Configuring the DKE
The DKE module is configured in the dke section of the config.json file. You can configure it independently for each tenant.
The template for the DKE configuration block is as follows:
"dke": {
"enable": true,
"directory_tenant_id": "_DIRECTORY_TENANT_ID_",
"authentication": [
{
"discovery_uri": "_DKE_DISCOVERY_URI_",
"client_id": "_DKE_CLIENT_ID_"
}
],
"policy_enforcement": {
"enable": true,
"type": "_POLICY_ENFORCEMENT_TYPE_",
"opa_server": {
"url": "_URL_",
"authentication": {
"type": "basic",
"user_id": "_USER_ID_",
"password": "_PASSWORD_"
}
}
},
"cache": {
"enable": false,
"duration_in_seconds": "_DKE_CACHE_DURATION_IN_SECONDS_"
}
}

| Parameter | Description | Type | Optional/ mandatory |
|---|---|---|---|
| enable | Enables or disables the DKE module for the tenant. | Boolean | Mandatory to use the DKE module |
| directory_tenant_id | ID of the Azure directory tenant (as used by Azure Purview) that issues the DKE tokens. It is the same tenant ID that appears in the discovery_uri below. | String in UUID format | Mandatory to use the DKE module |
Authentication parameter
JSON array containing the configuration that allows authenticating to the DKE module, with one object per identity provider. Identity provisioning is managed by Azure Purview services.

| Parameter | Description | Type | Optional/ mandatory |
|---|---|---|---|
| discovery_uri | URL of the OpenID Connect discovery document (the JSON configuration file) used for OpenID authentication. The token is issued by Microsoft Azure. The discovery_uri must match the issuer (iss claim) of the JWT sent: https://sts.windows.net/<YOUR_DIRECTORY_TENANT_ID>/.well-known/openid-configuration | String | Mandatory |
| client_id | Intended recipient (aud claim, see RFC 7519) of the JWT authentication token. An entry must be added for each identity provider. The client_id must match the audience of the JWT sent: <BASE_URL>. The BASE_URL must match the kacls_url configuration and the Application ID URI of the Azure application used for DKE; a token whose audience differs is rejected. | String | Mandatory |
policy_enforcement parameter
JSON object containing the configuration of the optional OPA enforcement feature for the DKE module. For more information, see Implementing the authorization rules with Open Policy Agent.

| Parameter | Description | Type | Optional/ mandatory |
|---|---|---|---|
| enable | Enables the use of OPA rules for the module. | Boolean | Mandatory for each enabled module except the PKI. |
| type | Kind of OPA policy to use. The possible values are: opa_server (the value used in the template above; the rules are evaluated by the external OPA server described in the opa_server object). | String | Mandatory if policy_enforcement.enable is set to true |
| opa_server | JSON object describing the parameters required to access the OPA policy server; it contains the url and authentication fields below. Stormshield guarantees compatibility with OPA version 1.2.0. | Object | Mandatory if policy_enforcement.type is set to opa_server |
| url | URL of the endpoint exposed by the OPA data API. For more information, see the OPA documentation. Example: if your Rego package is stormshield.kmaas and it defines the allow variable, the URL is https://opa-server/v1/data/stormshield/kmaas/allow. The authorized protocols are http and https; Stormshield strongly recommends https in production, since the basic-authentication credentials below travel with every request. | String | Mandatory if policy_enforcement.type is set to opa_server |
| authentication | JSON object describing the parameters required to authenticate to the OPA policy server. It includes the following fields: type (basic, as in the template above), user_id and password. | Object | Mandatory if type is set to opa_server |
EXAMPLE
The content below is provided as an example and must not be used as such in the Stormshield KMaaS DKE configuration of one of your tenants.
cache parameter
JSON object containing the configuration that controls the cache for the getKey route of the DKE module.

| Parameter | Description | Type | Optional/ mandatory |
|---|---|---|---|
| enable | Enables or disables the cache in the getKey response. | Boolean | Mandatory |
| duration_in_seconds | Specifies how long a public key returned by getKey remains valid after the request. Its expiration date is returned in the cache.exp parameter of the response. For example, if duration_in_seconds is 3600 (one hour), cache.exp is the date one hour after the request is made. A longer duration reduces the number of getKey requests but delays the moment at which clients pick up a changed key. | Number (positive integer) | Mandatory if enable is set to true |
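The rules above are easy to get subtly wrong (a tenant-agnostic discovery_uri, an OPA URL over plain http, a cache duration quoted as a string). The following is an added example, not Stormshield's own code, that lints a tenant's dke block against the matching rules this page states and checks a verified token's iss/aud claims against the authentication entries. It assumes config.json is loaded as a dict and that the kacls_url setting the page refers to is a top-level key of that dict (the page names the setting but not where it lives); the tenant ID, base URL and both sample configurations are constructed for the example.

```python
"""Lint a Stormshield KMaaS 'dke' block against the rules stated on this page.

Added example, not Stormshield's own code. Assumptions: config.json is loaded
as a dict and the kacls_url setting is a top-level key of it (the page names the
setting but not its location).
"""
import copy
import uuid
from urllib.parse import urlparse

OPENID_SUFFIX = ".well-known/openid-configuration"


def issuer_for(tenant_id: str) -> str:
    """Issuer URL of tokens from this directory tenant (page: sts.windows.net)."""
    return f"https://sts.windows.net/{tenant_id}/"


def lint_dke(config: dict) -> list:
    """Return (severity, message) findings; an empty list means nothing found."""
    findings = []
    dke = config.get("dke", {})
    kacls_url = config.get("kacls_url")  # assumed location, see docstring
    if not dke.get("enable"):
        return [("info", "dke.enable is false: DKE module disabled for this tenant")]

    tenant = str(dke.get("directory_tenant_id", ""))
    try:
        uuid.UUID(tenant)
    except ValueError:
        findings.append(("error", "directory_tenant_id is not a UUID"))

    entries = dke.get("authentication") or []
    if not entries:
        findings.append(("error", "authentication needs one entry per identity provider"))
    expected_uri = issuer_for(tenant) + OPENID_SUFFIX  # must match the JWT issuer
    for i, entry in enumerate(entries):
        if entry.get("discovery_uri") != expected_uri:
            findings.append(("error", f"authentication[{i}].discovery_uri must be {expected_uri}"))
        if kacls_url is not None and entry.get("client_id") != kacls_url:
            findings.append(("error", f"authentication[{i}].client_id must equal kacls_url"))

    pe = dke.get("policy_enforcement", {})
    if pe.get("enable"):
        if not pe.get("type"):
            findings.append(("error", "policy_enforcement.type is mandatory when enable is true"))
        if pe.get("type") == "opa_server":
            opa = pe.get("opa_server", {})
            url = urlparse(opa.get("url", ""))
            if url.scheme not in ("http", "https") or not url.netloc:
                findings.append(("error", "opa_server.url must be an http or https URL"))
            elif url.scheme == "http":  # basic-auth credentials would go in clear
                findings.append(("warning", "opa_server.url uses http; use https in production"))
            if not url.path.startswith("/v1/data/"):
                findings.append(("warning", "opa_server.url should target the OPA data API (/v1/data/...)"))
            auth = opa.get("authentication", {})
            if auth.get("type") != "basic" or not auth.get("user_id") or not auth.get("password"):
                findings.append(("error", "opa_server.authentication needs type basic, user_id, password"))

    cache = dke.get("cache", {})
    if cache.get("enable"):
        d = cache.get("duration_in_seconds")
        if isinstance(d, bool) or not isinstance(d, int) or d <= 0:
            findings.append(("error", "cache.duration_in_seconds must be a positive integer"))
    return findings


def token_matches(claims: dict, dke: dict) -> bool:
    """For an already signature-verified JWT: iss must be the issuer behind some
    entry's discovery_uri and aud must contain that entry's client_id."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    for entry in dke.get("authentication", []):
        issuer = entry["discovery_uri"].split(OPENID_SUFFIX)[0]
        if claims.get("iss") == issuer and entry["client_id"] in audiences:
            return True
    return False


TENANT = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant ID
BASE_URL = "https://kmaas.example.com/dke"          # constructed Application ID URI
WEAK = {  # constructed tenant config with three common mistakes
    "kacls_url": BASE_URL,
    "dke": {
        "enable": True,
        "directory_tenant_id": TENANT,
        "authentication": [{"discovery_uri": "https://login.microsoftonline.com/common/" + OPENID_SUFFIX,
                            "client_id": BASE_URL}],
        "policy_enforcement": {"enable": True, "type": "opa_server", "opa_server": {
            "url": "http://opa-server/v1/data/stormshield/kmaas/allow",
            "authentication": {"type": "basic", "user_id": "kmaas", "password": "changeme"}}},
        "cache": {"enable": True, "duration_in_seconds": "3600"},
    },
}
FIXED = copy.deepcopy(WEAK)  # tenant-bound discovery_uri, https to OPA, numeric duration
FIXED["dke"]["authentication"][0]["discovery_uri"] = issuer_for(TENANT) + OPENID_SUFFIX
FIXED["dke"]["policy_enforcement"]["opa_server"]["url"] = "https://opa-server/v1/data/stormshield/kmaas/allow"
FIXED["dke"]["cache"]["duration_in_seconds"] = 3600

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, lint_dke(cfg))
```

The weak configuration yields three findings (wrong discovery_uri, http to OPA, string cache duration) and the corrected copy none; note that a token issued by the right tenant is rejected by token_matches under the weak configuration, because the issuer derived from the common discovery_uri never equals the tenant-specific iss claim. Signature verification against the JWKS referenced by the discovery document is assumed to have happened before token_matches is called.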