
Configure Azure Key Vault

List of properties to be set for the Peg Server (decryption) and the Scheme Server (encryption) in the vars.peg-master-key-storage.yml file during configuration. The values are obtained while following the steps below to create the Azure Key Vault.

Peg Properties in PM                                        Values
PEG_SERVER_AZURE_VAULT_CLIENT_ID                            xxxx-xxxx-xxx-xxxx-xxxxxxxxxxxxx
PEG_SERVER_AZURE_VAULT_CLIENT_SECRET                        xxxxxxxx
PEG_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL                  https://xxx.vault.azure.net/
PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY                     peg-key
PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE                RSA
PEG_SERVER_AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO             RSA_OAEP
PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE                  certificate.pem / certificate.pfx
PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD       xxxxxxxx

Scheme Properties in PM                                     Values
SCHEME_SERVER_AZURE_VAULT_CLIENT_ID                         xxxx-xxxx-xxx-xxxx-xxxxxxxxxxxxx
SCHEME_SERVER_AZURE_VAULT_CLIENT_SECRET                     xxxxxxxxx
SCHEME_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL               https://xxx.vault.azure.net/
SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY                  peg-key
SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE             RSA
SCHEME_SERVER_AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO          RSA_OAEP
SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE               certificate.pem / certificate.pfx
SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD    xxxxxxxx
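As an added check that is not part of the Privacera documentation or product, the Python script below validates the properties from the table above before Privacera Manager is run: it confirms each server has plausible values (a GUID client ID, an https vault.azure.net URL, key type RSA, algorithm RSA_OAEP, a client secret or a certificate file), that both servers point at the same vault and master key, and that they authenticate as two different registered applications. It assumes the properties are written one per line as KEY=value, as in the snippets on this page; the sample values are constructed.

```python
import re
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
VAULT_URL_RE = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/?$")
SAMPLE = """\
PEG_SERVER_AZURE_VAULT_CLIENT_ID=11111111-2222-3333-4444-555555555555
PEG_SERVER_AZURE_VAULT_CLIENT_SECRET=constructed-secret
PEG_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL=https://example-kv.vault.azure.net/
PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY=peg-key
PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE=RSA
PEG_SERVER_AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
SCHEME_SERVER_AZURE_VAULT_CLIENT_ID=66666666-7777-8888-9999-aaaaaaaaaaaa
SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE=certificate.pfx
SCHEME_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL=https://example-kv.vault.azure.net/
SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY=peg-key
SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE=RSA
SCHEME_SERVER_AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
"""  # constructed sample in the KEY=value form used on this page; placeholder values only

def parse_vars(text):
    """Parse KEY=value lines; blank lines and # comments are ignored."""
    pairs = (line.partition("=") for line in map(str.strip, text.splitlines()) if line and line[0] != "#")
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_server(props, prefix):
    """Problems for one server; prefix is PEG_SERVER_ or SCHEME_SERVER_."""
    get = lambda suffix: props.get(prefix + suffix, "")
    rules = (  # (property suffix, predicate accepting a good value, description of a good value)
        ("AZURE_VAULT_CLIENT_ID", GUID_RE.match, "the application (client) ID GUID"),
        ("AZURE_VAULT_AZURE_KEY_VAULT_URL", VAULT_URL_RE.match, "an https vault.azure.net URL"),
        ("AZURE_VAULT_AZURE_MASTER_KEY", bool, "the name of the key created in the vault"),
        ("AZURE_VAULT_AZURE_MASTER_KEY_TYPE", "RSA".__eq__, "RSA"),
        ("AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO", "RSA_OAEP".__eq__, "RSA_OAEP"))
    problems = [f"{prefix}{s} must be {want}" for s, ok, want in rules if not ok(get(s))]
    cert = get("AZURE_KEYVAULT_CLIENT_CERT_FILE")
    if not (get("AZURE_VAULT_CLIENT_SECRET") or cert):  # the page offers a secret or a certificate
        problems.append(f"{prefix}: set AZURE_VAULT_CLIENT_SECRET or AZURE_KEYVAULT_CLIENT_CERT_FILE")
    if cert and not cert.lower().endswith((".pem", ".pfx")):
        problems.append(f"{prefix}AZURE_KEYVAULT_CLIENT_CERT_FILE must be a .pem or .pfx file")
    return problems

def check_vars(text):
    """Per-server checks plus cross-server checks; an empty list means the file looks right."""
    props = parse_vars(text)
    problems = check_server(props, "PEG_SERVER_") + check_server(props, "SCHEME_SERVER_")
    # Scheme Server wraps zone keys and Peg Server unwraps them: same vault and master key, separate apps.
    for suffix, same in (("AZURE_VAULT_AZURE_KEY_VAULT_URL", True),
                         ("AZURE_VAULT_AZURE_MASTER_KEY", True), ("AZURE_VAULT_CLIENT_ID", False)):
        if (props.get("PEG_SERVER_" + suffix) == props.get("SCHEME_SERVER_" + suffix)) != same:
            problems.append(f"PEG_SERVER_ and SCHEME_SERVER_ {suffix} {'differ' if same else 'are the same'}")
    return problems
```

Run it against the real file with `check_vars(open("vars.peg-master-key-storage.yml").read())` and fix every line it reports before deploying.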

Steps to Create Azure Key vault in Azure Portal

  1. Log in to the Azure Portal.
  2. Search for Key Vaults in the search box.
  3. Click on + Create to create a new Key Vault.
  4. Enter the Key Vault Name.
  5. Click on Next.
  6. Click on + Create to create an access policy.
  7. Under Access configuration, select Vault access policy and create an access policy with all permissions: choose Select all for Key permissions, Secret permissions, Certificate permissions, Cryptographic Operations, Privileged Secret Operations, Privileged Certificate Operations, Privileged Key Operations and Rotation Policy Operations, then click on Next.
  8. Under Principal, search for your name and select it; it then appears in the Selected items list. Click on Next.
  9. The Application tab is optional; click on Next.
  10. Click on Create.
  11. Select the access policy created for the user and click on Review + Create.
  12. Once Azure has completed validation, click on Create.
  13. Once the vault is created, its Vault URL is shown. This is the value for PEG_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL and SCHEME_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL in the vars.peg-master-key-storage.yml file.
  14. Now go to Azure Active Directory.
  15. Search for App registrations in the search box.
  16. Click on New registration.
  17. Enter the Name and click on Register.
  18. Once the application is registered, open it. Its Application (client) ID is the value for SCHEME_SERVER_AZURE_VAULT_CLIENT_ID in the vars.peg-master-key-storage.yml file.
  19. In the same way (steps 14 to 18), register another application to be used for decryption (Peg Server). Once it is registered, open it; its Application (client) ID is the value for PEG_SERVER_AZURE_VAULT_CLIENT_ID in the vars.peg-master-key-storage.yml file.
  20. Create an access policy for the registered application used for encryption: go to the Key Vault created above and click on Access Policies.
  21. Click on + Create to create an access policy.
  22. Select only Get under Key permissions and only Encrypt under Cryptographic Operations, then click on Next.
  23. Click on Select a Principal and search for the registered app (Encrypt) in the search box.
  24. Click on Select; the app appears under Selected items. Click on Next. The Application tab is optional; click on Next, then click on Create.
  25. Create an access policy for the registered application used for decryption: go to the Key Vault created above and click on Access Policies.
  26. Click on + Create to create an access policy.
  27. Select only Get under Key permissions and only Decrypt under Cryptographic Operations, then click on Next.
  28. Click on Select a Principal and search for the registered app (Decrypt) in the search box.
  29. Click on Select; the app appears under Selected items. Click on Next. The Application tab is optional; click on Next, then click on Create.
  30. The access policies created are now listed in the Key Vault. Each application thus holds only the cryptographic operation it needs.
  31. Under the Objects section, create the key: click on Keys.
  32. Click on Generate/Import to create a new key.
  33. Enter a valid Key Name, set Key Type to RSA and RSA key size to 2048, and click on Create.
  34. The key name is the value for SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY and PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY; the key type is the value for PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE and SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE in the vars.peg-master-key-storage.yml file.
  35. Set SCHEME_SERVER_AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO to RSA_OAEP in the vars.peg-master-key-storage.yml file.
  36. Azure Key Vault authentication can use a Client ID and Client Secret, as follows.
    1. Create client secrets: two of them, one for the encrypt app and one for the decrypt app.
    2. Go to Azure Active Directory, click on App registrations and, under Owned applications, click on the app created for encryption.
    3. Click on Certificates & secrets.
    4. Click on New client secret.
    5. Enter a description, keep Expires at 180 days (the default) and click on Add.
    6. The Description, Expires, Value and Secret ID of the new secret are displayed.
    7. Copy the Value of the client secret now (the portal shows it only at this point); it is the value for SCHEME_SERVER_AZURE_VAULT_CLIENT_SECRET in the vars.peg-master-key-storage.yml file.
    8. Go back to Azure Active Directory, click on App registrations and, under Owned applications, click on the app created for decryption.
    9. Click on Certificates & secrets.
    10. Click on New client secret.
    11. Enter a description, keep Expires at 180 days (the default) and click on Add.
    12. The Description, Expires, Value and Secret ID of the new secret are displayed.
    13. Copy the Value of the client secret now; it is the value for PEG_SERVER_AZURE_VAULT_CLIENT_SECRET in the vars.peg-master-key-storage.yml file.
  37. Client ID and certificate: for certificate-based authentication, pegv2 supports the following formats/combinations.

    1. PEM format certificate without password
    2. PFX format certificate without password
    3. PEM format certificate with password
    4. PFX format certificate with password

    5. Follow the steps below to generate the certificates and link them with the Azure SPNs.

      1. PEM format certificate without password

        • Go to the Azure Key Vault created in the steps above; under Objects click on Certificates, then click on Generate/Import to create a certificate.
        • Select Method of Certificate Creation as Generate.
        • Enter the Certificate Name.
        • Enter the Subject, e.g. CN=mydomain.com.
        • Select Content Type as PEM.
        • Click on Create.
        • It takes some time for the certificate to become enabled.
        • Once it is enabled, click on the certificate and download it in PFX/PEM format.
        • Copy the downloaded certificate to the following location on the Privacera Manager host:
          Bash
           privacera-manager/config/ssl/{{certificate-file-name}}

        • Set the same certificate file name in vars.peg-master-key-storage.yml:
          Bash
           SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}
           PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}

        • Open the downloaded certificate in any editor.
        • Remove the private key section from it (the Azure application only needs the public certificate; the copy containing the private key stays on the Privacera Manager host) and upload the result to both Azure SPNs created earlier (i.e. the Encrypt and Decrypt Azure applications):
          • Go to the application.
          • Click on Certificates & secrets.
          • Click on Upload certificate.
          • Upload the certificate and click on Add.
      2. PFX format certificate without password

        • Go to the Azure Key Vault created in the steps above; click on Certificates, then click on Generate/Import to create a certificate.
        • Select Method of Certificate Creation as Generate.
        • Enter the Certificate Name.
        • Enter the Subject, e.g. CN=mydomain.com.
        • Select Content Type as PKCS.
        • Click on Create.
        • It takes some time for the certificate to become enabled.
        • Once it is enabled, click on the certificate and download it in PFX/PEM format.
        • Copy the downloaded certificate to the following location on the Privacera Manager host:
          Bash
           privacera-manager/config/ssl/{{certificate-file-name}}

        • Set the same certificate file name in vars.peg-master-key-storage.yml:
          Bash
           SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}
           PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}

        • Extract the certificate (without the private key) from the PFX file with the command below; it writes domain.crt. If it prompts "Enter Import Password", leave it blank and press Enter.
          Bash
            openssl pkcs12 -in ${certificate-file-name}.pfx -clcerts -nokeys -out domain.crt

        • Upload the domain.crt file to both Azure SPNs (i.e. the Encrypt and Decrypt Azure applications):
          • Go to the application.
          • Click on Certificates & secrets.
          • Click on Upload certificate.
          • Upload the certificate and click on Add.
      3. PFX format certificate with password

        • Converting PFX to PEM format:
          Bash
             openssl pkcs12 -in ${certificate-file-name}.pfx -nocerts -out ${certificate-file-name}.pem -nodes

        • Then run the following commands in a terminal, entering the password for the private key at the prompts, to generate pegv2-cert.pfx and domain.crt with openssl:
          Bash
            # generate a 2048-bit RSA private key, encrypted with the passphrase entered at the prompt
            openssl genrsa -des3 -out ${certificate-file-name}.pem 2048
            # self-signed certificate for that key, valid for one year
            openssl req -key ${certificate-file-name}.pem -new -x509 -days 365 -out domain.crt
            # bundle certificate and key into a PFX; the export password is the certificate password set below
            openssl pkcs12 -export -in domain.crt -inkey ${certificate-file-name}.pem -out pegv2-cert.pfx

        • Copy the pegv2-cert.pfx certificate to the following location on the Privacera Manager host:
          Bash
           privacera-manager/config/ssl/{{certificate-file-name}}

        • Set the same certificate file name and password in vars.peg-master-key-storage.yml:
          Bash
           SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}
           SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD={{password}}
           PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}
           PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD={{password}}

        • Upload the domain.crt file to both Azure SPNs (i.e. the Encrypt and Decrypt Azure applications):
          • Go to the application.
          • Click on Certificates & secrets.
          • Click on Upload certificate.
          • Upload the certificate and click on Add.
      4. PEM format certificate with password

        • Run the following commands in a terminal, entering the password for the private key at the prompts, to generate the certificate domain.pem and the combined file combined_cert.pem with openssl:

          Bash
           # generate a 2048-bit RSA private key (unencrypted; an intermediate file only)
           openssl genrsa -out private_key.pem 2048
           # re-encode it as encrypted PKCS#8; the password entered at the prompt is the certificate password set below
           openssl pkcs8 -topk8 -in private_key.pem -out ${certificate-file-name}.pem
           # self-signed certificate for that key, valid for one year
           openssl req -key ${certificate-file-name}.pem -new -x509 -days 365 -out domain.pem
           # the file used by pegv2 holds the encrypted private key followed by the certificate
           cat ${certificate-file-name}.pem domain.pem > combined_cert.pem

        • Copy the combined_cert.pem certificate to the following location on the Privacera Manager host:

          Bash
           privacera-manager/config/ssl/{{certificate-file-name}}

        • Set the same certificate file name and password in vars.peg-master-key-storage.yml:
          Bash
            SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}
            SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD={{password}}
            PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE={{certificate-file-name}}
            PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD={{password}}

        • Upload the domain.pem file (the certificate only, not combined_cert.pem) to both Azure SPNs (i.e. the Encrypt and Decrypt Azure applications):
          • Go to the application.
          • Click on Certificates & secrets.
          • Click on Upload certificate.
          • Upload the certificate and click on Add.
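Several of the steps above depend on uploading only the public certificate to the application registrations: the PEM-without-password steps say to remove the private key section by hand, and the PEM-with-password steps upload domain.pem rather than combined_cert.pem. The following Python helper, an added example that is not Privacera code, splits a PEM file into its blocks, produces a certificate-only file for "Upload certificate" and flags any file that still carries a private key. The sample PEM is constructed with placeholder bodies, not real key material.

```python
import re

# A PEM block is "-----BEGIN <LABEL>-----", base64 lines, "-----END <LABEL>-----".
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
PRIVATE_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample shaped like combined_cert.pem (encrypted key followed by the certificate);
# the bodies are placeholder base64 text, not real key material.
SAMPLE_COMBINED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIga2V5IGJvZHk=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgY2VydCBib2R5
-----END CERTIFICATE-----
"""


def split_pem(text):
    """Return (label, block) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK_RE.finditer(text)]


def contains_private_key(text):
    """True if any block is a private key, encrypted or not."""
    return any(label in PRIVATE_LABELS for label, _ in split_pem(text))


def upload_pem(text):
    """The file to give 'Upload certificate': only the CERTIFICATE blocks of text.
    Raises if there is no certificate, so a key-only file is never uploaded by mistake."""
    certs = [block for label, block in split_pem(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return "\n".join(certs) + "\n"
```

Before uploading any file to an SPN, `contains_private_key(open(path).read())` should be False; the file kept under privacera-manager/config/ssl is the one that keeps the key.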
