Configuring Analyze to use Azure Key Vault for credential storage - Data360_Analyze - 3 - 3.12

Data360 Analyze Server Help

Product type: Software
Portfolio: Verify
Product family: Data360
Product: Data360 Analyze
Version: 3.12
Language: English
Product name: Data360 Analyze
Title: Data360 Analyze Server Help
Copyright: 2023
First publish date: 2016

To configure Analyze to use Azure Key Vault for credential storage, do the following:

  1. Create or obtain access to an Azure Key Vault instance.
  2. Create two secrets in the Azure Key Vault: one for the Secure Store password and one for the application database password.

    Suggested names for the secrets would be:

    • Secure Store password: 'Data360-Analyze-<analyzeHost>-<analyzePort>-Secure-Store-Password'
    • Application database password: 'Data360-Analyze-<analyzeHost>-<analyzePort>-Database-Password'
  3. Set the value of the respective secrets to the current values of the Secure Store password and the application database password.

    As a reminder, the default Secure Store password is the password that was provided at installation time, and the default application database password is 'dataverse'. The secret values must match the passwords Analyze currently uses: this procedure changes where the passwords are stored, not what they are.

  4. Create an Azure application and service principal for the Data360 Analyze instance being configured.
  5. Grant the Azure application created in step 4 read (Get) and List access to secrets in the Key Vault from step 2. No other vault permissions are needed for this configuration.
  6. Stop the Data360 Analyze application.
  7. Edit the file <site-dir>/conf/cust.prop and add or modify the following properties:

    ls.lae.keyManagerId="azureKeyVault"

    ls.lae.keyCollectionId="<azure-key-vault-id>"

    ls.lae.keyCollectionType="secret"

    ls.lae.secureStore.passwordRetrieval.keyId="<secure-store-secret-name>"

    ls.lae.webapp.dbCredentialConfig.keyId="<application-database-secret-name>"

    Where:

    <azure-key-vault-id> - The ID of the Azure Key Vault.

    <secure-store-secret-name> - The name of the Secure Store password secret created in step 2.

    <application-database-secret-name> - The name of the application database password secret created in step 2.

    If Analyze authenticates with a user-assigned Managed Identity, you must also set the ls.lae.keyCollectionPrincipal property to that Managed Identity's client ID.

    If the two credentials are to be managed differently, replace the single ls.lae.keyManagerId property with one property per credential:

    • ls.lae.secureStore.passwordRetrieval.keyManagerId for the secure store password
    • ls.lae.webapp.dbCredentialConfig.keyManagerId for the database password

    For example:

    ls.lae.secureStore.passwordRetrieval.keyManagerId="analyzeProperties"

    ls.lae.webapp.dbCredentialConfig.keyManagerId="azureKeyVault"

    ls.lae.keyCollectionId="<azure-key-vault-id>"

    ls.lae.keyCollectionType="secret"

    ls.lae.webapp.dbCredentialConfig.keyId="<application-database-secret-name>"

    This specifies that the Secure Store password continues to be managed as an encrypted property in cust.prop, while the database password is retrieved from an Azure Key Vault secret. In that case no ls.lae.secureStore.passwordRetrieval.keyId is needed.

  8. Start the Data360 Analyze application.
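The procedure above, as one added example script. It is not code from the Data360 Analyze documentation or product: it drives steps 2 to 5 with real Azure CLI commands (`az keyvault secret set`, `az ad sp create-for-rbac`, `az keyvault set-policy`), renders the step 7 cust.prop fragment with the page's property names and naming convention, and checks a cust.prop for the consistency rules the page states (a credential whose effective keyManagerId is azureKeyVault needs the collection ID, the collection type and its own keyId; a per-credential keyManagerId overrides the global one). Assumptions: the vault already exists, `az login` has been done, the vault uses access policies rather than RBAC, and the operator supplies VAULT (name used by az), KEYVAULT_ID (whatever this page's <azure-key-vault-id> is in your environment; the page does not say whether it is a name or a URI, so the script does not guess), ANALYZE_HOST, ANALYZE_PORT and SITE_DIR. Steps 6 and 8 are left to the operator, since the page does not give the start and stop commands.

```shell
#!/bin/sh
# Added example, not code from the Data360 Analyze documentation or product.
# Steps 2-5 via the Azure CLI, the step 7 cust.prop fragment, and a pre-restart
# check of cust.prop. Assumptions: vault exists, `az login` done, access-policy
# vault, and VAULT / KEYVAULT_ID / ANALYZE_HOST / ANALYZE_PORT / SITE_DIR set by
# the operator (KEYVAULT_ID = the page's <azure-key-vault-id>, not guessed here).

# Step 2: the secret naming convention the page suggests.
secret_name() {  # $1 = secure-store | database, $2 = host, $3 = port
  case "$1" in
    secure-store) printf 'Data360-Analyze-%s-%s-Secure-Store-Password\n' "$2" "$3" ;;
    database)     printf 'Data360-Analyze-%s-%s-Database-Password\n' "$2" "$3" ;;
    *) echo "unknown secret kind: $1" >&2; return 1 ;;
  esac
}

# Steps 2-5: store both passwords, create the app/service principal, grant it
# Get + List on secrets only. The JSON from create-for-rbac carries the client
# secret ("password"), shown once; it goes to stderr so the caller can store it.
create_secrets_and_principal() {  # $1 = vault name, $2 = host, $3 = port, $4 = store pw, $5 = db pw
  vault=$1 host=$2 port=$3
  az keyvault secret set --vault-name "$vault" --name "$(secret_name secure-store "$host" "$port")" --value "$4" --output none
  az keyvault secret set --vault-name "$vault" --name "$(secret_name database "$host" "$port")" --value "$5" --output none
  sp_json=$(az ad sp create-for-rbac --name "Data360-Analyze-$host-$port" --output json)
  printf '%s\n' "$sp_json" >&2
  app_id=$(printf '%s\n' "$sp_json" | sed -n 's/.*"appId": *"\([^"]*\)".*/\1/p')
  # Access-policy vault. For an RBAC-enabled vault use instead:
  #   az role assignment create --role "Key Vault Secrets User" --assignee "$app_id" --scope <vault resource id>
  az keyvault set-policy --name "$vault" --spn "$app_id" --secret-permissions get list --output none
  printf '%s\n' "$app_id"
}

# Step 7: properties to add to <site-dir>/conf/cust.prop. $4 (optional) is the
# client ID of a user-assigned managed identity (ls.lae.keyCollectionPrincipal).
render_cust_prop() {  # $1 = <azure-key-vault-id>, $2 = secure-store secret, $3 = db secret, [$4 = principal]
  printf 'ls.lae.keyManagerId="azureKeyVault"\n'
  printf 'ls.lae.keyCollectionId="%s"\n' "$1"
  printf 'ls.lae.keyCollectionType="secret"\n'
  printf 'ls.lae.secureStore.passwordRetrieval.keyId="%s"\n' "$2"
  printf 'ls.lae.webapp.dbCredentialConfig.keyId="%s"\n' "$3"
  [ -n "${4:-}" ] && printf 'ls.lae.keyCollectionPrincipal="%s"\n' "$4"
  return 0
}

# Value of one property in a cust.prop: last definition wins, quotes and the
# spacing variants shown on the page are tolerated, empty string if absent.
prop_value() {  # $1 = cust.prop, $2 = property name
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"*\([^\"]*\)\"*.*\$/\1/p" "$1" | tail -n 1
}

# Pre-restart check (before step 8): every credential whose effective keyManagerId
# is azureKeyVault needs keyCollectionId, keyCollectionType and its own keyId.
# A per-credential keyManagerId overrides the global ls.lae.keyManagerId.
check_cust_prop() {  # $1 = cust.prop; prints "ok", or the first problem and returns 1
  f=$1
  default=$(prop_value "$f" ls.lae.keyManagerId)
  for cred in ls.lae.secureStore.passwordRetrieval ls.lae.webapp.dbCredentialConfig; do
    mgr=$(prop_value "$f" "$cred.keyManagerId")
    [ -n "$mgr" ] || mgr=$default
    [ "$mgr" = azureKeyVault ] || continue
    for p in ls.lae.keyCollectionId ls.lae.keyCollectionType "$cred.keyId"; do
      [ -n "$(prop_value "$f" "$p")" ] || { echo "missing $p (required for $cred)"; return 1; }
    done
  done
  echo ok
}

# End-to-end run only when explicitly requested; otherwise the file just defines
# the functions so it can be sourced.
if [ "${RUN_AZ_SETUP:-0}" = 1 ]; then
  : "${VAULT:?}" "${KEYVAULT_ID:?}" "${ANALYZE_HOST:?}" "${ANALYZE_PORT:?}" "${SITE_DIR:?}"
  printf 'Secure Store password: '; stty -echo; read -r store_pw; stty echo; echo
  printf 'Application database password: '; stty -echo; read -r db_pw; stty echo; echo
  app_id=$(create_secrets_and_principal "$VAULT" "$ANALYZE_HOST" "$ANALYZE_PORT" "$store_pw" "$db_pw")
  echo "Service principal appId: $app_id"
  echo "Step 6: stop Analyze, then add the following to $SITE_DIR/conf/cust.prop:"
  render_cust_prop "$KEYVAULT_ID" "$(secret_name secure-store "$ANALYZE_HOST" "$ANALYZE_PORT")" \
                   "$(secret_name database "$ANALYZE_HOST" "$ANALYZE_PORT")" "${MI_CLIENT_ID:-}"
fi
```

Run with `RUN_AZ_SETUP=1 VAULT=... KEYVAULT_ID=... ANALYZE_HOST=... ANALYZE_PORT=... SITE_DIR=... sh configure-analyze-kv.sh` (the file name is an assumption), or source it and call `check_cust_prop <site-dir>/conf/cust.prop` after editing. The check only confirms the property set is internally consistent; whether Analyze can actually authenticate to the vault and read the secrets is only proven by step 8 succeeding.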