Certificates in a Key Vault

You can use a Key Vault to store and manage passwords (or secrets) and certificates. This reduces the risk associated with storing sensitive information on a local filesystem. We only support Azure Key Vault at the moment, so we are unable to support password-protected certificates.

Credentials and certificates stored within Control Hub Credentials are not impacted by this.

Certificates loaded from an Azure Key Vault can't be password protected, as the password gets removed. Certificates loaded from a filesystem can be password protected.

Vault Setup

Aiimi Insight Engine retrieves passwords and certificates based on your appsettings configuration. If a key vault is configured, it is tried first. If that fails, or no vault is configured, passwords and certificates are looked up locally.

1. Set up certificates - Set up your certificates, secrets and passwords within your Key Vault.

  • We recommend adding a year to the certificate names. This helps with certificate management and switching certificates when they expire.

2. Vault Access - You need to grant access to the vault. The access needed varies depending on the vault plugin.

3. Update appsettings.json - Add the Key Vault details to the root of each appsettings.json file.

4. Replace any certificate and password values with the name in the vault.

  • Certificate passwords are handled by the vault and should be set to "".

Manual Update

You need to add a configuration to every appsettings.json file. We recommend starting with the index utils file. This allows you to check the settings are correct before changing everything.

1. Add the below settings to every appsettings.json file:

  • Replace the values between the <> with your chosen key vault.

{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}

Bulk Update

You can add the keyVault configuration to every file using a JSON file and PowerShell. We recommend creating a backup before doing this in case something goes wrong.

1. Create a JSON file containing the below code:

  • Replace the values between the <> with your chosen key vault information.

{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}

2. Save this file as a .json file.

3. Open PowerShell as an admin and run the following script.

im-settings add --installation-folder <C:\InsightMaker\> <C:\tmp\akv.json>

You can set "enableTracing" to true to help with debugging.

Please note that this can log sensitive information, so it must be set to false in production.
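After the bulk update, it is worth confirming that every appsettings.json actually received a usable keyVault block and that production-unsafe settings did not slip in. The following PowerShell script is an added check, not part of Aiimi Insight Engine or the im-settings tool; it assumes the default installation folder C:\InsightMaker and the elastic and remoteApi certificate sections shown in the annotated example.

```powershell
# Added verification script (not part of Aiimi Insight Engine or im-settings).
# Walks every appsettings.json under the installation folder and reports files
# whose keyVault block is missing, still contains <placeholders>, has tracing
# enabled, or keeps a non-empty certificate password (which the vault removes).
param([string]$InstallationFolder = 'C:\InsightMaker')  # assumed default path

$problems = @()
$files = Get-ChildItem -Path $InstallationFolder -Filter 'appsettings.json' -Recurse -File

foreach ($f in $files) {
    $file = $f.FullName
    try {
        $cfg = Get-Content -Path $file -Raw | ConvertFrom-Json
    } catch {
        $problems += "$file : not valid JSON ($($_.Exception.Message))"
        continue
    }

    $kv = $cfg.keyVault
    if (-not $kv) { $problems += "$file : no keyVault section"; continue }

    if (-not $kv.type -or $kv.type -match '[<>]') {
        $problems += "$file : keyVault.type is missing or still a <placeholder>"
    }

    $uri = $kv.azureKeyVault.vaultUri
    if (-not $uri -or $uri -match '[<>]' -or $uri -notmatch '^https://[^/]+\.vault\.azure\.net/?$') {
        $problems += "$file : vaultUri is missing, a placeholder, or not an Azure Key Vault URI"
    }

    # enableTracing logs sensitive information and must be false in production.
    if ($kv.enableTracing -eq $true) {
        $problems += "$file : keyVault.enableTracing is true (must be false in production)"
    }

    # Vault-backed certificates must use "" as the password; a non-empty value
    # means the entry was not converted or still points at a password-protected file.
    foreach ($section in 'elastic', 'remoteApi') {
        $cert = $cfg.$section.certificate
        if ($cert -and $cert.password) {
            $problems += "$file : $section.certificate.password is not empty"
        }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All $($files.Count) appsettings.json files have a production-safe keyVault section."
```

Run it with the index utils folder first, as the page recommends for the manual update, before pointing it at the whole installation.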

Annotated Example

  1. The certificate to validate connections to the Elastic server. It's retrieved from the vault by downloading the certificate elastic-stack-ca.

  2. The certificate password is not needed as it's managed by the vault.

  3. The elastic user password comes from the vault by downloading the secret elasticPassword.

  4. The certificate to encrypt HTTPS connections to the API endpoint comes from the vault by downloading the certificate elastic-certificates.

  5. The system secret comes from the vault by downloading the secret systemSecret.

  6. The vault configuration uses the AzureKeyVault plugin to access a vault at https://pandora.vault.azure.net/.

{
  "elastic": {
    "certificate": {
      "path": "elastic-stack-ca", 1️⃣
      "password": "" 2️⃣
    },
    "password": "elasticPassword", 3️⃣
    "prefix": "dev",
    "server": [
      "https://im.aiimi.com:9200"
    ],
    "username": "elastic",
    "enableTracing": false
  },
  "plugins": {
    "locations": [
      "c:\\InsightMaker\\Plugins"
    ]
  },
  "remoteApi": {
    "AllowedOrigins": [
      "*"
    ],
    "BindAddresses": [
      "0.0.0.0"
    ],
    "Port": 2221,
    "RemoteAddress": "https://im.aiimi.com",
    "certificate": {
      "path": "elastic-certificates", 4️⃣
      "password": "" 2️⃣
    }
  },
  "systemSecret": "systemSecret", 5️⃣
  "licenseKey": "",
  "licenseSig": "",
  "keyVault": { 6️⃣
    "type": "AzureKeyVault",
    "azureKeyVault": {
      "vaultUri": "https://pandora.vault.azure.net/"
    }
  }
}

Azure Key Vault

This plugin allows certificates and passwords to be retrieved from Azure Key Vault. It accesses the vault via the URI in the config and authenticates with DefaultAzureCredential. This lets you control access in a number of ways, including secrets or passwords in environment variables and credentials from Azure CLI/PowerShell.

The identity the service runs as must be covered by DefaultAzureCredential. You should follow any existing procedures when configuring access to the vault.

There is no authentication section in the configuration for granting access to the vault. Access must be set up via environment variables, managed identities, or another mechanism compatible with DefaultAzureCredential.
