security key-manager external azure enable

Enable Azure Key Vault

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command enables the Azure Key Vault (AKV) associated with the given Vserver. An Azure application and AKV must be deployed on the Azure portal prior to running this command. This command is not supported for the admin Vserver, or if a key manager for the given data Vserver is already enabled. This command is also not supported in a MetroCluster environment.

Parameters

-vserver <Vserver Name> - Vserver: Use this parameter to specify the Vserver on which the AKV is to be enabled.
-client-id <text> - Application (Client) ID of Deployed Azure Application: Use this parameter to specify the client (application) ID of the deployed Azure application.
-tenant-id <text> - Directory (Tenant) ID of Deployed Azure Application: Use this parameter to specify the tenant (directory) ID of the deployed Azure application.
-name {(ftp|http)://(hostname|IPv4 Address|'['IPv6 Address']')...} - Deployed Azure Key Vault DNS Name: Use this parameter to specify the DNS name of the deployed AKV.
[-authentication-method <AKV Authentication Method>] - Authentication Method for Azure Application: Use this parameter to specify either client_secret authentication or certificate authentication for the deployed AKV.
-key-id {(ftp|http)://(hostname|IPv4 Address|'['IPv6 Address']')...} - Key Identifier of AKV Key Encryption Key: Use this parameter to specify the key identifier of the AKV Key Encryption Key (KEK).

Examples

The following example enables the AKV for Vserver v1. An Azure application with client-id "4a0f9c98-c5aa-4275-abe3-2780cf2801c3", tenant-id "8e21f23a-10b9-46fb-9d50-720ef604be98", client secret (not echoed to the screen for security purposes) and an AKV with DNS name "https://akv-keyvault.vault.azure.net" is deployed on the Azure portal. An AKV KEK with DNS name "https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74" is created on the Azure portal for the AKV.

cluster-1::>security key-manager external azure enable -client-id 4a0f9c98-c5aa-4275-abe3-2780cf2801c3 -tenant-id 8e21f23a-10b9-46fb-9d50-720ef604be98 -name https://akv-keyvault.vault.azure.net -key-id https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74 -authentication-method client_secret -vserver v1

Enter the client secret for Azure Key Vault:

Re-enter the client secret for Azure Key Vault:

The following example enables the AKV for Vserver v1. An Azure application with client-id "4a0f9c98-c5aa-4275-abe3-2780cf2801c3", tenant-id "8e21f23a-10b9-46fb-9d50-720ef604be98", a client certificate (not echoed to the screen for security purposes) and an AKV with DNS name "https://akv-keyvault.vault.azure.net" is deployed on the Azure portal. An AKV KEK with DNS name "https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74" is created on the Azure portal for the AKV.

cluster-1::>security key-manager external azure enable -client-id 4a0f9c98-c5aa-4275-abe3-2780cf2801c3 -tenant-id 8e21f23a-10b9-46fb-9d50-720ef604be98 -name https://akv-keyvault.vault.azure.net -key-id https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74 -authentication-method certificate -vserver v1

Enter the client certificate for Azure Key Vault: