Azure
Azure connections to the CipherTrust Manager can be configured using the following:
Note
If you wish to use external certificate authentication for an Azure Cloud connection, you must first create a valid external certificate.
Managing Azure Connections using GUI
To manage Azure connections using GUI, perform the following steps:
- Log on to CipherTrust Manager UI as an administrator.
- Navigate to Access Management > Connections.
- Click Add Connection.
- On the Add Connection screen, select category as Cloud.
- Select Cloud Type as Azure and click Next.
- Specify connection Name and Description and click Next.
- Configure the below parameters.
  - Client ID - this is the Application ID of the Azure application. It can be used with either a Client Secret or a Certificate to authenticate the application.
  - Tenant ID - this is the Office365 tenant ID. It is a globally unique identifier (GUID). For more details, refer to the Azure documentation.
  - Cloud Name - the name of the Azure cloud to connect to. Currently, only the following options are available:
    - Azure Cloud - For Azure Cloud configuration, refer to Creating an Azure Cloud Connection.
    - Azure China Cloud
    - Azure US Government
    - Azure Stack - For Azure Stack configuration, refer to Configure Azure Stack.
  - Authentication - you can use either Client Secret or Certificate for authentication.
    - Client Secret - this authentication method uses the application password of the Client ID to enable communication between Azure and CipherTrust Manager.
    - Certificate - this authentication method is used to enable password-less communication between Azure and CipherTrust Manager.
      Note
      Azure Stack does not support Certificate authentication.
      - Select the Certificate radio button.
      - Select Application or External as the Certificate Type.
        The Application certificate type is generated by CipherTrust Manager and self-signed.
        The External certificate type is a pre-existing certificate generated on CipherTrust Manager and then signed by a CA local or external to the CipherTrust Manager. To use this option, you first need to create a valid external certificate.
      - For the Application certificate type:
        - Click the Generate and Download button.
        - Upload the downloaded certificate to the Azure portal for the provided Client ID.
        - Once the upload is done, verify the Thumbprint on the CipherTrust Manager and Azure. Both thumbprints must match.
        - Specify Certificate Duration in Days, if desired. The default certificate duration is 730 days (2 years).
      - For the External certificate type, ensure that you have fulfilled the prerequisites to create a valid external certificate, then do one of the following:
        - Select File Upload and click Upload Certificate to upload the external certificate as a file.
        - Select Text and paste the certificate contents in the text box.
        Note
        The CipherTrust Manager allows you to modify the external certificate in the existing connection. Any unused certificate will be automatically deleted after 24 hours.
- Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
- Click Next to move to the Add Products screen of the Add Connection wizard.
Note
This configuration is applicable to Azure Stack only.
Configuring an Azure Stack connection requires various URLs, described below. To get these URLs, run the command Get-AzureRmEnvironment in your Azure AD VM. Refer to Connect with Azure AD for details.
- Azure Stack Connection Type - Azure Stack supports two connection types, both backed by Active Directory as the identity provider:
  - AAD - Azure Active Directory
  - ADFS - Active Directory Federation Services
- Active Directory Endpoint - this is the URL at which the identity provider can be reached. For example, https://login.microsoftonline.com/
- Key Vault DNS Suffix - this is the DNS suffix for the key vault in the Azure Stack. For example, vault.local.azurestack.external.
- Management URL - this is the URL with a unique identifier for Azure Resource Manager registered with your identity provider.
- Resource Manager URL - this URL is the location of the Azure Resource Manager service. For example, https://management.azure.com or https://management.local.azurestack.external
- Vault Resource URL - this is the URL used to access vault resources. For example, https://vault.local.azurestack.external
- Azure Server Certificate - this is the server certificate used by the HTTPS protocol for a secure connection.
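The thumbprint comparison from the Certificate steps above (and the certificate_thumbprint field that ksctl returns for certificate-based connections later on this page) can be scripted. The following is an added example, not code from the CipherTrust documentation; it assumes the Azure-style thumbprint is the SHA-1 digest of the DER-encoded certificate in upper-case hex, and the embedded PEM block is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder PEM (arbitrary base64 body, NOT a real certificate). The
# functions below only base64-decode the body, so this is enough to exercise them.
# Replace it with the certificate downloaded from CipherTrust Manager.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleCertificateBodyConstructedForThisExampleOnly0123456789+/AB\n"
    "-----END CERTIFICATE-----\n"
)

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = CERT_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # Drop line breaks (\n or \r\n) and any stray whitespace before decoding.
    return base64.b64decode("".join(match.group(1).split()))


def azure_thumbprint(pem: str) -> str:
    """Thumbprint as the Azure portal shows it: SHA-1 over the DER certificate,
    upper-case hex, no separators (assumption stated in the lead-in)."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Strip colons/spaces (openssl prints '5B:B5:...') and upper-case the hex so
    a value copied from any tool compares equal to the CipherTrust Manager one."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprints_match(cm_value: str, azure_value: str) -> bool:
    """True only when both sides normalize to the same 40-hex-digit SHA-1 value."""
    a, b = normalize_thumbprint(cm_value), normalize_thumbprint(azure_value)
    return len(a) == 40 and a == b


def check_connection_response(response: dict, portal_thumbprint: str) -> bool:
    """Given a ksctl azure create/get response containing 'certificate' and
    'certificate_thumbprint', verify that the certificate really hashes to the
    reported thumbprint and that this matches what the Azure portal displays."""
    computed = azure_thumbprint(response["certificate"])
    return thumbprints_match(computed, response["certificate_thumbprint"]) and \
        thumbprints_match(computed, portal_thumbprint)


if __name__ == "__main__":
    tp = azure_thumbprint(SAMPLE_PEM)
    colon_form = ":".join(tp[i:i + 2] for i in range(0, 40, 2)).lower()
    print("computed thumbprint:", tp)
    print("matches openssl-style value:", thumbprints_match(tp, colon_form))
```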
Managing Azure Connections using ksctl
The following operations can be performed:
- Create/Get/Update/Delete an Azure Stack connection
- List all Azure Stack connections
- Test an existing Azure Stack connection
- Test parameters for an Azure Stack connection
- Create an Azure Cloud Connection
Parameter Details
| Parameter | Mandatory/Optional | Description |
|---|---|---|
| name | Mandatory | Unique name of the connection. |
| description | Optional | Connection description. |
| products | Optional | List of products. |
| clientid | Mandatory | Unique Identifier (client ID) for the Azure application. |
| meta | Optional | Meta information in JSON format, for example --meta "{\"color\":\"blue\",\"foo\":\"bar\"}". |
| tenantid | Mandatory | Tenant ID of the Azure application. |
| cloudname | Optional | Name of the Azure cloud to connect to. |
| connection-type | Optional | Azure stack connection type (AAD or ADFS). |
| active-dir-endpoint | Optional | Azure stack active directory authority URL. |
| management-url | Optional | Azure stack management URL. |
| res-manager-url | Optional | Azure stack resource manager URL. |
| key-vault-dns-suffix | Optional | Azure stack key vault DNS suffix. |
| vault-res-url | Optional | Azure stack vault service resource URL. |
| server-cert-file | Optional | Server certificate file path. |
Note
Examples in this section are for ADFS connection type. Similarly, you can manage connections for AAD by changing the connection-type to AAD.
Creating an Azure Stack Connection
To create an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure create --name <Connection-Name> --products <Product-Names> --clientid <Azure-Key-ID> --secret <Azure-Client-Secret> --meta <Key-Values> --tenantid <Tenant-ID> --cloudname <Cloud-Name> --connection-type <Connection-Type> --active-dir-endpoint <Active-Directory-Endpoint> --management-url <Management-URL> --res-manager-url <Resource-Manager-URL> --key-vault-dns-suffix <Keyvault-DNS-Suffix> --vault-res-url <Vault-Resource-URL> --server-cert-file <Server-Certificate-File>
Example Request
ksctl connectionmgmt azure create --name test-azs-adfs --products cckm --clientid client123 --secret secret123 --tenantid 123 --cloudname AzureStack --connection-type ADFS --active-dir-endpoint "https://adfs.local.azurestack.external/adfs" --management-url "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd" --res-manager-url "https://management.local.azurestack.external/" --key-vault-dns-suffix "vault.local.azurestack.external" --vault-res-url "https://vault.local.azurestack.external" --server-cert-file ~/server.pem
Example Response
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917450971Z",
"updatedAt": "2020-12-24T11:06:31.916445598Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"tenant_id": "123",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMyzp/w...+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
}
Getting Details of an Azure Stack Connection
To get details of an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt azure get --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
Example Response
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917451Z",
"updatedAt": "2020-12-24T11:06:31.916446Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"tenant_id": "123",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw...YHsN\nobEToCx8UNXoZlYUX2f8hE9ad/tGrpwqXUHkSWjnET2+R5OmtS0p2wsRofbmY9in\noE4di6Pk83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
}
Updating an Azure Stack Connection
To update an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure modify --id <Connection-Name/ID> --products <Product-Names> --secret <Azure-Client-Secret> --meta <Key-Values>
Example Request
ksctl connectionmgmt azure modify --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3 --tenantid 456
Example Response
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917451Z",
"updatedAt": "2020-12-24T11:14:12.702605505Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": false,
"last_connection_error": "Post \"https://adfs.local.azurestack.external/adfs/oauth2/token\": dial tcp: lookup adfs.local.azurestack.external on 127.0.0.11:53: no such host",
"last_connection_at": "2020-12-24T11:12:48.403146Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"meta": "",
"tenant_id": "456",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZ...k83BMh2RpCDxDPb0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
}
Deleting an Azure Stack Connection
To delete an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt azure delete --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
There will be no response if Azure Stack connection is deleted successfully.
Getting List of Azure Stack Connections
To list all the Azure Stack connections, run:
Syntax
ksctl connectionmgmt azure list
Example Request
ksctl connectionmgmt azure list
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"uri": "kylo:kylo:connectionmgmt:connections:test-azs-adfs-2cc2d7db-155c-472f-b248-4ca4072d1bb3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-24T11:06:31.917451Z",
"updatedAt": "2020-12-24T11:06:31.916446Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "test-azs-adfs",
"products": [
"cckm"
],
"tenant_id": "123",
"client_id": "client123",
"cloud_name": "AzureStack",
"active_directory_endpoint": "https://adfs.local.azurestack.external/adfs",
"vault_resource_url": "https://vault.local.azurestack.external",
"resource_manager_url": "https://management.local.azurestack.external/",
"key_vault_dns_suffix": "vault.local.azurestack.external",
"management_url": "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd",
"azure_stack_server_cert": "-----BEGIN CERTIFICATE-----\nMIIEPDCCAiSgAwIBAgIRALJpeHdhAFCGctcAVJ1fpwMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw\nDgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0y\nMDEyMDIwOTIzMTRaFw0yMjEyMDIwOTIzMTRaMCIxDjAMBgNVBAMTBWFkbWluMRAw\nDgYKCZImiZPyLGQBARMAMIIBIjANBgkqhk...b0UqTGlRlbPuew0mNfI2ePQLoFhyoTmwN1xEgUpex1u\nQb9IovyN2/Bm1QNpt4wRwoDF4sGAgcEM6AAtMVe2uVQ=\n-----END CERTIFICATE-----\n",
"azure_stack_connection_type": "ADFS"
},
]
}
Testing an Existing Azure Stack Connection
To test an existing Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure test --id <Connection-Name/ID> --clientid <Azure-Key-ID> --secret <Azure-Client-Secret> --tenantid <Tenant-ID>
Example Request
ksctl connectionmgmt azure test --id 2cc2d7db-155c-472f-b248-4ca4072d1bb3
Example Response
{
"connection_ok": true
}
Testing Parameters for an Azure Stack Connection
To test parameters for an Azure Stack connection, run:
Syntax
ksctl connectionmgmt azure test --clientid <Azure-Key-ID> --secret <Azure-Client-Secret> --meta <Key-Values> --tenantid <Tenant-ID> --cloudname <Cloud-Name> --connection-type <Connection-Type> --active-dir-endpoint <Active-Directory-Endpoint> --management-url <Management-URL> --res-manager-url <Resource-Manager-URL> --key-vault-dns-suffix <Keyvault-DNS-Suffix> --vault-res-url <Vault-Resource-URL> --server-cert-file <Server-Certificate-File>
Example Request
ksctl connectionmgmt azure test --clientid client123 --secret secret123 --tenantid 123 --cloudname AzureStack --connection-type ADFS --active-dir-endpoint "https://adfs.local.azurestack.external/adfs" --management-url "https://management.adfs.azurestack.local/2aeeb93d-50a7-415e-8b217-01b5c5e2fasd" --res-manager-url "https://management.local.azurestack.external/" --key-vault-dns-suffix "vault.local.azurestack.external" --vault-res-url "https://vault.local.azurestack.external" --server-cert-file ~/server.pem
Example Response
{
"connection_ok": true
}
Creating an Azure Cloud Connection
The Azure Cloud connection can be created using:
- Internal certificate
- External certificate
Creating an Azure Cloud Connection using internal certificate
To create an Azure Cloud connection using an internally generated self-signed certificate, run:
Example
ksctl connectionmgmt azure create --name "azureconnection2" --clientid "a-client-id" --cloudname "AzureCloud" --use-certificate true
Response
{
"id": "525d00e7-e677-4411-9f8c-0af01576d4c5",
"uri": "kylo:kylo:connectionmgmt:connections:azureconnection2-525d00e7-e677-4411-9f8c-0af01576d4c5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-23T08:28:00.109946977Z",
"updatedAt": "2022-08-23T08:28:00.108830988Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "azureconnection2",
"client_id": "a-client-id",
"cloud_name": "AzureCloud",
"certificate": "-----BEGIN CERTIFICATE-----\nMIIFvjCCA6agAwIBAgIRAIeusgD8lFVBJoLiSXw7EBUwDQYJKoZIhvcNAQELBQAw\nfzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNh\nbiBKb3NlMQ8wDQYDVQQKEwZUaGFsZXMxFDASBgNVBAsTC0NpcGhlclRydXN0MSEw\nHwYDVQQDExhjY2ttLnRoYWxlc2VzZWN1cml0eS5jb20wHhcNMjIwODIzMDgyODAw\nWhcNMjQwODIyMDgyODAwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv\ncm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDzANBgNVBAoTBlRoY...MFeV/+CJH53cqBTBJ\nJTv7aYJtV6vzW9tVaCb6nPnLtryc49ucjNeNPFfCxtXrZog7fJeocFsdWimMwlXy\nSqGYAaFdOJJZgAhvlQusl4oJIVZ3Cw9OAk61whTjEMfXAyJHRuwP/0uDZWNo6/z7\n8GmgLrPeEBuc8qyXy26ALoUm2rsDCSjo14qL1u29bVkeFP3ZdPBoapvyzCudmSx2\n2NuDQJO/TaREDGkvx27xyu8thIPRLCb4HuzlDhDi3Xg2tA==\n-----END CERTIFICATE-----\n",
"certificate_thumbprint": "5BB5FC44C0CAFA417773CA4EC80A07232AC02499"
}
Creating an Azure Cloud Connection using external certificate
Note
The external certificate cannot be used with use_certificate and client_secret parameters.
To create an Azure cloud connection using an external certificate generated from the custom CSR signed by any internal/external CA:
- Generate a new Certificate Signing Request (CSR). The Azure connections do not support RSA 1024-bit keys for creating CSRs. The supported RSA key strengths are 2048 and 4096 bits.
  Syntax
  ksctl connectionmgmt connections csr --cn <common-name> --csr-outfile <filename>
  Example
  ksctl connectionmgmt connections csr --cn "test" --csr-outfile "Azurecsr.pem"
  Response
  {
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIHIMHECAQAwDzENMAsGA1UEAxMEdGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABPkDWFDb/khM9xaRPAnRKJ0nq7hfkQiX9UY8v03zL/X9YybSB/L3W4CpI0o6\nhLZQtoOjiv6ziRToKDFpq4K/WdegADAKBggqhkjOPQQDAgNHADBEAiA2kC7YOUqU\n0BtS+SDI/OuCd21JhkQoVX0ZcD/e/g5jtQIgTHE79SCJ/G/UXLNHjfmGZyP9zVmH\nObA8stMQDpSMJhM=\n-----END CERTIFICATE REQUEST-----\n"
  }
  This CSR can only be used for one connection in the native domain. Also, this CSR can't be reused in other domains.
- Sign the CSR with any local or external CA. It will generate an external certificate.
- Upload the generated certificate to the Azure portal.
- Create the Azure cloud connection using the external certificate generated above.
  Example
  ksctl connectionmgmt azure create --name "azureconnecnwithcert" --json-file certazure.json
  Response
  {
  "id": "5c440f1f-650c-497e-bd38-b7ebfe7e4e65",
  "uri": "kylo:kylo:connectionmgmt:connections:azure-connectio2n-5c440f1f-650c-497e-bd38-b7ebfe7e4e65",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2022-08-23T08:16:24.236837416Z",
  "updatedAt": "2022-08-23T08:16:24.23580786Z",
  "service": "azure",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "azure-connection",
  "products": [
  "cckm"
  ],
  "meta": {
  "color": "blue"
  },
  "tenant_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c71285nfjdu2",
  "client_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c7e12",
  "cloud_name": "AzureCloud",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIFUzCCAzugAwIBAgIRAIzHRMIS7tVGXVzIXlhGwCMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzAN\nBgNVBAoTBlRoYWxlczEcMBoGA1UEAxMTQ2lwaGVyVHJ1c3QgUm9vdCBDQTAeFw0y\nMjA4MjIwODE0MzNaFw0yMzA4MjMwODE0MzNaMGQxCzAJBgNVBAYTAlVTMQswCQYD\nVQQIEwJNRDEQMA4GA1UEBxMHQmVsY2FtcDEVMBMGA1UEChMMVGhhbGVzIECA...0tYrQf8Jtk9xW+TqQfli1QZSfpK7vBypys87hFYRD7I82EA6zDLtIz16rjcFPUG\nitTI7OJsCVX8QhaLGqc3vahhEsEfKhEEOczUwEc9oGAFOLsjrJvVM6/wwebvD0G3\nM+tG8aEYPLphmR4dD5Zp9mmlcVdpUkM=\n-----END CERTIFICATE-----\n",
  "certificate_thumbprint": "9CECEBFE89C12E201461200070376971B9678374"
  }
  JSON File (certazure.json)
  {
  "name": "azure-connection",
  "products": [
  "cckm"
  ],
  "meta": {
  "color": "blue"
  },
  "cloud_name": "AzureCloud",
  "client_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c7e12",
  "tenant_id": "3bf0dbe6-a2c7-431d-9a6f-4843b74c71285nfjdu2",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIFUzCCAzugAwIBAgIRAIzHRMIS7tVGXVzIXlhGwCMwDQYJKoZIhvcNAQELBQAw\nWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzAN\nBgNVBAoTBlRoYWxlczEcMBoGA1UEAxMTQ2lwaGVyVHJ1c3QgUm9vdCBDQTAeFw0y\nMjA4MjIwODE0MzNaFw0yMzA4MjMwODE0MzNn..Qf8Jtk9xW+TqQfli1QZSfpK7vBypys87hFYRD7I82EA6zDLtIz16rjcFPUG\nitTI7OJsCVX8QhaLGqc3vahhEsEfKhEEOczUwEc9oGAFOLsjrJvVM6/wwebvD0G3\nM+tG8aEYPLphmR4dD5Zp9mmlcVdpUkM=\n-----END CERTIFICATE-----\n"
  }
The CipherTrust Manager allows you to modify the external certificate in the existing connection. Any unused certificate will be automatically deleted after 24 hours.
Azure connection in multiple domains with same external certificate
The CipherTrust Manager enables you to create an Azure cloud connection using a certificate generated externally. This same external certificate can be reused to set up Azure connections across multiple domains. To accomplish this, you need to provide the following fields:
- data - Data can be a Certificate-Key pair generated externally in PEM or PKCS12 format, or it can consist of only a Certificate in PEM format. For a Certificate, the user must first generate a new Certificate Signing Request (CSR). The generated CSR can be signed with any internal or external CA. The Certificate must have an RSA key strength of 2048 or 4096 bits.
- format - The format of the uploaded Certificate-Key can be either PEM (default) or PKCS12. Make sure to specify the format when using PKCS12 data.
- cert-bundle-password - password needed to decrypt PKCS12 or encrypted PEM data.
As an alternative to using the fields mentioned above, you can also use the cert-bundle-jsonfile JSON file in the following format:
{
"data": string,
"format": string,
"password": string
}
You can provide external certificate data in the cert-bundle-jsonfile JSON file as shown below, according to your requirements:
For the Certificate whose CSR was generated through the CSR Creation process and signed by either an internal or external CA
{
"data": <certificate>
}
For PEM format Certificate Key (pem is the default format, so the format field may be omitted)
{
"data": <cert-private-key>,
"format": "pem"
}
For PEM format Certificate Encrypted-Key
{
"data": <cert-encrypted-private-key>,
"password": <password>,
"format": "pem"
}
For base64 encoded PKCS12 data
{
"data": <pkcs12-material-in-base64-encoding>,
"password": <password>,
"format": "pkcs12"
}
Note
- The fields defined above cannot be used together with the certificate, is_certificate_used, and client_secret fields.
- When providing PKCS12 data, be sure to specify its format.
- PKCS12 data must be base64 encoded and include both the private key and its certificate.
- A password is required for PKCS12 and encrypted key data.
Create Azure cloud connection
To create an Azure cloud connection:
Example request
ksctl connectionmgmt azure create --name "cert-key-azure-connection-1" --cloudname AzureCloud --clientid <client-id> --tenantid <tenant-id> --data "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----\n\n-----BEGIN ENCRYPTED PRIVATE KEY-----...........-----END ENCRYPTED PRIVATE KEY-----\n" --format <pem-or-pkcs12> --cert-bundle-password <encrypted-key-password-or-pkcs12-password>
Example response
{
"id": "c7384be8-9415-4806-bc44-b7d15a2c8994",
"uri": "kylo:kylo:connectionmgmt:connections:cert-key-azure-connection-1-c7384be8-9415-4806-bc44-b7d15a2c8994",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2025-10-13T07:25:37.092046Z",
"updatedAt": "2025-10-13T07:25:37.081279Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "cert-key-azure-connection-1",
"tenant_id": <tenant-id>,
"client_id": <client-id>,
"cloud_name": "AzureCloud",
"certificate": "-----BEGIN CERTIFICATE-----....-----END CERTIFICATE-----\n",
"certificate_thumbprint": <certificate-thumbprint>,
"external_certificate_used": true
}
Update Azure cloud connection
To update an Azure cloud connection:
Example request (for pkcs12 data)
ksctl connectionmgmt azure modify --id cert-key-azure-connection-1 --cert-bundle-jsonfile cert-bundle.json
cert-bundle.json file
{
"data": <pkcs12-material-in-base64-encoding>,
"password":<password>,
"format":"pkcs12"
}
Example response
{
"id": "c7384be8-9415-4806-bc44-b7d15a2c8994",
"uri": "kylo:kylo:connectionmgmt:connections:cert-key-azure-connection-1-c7384be8-9415-4806-bc44-b7d15a2c8994",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2025-10-13T07:25:37.092046Z",
"updatedAt": "2025-10-13T07:28:28.34182Z",
"service": "azure",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "cert-key-azure-connection-1",
"tenant_id": <tenant-id>,
"client_id": <client-id>,
"cloud_name": "AzureCloud",
"certificate": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----\n",
"certificate_thumbprint": <certificate-thumbprint>,
"external_certificate_used": true
}
Test connection parameters
To test connection parameters:
Example request
ksctl connectionmgmt azure test --clientid <client-id> --tenantid <tenant-id> --data "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----\n\n-----BEGIN ENCRYPTED PRIVATE KEY-----...........-----END ENCRYPTED PRIVATE KEY-----\n" --format <pem-or-pkcs12> --cert-bundle-password <encrypted-key-password-or-pkcs12-password>
Example response
{
"connection_ok": true
}
Test existing Azure cloud connection
To test an existing Azure cloud connection:
Example request
ksctl connectionmgmt azure test --id cert-key-azure-connection-1 --cert-bundle-jsonfile cert-bundle.json
Example response
{
"connection_ok": true
}