
Azure Key Vault

This guide shows you how to configure Azure Key Vault as a credential store in the CData Virtuality Server and how to use these credentials when creating data sources.

Using Azure Key Vault Credentials in Data Sources

At present, Azure Key Vault support (Preview feature) in the CData Virtuality Server is available only for data sources that are relational databases (MySQL, PostgreSQL, etc.).

Pre-requisites

  • CData Virtuality Server v4.10 or later;

  • Access to Microsoft Azure Key Vault;

  • Required Azure credentials (client ID, client secret, tenant ID, and Key Vault URL).

Configuring and Integrating Azure Key Vault

If you have not created an Azure Key Vault yet, you can follow this guide.

Connecting CData Virtuality to Azure Key Vault

  1. Add the Azure Key Vault Provider
    In the dvserver-standalone.xml configuration file, locate the Elytron subsystem and the <providers> section. After the <provider-loader name="openssl" .../> entry, add the following snippet:

    XML
    <provider-loader name="azure-key-vault-provider" 
                     module="com.datavirtuality.dv" 
                     class-names="com.datavirtuality.dv.core.controller.credential.AzureKeyVaultProvider"/>
  2. Add the Azure Key Vault Credential Store
    Within the Elytron subsystem, find the <credential-stores> section and add the Azure Key Vault credential store configuration. For example, after the existing <secret-key-credential-store> entry:

    XML
    <credential-store name="azure-key-vault-store" 
                      type="AzureKeyVaultCredentialStore" 
                      providers="azure-key-vault-provider">
        <implementation-properties>
            <property name="keyVaultUrl" value="KEY_VAULT_URL"/>
            <property name="clientId" value="CLIENT_ID"/>
            <property name="clientSecret" value="CLIENT_SECRET"/>
            <property name="tenantId" value="TENANT_ID"/>
        </implementation-properties>
        <credential-reference clear-text="dummy-value"/>
    </credential-store>

    Note:
    Replace KEY_VAULT_URL, CLIENT_ID, CLIENT_SECRET, and TENANT_ID with your actual Azure Key Vault configuration values.

  3. Verifying the Configuration
    To verify that the Azure Key Vault credential store is successfully configured, run the following stored procedure:

    SQL
    CALL SYSADMIN.getCredentialStores();

    This will list all the configured credential stores, including the newly created azure-key-vault-store.

Example: Creating an SQL Server Data Source

You can use Azure Key Vault credentials when creating a data source by referencing the credential store and alias in the SYSADMIN.createOrReplaceDatasource procedure.

Important:
In the Web UI and in connectionProperties, you can specify the password (or other secret) using the following syntax instead of a plain-text value:

SQL
password="{credentialStoreName=azure-key-vault-store,credentialStoreAlias=SECRET_KEY_NAME_IN_AZURE}"

This tells CData Virtuality Server to retrieve the password from the azure-key-vault-store credential store using the secret alias SECRET_KEY_NAME_IN_AZURE (which corresponds to the name of the secret in Azure Key Vault).

For example:

SQL
CALL "SYSADMIN.createOrReplaceDatasource"(
    "name" => 'test',
    "translator" => 'sqlserver',
    "modelProperties" => 'importer.useFullSchemaName=False,importer.TableTypes="TABLE,VIEW",importer.schemaPattern=dbo,importer.defaultSchema=dbo',
    "connectionTemplateName" => 'mssql',
    "connectionProperties" => 'user-name=USER_NAME,port=SERVER_PORT,host=HOST,db=DATABASE,password="{credentialStoreName=azure-key-vault-store,credentialStoreAlias=SECRET_KEY_NAME}"',
    "enableReplace" => TRUE
);;
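
An added example, not part of the CData Virtuality documentation or product code: a Python check for reviewing connectionProperties strings before they are passed to SYSADMIN.createOrReplaceDatasource, flagging secrets given as plain values instead of the reference syntax above. The quote handling, the SECRET_KEYS set, the function names and the sample values are assumptions; the alias check applies Azure Key Vault's secret naming rule (1-127 letters, digits and hyphens), so an unreplaced placeholder such as SECRET_KEY_NAME is reported.

```python
import re

# Reference syntax shown on this page:
#   password="{credentialStoreName=<store>,credentialStoreAlias=<alias>}"
REF_RE = re.compile(
    r"^\{credentialStoreName=([^,{}]+),credentialStoreAlias=([^,{}]+)\}$"
)
# Azure Key Vault secret names: 1-127 characters, letters, digits and hyphens.
AKV_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")
# Assumption: which property names carry secrets; extend for your connectors.
SECRET_KEYS = {"password"}


def split_properties(props):
    """Split 'k=v,k="v,with,commas"' on commas that are outside double quotes."""
    pairs, buf, quoted = [], [], False
    for ch in props:
        if ch == '"':
            quoted = not quoted  # quotes delimit a value and are dropped
        elif ch == "," and not quoted:
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf))
    return dict(p.split("=", 1) for p in pairs if "=" in p)


def audit(props, expected_store="azure-key-vault-store"):
    """Return a list of findings for secret properties in connectionProperties."""
    findings = []
    for key, value in split_properties(props).items():
        if key.strip().lower() not in SECRET_KEYS:
            continue
        m = REF_RE.match(value.strip())
        if not m:
            findings.append(f"{key}: plain-text value, not a credential store reference")
            continue
        store, alias = m.groups()
        if store != expected_store:
            findings.append(f"{key}: unexpected credential store '{store}'")
        if not AKV_NAME_RE.match(alias):
            findings.append(f"{key}: alias '{alias}' is not a valid Key Vault secret name")
    return findings


# Constructed sample input (not from a real system): a plain-text password.
SAMPLE = "user-name=app,port=1433,host=db.example.internal,db=sales,password=Sup3rS3cret"
print(audit(SAMPLE))
```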