Setting up encryption key per tenant
It is possible to use Microsoft Azure Key Vault to encrypt each tenant in your Orchestrator instance with its own unique key. Orchestrator uses the Key Vault to store and manage those keys securely, which gives you stronger segregation of data between tenants.
Orchestrator installed in Automation Suite can use this feature, but the Orchestrator app must have outbound network access to the internet and to your Azure Key Vault.
Orchestrator authenticates to Azure Key Vault through an Azure App Registration. An app registration is the identity to which Azure grants privileges: here Orchestrator is the application, and access to the Key Vault is the privilege granted to it.
Enabling the feature requires editing the orchestrator-customconfig configmap used in the Automation Suite cluster and modifying the relevant ArgoCD parameters for the Orchestrator app from the ArgoCD UI. Once these criteria are met, Orchestrator can use Azure Key Vault to encrypt each tenant.
You need the following before you start:
- Your own Microsoft Azure Key Vault
- A clean Orchestrator installation in Automation Suite
- A valid SSL certificate:
  - Private Key Certificate: upload it in App Services > SSL Settings > Private Key Certificates
  - Public Key Certificate: upload it in App registrations > Settings > Keys > Public Keys (in the current Azure portal this is Manage > Certificates & secrets)
- (Optional) A self-signed certificate
To convert the .pfx certificate file to base64, run one of the following commands:
- PowerShell:
  [convert]::ToBase64String((Get-Content -path "path_to_certificate" -Encoding byte))
- Shell:
  base64 path_to_certificate
Note that -Encoding byte exists only in Windows PowerShell 5.1; in PowerShell 7 use Get-Content -AsByteStream instead. GNU base64 on Linux wraps its output at 76 characters by default, so pass -w 0 to get the single-line value a configuration file expects.
In Azure Portal's App Registrations pane, follow these steps:
- Create a new app registration.
- Copy the Application (Client) ID for later use.
- Go to Manage > Certificates & Secrets and upload the public key certificate from the prerequisites. After the upload, Azure shows the certificate's thumbprint; keep it so you can confirm later that Orchestrator is using the same certificate.
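The certificate steps above (create a self-signed certificate, split out the public part for the app registration, base64-encode the .pfx for Orchestrator, and check the thumbprint against the portal) as one added shell example. This is not UiPath's code: it assumes openssl and GNU coreutils base64 are installed, and the file name orchestrator-keyvault.* and the PFX password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the UiPath documentation.
# Assumes: openssl, GNU coreutils base64 (for -w 0). Names and the
# PFX password below are placeholders.
set -eu

# Create a self-signed certificate and write the two artifacts the setup needs:
#   <name>.pfx  private key + certificate, for Orchestrator
#   <name>.cer  public certificate only (DER), for the app registration
make_self_signed_cert() {
  dir="$1"; name="$2"; pfx_password="$3"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" \
    -subj "/CN=$name" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -out "$dir/$name.pfx" -passout "pass:$pfx_password"
  openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.cer"
}

# Base64-encode a file as one unbroken line. GNU base64 wraps at 76 columns
# by default, and a wrapped value pasted into a configmap silently breaks.
pfx_to_base64() {
  base64 -w 0 "$1"
}

# SHA-1 thumbprint as upper-case hex without colons, the form the Azure
# portal shows under Certificates & secrets after the upload.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Decode the base64 again and confirm it is still a PKCS#12 bundle that opens
# with the expected password (returns non-zero otherwise).
verify_pfx_base64() {
  b64="$1"; pfx_password="$2"; ok=1
  tmp=$(mktemp)
  printf '%s' "$b64" | base64 -d > "$tmp"
  if openssl pkcs12 -in "$tmp" -passin "pass:$pfx_password" -noout >/dev/null 2>&1; then
    ok=0
  fi
  rm -f "$tmp"
  return $ok
}

main() {
  work=$(mktemp -d)
  make_self_signed_cert "$work" orchestrator-keyvault 'ChangeMe!'
  echo "Upload to the app registration (public key): $work/orchestrator-keyvault.cer"
  echo "Thumbprint to compare with the portal:       $(cert_thumbprint "$work/orchestrator-keyvault.crt")"
  b64=$(pfx_to_base64 "$work/orchestrator-keyvault.pfx")
  verify_pfx_base64 "$b64" 'ChangeMe!' && echo "Base64 .pfx round-trips correctly"
  echo "Base64 .pfx for the Orchestrator configuration:"
  echo "$b64"
}

if command -v openssl >/dev/null 2>&1; then
  main "$@"
else
  echo "openssl not found; skipping demo run" >&2
fi
```

The private key never leaves the .pfx, and the .cer handed to the app registration contains only the public certificate, so the two uploads in the prerequisites get exactly the material they need and nothing more.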
Make the following configuration changes to Orchestrator: