Connect with a Client ID and Client Secret
To configure a connection to the Azure Key Vault with a Client ID and Client Secret:
Generate the Client ID
- Log in to the Azure portal.
- Search for Azure Key Vault.
- Click +Add to create a new key vault as shown below:
- After the vault is created, select the Overview section from the left navigation and note the Vault URI; this is the AZURE_KEYVAULT_URL.
- To connect to the vault, create an application registration under App registrations.
- Register the application (e.g. rangerkmsdemo) as shown in the following example:
- Click on the registered application and, in the left menu, navigate to the Overview section.
- Note the Application (client) ID; this is the AZURE_CLIENT_ID used for connecting.
Generate Client Secret
- In the application screen, click Certificates & Secrets in the left menu.
- Create a new client secret as shown in the example below:
- The secret value shown is the AZURE_CLIENT_SECRET (the portal displays it only once, so copy it now).
- Next, go to the key vault that was created in Step 3.
- Select Access Policies > +Add Access Policy.
Add Access Policy
- In the Add access policy screen, set the permissions the application you created needs to access the vault.
- Select the Key permissions (mandatory), Secret permissions (optional), and Certificate permissions (optional).
- For Select principal, select the application you created.
Go to Privacera/docker/ranger/kms/install.properties and change the following values:

```
AZURE_KEYVAULT_ENABLED=true
AZURE_KEYVAULT_SSL_ENABLED=false
AZURE_CLIENT_ID=(from step 3.3)
AZURE_CLIENT_SECRET=(from step 3.6)
# AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH (mandatory field. Value can be None/dummy)
AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=/home/machine/Desktop/azureAuthCertificate/keyvault-MyCert.pfx
# Initialize below prop if your certificate file has any password
# AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD (mandatory field. Value can be None/dummy)
AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=certPass
AZURE_MASTERKEY_NAME=RangerMasterKey
# E.G. RSA, RSA_HSM, EC, EC_HSM, OCT
AZURE_MASTER_KEY_TYPE=RSA
# E.G. RSA_OAEP, RSA_OAEP_256, RSA1_5
ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
AZURE_KEYVAULT_URL=(from step 4)
```
Note
The fields that say 'Value can be None/dummy' must have some value; they cannot be blank.
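As an added check (example code, not Privacera's own), the following Python parses an install.properties fragment and reports the problems this page warns about: blank mandatory fields, step references such as "(from step 3.3)" left in place, and key type or wrapping algorithm values outside the lists given in the comments. The sample properties text is constructed for the example.

```python
import re
# Fields this page marks as mandatory. The two certificate fields may hold a
# dummy value for the ID/secret connection, but they must not be blank.
MANDATORY = ("AZURE_KEYVAULT_ENABLED", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
             "AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH",
             "AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD", "AZURE_MASTERKEY_NAME",
             "AZURE_MASTER_KEY_TYPE", "ZONE_KEY_ENCRYPTION_ALGO", "AZURE_KEYVAULT_URL")
KEY_TYPES = {"RSA", "RSA_HSM", "EC", "EC_HSM", "OCT"}      # AZURE_MASTER_KEY_TYPE
WRAP_ALGOS = {"RSA_OAEP", "RSA_OAEP_256", "RSA1_5"}        # ZONE_KEY_ENCRYPTION_ALGO
PLACEHOLDER = re.compile(r"\(from step [\d.]+\s*\)")       # e.g. "(from step 3.3)"

def parse_properties(text):
    """Parse KEY=VALUE lines; '#' lines are comments, surrounding whitespace is dropped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_kms_azure_properties(text):
    """Return a list of problems; an empty list means the values match the steps above."""
    p, problems = parse_properties(text), []
    for key in MANDATORY:
        value = p.get(key, "")
        if value == "":
            problems.append(f"{key} is blank or missing")
        elif PLACEHOLDER.search(value):
            problems.append(f"{key} still holds a '(from step ...)' placeholder")
    if p.get("AZURE_KEYVAULT_ENABLED", "").lower() != "true":
        problems.append("AZURE_KEYVAULT_ENABLED must be true")
    if p.get("AZURE_MASTER_KEY_TYPE") not in KEY_TYPES:
        problems.append("AZURE_MASTER_KEY_TYPE must be one of " + ", ".join(sorted(KEY_TYPES)))
    if p.get("ZONE_KEY_ENCRYPTION_ALGO") not in WRAP_ALGOS:
        problems.append("ZONE_KEY_ENCRYPTION_ALGO must be one of " + ", ".join(sorted(WRAP_ALGOS)))
    return problems

# Constructed sample: the page's template with two step references left unfilled,
# the certificate password left blank, and a made-up secret value.
SAMPLE_UNEDITED = """AZURE_KEYVAULT_ENABLED=true
AZURE_CLIENT_ID=(from step 3.3)
AZURE_CLIENT_SECRET=example-secret-value
AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=dummy
AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=
AZURE_MASTERKEY_NAME=RangerMasterKey
AZURE_MASTER_KEY_TYPE=RSA
ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
AZURE_KEYVAULT_URL=(from step 4 )
"""
```

Run `check_kms_azure_properties(open("install.properties").read())` against the real file before the restart step; an empty list means nothing the page calls mandatory is missing.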
- Restart Ranger KMS as follows:

```
cd ~/privacera/docker
./privacera_services restart ranger-kms
```
- The master key is created when Ranger KMS is restarted. Verify that the master key (with the name set in the properties) has been created in the vault under Keys:
When the Client ID and Client certificate are added and Ranger KMS is restarted, an error occurs in the KMS logs (~/privacera/docker/logs/ranger/kms/).
- Exit the container and restart Ranger KMS.