To configure Analyze to use Azure Key Vault for credential storage, do the following:
- Create or obtain access to an Azure Key Vault instance.
- Create two secrets in the Azure Key Vault: one for the Secure Store password and one for the application database password.
Suggested names for the secrets would be:
- Secure Store password: 'Data360-Analyze-<analyzeHost>-<analyzePort>-Secure-Store-Password'
- Application database password: 'Data360-Analyze-<analyzeHost>-<analyzePort>-Database-Password'
- Set the value of each secret to the current value of the Secure Store password and the application database password, respectively.
As a reminder, the default Secure Store password is the password that was provided at installation time. The default application database password is 'dataverse'.
- Create an Azure application and service principal for the Data360 Analyze instance being configured.
- Grant the newly created Azure application read and list access on the Azure Key Vault where the secrets were created in step 2.
- Stop the Data360 Analyze application.
- Edit the file <site-dir>/conf/cust.prop and add or modify the following properties:
ls.lae.keyManagerId="azureKeyVault"
ls.lae.keyCollectionId="<azure-key-vault-id>"
ls.lae.keyCollectionType="secret"
ls.lae.secureStore.passwordRetrieval.keyId="<secure-store-secret-name>"
ls.lae.webapp.dbCredentialConfig.keyId="<application-database-secret-name>"
Where:
<azure-key-vault-id> - The ID of the Azure Key Vault.
<secure-store-secret-name> - The name of the Secure Store password secret created in step 2.
<application-database-secret-name> - The name of the application database password secret created in step 2.
If using a user-assigned Managed Identity, you must also set the ls.lae.keyCollectionPrincipal property to the Managed Identity Client ID.
If configuring different credential management for each of the credentials, the ls.lae.keyManagerId property is replaced by a per-credential property, named as follows:
ls.lae.secureStore.passwordRetrieval.keyManagerId for the Secure Store password
ls.lae.webapp.dbCredentialConfig.keyManagerId for the database password
e.g.
ls.lae.secureStore.passwordRetrieval.keyManagerId="analyzeProperties"
ls.lae.webapp.dbCredentialConfig.keyManagerId="azureKeyVault"
ls.lae.keyCollectionId="<azure-key-vault-id>"
ls.lae.keyCollectionType="secret"
ls.lae.webapp.dbCredentialConfig.keyId="<application-database-secret-name>"
specifies that the Secure Store password will be managed as an encrypted property in cust.prop, while the database password will be managed as an Azure Key Vault secret.
- Start the Data360 Analyze application.
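As an added check before restarting (this script is not part of Data360 Analyze or its documentation), the following Python parses a cust.prop fragment, resolves which credentials are delegated to Azure Key Vault under the global and per-credential keyManagerId rules above, and reports properties that are missing or still hold a <placeholder>. The vault ID and secret name in the sample are constructed values.

```python
# Documented per-credential property prefixes for the two credentials.
CREDENTIALS = ("ls.lae.secureStore.passwordRetrieval",
               "ls.lae.webapp.dbCredentialConfig")

def parse_props(text):
    """Parse 'key = value' lines; quotes around the value are stripped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip().strip('"')
    return props

def effective_key_manager(props, prefix):
    """A per-credential keyManagerId overrides the global ls.lae.keyManagerId."""
    return props.get(prefix + ".keyManagerId", props.get("ls.lae.keyManagerId"))

def unset(props, key):
    """True when the property is absent, empty or still a <placeholder>."""
    value = props.get(key, "")
    return not value or value.startswith("<")

def check_key_vault_config(text):
    """Return the list of problems; empty means the Key Vault wiring is complete."""
    props = parse_props(text)
    vault_backed = [p for p in CREDENTIALS
                    if effective_key_manager(props, p) == "azureKeyVault"]
    if not vault_backed:
        return []  # nothing is delegated to Key Vault, so nothing to check
    problems = []
    if props.get("ls.lae.keyCollectionType") != "secret":
        problems.append('ls.lae.keyCollectionType must be "secret"')
    if unset(props, "ls.lae.keyCollectionId"):
        problems.append("ls.lae.keyCollectionId is missing or still a placeholder")
    for prefix in vault_backed:
        if unset(props, prefix + ".keyId"):
            problems.append(prefix + ".keyId is missing or still a placeholder")
    return problems

# Constructed sample mirroring the mixed setup: Secure Store password stays an
# encrypted cust.prop property, database password comes from Key Vault.
SAMPLE = """
ls.lae.secureStore.passwordRetrieval.keyManagerId = "analyzeProperties"
ls.lae.webapp.dbCredentialConfig.keyManagerId = "azureKeyVault"
ls.lae.keyCollectionId = "example-vault"
ls.lae.keyCollectionType = "secret"
ls.lae.webapp.dbCredentialConfig.keyId = "Data360-Analyze-analyze01-8080-Database-Password"
"""
```

Run check_key_vault_config on the contents of your own cust.prop; an empty list means every Key Vault-backed credential has its collection and secret name filled in.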