|
1 | | -## Setup and Configuration |
| 1 | +## Overview |
2 | 2 |
|
3 | | -The high level steps required to configure the Azure Keyvault Orchestrator extension are: |
| 3 | +This integration allows the orchestrator to act as a client with access to an instance of the Azure Key Vault; allowing you to manage your certificates stored in the Azure Keyvault via Keyfactor. |
4 | 4 |
|
5 | | -1) [Migrating from the Windows Orchestrator for Azure KeyVault](#migrating-from-the-windows-orchestrator-for-azure-keyvault) |
6 | 5 |
|
7 | | -1) [Configure the Azure Keyvault for client access](#configure-the-azure-keyvault-for-client-access) |
8 | | - |
9 | | -1) [Create the Store Type in Keyfactor](#create-the-store-type-in-keyfactor) |
10 | | - |
11 | | -1) [Install the Extension on the Orchestrator](#install-the-extension-on-the-orchestrator) |
12 | | - |
13 | | -1) [Create the Certificate Store](#create-the-certificate-store) |
14 | | - |
15 | | -_Note that the certificate store type used by this Universal Orchestrator support for Azure Keyvault is not compatible with the certificate store type used by with Windows Orchestrator version for Azure Keyvault. |
16 | | -If your Keyfactor instance has used the Windows Orchestrator for Azure Keyvault, a specific migration process is required. |
17 | | -See [Migrating from the Windows Orchestrator for Azure KeyVault](#migrating-from-the-windows-orchestrator-for-azure-keyvault) section below._ |
18 | | - |
19 | | -<details><summary><h4>Migrating from the Windows Orchestrator for Azure KeyVault</h4></summary> |
20 | | -If you were previously using the Azure Keyvault extension for the **Windows** Orchestrator, it is necessary to remove the Store Type definition as well as any Certificate stores that use the previous store type. |
21 | | -This is because the store type parameters have changed in order to facilitate the Discovery and Create functionality. |
22 | | - |
23 | | -If you have an existing AKV store type that was created for use with the Windows Orchestrator, you will need to follow the steps in one of the below sections in order to transfer the capability to the Universal Orchestrator. |
24 | | - |
25 | | -> :warning: |
26 | | -> Before removing the certificate stores, view their configuration details and copy the values. |
27 | | -> Copying the values in the store parameters will save time when re-creating the stores. |
28 | | -
|
29 | | -Follow the below steps to remove the AKV capability from **each** active Windows Orchestrator that supports it: |
30 | | - |
31 | | -#### If the Windows Orchestrator should still manage other cert store types |
32 | | - |
33 | | -_If the Windows Orchestrator will still be used to manage some store types, we will remove only the Azure Keyvault functionality._ |
34 | | - |
35 | | -1) On the Windows Orchestrator host machine, run the Keyfactor Agent Configuration Wizard |
36 | | -1) Proceed through the steps to "Select Features" |
37 | | -1) Expand "Cert Stores" and un-check "Azure Keyvault" |
38 | | -1) Click "Apply Configuration" |
39 | | - |
40 | | -1) Open the Keyfactor Platform and navigate to **Orchestrators > Management** |
41 | | -1) Confirm that "AKV" no longer appears under "Capabilities" |
42 | | -1) Navigate to **Orchestrators > Management**, select the orchestrator and click "DISAPPROVE" to disapprove it and cancel pending jobs. |
43 | | -1) Navigate to **Locations > Certificate Stores** |
44 | | -1) Select any stores with the Category "Azure Keyvault" and click "DELETE" to remove them from Keyfactor. |
45 | | -1) Navigate to the Administrative menu (gear icon) and then **> Certificate Store Types** |
46 | | -1) Select Azure Keyvault, click "DELETE" and confirm. |
47 | | -1) Navigate to **Orchestrators > Management**, select the orchestrator and click "APPROVE" to re-approve it for use. |
48 | | - |
49 | | -1) Repeat these steps for any other Windows Orchestrators that support the AKV store type. |
50 | | - |
51 | | -#### If the Windows Orchestrator can be retired completely |
52 | | - |
53 | | -_If the Windows Orchestrator is being completely replaced with the Universal Orchestrator, we can remove all associated stores and jobs._ |
54 | | - |
55 | | -1) Navigate to **Orchestrators > Management** and select the Windows Orchestrator from the list. |
56 | | -1) With the orchestrator selected, click the "RESET" button at the top of the list |
57 | | -1) Make sure the orchestrator is still selected, and click "DISAPPROVE". |
58 | | -1) Click "OK" to confirm that you will remove all jobs and certificate stores associated to this orchestrator. |
59 | | -1) Navigate to the the Administrative (gear icon in the top right) and then **Certificate Store Types** |
60 | | -1) Select "Azure Keyvault", click "DELETE" and confirm. |
61 | | -1) Repeat these steps for any other Windows Orchestrators that support the AKV store type (if they can also be retired). |
62 | | - |
63 | | -Note: Any Azure Keyvault certificate stores removed can be re-added once the Universal Orchestrator is configured with the AKV capability. |
64 | | - |
65 | | -### Migrating from version 1.x or version 2.x of the Azure Keyvault Orchestrator Extension |
