration, refer to Configure Azure Stack.
  - Authentication - you can use either Client Secret or Certificate for authentication.
    - Client Secret - this authentication method uses the application password of the Client ID to enable communication between Azure and CipherTrust Manager.
    - Certificate - this authentication method is used to enable password-less communication between Azure and CipherTrust Manager.
      - Note - Azure Stack does not support Certificate authentication.
      - Select the Certificate radio button.
      - Select Application or External as the Certificate Type.
        - The Application certificate type is generated by CipherTrust Data Security Platform Service and self-signed.
        - The External certificate type is a pre-existing certificate generated on CipherTrust Data Security Platform Service and then signed by a CA external to the CipherTrust Data Security Platform Service. To use this option, you first need to create a valid external certificate.
      - For the Application certificate type:
        - Click the Generate and Download button.
        - Upload the downloaded certificate on Salesforce for the provided Client ID.
        - Once the upload is done, verify the Thumbprint on the CipherTrust Data Security Platform Service and Azure. Both the thumbprints must match.
        - Specify Certificate Duration in Days, if desired. The default certificate duration is 730 days (2 years).
      - For the External certificate type:
        - Ensure that you have fulfilled the prerequisites to create a valid external certificate.
        - Do one of the following:
          - Select File Upload and click the Upload Certificate to upload the external certificate as a file.
          - Select Text and paste the certificate contents in the text box.
        - Note - The CipherTrust Data Security Platform Service allows you to modify the external certificate in the existing connection. Any unused certificate will be automatically deleted after 24 hours.
- Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK, else the status is Fail.
- Click Next to move to the Add Products screen of the Add Connection wizard.
  - Note - This configuration is applicable to Azure Stack only.
- Configuring an Azure Stack connection requires various URLs, described below. To get these URLs, run the command Get-AzureRmEnvironment in your Azure AD VM. Refer to Connect with Azure AD for details.
  - Azure Stack Connection Type - Azure Stack supports two types backed by Active Directory as an identity provider:
    - AAD - Azure Active Directory
    - ADFS - Active Directory Federation Services
  - Active Directory Endpoint - this is a URL at which the identity providers can be reached. For example, https://login.microsoftonline.com/
  - Key Vault DNS Suffix - this is a DNS suffix for the key vault in the Azure Stack. For example, vault.local.azurestack.external.
  - Management URL - this is the URL with a unique identifier for Azure Resource Manager registered with your identity provider.
  - Resource Manager URL - this URL is the location of the Azure Resource Manager service. For example, https://management.azure.com or https://management.local.azurestack.external
  - Vault Resource URL - this is the URL to access vault resources. For example, https://vault.local.azurestack.external
  - Azure Server Certificate - this is the Server certificate used by HTTPS protocol for a secure connection.
Managing Azure Connections using ksctl
The following operations can be performed:
- Create/Get/Update/Delete an Azure Stack connection 
- List all Azure Stack connections 
- Test an existing Azure Stack connection 
- Test parameters for an Azure Stack connection
- Create an Azure Cloud Connection 
Parameter Details
| Parameter | Mandatory/Optional | Description | 
|---|---|---|
| name | Mandatory | Unique name of the connection. | 
| description | Optional | Connection description. | 
| products | Optional | List of products. | 
| clientid | Mandatory | Unique Identifier (client ID) for the Azure application. | 
| meta | Optional | Meta information in JSON format. For example, --meta "{\"color\":\"blue\",\"foo\":\"bar\"}". |
| tenantid | Mandatory | Tenant ID of the Azure application. | 
| cloudname | Optional | Name of the Azure cloud to connect to. | 
| connection-type | Optional | Azure stack connection type (AAD or ADFS). | 
| active-dir-endpoint | Optional | Azure stack active directory authority URL. | 
| management-url | Optional | Azure stack management URL. | 
| res-manager-url | Optional | Azure stack resource manager URL. | 
| key-vault-dns-suffix | Optional | Azure stack key vault dns suffix. | 
| vault-res-url | Optional | Azure stack vault service resource URL. | 
| server-cert-file | Optional | Server certificate file path. | 
Note
Examples in this section are for ADFS connection type. Similarly, you can manage connections for AAD by changing the connection-type to AAD.
Creating an Azure Stack Connection
To create an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure create --name <Connection-Name> --products <Product-Names> --clientid <Azure-Key-ID> --meta <Key-Values> --tenantid <Tenant-ID> --cloudname <Cloud-Name> --connection-type <Connection-Type> --active-dir-endpoint <Active-Directory-Endpoint> --management-url <Management-URL> --res-manager-url <Resource-Manager-URL> --key-vault-dns-suffix <Keyvault-DNS-Suffix> --vault-res-url <Vault-Resource-URL> --server-cert-file <Server-Certificate-File>
Example Request
ksctl connectionmgmt azure create --name test-azs-adfs --products cckm --clientid client123 --secret secret123  --tenantid 123 --cloudname AzureStack --connection-type ADFS --active-dir-endpoint "https://adfs.local.azurestack.external/adfs" --management-url "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd" --res-manager-url "https://management.local.azurestack.external/" --key-vault-dns-suffix "vault.local.azurestack.external" --vault-res-url "https://vault.local.azurestack.external" --server-cert-file ~/server.pem
Example Response
    {
     "id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
        "uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2020-12-24T11:06:31.917450971Z",
        "updatedAt": "2020-12-24T11:06:31.916445598Z",
        "service": "azure",
        "category": "cloud",
        "last_connection_ok": null,
        "last_connection_at": "0001-01-01T00:00:00Z",
        "name": "test-azs-adfs",
        "products": [
                "cckm"
        ],
        "tenant_id": "123",
        "client_id": "client123",
        "cloud_name": "AzureStack",
        "active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
        "vault_resource_url": "https://vault.local.azurestack.external",
        "resource_manager_url": "https://management.local.azurestack.external/",
        "key_vault_dns_suffix": "vault.local.azurestack.external",
        "management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
        "azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
        "azure_stack_connection_type": "ADFS"
    }
Getting Details of an Azure Stack Connection
To get details of an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt azure get --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
Example Response
{
    "id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
    "uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2020-12-24T11:06:31.917451Z",
    "updatedAt": "2020-12-24T11:06:31.916446Z",
    "service": "azure",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "test-azs-adfs",
    "products": [
            "cckm"
    ],
    "tenant_id": "123",
    "client_id": "client123",
    "cloud_name": "AzureStack",
    "active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
    "vault_resource_url": "https://vault.local.azurestack.external",
    "resource_manager_url": "https://management.local.azurestack.external/",
    "key_vault_dns_suffix": "vault.local.azurestack.external",
    "management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
    "azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
    "azure_stack_connection_type": "ADFS"
}
Updating an Azure Stack Connection
To update an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure modify --id <Connection-Name/ID> --products <Product-Names> --secret <Azure-Client-Secret> --meta <Key-Values>
Example Request
ksctl connectionmgmt azure modify --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3 --tenantid 456
Example Response
{
        "id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
        "uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2020-12-24T11:06:31.917451Z",
        "updatedAt": "2020-12-24T11:14:12.702605505Z",
        "service": "azure",
        "category": "cloud",
        "last_connection_ok": false,
        "last_connection_error": "Post \"https://adfs.local.azurestack.external/adfs/oauth2/token\": dial tcp: lookup adfs.local.azurestack.external on 127.0.0.11:53: no such host",
        "last_connection_at": "2020-12-24T11:12:48.403146Z",
        "name": "test-azs-adfs",
        "products": [
                "cckm"
        ],
        "meta": "",
        "tenant_id": "456",
        "client_id": "client123",
        "cloud_name": "AzureStack",
        "active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
        "vault_resource_url": "https://vault.local.azurestack.external",
        "resource_manager_url": "https://management.local.azurestack.external/",
        "key_vault_dns_suffix": "vault.local.azurestack.external",
        "management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
        "azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
        "azure_stack_connection_type": "ADFS"
}
Deleting an Azure Stack Connection
To delete an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt azure delete --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
There will be no response if the Azure Stack connection is deleted successfully.
Getting List of Azure Stack Connections
To list all the Azure Stack connections, run:
Syntax
ksctl connectionmgmt azure list
Example Request
ksctl connectionmgmt azure list
Example Response
{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
            {
                    "id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
                    "uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
                    "account": "kylo:kylo:admin:accounts:kylo",
                    "createdAt": "2020-12-24T11:06:31.917451Z",
                    "updatedAt": "2020-12-24T11:06:31.916446Z",
                    "service": "azure",
                    "category": "cloud",
                    "last_connection_ok": null,
                    "last_connection_at": "0001-01-01T00:00:00Z",
                    "name": "test-azs-adfs",
                    "products": [
                            "cckm"
                    ],
                    "tenant_id": "123",
                    "client_id": "client123",
                    "cloud_name": "AzureStack",
                    "active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
                    "vault_resource_url": "https://vault.local.azurestack.external",
                    "resource_manager_url": "https://management.local.azurestack.external/",
                    "key_vault_dns_suffix": "vault.local.azurestack.external",
                    "management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
                    "azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n2j0VAgq5PlqfFX2A8yoLYayv3NZcwWwC0ErhY3z2tIcnxuJ84OoVTD1O2NXF1SMq\nBK2dS1WrDim4QZpp+ueuLAYpQDHxZAo353tXjQ9W6alvfCTaX621/2clxQ/fn3Zt\nL0zP8aUCO/sv80B6C+nr20g8ooxdUIOrbsYWwVMpis+J39fQNItLJzcib0lWYrYe\n7f1d+yXc+zMMU1tEOh7q504zy142YsFNlk1D3HOzvPB+NHA2D7M8Buj7Z3VH57cr\ny69bDFlBlePO3JDUfo8TKmz+ST0x9TjVBHTtjCDqtENWBqNppAd3SdRIeHKFF8CH\nbHg/oL6z3kQYXwEqbHu5kQIDAQABozUwMzAOBgNVHQ8BAf8EBAMCA4gwEwYDVR0l\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEA\nlu2HMN3FnPPYxKt89aBJA1NeZgTTSGPLnE3T5T2VPjy6/RO6rWnvcn3YdaOOHRa2\nWP+mm/Au003pheu8orX0YrRxEVLCYUff3Xq+wKol8zP8EGR3PMB4zOGfdkxGQJZB\n/aVDasU80mLdLi7iwVD5p788fCIKdQWNA1Ln1nmEwF48jBns6p2kx2TCruQU0v9H\npbPKOVq84zs0rrgtioYgF4nlTGXjNP6KvO+F0PdUKby6ZtQptGADz92FD4wnpQr1\nBtGFhkS+c4nD+JzjeWMhu6qyK+NTJ5f5CUF6okxfOIHAzmLja9knwVLsJQ3R4oKo\nLyzp/wBSurdS+ClT9pJ0unPzq7UM0QFkvk2Op0gFswZ5XfewaAaEZifcVnux/ira\ndlZrVM9kBN1Fz2DzWau7itqhXiT8fdDH68qYQwNQwwDe5km3+i44Jz7KWEQi88XO\nKbwO8tMMvd+exLXshLzIbJ/1IVsQklR4N1M7GHrXTbgomCAxBhTkuGyu4hENYHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
                    "azure_stack_connection_type": "ADFS"
            }
    ]
}
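The list response above carries each connection's last test result and its endpoint URLs, so it can be audited offline. The following is an added example, not part of the product documentation: the function names are hypothetical, the sample listing is constructed from the fields shown on this page, and only the "no such host" error text appears on the page (the other error substrings are assumed from Go's standard network errors).

```python
import json
from urllib.parse import urlparse

# Endpoint fields of an Azure Stack connection, as named in the responses above.
URL_FIELDS = (
    "active_directory_endpoint",
    "management_url",
    "resource_manager_url",
    "vault_resource_url",
)

# Substring of last_connection_error -> triage hint.
# Only "no such host" is taken from the page; the rest are assumptions.
ERROR_HINTS = (
    ("no such host", "dns"),
    ("x509:", "tls"),
    ("connection refused", "network"),
    ("i/o timeout", "network"),
)


def classify_error(message):
    """Map a last_connection_error string to a coarse cause."""
    for needle, hint in ERROR_HINTS:
        if needle in message:
            return hint
    return "other"


def audit_connection(conn):
    """Return a list of findings for one connection record."""
    findings = []
    status = conn.get("last_connection_ok")
    if status is None:
        # null means the connection was created but never tested
        findings.append("never-tested")
    elif status is False:
        hint = classify_error(conn.get("last_connection_error", ""))
        findings.append("failed:" + hint)
    for field in URL_FIELDS:
        value = conn.get(field)
        if value and urlparse(value).scheme != "https":
            findings.append("not-https:" + field)
    return findings


def audit_listing(listing_json):
    """Audit every record; also report whether the page was truncated."""
    listing = json.loads(listing_json)
    resources = listing.get("resources", [])
    report = {conn["name"]: audit_connection(conn) for conn in resources}
    seen = listing.get("skip", 0) + len(resources)
    truncated = listing.get("total", seen) > seen
    return report, truncated


def _sample(name, ok, **overrides):
    # Constructed record using the example values from this page.
    conn = {
        "name": name,
        "cloud_name": "AzureStack",
        "last_connection_ok": ok,
        "active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
        "vault_resource_url": "https://vault.local.azurestack.external",
        "resource_manager_url": "https://management.local.azurestack.external/",
    }
    conn.update(overrides)
    return conn


# Constructed sample listing (not real output).
SAMPLE_LISTING = json.dumps({
    "skip": 0,
    "limit": 10,
    "total": 3,
    "resources": [
        _sample("test-azs-adfs", None),
        _sample(
            "test-azs-adfs-2", False,
            last_connection_error=(
                'Post "https://adfs.local.azurestack.external/adfs/oauth2/token": '
                "dial tcp: lookup adfs.local.azurestack.external "
                "on 127.0.0.11:53: no such host"
            ),
        ),
        _sample(
            "lab-azs-aad", True,
            resource_manager_url="http://management.local.azurestack.external/",
        ),
    ],
})

if __name__ == "__main__":
    findings, truncated = audit_listing(SAMPLE_LISTING)
    for name, items in findings.items():
        print(name, items)
    print("listing truncated:", truncated)
```

A truncated result means the response held fewer records than `total`, so the audit covered only part of the connections.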
Testing an Existing Azure Stack Connection
To test an existing Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure test --id <Connection-Name/ID> --clientid <Azure-Key-ID> --secret <Azure-Client-Secret> --tenantid <Tenant-ID>
Example Request
ksctl connectionmgmt azure test --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
Example Response
{
    "connection_ok": true
}
Testing Parameters for an Azure Stack Connection
To test parameters for an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure test --clientid <Azure-Key-ID> --meta <Key-Values> --tenantid <Tenant-ID> --cloudname <Cloud-Name> --connection-type <Connection-Type> --active-dir-endpoint <Active-Directory-Endpoint> --management-url <Management-URL> --res-manager-url <Resource-Manager-URL> --key-vault-dns-suffix <Keyvault-DNS-Suffix> --vault-res-url <Vault-Resource-URL> --server-cert-file <Server-Certificate-File>
Example Request
ksctl connectionmgmt azure test --clientid client123 --secret secret123  --tenantid 123 --cloudname AzureStack --connection-type ADFS --active-dir-endpoint "https://adfs.local.azurestack.external/adfs" --management-url "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd" --res-manager-url "https://management.local.azurestack.external/" --key-vault-dns-suffix "vault.local.azurestack.external" --vault-res-url "https://vault.local.azurestack.external" --server-cert-file ~/server.pem
Example Response
{
    "connection_ok": true
}
Creating an Azure Cloud Connection
The Azure Cloud connection can be created using:
- Internal certificate 
- External certificate 
Creating an Azure Cloud Connection using internal certificate
To create an Azure Cloud connection using an internally generated self-signed certificate, run:
Example
ksctl connectionmgmt azure create --name "azureconnection2" --clientid "a-client-id" --cloudname "AzureCloud" --use-certificate true
Response
{
    "id": "525d00e7-e677-4411-9f8c-0af01576d4c5",
    "uri": "kylo:kylo:connectionmgmt:connections:azureconnection2-525d00e7-e677-4411-9f8c-0af01576d4c5",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-23T08:28:00.109946977Z",
    "updatedAt": "2022-08-23T08:28:00.108830988Z",
    "service": "azure",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "azureconnection2",
    "client_id": "a-client-id",
    "cloud_name": "AzureCloud",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "certificate_thumbprint": "5BB5FC44C0CAFA417773CA4EC80A07232AC02499"
}
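The thumbprint comparison required after uploading the certificate can be done from the create response itself. The following is an added example, not part of the product documentation: it assumes `certificate_thumbprint` is the SHA-1 digest of the DER-encoded certificate (consistent with the 40 hex characters shown above), the function names are hypothetical, and the sample certificate body is constructed placeholder bytes rather than a real X.509 certificate.

```python
import base64
import hashlib
import hmac
import json
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def thumbprint(pem):
    """SHA-1 over the DER encoding, as 40 upper-case hex characters."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize(value):
    """Accept 'AB:CD:..', 'ab cd ..' or 'ABCD..' and return bare upper-case hex."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-character SHA-1 thumbprint")
    return cleaned


def check_connection(connection_json, azure_thumbprint):
    """Compare the computed thumbprint with the reported and the Azure-side values."""
    conn = json.loads(connection_json)
    computed = thumbprint(conn["certificate"])
    reported = normalize(conn["certificate_thumbprint"])
    azure = normalize(azure_thumbprint)
    return {
        "computed": computed,
        "matches_reported": hmac.compare_digest(computed, reported),
        "matches_azure": hmac.compare_digest(computed, azure),
    }


# Constructed sample: 56 placeholder bytes stand in for the DER certificate,
# which is enough because the thumbprint is a hash over the decoded bytes.
SAMPLE_DER = b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_RESPONSE = json.dumps({
    "name": "azureconnection2",
    "client_id": "a-client-id",
    "cloud_name": "AzureCloud",
    "certificate": SAMPLE_PEM,
    "certificate_thumbprint": "84983E441C3BD26EBAAE4AA1F95129E5E54670F1",
})

if __name__ == "__main__":
    # Value as it might be copied from the Azure side, with separators.
    azure_value = "84:98:3E:44:1C:3B:D2:6E:BA:AE:4A:A1:F9:51:29:E5:E5:46:70:F1"
    print(check_connection(SAMPLE_RESPONSE, azure_value))
```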
Creating an Azure Cloud Connection using external certificate
Note
The external certificate cannot be used with use_certificate and client_secret parameters.
To create an Azure cloud connection using an external certificate generated from the custom CSR signed by any internal/external CA:
- Generate a new Certificate Signing Request (CSR). The Azure connections do not support RSA 1024-bit keys for creating CSRs. The supported RSA key strengths are 2048 and 4096 bits.
  Syntax
  ksctl connectionmgmt connections csr --cn <common-name> --csr-outfile <filename>
  Example
  ksctl connectionmgmt connections csr --cn "test" --csr-outfile "Azurecsr.pem"
  Response
  {
      "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIHIMHECAQAwDzENMAsGA1UEAxMEdGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABPkDWFDb/khM9xaRPAnRKJ0nq7hfkQiX9UY8v03zL/X9YybSB/L3W4CpI0o6\nhLZQtoOjiv6ziRToKDFpq4K/WdegADAKBggqhkjOPQQDAgNHADBEAiA2kC7YOUqU\n0BtS+SDI/OuCd21JhkQoVX0ZcD/e/g5jtQIgTHE79SCJ/G/UXLNHjfmGZyP9zVmH\nObA8stMQDpSMJhM=\n-----END CERTIFICATE REQUEST-----\n"
  }
  This CSR can only be used for one connection in the native domain. Also, this CSR can't be reused in other domains.
- Sign the CSR with an external CA. It will generate an external certificate. 
- Upload the generated certificate to the Azure portal. 
- Create the Azure cloud connection using the external certificate generated above.
  Example
  ksctl connectionmgmt azure create --name "azureconnecnwithcert" --json-file certazure.json
  Response
  {
      "id": "5c440f1f-650c-497e-bd38-b7ebfe7e4e65",
      "uri": "kylo:kylo:connectionmgmt:connections:azure-connectio2n-5c440f1f-650c-497e-bd38-b7ebfe7e4e65",
      "account": "kylo:kylo:admin:accounts:kylo",
      "createdAt": "2022-08-23T08:16:24.236837416Z",
      "updatedAt": "2022-08-23T08:16:24.23580786Z",
      "service": "azure",
      "category": "cloud",
      "last_connection_ok": null,
      "last_connection_at": "0001-01-01T00:00:00Z",
      "name": "azure-connection",
      "products": [
          "cckm"
      ],
      "meta": {
          "color": "blue"
      },
      "tenant_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c71285nfjdu2",
      "client_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c7e12",
      "cloud_name": "AzureCloud",
      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
      "certificate_thumbprint": "9CECEBFE89C12E201461200070376971B9678374"
  }
  JSON File
  {
      "name": "azure-connection",
      "products": [
          "cckm"
      ],
      "meta": {
          "color": "blue"
      },
      "cloud_name": "AzureCloud",
      "client_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c7e12",
      "tenant_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c71285nfjdu2",
      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
  }
The CipherTrust Manager allows you to modify the external certificate in the existing connection. Any unused certificate will be automatically deleted after 24 hours.