Certificates in a Key Vault

You can use a Key Vault to store and manage passwords (or secrets) and certificates. This reduces any risk associated with storing and sensitive information on a local filesystem. At the moment we only support Azure Key Vault, this means we are unable to support password protected certificates.

Credentials and certificates stored within the Control Hub Credentials are not impacted by this.

When loading certificates from an Azure key vault, they cannot be password protected as the password is removed by the vault. When loading a certificate from the filesystem, it can be password protected.

Vault Setup

Aiimi Insight Engine determines how to retrieve passwords and certificates based on the configurations in your appsettings.json files. If a key vault is configured, that is tried first. If that fails or is not configured it will revert to looking locally for passwords and certificates.

Set up certificates - Within your Key Vault you need to set up your certificates, secrets and passwords.
- We recommend adding a year to the certificate names. This can help with certificate management and switching certificates.
Vault Access - You need to grant access to the vault, this varies depending on the vault plugin.
Update appsettings.json - Add the Key Vault details to the root of each appsetting.json file.
- This can be done manually or via a bulk update.

Manual appsettings.json Update

We recommend starting with the index utils file. This way you can confirm the settings are correct before changing all of the others.

Add the below settings to every appsettings.json file:
- Replace the values between the <> for your chosen key vault.

{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}

Bulk appsettings.json Update

You can add the keyVault settings to every file using a JSON file and PowerShell. We recommend running a back up before completing this incase something goes wrong.

Create a JSON file containing the below information:
- Replace the values between the <> for your chosen key vault.

{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}

Save this a .json file.
Open PowerShell as an admin.
Run: im-settings add --installation-folder <F:\InsightMaker\> <C:\tmp\akv.json>
- Replace the values between the <> to match your file paths. The first should be where your insight maker files are stored. The second is the path for the json file you just created.

During set up you can set "enableTracing" to true to help debugging.

This could log sensitive information and must be set to false once it is working correctly.

Replace any certificate and password values with the certificate or secret name in the vault.
- Certificate passwords are handled by the vault and should be set to "".

Annotated Example

The certificate used to validate connections to the Elastic server. It is retrieved from the vault by downloading the certificate elastic-stack-ca.
The certificate password is not needed as it's managed by the vault.
The elastic user password is retrieved from the vault by downloading the secret elasticPassword.
The certificate to encrypt HTTPS connections to the API endpoint is retrieved from the vault by downloading the certificate elastic-certificates.
The system secret is retrieved from the vault by downloading the secret systemSecret.
The vault configuration section. This uses the AzureKeyVault plugin to access a vault at https://pandora.vault.azure.net/.

{
  "elastic": {
    "certificate": {
      "path": "elastic-stack-ca", 1️⃣
      "password": "" 2️⃣
    },
    "password": "elasticPassword", 3️⃣
    "prefix": "dev",
    "server": [
      "https://im.aiimi.com:9200"
    ],
    "username": "elastic",
    "enableTracing": false
  },
  "plugins": {
    "locations": [
      "c:\\InsightMaker\\Plugins"
    ]
  },
  "remoteApi": {
    "AllowedOrigins": [
      "*"
    ],
    "BindAddresses": [
      "0.0.0.0"
    ],
    "Port": 2221,
    "RemoteAddress": "https://im.aiimi.com",
    "certificate": {
      "path": "elastic-certificates", 4️⃣
      "password": "" 2️⃣
    }
  },
  "systemSecret": "systemSecret", 5️⃣
  "licenseKey": "",
  "licenseSig": "",
  "keyVault": { 6️⃣
    "type": "AzureKeyVault", 
    "azureKeyVault": {
      "vaultUri": "https://pandora.vault.azure.net/"
    }
  }
}

Azure Key Vault

This plugin allows Aiimi Insight Engine to retrieve certificates and passwords from Azure Key Vault. It accesses it via a URI provided in the config, and supports DefaultAzureCredential. This allows you to control access via secrets or passwords stored in environment variables, managed identities (if running in an Azure environment), Azure CLI/PowerShell or interactive.

