Adding an Azure Key Vault Server
You can use the Azure AD App Registration tool to add a Microsoft Azure Key Vault server from the Azure PowerShell command line. You can run the tool from the CommServe computer where you want to add the key management server or from any other computer that can communicate with the Web Server.
Before You Begin
- The computer from which you will perform the Key Vault server installation must meet the following requirements:
- Azure PowerShell version 6.1 or a more recent version must be installed.
- AzureRM module version 6.0 or a more recent version must be installed.
- Verify that the Commvault Tomcat service is running. For more information, see Controlling Services on Windows.
- Obtain the certificate that establishes trust with the Key Vault. The key length of the certificate should be a minimum of 2048 bits.
- You must have the following information for the Key Vault:
- Key Vault subscription ID
- Resource group name and resource name
- Verify that the Azure user account has the User Access Administrator role on the resource.
- Copy the certificate that establishes trust with the Key Vault to the CommServe computer.
If you will add the Key Vault server from a computer other than the CommServe computer, then copy the certificate to that computer
- Log on to the computer from which you will add the Key Vault server.
- Download the Azure AD App Registration tool from the Commvault Store.
For instructions, see Downloading Items from Commvault Store.
- Log on to the Azure PowerShell command line.
- Go to the location where the CVAzureADAppRegistration.exe tool is available, and then run the following command:
CVAzureADAppRegistration.exe -WebServerUrl web_server_URL -CommCellUserName commcell_user_name -SubscriptionId subscription_ID -ResourceGroupName resource_group_name -ResourceName resource_name -ApplicationName application_name -Certificate certificate -CertificateOnCS certificate_on_commserve_computer -KeyVaultPermissionsToKeys
- web_server_URL is the URL of the CommServe computer
- commcell_user_name is the user name of the CommServe administrator account
- subscription_ID is the subscription ID of the Azure Key Vault account
- resource_group_name is the resource group name of the Key Vault
- resource_name is the resource name of the Key Vault
- application_name is the name of the key management server that will be created on the CommServe computer
- certificate_on_commserve_computer (optional) is the location of the certificate file on the CommServe computer—if you are running the PowerShell from a different computer
In addition, you can use the following optional parameters:
- KeyVaultPermissionsToKeys: Specify permissions to access keys. Default value is @("decrypt","encrypt","unwrapKey","wrapKey","get","list","update","create","delete").
- KMSEncType: Type of keys to create RSA or RSA-HSM. Specify 1001 for RSA and 1002 for RSA-HSM. Default value is 1001 (RSA).
- KMSEncKeyLength: Key length to use. Default value is 2048. Supported values are 2048 and 3072.
Note: The key length of 3072 is in preview. For more information, review Microsoft Azure documentation.
- AzureEnvironment: Azure cloud environment to use. Default value is AzureCloud. Supported values are AzureCloud, AzureUSGovernment, AzureGermanCloud and AzureChinaCloud.
Following is an example command:
CVAzureADAppRegistration.exe -WebServerUrl http://demoma.democert.loc:81/SearchSvc/CVWebService.svc -CommCellUserName admin -SubscriptionId 39852ggg-e752-47d1-b5e7-5f3c277618ee -ResourceGroupName DemoRG -ResourceName DemoResource -ApplicationName AzureKeyVault -Certificate C:\Demo\CertForAzureKV.pfx
A prompt for the password for the CommServe administrator account appears. This is the administrator account used in the preceding registration command.
- Enter the password for the CommServe administrator account.
A prompt for the certificate password appears.
- Enter the certificate password.
A log on window appears.
- Enter the credentials for the Azure user account that has the User Access Administrator role on the resource.
The Key Vault server appears in the Encryption Key Management Servers dialog box. The name of the server is the application name.
Last modified: 3/17/2020 11:50:54 AM