Prerequisites for Azure Cloud
Before adding an Azure cloud in CCKM:
Register CCKM App on Azure Portal
Before adding an Azure cloud to CCKM, you must register the CCKM app and assign required permissions on the Azure portal. Then, depending on the type of app credential you plan to employ, either create a key (client secret) on the Azure portal or generate a certificate from CCKM, download it, and then upload it to Azure. This entire process generates the connection data needed to configure the Azure cloud.
To register the app:
Create an Azure Active Directory application on the Azure Portal:
On Azure Active Directory > App registrations > New registration, provide the following parameters:
Choose a Name for the app that CCKM will use to access Azure.
Select the account type under Supported account types. Select either of the following:
Accounts in this organizational directory only (<account-name> (Default Directory) only - Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Click Register. The CCKM app creation starts. The app creation might take some time.
Access the new app under App registrations.
From App registrations > {App Name} > Overview, copy Application (client) ID and Directory (tenant) ID.
Navigate to App registrations > {App Name} > Manage > Certificates & secrets.
Create a new client secret or upload the certificate:
Secret (password)—The user will generate a secret key in Azure when registering the app, and then copy the secret key and provide it to the app.
Certificate (public key)—the user will create a private key and public key pair locally, create a certificate for the public key, and then provide the certificate to Azure when registering the app. For the private key, the app will create a client assertion and send it to Azure when making OAuth authentication calls.
Subscribe CCKM App on Azure Portal
Access Subscriptions > {Subscription name} > Access control (IAM).
Click Add > Add role assignment. The Add role assignment pane is displayed.
Select Reader from the Role drop-down list.
Select User, group, or service principal from the Assign access to drop-down list.
Under Select, enter the name of your CCKM app.
Click Save.
Assign CCKM App Permissions to Required Key Vault on Azure Portal
Azure supports two types of permission models, vault access policy and azure role-based access control. Steps to assign CCKM app permissions to your key vaults on Azure portal vary based on the permission model of the vault, as described below.
Vault Access Policy
Access Key vaults > {Key Vault Name} > Settings > Access policies.
On the right, click + Add Access Policy.
Add the following details:
From the Key permissions list, select Key Management Operations and Privileged Key Operations.
From the Secret permissions list, select Secret Management Operations and Privileged Secret Operations.
From the Certificate permissions list, select Certificate Management Operations and Privileged Certificate Operations.
Next to the Select principal label, click None selected, browse the CCKM app, and select it.
Click Add.
Azure Role-based Access Control
Access Key vaults > {Key Vault Name} > Access control (IAM). The right pane provides options to view your existing level of access, assign a role, and view access to the vault.
Under Grant access to this resource, click Add role assignment.
On the Roles tab of the Add role assignment page, select Key Vault Administrator. Use the search field to search for the role.
Click Next.
On the Members tab, make sure that Assign access to is set to User, group, or service principal.
Click + Select members.
On the right, in the Select members pane, select the desired CCKM app. Use the search field to search for your CCKM app. The Selected members section shows the selected app.
In the right pane, click Select.
(Optional) Provide a basic Description of the member.
Click Next.
Review the details. If the details are incorrect or you want to modify them, click Previous and update the details.
Click Review + assign. The selected role with desired permissions is assigned to the CCKM app.
Add Azure Connection on CipherTrust Manager
Before you can add an Azure vault to the CCKM, an Azure connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.
Now, Azure vaults and Azure keys can be managed on the CipherTrust Manager.