Certificates in a Key Vault
You can use a Key Vault to store and manage passwords (or secrets) and certificates instead of keeping them on the local filesystem, which reduces the risk of sensitive material being read from disk or copied with the installation. Azure Key Vault is the only vault supported at the moment, and password-protected certificates are not supported with it: the vault supplies the certificate itself, so the certificate password in the configuration is left empty (see below).
Credentials and certificates stored within Control Hub Credentials are not impacted by this.
Vault Setup
Aiimi Insight Engine retrieves passwords and certificates according to the configuration in its appsettings.json files. If a key vault is configured it is tried first. If no vault is configured, or the vault lookup fails, the engine falls back to looking for passwords and certificates locally. Note that this fallback is silent: a vault that cannot be reached (wrong URI, missing access) does not stop the service, it leaves it running on whatever is still on the local filesystem, so confirm the vault is actually being used after switching.
Set up certificates - Create your certificates, secrets and passwords in your Key Vault.
We recommend including the year in each certificate name (for example a name ending in the year it was issued). This makes it clear which certificate is current and simplifies switching to a new one when the old one expires.
Vault Access - Grant the identity that Insight Engine runs under access to the vault. The access needed depends on the vault plugin (see Azure Key Vault below).
Update appsettings.json - Add the Key Vault details to the root of every appsettings.json file.
You can do this manually or with a bulk update.
Replace each certificate and password value with the name of the corresponding item in the vault.
Certificate passwords are handled by the vault, so set those fields to "".
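The three steps above (populate the vault, grant access, and check what is there before pointing appsettings.json at it) as an added Az PowerShell example; this is not Aiimi's code. It assumes the Az.KeyVault and Az.Resources modules, a vault using the RBAC permission model, and placeholder values for the vault name, the PFX path and the object id of the identity the service runs under, all of which you must replace.

```powershell
# Added example, not part of Aiimi Insight Engine. Assumes Az.KeyVault and Az.Resources
# are installed and that the vault uses Azure RBAC rather than access policies.
$VaultName       = 'contoso-insight-kv'                          # assumption: vault name, i.e. https://contoso-insight-kv.vault.azure.net/
$Year            = (Get-Date).Year
$CertName        = "insight-tls-$Year"                           # year in the name, as the page recommends
$PfxPath         = 'C:\certs\insight-tls.pfx'                    # assumption: certificate to import
$ServiceObjectId = '00000000-0000-0000-0000-000000000000'        # assumption: object id of the identity running Insight Engine

Connect-AzAccount | Out-Null

# 1. Import the PFX. The file password is consumed here; inside the vault the certificate
#    is retrievable without a password, which is why the appsettings password field becomes "".
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -FilePath $PfxPath -Password $pfxPassword | Out-Null

# 2. Store an ordinary password as a secret. It is read interactively rather than hard-coded
#    so that it never lands in this script or the shell history.
$storePassword = Read-Host -Prompt 'Index store password' -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name "index-store-password-$Year" -SecretValue $storePassword | Out-Null

# 3. Grant read access. Key Vault Secrets User covers both secrets and the certificate's
#    private key, because Key Vault exposes a certificate's PFX through its secret endpoint.
$vault = Get-AzKeyVault -VaultName $VaultName
New-AzRoleAssignment -ObjectId $ServiceObjectId -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId | Out-Null

# 4. Check: confirm the names that will go into appsettings.json exist and note the
#    certificate expiry, so the rotation date is known before anything is switched over.
$cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
[pscustomobject]@{
    Certificate = $cert.Name
    Expires     = $cert.Expires
    Secrets     = (Get-AzKeyVaultSecret -VaultName $VaultName | Select-Object -ExpandProperty Name) -join ', '
}
```

If your vault still uses the legacy access-policy model, replace step 3 with Set-AzKeyVaultAccessPolicy granting get and list on secrets (and get on certificates) to the same object id. The role assignment is scoped to the vault only; do not grant it at resource group or subscription scope.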
Manual Update
You need to add the configuration to every appsettings.json file. We recommend starting with the index utils file, so you can check the settings are correct before changing everything else.
Add the below settings to every appsettings.json file:
Replace the values between the <>. "type" selects the vault plugin ("AzureKeyVault" is currently the only supported value), and <vaultId> is the name of your vault, which forms the host part of its URI.
{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}
Bulk Update
You can add the keyVault configuration to every file at once using a JSON file and PowerShell. We recommend creating a backup of the installation folder before doing this, in case something goes wrong.
Create a JSON file containing the below code:
Replace the values between the <> with your key vault information, as described under Manual Update: "type" is the vault plugin ("AzureKeyVault" is currently the only supported value) and <vaultId> is the vault name.
{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}
Save this file as a .json file.
Open PowerShell as an admin and run the following script.
Replace the values between the <> to match your file paths. The first is the folder where your Insight Maker files are installed; the second is the path of the JSON file you just created.
im-settings add --installation-folder <C:\InsightMaker\> <C:\tmp\akv.json>
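The bulk update wrapped in the backup the page recommends, followed by an audit of the result; this is an added example, not part of Insight Engine's tooling. It assumes the installation folder contains one appsettings.json per service directory and that im-settings is on the PATH; the folder and file names are placeholders.

```powershell
# Added example, not part of Aiimi Insight Engine. Paths are assumptions to replace.
$InstallRoot = 'C:\InsightMaker'
$VaultConfig = 'C:\tmp\akv.json'
$BackupDir   = Join-Path $env:TEMP ('appsettings-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 1. Back up every appsettings.json, preserving the relative path so each file can be
#    restored to the right service directory if the update goes wrong.
Get-ChildItem -Path $InstallRoot -Filter 'appsettings.json' -Recurse | ForEach-Object {
    $relative = $_.FullName.Substring($InstallRoot.TrimEnd('\').Length + 1)
    $target   = Join-Path $BackupDir $relative
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -Path $_.FullName -Destination $target
}
"Backed up to $BackupDir"

# 2. Run the bulk update exactly as the page documents it.
im-settings add --installation-folder $InstallRoot $VaultConfig

# 3. Audit. Every file must carry the same vaultUri, and every *password field should now
#    hold either a vault secret name or "" (for certificate passwords), never the real value.
function Find-PasswordFields {
    # Walks the parsed JSON and yields "path=value" for every property named *password.
    param($Node, [string]$Path = '')
    foreach ($p in $Node.PSObject.Properties) {
        $full = if ($Path) { "$Path.$($p.Name)" } else { $p.Name }
        if ($p.Value -is [System.Management.Automation.PSCustomObject]) {
            Find-PasswordFields -Node $p.Value -Path $full
        } elseif ($p.Name -match 'password$') {
            "$full=$($p.Value)"
        }
    }
}

$expectedUri = (Get-Content -Raw $VaultConfig | ConvertFrom-Json).keyVault.azureKeyVault.vaultUri
$report = Get-ChildItem -Path $InstallRoot -Filter 'appsettings.json' -Recurse | ForEach-Object {
    $json = Get-Content -Raw $_.FullName | ConvertFrom-Json
    $uri  = $json.keyVault.azureKeyVault.vaultUri
    [pscustomobject]@{
        File           = $_.FullName
        VaultUri       = $uri
        VaultOk        = ($uri -eq $expectedUri)
        PasswordFields = ((Find-PasswordFields -Node $json) -join '; ')
    }
}
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { -not $_.VaultOk }) {
    Write-Warning 'Some appsettings.json files do not point at the expected vault.'
}
```

The PasswordFields column prints the current value of each password-named property so you can confirm by eye that it is a vault secret name (or empty for certificate passwords); any file still showing a real password has not been converted and the service will keep using the local value because of the fallback described under Vault Setup.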
Azure Key Vault
This plugin retrieves certificates and passwords from Azure Key Vault at the vaultUri given in the config, authenticating with DefaultAzureCredential. DefaultAzureCredential tries a chain of credential sources in turn, which lets you control access in a number of ways: a service principal described by environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, or AZURE_CLIENT_CERTIFICATE_PATH), a managed identity on Azure-hosted machines, and a signed-in Azure CLI or Azure PowerShell session, among others.
Whichever source in that chain the service ends up using must itself be granted access to the vault. Prefer a managed identity where the host supports it, since that avoids placing a client secret in environment variables, and bear in mind that an interactive Azure CLI or PowerShell login left on the server is also a candidate in the chain. Follow your existing procedures when configuring access to the vault.