
Privacera Documentation


Connect to Azure Key Vault with Client ID and Client Secret on Privacera Platform

To configure a connection to Azure Key Vault using a client ID and client secret:

Generate the Client ID

  1. Log in to the Azure portal.

  2. Search for Azure Key Vault.

  3. Click +Add to create a new key vault.

  4. After the vault is created, select Overview in the navigation menu and note the Vault URL; this is the AZURE_KEYVAULT_URL used for connecting.

  5. To connect to the vault, create an app registration under App registrations.

  6. Register the application. For example: rangerkmsdemo.

  7. Click the registered application and in the left menu, navigate to the Overview section.

  8. Note the Application (client) ID; this is the AZURE_CLIENT_ID used for connecting.

Generate the Client Secret

  1. In the application screen, click on Certificates & Secrets in the left menu.

  2. Create a new client secret.

  3. Copy the secret value of the new client secret; this is the AZURE_CLIENT_SECRET.

  4. Next, go to the key vault that was created in Step 3.

  5. Select Access Policies > +Add Access Policy.

Add the Access Policy

  1. In the Add access policy screen, set the permissions that the application created above will have on the vault.

  2. Select the Key permissions (mandatory), Secret permissions (optional), and Certificate permissions (optional).

  3. For Select principal, select the application you created.
  4. Go to Privacera/docker/ranger/kms/install.properties and change the following values:

    AZURE_KEYVAULT_ENABLED=true
    AZURE_KEYVAULT_SSL_ENABLED=false
    AZURE_CLIENT_ID=(the Application (client) ID noted under Generate the Client ID)
    AZURE_CLIENT_SECRET=(the secret value noted under Generate the Client Secret)
    # AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH is a mandatory field. Value can be None/dummy.
    AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=/home/machine/Desktop/azureAuthCertificate/keyvault-MyCert.pfx
    # AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD is a mandatory field. Value can be None/dummy.
    # Set it to the certificate file's password if the file has one.
    AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=certPass
    AZURE_MASTERKEY_NAME=RangerMasterKey
    # E.g. RSA, RSA_HSM, EC, EC_HSM, OCT
    AZURE_MASTER_KEY_TYPE=RSA
    # E.g. RSA_OAEP, RSA_OAEP_256, RSA1_5
    ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
    AZURE_KEYVAULT_URL=(the Vault URL noted under Generate the Client ID, step 4)

    Note

    The fields marked "Value can be None/dummy" must have some value; they cannot be blank.

  5. Restart Ranger KMS.

    cd ~/privacera/docker
    ./privacera_services restart ranger-kms
    
  6. The master key is created when Ranger KMS is restarted. Verify that a key with the name set in AZURE_MASTERKEY_NAME appears in the vault under Keys.

    If both the Client ID and a client certificate are configured and Ranger KMS is restarted, an error is written to the KMS logs in ~/privacera/docker/logs/ranger/kms/.

  7. Exit the container and restart Ranger KMS.
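The most common reasons the master key never appears after the restart are a property left at its placeholder, a blank value in one of the "mandatory, dummy allowed" fields, or a vault URL that is not the HTTPS address from the Overview page. The pre-flight check below is an added example, not Privacera code: it reads an install.properties file with a minimal Java-properties parser, checks the Azure Key Vault settings the page lists, and reports every problem it finds. The client ID in the sample input is a constructed dummy GUID and the vault name example-vault is also constructed; the RSA-key consistency check (RSA_OAEP, RSA_OAEP_256 and RSA1_5 are all RSA wrap algorithms, so they need an RSA or RSA_HSM master key) is an assumption added here, not something the page states.

```python
"""Pre-flight check for the Azure Key Vault settings Ranger KMS reads from
install.properties (added example, not Privacera code)."""
import re
import sys

# Keys the page lists. The two certificate keys may hold a dummy value
# but must not be blank.
REQUIRED_KEYS = (
    "AZURE_KEYVAULT_ENABLED",
    "AZURE_CLIENT_ID",
    "AZURE_CLIENT_SECRET",
    "AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH",
    "AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD",
    "AZURE_MASTERKEY_NAME",
    "AZURE_MASTER_KEY_TYPE",
    "ZONE_KEY_ENCRYPTION_ALGO",
    "AZURE_KEYVAULT_URL",
)
MASTER_KEY_TYPES = {"RSA", "RSA_HSM", "EC", "EC_HSM", "OCT"}
ZONE_KEY_ALGOS = {"RSA_OAEP", "RSA_OAEP_256", "RSA1_5"}
# The Application (client) ID is a GUID; the vault address is https://<name>.vault.azure.net/
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
VAULT_URL_RE = re.compile(r"^https://[A-Za-z0-9-]+\.vault\.azure\.net/?$")
PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Minimal Java-properties reader: skips blank and comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def is_placeholder(value):
    """True for values such as "(from step 4)" that were never replaced."""
    return value.startswith("(") and value.endswith(")")


def check_keyvault_properties(props):
    """Return a list of human-readable problems; an empty list means the file passes."""
    problems = []
    for key in REQUIRED_KEYS:
        value = props.get(key, "")
        if value == "":
            problems.append(f"{key}: blank or missing (dummy values are allowed, blanks are not)")
        elif is_placeholder(value):
            problems.append(f"{key}: placeholder {value!r} was never replaced")
    if props.get("AZURE_KEYVAULT_ENABLED", "").lower() != "true":
        problems.append("AZURE_KEYVAULT_ENABLED: must be true")
    client_id = props.get("AZURE_CLIENT_ID", "")
    if client_id and not is_placeholder(client_id) and not GUID_RE.match(client_id):
        problems.append("AZURE_CLIENT_ID: expected the Application (client) ID GUID")
    url = props.get("AZURE_KEYVAULT_URL", "")
    if url and not is_placeholder(url) and not VAULT_URL_RE.match(url):
        problems.append("AZURE_KEYVAULT_URL: expected https://<vault-name>.vault.azure.net/")
    key_type = props.get("AZURE_MASTER_KEY_TYPE", "")
    if key_type and key_type not in MASTER_KEY_TYPES:
        problems.append(f"AZURE_MASTER_KEY_TYPE: {key_type!r} is not one of {sorted(MASTER_KEY_TYPES)}")
    algo = props.get("ZONE_KEY_ENCRYPTION_ALGO", "")
    if algo and algo not in ZONE_KEY_ALGOS:
        problems.append(f"ZONE_KEY_ENCRYPTION_ALGO: {algo!r} is not one of {sorted(ZONE_KEY_ALGOS)}")
    elif algo in ZONE_KEY_ALGOS and key_type in MASTER_KEY_TYPES and not key_type.startswith("RSA"):
        # Assumption added here: the listed algorithms are RSA wrap algorithms and need an RSA key.
        problems.append(f"ZONE_KEY_ENCRYPTION_ALGO: {algo} requires an RSA master key, not {key_type}")
    return problems


# Constructed sample: a file that passes (dummy GUID and vault name).
GOOD_EXAMPLE = """
AZURE_KEYVAULT_ENABLED=true
AZURE_KEYVAULT_SSL_ENABLED=false
AZURE_CLIENT_ID=00000000-1111-2222-3333-444444444444
AZURE_CLIENT_SECRET=example-secret-value
AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=dummy
AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=dummy
AZURE_MASTERKEY_NAME=RangerMasterKey
AZURE_MASTER_KEY_TYPE=RSA
ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
AZURE_KEYVAULT_URL=https://example-vault.vault.azure.net/
"""

# Constructed sample: placeholders left in, a blank mandatory field,
# a plain-http vault URL and an EC key paired with an RSA wrap algorithm.
BAD_EXAMPLE = """
AZURE_KEYVAULT_ENABLED=true
AZURE_KEYVAULT_SSL_ENABLED=false
AZURE_CLIENT_ID=(from step 3.3)
AZURE_CLIENT_SECRET=(from step 3.6)
AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=dummy
AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=
AZURE_MASTERKEY_NAME=RangerMasterKey
AZURE_MASTER_KEY_TYPE=EC
ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
AZURE_KEYVAULT_URL=http://example-vault.vault.azure.net/
"""


if __name__ == "__main__":
    # Usage: python check_kms_keyvault.py /path/to/install.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_EXAMPLE
    for problem in check_keyvault_properties(parse_properties(text)):
        print(problem)
```

Run it against the real install.properties before restarting Ranger KMS; an empty report means every field the page calls mandatory has a value and the vault URL, client ID and key settings have the shape the vault expects. The script only inspects the file, so it never needs the client secret to be valid, but it will catch the secret being left at its placeholder.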