66 | | - |
67 | | -It is not necessary to re-create all of the certificate stores when migrating from a previous version of this extension, though it is important to note that Azure KeyVaults found during a Discovery job |
68 | | -will return with latest store path format: `{subscription id}:{resource group name}:{new vault name}`. |
69 | | - |
70 | | -</details> |
71 | | - |
72 | | ---- |
| 6 | +## Requirements |
73 | 7 |
|
74 | 8 | ### Configure the Azure Keyvault for client access |
75 | 9 |
|
@@ -389,90 +323,8 @@ Once the User Assigned managed identity has been created, you will need only to |
389 | 323 | In order to use a _System_ assigned managed identity, there is no need to enter the server credentials. If no server credentials are provided, the extension assumes authentication is via system assigned managed identity. |
390 | 324 | </details> |
391 | 325 |
|
392 | | -### Create the Store Type in Keyfactor |
393 | | - |
394 | | -Now we can navigate to the Keyfactor platform and create the store type for Azure Key Vault. |
395 | | - |
396 | | -1) Navigate to your instance of Keyfactor and log in with a user that has Administrator privileges. |
397 | | - |
398 | | -1) Click on the gear icon in the top left and navigate to "Certificate Store Types". |
399 | | - |
400 | | -  |
401 | | - |
402 | | -1) Click "Add" to open the Add Certificate Store dialog. |
403 | | - |
404 | | -1) Name the new store type "Azure Keyvault" and give it the short name of "AKV". |
405 | | - |
406 | | -1) The Azure Keyvault integration supports the following job types: _Inventory, Add, Remove, Create and Discovery_. Select from these the capabilities you would like to utilize. |
407 | | - |
408 | | -> :warning: The store type definition needs to include the necessary fields to support Create functionality (SkuType and VaultRegion). Be sure to read through the _Custom Fields_ instructions below and set them up with the required fields if Creating new Azure Keyvaults from Keyfactor Command is desired. |
409 | | -
|
410 | | -1) **If you are using a Service Principal or User assigned Managed Identity only** Make sure that "Needs Server" is checked. |
411 | | - |
412 | | -  |
413 | | - |
414 | | -> :warning: |
415 | | -> if you are using a system assigned managed identity for authentication, you should leave this unchecked. |
416 | | -
|
417 | | -1) Navigate to the _Advanced_ tab and set the following values: |
418 | | - - Store Path Type: **Freeform** |
419 | | - - Supports Custom Alias: **Optional** |
420 | | - - Private Key Handling: **Optional** |
421 | | - - PFX Password Style: **Default** |
422 | | - |
423 | | -  |
424 | | - |
425 | | -1) Navigate to the _Custom Fields_ tab and add the custom fields for the store type. |
426 | 326 |
|
427 | | -> :warning: If you are using the Global Public cloud (*.vault.azure.net) and creating new Azure |
428 | | -> Keyvaults from Keyfactor Command functionality is not necessary for your workflow, this section can |
429 | | -> be skipped entirely. |
430 | | -
|
431 | | -- The below two fields are necessary if working with Keyvaults in Azure Cloud instances that are not the standard global public one (*.vault.azure.net) If your vault instance(s) have the base url of `.vault.azure.net` then the next two fields can be omitted from the store type definition and the default global public cloud will be assumed. |
432 | | -- - The "Azure Cloud" field refers to |
433 | | - |
434 | | -| Name | Display Name | Type | Required | |
435 | | -| ---- | ------------ | ---- | -------- | |
436 | | -| AzureCloud[^azurecloud] | Azure Cloud | MultipleChoice | false | |
437 | | -| PrivateEndpoint[^privateEndpoint] | Private Endpoint | String | false | |
438 | | - |
439 | | -[^azurecloud]: The Azure Cloud field, if necessary, should contain one of the following values: "china, germany, government". This is the Azure Cloud instance your organization uses. If using the standard "public" cloud, this field can be left blank or omitted entirely from the store type definition. |
440 | | - |
441 | | -[^privateEndpoint]: The Private Endpoint field should be used if you if have a custom url assigned to your keyvault resources and they are not accessible via the standard endpoint associated with the Azure Cloud instance (*.vault.azure.net, *.vault.azure.cn, etc.). This field should contain the base url for your vault instance(s), excluding the vault name. |
442 | | - |
443 | | -- The following fields are _only_ necessary in order to support creating new Azure Keyvaults from the Keyfactor Command platform. If this functionality is not needed, there is no need to set up these fields. |
444 | | - |
445 | | -| Name | Display Name | Type | Required | |
446 | | -| ---- | ------------ | ---- | -------- | |
447 | | -| TenantId | Tenant Id | String | false | |
448 | | -| SkuType[^sku] | SKU Type | MultipleChoice | false | |
449 | | -| VaultRegion[^vaultregion] | Vault Region | MultipleChoice | false | |
450 | | - |
451 | | -[^sku]: The SkuType determines the service tier when creating a new instance of Azure KeyVault via the platform. Valid values include "premium" and "standard". |
