Azure AKV Connector
This section describes how to manage the Azure AKV Connector.
Prerequisites
On the Horizon side, you might need to set up a Proxy to reach Azure.
On the Azure AD side, you must set up an application by following Microsoft’s guide.
Horizon supports only client secret authentication.
After performing these steps, you will get the following information, required later:
- the Tenant ID
- the Application ID
- the Application Authentication Key
Finally, you should give all Certificate Permissions to the Application you created for Horizon inside the target Azure Key Vault "Access policies" menu entry, using the "Add Access Policy" link.
How to configure AKV Connector
1. Log in to Horizon Administration Interface.
2. Access AKV Connectors from the drawer or card:
3. Click on .
4. Fill the mandatory fields.
Connection
- Name* (string input): Enter a meaningful Connector Name.
- Azure Tenant* (string input): Enter the Tenant, which is the domain name after the @ sign in your account.
- App Registration Credentials* (select): Select Login credentials containing your app registration ID and secret key.
- Proxy (string select): The HTTP/HTTPS proxy used to reach Azure AD and AKV, if necessary.
- Timeout (finite duration): Set on the connections used to reach Azure AD and AKV. Configured by default at 10 seconds. Must be a valid finite duration.
- Vault fully qualified domain name* (string input): Fully qualified domain name used to reach the Azure Key Vault to be managed by Horizon.
Assets identification and management
- Prefix (string input): Used to filter the certificates managed by Horizon in the specified Azure Key Vault. Defaults to "HRZ-".
Actors and renewal management
These configuration elements mainly define the number of authorized interactions with the remote service over a defined period. Throttle parallelism defines the number of interactions and throttle duration defines the period of time. For example, to ensure that the remote service is not contacted more than 5 times per 3 seconds, set throttle parallelism to 5 and throttle duration to 3 seconds.
- Throttle duration* (finite duration): Set by default at 3 seconds. Must be a valid finite duration.
- Throttle parallelism* (int): Set by default at 3.
- Renewal period (finite duration): Must be a valid finite duration.
5. Click on the save button.
You can update or delete the AKV Connector.
You will not be able to delete an AKV Connector if it is referenced in any other configuration element.
Synchronize your third party
Your third-party certificates can be synchronized with Horizon using scheduled tasks.
Scheduled tasks are a WebRA feature that periodically synchronizes automatic renewal or revocation events on a third party with what occurs on a WebRA profile. More specifically, a scheduled task periodically checks whether the certificate has entered the "renewal period" that was defined in the connector’s configuration, and renews it automatically if necessary.
1. Refer to the third party connector documentation to create a third party connector.
2. Ensure you have an existing WebRA Profile: renewal will be automated on the selected profile.
3. Follow the documentation of the WebRA Scheduled Tasks section to properly configure a scheduled task.
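The prefix filter, the renewal-period check and the throttle settings described above, combined in an added Python illustration (not Horizon's own code). It assumes the renewal period is counted back from the certificate's expiry date and that the throttle is a sliding window; the certificate names and dates are constructed, and the function names are hypothetical.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
# Constructed vault contents: certificate name -> expiry date.
CERTS = {
    "HRZ-web": NOW + timedelta(days=9),
    "HRZ-api": NOW + timedelta(days=74),    # outside the renewal period
    "legacy-vpn": NOW + timedelta(days=4),  # no "HRZ-" prefix: not managed
    "HRZ-mail": NOW + timedelta(days=20),
    "HRZ-db": NOW + timedelta(days=2),
    "HRZ-ldap": NOW + timedelta(days=29),
    "HRZ-sso": NOW + timedelta(days=15),
    "HRZ-git": NOW + timedelta(days=30),
}


def due_for_renewal(certs, now, renewal_period, prefix="HRZ-"):
    """Names of prefix-matching certificates that entered the renewal period.

    Assumption: a certificate enters the renewal period once no more than
    `renewal_period` remains before its expiry date.
    """
    return sorted(
        name for name, not_after in certs.items()
        if name.startswith(prefix) and not_after - now <= renewal_period
    )


def plan_calls(names, start, parallelism, duration):
    """Earliest start time per call such that any half-open window of
    `duration` holds at most `parallelism` calls to the remote service."""
    window = deque()  # start times of the most recent `parallelism` calls
    plan, t = [], start
    for name in names:
        if len(window) == parallelism:
            # Wait until the oldest call in the window is `duration` old.
            t = max(t, window.popleft() + duration)
        window.append(t)
        plan.append((name, t))
    return plan


if __name__ == "__main__":
    due = due_for_renewal(CERTS, NOW, timedelta(days=30))
    throttle = timedelta(seconds=3)
    for name, at in plan_calls(due, NOW, parallelism=5, duration=throttle):
        print(f"{at.isoformat()}  renew {name}")
```

With throttle parallelism 5 and throttle duration 3 seconds, the sixth renewal is held back until the 3-second window has passed, and certificates without the prefix are never touched.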