ONTAP 9.13.1 commands

security key-manager external azure enable

Enable Azure Key Vault

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command enables the Azure Key Vault (AKV) associated with the given Vserver. An Azure application and AKV must be deployed on the Azure portal prior to running this command. This command is not supported for the admin Vserver, or if a key manager for the given data Vserver is already enabled. This command is also not supported in a MetroCluster environment.

Parameters

-vserver <Vserver Name> - Vserver

Use this parameter to specify the Vserver on which the AKV is to be enabled.

-client-id <text> - Application (Client) ID of Deployed Azure Application

Use this parameter to specify the client (application) ID of the deployed Azure application.

-tenant-id <text> - Directory (Tenant) ID of Deployed Azure Application

Use this parameter to specify the tenant (directory) ID of the deployed Azure application.

-name {(ftp|http|https)://(hostname|IPv4 Address|'['IPv6 Address']')…​} - Deployed Azure Key Vault DNS Name

Use this parameter to specify the DNS name of the deployed AKV.

[-authentication-method <AKV Authentication Method>] - Authentication Method for Azure Application

Use this parameter to specify either client_secret authentication or certificate authentication for the deployed AKV.

-key-id {(ftp|http|https)://(hostname|IPv4 Address|'['IPv6 Address']')…​} - Key Identifier of AKV Key Encryption Key

Use this parameter to specify the key identifier of the AKV Key Encryption Key (KEK).

[-oauth-server <text>] - Open Authorization Host Name

Use this parameter to specify the host name of the Open Authorization server.

Examples

The following example enables the AKV for Vserver v1. An Azure application with client-id "4a0f9c98-c5aa-4275-abe3-2780cf2801c3", tenant-id "8e21f23a-10b9-46fb-9d50-720ef604be98", client secret (not echoed to the screen for security purposes), OAuth server at 10.12.34.1 and an AKV with DNS name "https://akv-keyvault.vault.azure.net" is deployed on the Azure portal. An AKV KEK with DNS name "https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74" is created on the Azure portal for the AKV.

cluster-1::>security key-manager external azure enable -client-id 4a0f9c98-c5aa-4275-abe3-2780cf2801c3 -tenant-id 8e21f23a-10b9-46fb-9d50-720ef604be98 -name https://akv-keyvault.vault.azure.net -key-id https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74 -authentication-method client_secret -vserver v1 -oauth-server 10.12.34.1

Enter the client secret for Azure Key Vault:

Re-enter the client secret for Azure Key Vault:

The following example enables the AKV for Vserver v1. An Azure application with client-id "4a0f9c98-c5aa-4275-abe3-2780cf2801c3", tenant-id "8e21f23a-10b9-46fb-9d50-720ef604be98", a client certificate (not echoed to the screen for security purposes), OAuth server at 10.12.34.1 and an AKV with DNS name "https://akv-keyvault.vault.azure.net" is deployed on the Azure portal. An AKV KEK with DNS name "https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74" is created on the Azure portal for the AKV.

cluster-1::>security key-manager external azure enable -client-id 4a0f9c98-c5aa-4275-abe3-2780cf2801c3 -tenant-id 8e21f23a-10b9-46fb-9d50-720ef604be98 -name https://akv-keyvault.vault.azure.net -key-id https://akv-keyvault.vault.azure.net/keys/key1/a8e619fd8f234db3b0b95c59540e2a74 -authentication-method certificate -vserver v1 -oauth-server 10.12.34.1

Enter the client certificate for Azure Key Vault:
Top of Page