452 | | - If either option should be available when creating a new KeyVault from the Command platform via creating a new certificate store, then the value to enter for the multiple choice options should be "standard,premium". |
453 | | - If your organization requires that one or the other option should always be used, you can limit the options to a single value ("premium" or "standard"). If not selected, "standard" is used when creating a new KeyVault. |
454 | | - |
455 | | -[^vaultregion]: The Vault Region field is only important when creating a new Azure KeyVault from the Command Platform. This is the region that the newly created vault will be created in. When creating the cert store type, |
456 | | - you can limit the options to those that should be applicable to your organization. Refer to the [Azure Documentation](https://learn.microsoft.com/en-us/dotnet/api/azure.core.azurelocation?view=azure-dotnethttps://learn.microsoft.com/en-us/dotnet/api/azure.core.azurelocation?view=azure-dotnet) for a list of valid region names. |
457 | | - If no value is selected, "eastus" is used by default. |
458 | | - |
459 | | -### Install the Extension on the Orchestrator |
460 | | - |
461 | | -The process for installing an extension for the universal orchestrator differs from the process of installing an extension for the Windows orchestrator. Follow the below steps to register the Azure Keyvault integration with your instance of the universal orchestrator. |
462 | | - |
463 | | -1) Stop the Universal Orchestrator service. |
464 | | - |
465 | | - 1) Note: In Windows, this service is called "Keyfactor Orchestrator Service (Default)" |
466 | | - |
467 | | -1) Create a folder in the "extensions" folder of the Universal Orchestrator installation folder named "AKV" (the name is not important) |
468 | | - |
469 | | - 1) example: `C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions\_AKV_ |
470 | | - |
471 | | -1) Copy the build output (if you compiled from source) or the contents of the zip file (if you downloaded the pre-compiled binaries) into this folder. |
472 | | - |
473 | | -1) Start the Universal Orchestrator Service |
474 | | - |
475 | | -### Discover Certificate Stores |
| 327 | +## Discovery |
476 | 328 |
|
477 | 329 | Now that we have the extension registered on the Orchestrator, we can navigate back to the Keyfactor platform and finish the setup. If there are existing Azure Key Vaults, complete the below steps to discover and add them. If there are no existing key vaults to integrate and you will be creating a new one via the Keyfactor Platform, you can skip to the next section. |
478 | 330 |
|
@@ -584,48 +436,3 @@ To add one of these results to Keyfactor as a certificate store: |
584 | 436 | 1) Select any value for SKU Type and Vault Region. These values are not used for existing KeyVaults. |
585 | 437 |
|
586 | 438 | 1) Click "SAVE". |
587 | | - |
588 | | -### Add a new or existing Azure Keyvault certificate store |
589 | | - |
590 | | -You can also add a certificate store that corresponds to an Azure Keyvault individually without the need to run the discovery / approval workflow. |
591 | | -The steps to do this are: |
592 | | - |
593 | | -1) Navigate to "Locations > Certificate Stores" |
594 | | - |
595 | | -1) Click "ADD" |
596 | | - |
597 | | -  |
598 | | - |
599 | | -1) Enter the values corresponding to the Azure Keyvault instance. |
600 | | - |
601 | | -- **Category**: Azure Keyvault |
602 | | -- **Container**: _optional_ |
603 | | -- **Client Machine**: If applicable; Tenant Id. |
604 | | - |
605 | | - - Note: These will only have to be entered once, even if adding multiple certificate stores. |
606 | | - - Follow the steps [here](#store-the-server-credentials-in-keyfactor) to enter them. |
607 | | - |
608 | | -- **Store Path**: This is the Subscription ID, Resource Group name, and Vault name in the following format: `{subscription id}:{resource group name}:{new vault name}` |
609 | | - |
610 | | -- **SKU Type**: This field is only used when creating new vaults in Azure. If present, select any value, or leave blank. |
611 | | -- **Vault Region**: This field is also only used when creating new vaults. If present, select any value. |
612 | | - |
613 | | -If the vault already exists in azure the store path can be found by navigating to the existing Keyvault resource in Azure and clicking "Properties" in the left menu. |
614 | | - |
615 | | - |
616 | | - |
617 | | -- Use these values to create the store path |
618 | | - |
619 | | -If the Keyvault does not exist in Azure, and you would like to create it: |
620 | | - |
621 | | -- Enter a value for the store path in the following format: `{subscription id}:{resource group name}:{new vault name}` |
622 | | - |
623 | | -- For a non-existing Keyvault that you would like to create in Azure, make sure you have the "Create Certificate Store" box checked. |
624 | | - |
625 | | -> :warning: The identity you are using for authentication will need to have sufficient Azure permissions to be able to create new Keyvaults. |
626 | | -
|
627 | | ---- |
628 | | - |
629 | | -### License |
630 | | - |
631 | | -[Apache](https://apache.org/licenses/LICENSE-2.0) |
0 commit comments