Azure Key Vault Integration

Introduction

This section refers to the Azure Key Vault (AKV) integration with Horizon, used to enroll certificates held in AKV.

This integration involves at least three infrastructure components:

  • Azure Key Vault

  • Azure Active Directory

  • EverTrust Horizon

Azure AD is used to authenticate Horizon, which should be a registered application.

Azure AKV Connector

This section describes how to manage the Azure AKV Connector.

Required By

AKV Trigger

Prerequisites

On the Horizon side, you may need to set up a Proxy to reach Azure.

On the Azure AD side, you must register an application by following Microsoft’s guide.

Horizon supports only client secret authentication.

After performing these steps, you will get the following information, required later:

  • the Tenant ID

  • the Application ID

  • the Application Authentication Key

Finally, you should give all Certificate Permissions to the Application you created for Horizon inside the target Azure Key Vault "Access policies" menu entry, using the "Add Access Policy" link.

How to configure AKV Connector

1. Log in to Horizon Administration Interface.

2. Access AKV Connectors from the drawer or card: Third Parties > AKV > Connectors.

3. Click on Add Connector.

4. Fill the mandatory fields.

Connection

  • Name* (string input):
    Enter a meaningful Connector Name.

  • Azure Tenant* (string input):
    Enter the Tenant, which is the domain name after the @ sign in your account.

  • App ID* (string input):
    Enter the app ID.

  • App Key* (string input):
    Enter the app Key.

  • Proxy (select):
    The HTTP/HTTPS proxy used to reach Azure AD and AKV, if necessary.

  • Timeout (finite duration):
    Timeout applied to the connections used to reach Azure AD and AKV. Defaults to 10 seconds. Must be a valid finite duration.

  • Vault fully qualified domain name* (string input):
    Fully qualified domain name used to reach the Azure Key Vault to be managed by Horizon.

Assets identification and management

  • Prefix (string input): Used to filter the certificates managed by Horizon in the specified Azure Key Vault. Defaults to "HRZ-".

Actors and renewal management

These configuration elements define the maximum number of interactions allowed with the remote service within a given period. For example, to ensure that the remote service is not contacted more than 5 times per 3 seconds, Throttle parallelism defines the number of calls and Throttle duration the period of time: in that example, throttle parallelism would be set to 5 and throttle duration to 3 seconds.

  • Throttle duration* (finite duration):
    Set by default to 3 seconds. Must be a valid finite duration.

  • Throttle parallelism* (int):
    Set by default to 3.

  • Renewal period (finite duration):
    Must be a valid finite duration.

5. Click on the save button.

You can edit or delete the AKV Connector.

You will not be able to delete an AKV Connector if it is referenced in any other configuration element.
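To check the three pieces of configuration above outside Horizon, here is an added Python example (not Horizon's own code) showing the client-secret token request built from the Tenant, App ID and App Key, the Prefix filter applied to a Key Vault certificate listing, and a throttle with the parallelism/duration semantics described above. The vault name and certificate names are constructed, and the Key Vault scope constant is an assumption about the standard data-plane scope.

```python
import time
import urllib.parse
from collections import deque

VAULT_SCOPE = "https://vault.azure.net/.default"  # assumption: standard Key Vault data-plane scope


def token_request(tenant, app_id, app_key):
    """Build the Azure AD client-credentials request used by client secret authentication.

    Returns the v2.0 token endpoint and the form-encoded body to POST to it.
    The App Key is a secret: keep it out of logs and URLs.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_key,
        "scope": VAULT_SCOPE,
    }).encode()
    return url, body


def managed_certificates(listing, prefix="HRZ-"):
    """Return the names in a Key Vault certificate listing that carry the Horizon prefix.

    Each entry's "id" is the certificate URL: https://<vault-fqdn>/certificates/<name>.
    """
    names = [item["id"].rstrip("/").rsplit("/", 1)[-1] for item in listing.get("value", [])]
    return sorted(n for n in names if n.startswith(prefix))


class Throttle:
    """Allow at most `parallelism` calls within any window of `duration` seconds."""

    def __init__(self, parallelism=3, duration=3.0, clock=time.monotonic):
        self.parallelism, self.duration, self.clock = parallelism, duration, clock
        self.calls = deque()  # timestamps of calls still inside the window

    def try_acquire(self):
        """Record a call if the window has room; return False when the limit is reached."""
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.duration:
            self.calls.popleft()  # drop calls that fell out of the window
        if len(self.calls) >= self.parallelism:
            return False
        self.calls.append(now)
        return True


# Constructed sample listing, in the shape returned by GET https://<vault-fqdn>/certificates
SAMPLE_LISTING = {"value": [
    {"id": "https://kv-example.vault.azure.net/certificates/HRZ-web01"},
    {"id": "https://kv-example.vault.azure.net/certificates/legacy-root"},
    {"id": "https://kv-example.vault.azure.net/certificates/HRZ-api02"},
]}
```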

AKV Trigger

This section details how to configure the Triggers that will be used by WebRA Profiles to push or delete certificates to/from AKV.

Prerequisites

An AKV Connector must be configured beforehand (see Azure AKV Connector above), since each trigger references one.

How to configure AKV Trigger

1. Log in to Horizon Administration Interface.

2. Access AKV Triggers from the drawer or card: Third Parties > AKV > Triggers.

3. Click on Add Trigger.

4. Fill the mandatory fields.

  • Name* (string input):
    Enter a meaningful trigger name. It must be unique for each trigger. Horizon uses the name to identify the trigger.

  • Azure Key Vault Connector* (select):
    Select an AKV connector previously created.

  • Retries in case of error (int):
    Number of times to retry to push the change on the AKV repository in case of error. Must be an integer between 1 and 15.

5. Click on the save button.

You can edit or delete the AKV Trigger.