This configuration requires the access to be encompassed by DefaultAzure Credentials. However, You should follow your existing procedures when configuring access to the vault.

There is no authentication section to grant access to the vault, this must be setup via environment variables, managed identities, something compatible with DefaultAzureCredentials.

PreviousInstallation Security NextSAR Configuration

Vault Setup

Set up certificates - Within your Key Vault you need to set up your certificates, secrets and passwords.

We recommend adding a year to the certificate names. This can help with certificate management and switching certificates.

Vault Access - You need to grant access to the vault, this varies depending on the vault plugin.

Update appsettings.json - Add the Key Vault details to the root of each appsetting.json file.

This can be done manually or via a bulk update.

Manual appsettings.json Update

We recommend starting with the index utils file. This way you can confirm the settings are correct before changing all of the others.

Add the below settings to every appsettings.json file:
- Replace the values between the <> for your chosen key vault.

{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}

Bulk appsettings.json Update

You can add the keyVault settings to every file using a JSON file and PowerShell. We recommend running a back up before completing this incase something goes wrong.

Create a JSON file containing the below information:
- Replace the values between the <> for your chosen key vault.

{
  "keyVault": {
    "type": "<AzureKeyVault>",
    "enableTracing": false,
    "azureKeyVault": {
      "vaultUri": "https://<vaultId>.vault.azure.net/"
    }
  }
}

Save this a .json file.
Open PowerShell as an admin.
Run: im-settings add --installation-folder <F:\InsightMaker\> <C:\tmp\akv.json>
- Replace the values between the <> to match your file paths. The first should be where your insight maker files are stored. The second is the path for the json file you just created.

During set up you can set "enableTracing" to true to help debugging.

This could log sensitive information and must be set to false once it is working correctly.

Replace any certificate and password values with the certificate or secret name in the vault.

Certificate passwords are handled by the vault and should be set to "".

Annotated Example

The certificate used to validate connections to the Elastic server. It is retrieved from the vault by downloading the certificate elastic-stack-ca.
The certificate password is not needed as it's managed by the vault.
The elastic user password is retrieved from the vault by downloading the secret elasticPassword.
The certificate to encrypt HTTPS connections to the API endpoint is retrieved from the vault by downloading the certificate elastic-certificates.
The system secret is retrieved from the vault by downloading the secret systemSecret.
The vault configuration section. This uses the AzureKeyVault plugin to access a vault at https://pandora.vault.azure.net/.

{
  "elastic": {
    "certificate": {
      "path": "elastic-stack-ca", 1️⃣
      "password": "" 2️⃣
    },
    "password": "elasticPassword", 3️⃣
    "prefix": "dev",
    "server": [
      "https://im.aiimi.com:9200"
    ],
    "username": "elastic",
    "enableTracing": false
  },
  "plugins": {
    "locations": [
      "c:\\InsightMaker\\Plugins"
    ]
  },
  "remoteApi": {
    "AllowedOrigins": [
      "*"
    ],
    "BindAddresses": [
      "0.0.0.0"
    ],
    "Port": 2221,
    "RemoteAddress": "https://im.aiimi.com",
    "certificate": {
      "path": "elastic-certificates", 4️⃣
      "password": "" 2️⃣
    }
  },
  "systemSecret": "systemSecret", 5️⃣
  "licenseKey": "",
  "licenseSig": "",
  "keyVault": { 6️⃣
    "type": "AzureKeyVault", 
    "azureKeyVault": {
      "vaultUri": "https://pandora.vault.azure.net/"
    }
  }
}

Azure Key Vault

This configuration requires the access to be encompassed by DefaultAzure Credentials. However, You should follow your existing procedures when configuring access to the vault.

There is no authentication section to grant access to the vault, this must be setup via environment variables, managed identities, something compatible with DefaultAzureCredentials.