Azure Key Vault Integration
Introduction
This section describes the Azure Key Vault (AKV) integration with Horizon, used to enroll certificates held in AKV.
This integration involves at least three infrastructure components:
- Azure Key Vault
- Azure Active Directory
- EverTrust Horizon
Azure AD is used to authenticate Horizon, which must be registered as an application.
Azure AKV Connector
This section describes how to manage the Azure AKV Connector.
Prerequisites
On the Horizon side, you might need to set up a Proxy to reach Azure, if your network requires one.
On the Azure AD side, you must register an application by following Microsoft’s guide.
Horizon supports only client secret authentication.
After performing these steps, you will get the following information, required later:
- the Tenant ID
- the Application ID
- the Application Authentication Key
Finally, you should grant all Certificate Permissions to the Application you created for Horizon, from the "Access policies" menu entry of the target Azure Key Vault, using the "Add Access Policy" link.
How to configure AKV Connector
1. Log in to Horizon Administration Interface.
2. Access AKV Connectors from the drawer or card: Third Parties > AKV > Connectors.
3. Click on .
4. Fill in the mandatory fields.
Connection
- Name* (string input): Enter a meaningful Connector Name.
- Azure Tenant* (string input): Enter the Tenant, which is the domain name after the @ sign in your account.
- App ID* (string input): Enter the Application ID.
- App Key* (string input): Enter the Application Authentication Key.
- Proxy (select): The HTTP/HTTPS proxy used to reach Azure AD and AKV, if necessary.
- Timeout (finite duration): Timeout set on the connections used to reach Azure AD and AKV. Configured by default at 10 seconds. Must be a valid finite duration.
- Vault fully qualified domain name* (string input): Fully qualified domain name used to reach the Azure Key Vault to be managed by Horizon.
Assets identification and management
- Prefix (string input): Used to filter the certificates managed by Horizon in the specified Azure Key Vault. Defaults to "HRZ-".
Actors and renewal management
These configuration elements mainly define the number of authorized interactions with the remote service over a defined period. For example, one may need to ensure that the remote service will not be contacted more than 5 times per 3 seconds. Throttle parallelism defines the maximum number of interactions, and Throttle duration defines the period over which they are counted. In the above example, throttle parallelism would therefore be set to 5 and throttle duration to 3 seconds.
- Throttle duration* (finite duration): Set by default at 3 seconds. Must be a valid finite duration.
- Throttle parallelism* (int): Set by default at 3.
- Renewal period (finite duration): Must be a valid finite duration.
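The throttle semantics described above (at most "parallelism" calls to the remote service within any "duration" window) can be modelled as a sliding-window limiter. The following is an added illustration and not Horizon's own code; the class name, the injectable clock and the sleep callable are assumptions made so the behaviour can be checked without real waiting.

```python
import time
from collections import deque
from datetime import timedelta


class Throttle:
    """Sliding-window limiter: at most `parallelism` calls per `duration`.

    Constructed illustration of the connector's 'Throttle parallelism' and
    'Throttle duration' settings; not Horizon's implementation.
    """

    def __init__(self, parallelism: int, duration: timedelta,
                 clock=time.monotonic, sleep=time.sleep):
        if parallelism < 1 or duration <= timedelta(0):
            raise ValueError("parallelism must be >= 1 and duration a positive finite duration")
        self.parallelism = parallelism
        self.window = duration.total_seconds()
        self.clock = clock      # returns seconds as a float
        self.sleep = sleep      # blocks for the given number of seconds
        self.calls: deque[float] = deque()  # timestamps of calls still inside the window

    def _evict(self, now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()

    def wait_time(self) -> float:
        """Seconds until the next call is permitted (0.0 if allowed right now)."""
        now = self.clock()
        self._evict(now)
        if len(self.calls) < self.parallelism:
            return 0.0
        # The window is full: wait until the oldest call leaves it.
        return self.window - (now - self.calls[0])

    def acquire(self) -> float:
        """Wait until a slot is free, record the call, and return the seconds waited."""
        waited = 0.0
        while True:
            delay = self.wait_time()
            if delay <= 0:
                self.calls.append(self.clock())
                return waited
            self.sleep(delay)
            waited += delay
```

With parallelism 5 and duration 3 seconds (the example from the text), the first five calls go through immediately and the sixth is delayed until the oldest call leaves the 3-second window.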
5. Click on the save button.
You can update or delete the AKV Connector.
You will not be able to delete an AKV Connector if it is referenced by any other configuration element.
AKV Trigger
This section details how to configure the Triggers that will be used by WebRA Profiles to push or delete certificates to/from AKV.
How to configure AKV Trigger
1. Log in to Horizon Administration Interface.
2. Access AKV Triggers from the drawer or card: Third Parties > AKV > Triggers.
3. Click on .
4. Fill in the mandatory fields.
- Name* (string input): Enter a meaningful trigger name. It must be unique for each trigger, as Horizon uses the name to identify the trigger.
- Azure Key Vault Connector* (select): Select an AKV connector previously created.
- Retries in case of error (int): Number of times to retry pushing the change to the AKV repository in case of error. Must be an integer between 1 and 15.
5. Click on the save button.
You can update or delete the AKV Trigger.
Integration of the third party to the WebRA
Once the connector is configured, it is possible to automate the lifecycle of its elements using the WebRA.
Automation using triggers
Triggers are a WebRA functionality that pushes lifecycle events to a third party whenever they occur on a WebRA profile.
1. Refer to the trigger documentation to create a trigger.
2. Create or modify the WebRA profile you wish to use the triggers on.
3. Go to the Triggers tab, then to Certificate lifecycle triggers.
4. Choose which lifecycle events you wish to use triggers upon (enrollment, revocation, expiration).
5. Select one or more existing triggers from the menu (if several are selected, they will all be called whenever the selected event occurs).
6. Click on the Save button.
From now on, whenever a selected lifecycle event occurs on the configured WebRA profile, the trigger is called and the certificate is pushed into or removed from the third party container.
Automation using scheduled tasks
Scheduled tasks are a WebRA functionality that periodically synchronizes automatic renewal or revocation events on a WebRA profile with a third party. More specifically, a scheduled task periodically checks whether each certificate has entered the "renewal period" defined in the connector’s configuration, and renews it automatically if necessary.
1. Refer to the third party connector documentation to create a third party connector.
2. Ensure you have an existing WebRA profile: renewal will be automated on the selected profile.
3. Follow the documentation of the WebRA scheduled tasks section to properly configure a scheduled task.