Azure Key Vault Integration
<p id="isPasted"><strong>In this guide we will cover:</strong></p><p><strong>- What is the Azure Key Vault Integration?</strong></p><p id="isPasted"><strong>- Create tickets in Halo when keys, secrets, and certificates have new versions, nearing expiry, or have expired</strong></p><p><strong>- Store Passwords using Azure Key Vault</strong></p><p><br></p><p><br></p><p><strong id="isPasted"><span style="font-size: 14pt;">What is the Azure Key Vault Integration?</span></strong></p><p>The Azure Key Vault integration allows you to use Azure Key Vault in combination with Azure Event Grid to create tickets in Halo when keys, secrets, and certificates have new versions created, are nearing 
expiry, or have expired. To set this up, you need to create an event subscription with a webhook endpoint for your key vault.</p><p><br></p><p>You can also use the integration to store passwords for selected integrations with Halo.</p><p><br></p><p><strong><span style="font-size: 14pt;">Create tickets in Halo when keys, secrets, and certificates have new versions, nearing expiry, or have expired</span></strong></p><p><strong><span style="font-size: 12pt;">Enabling the Runbook</span></strong></p><p>Enable the Azure Key Vault integration in Configuration &gt; Integrations &gt; Azure Key Vault, using the &#39;+&#39; icon. This should automatically add a custom integration and runbook.</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImM2YzYyY2EyLTk5MDktNGEwNS1hMDYzLWFkY2I3NGM1NzkzZSJ9.1w8uSHyl_U0GmzCJj-ppLKjBu1AearUL-FD5Q3gVyZg" class="fr-fic fr-fil fr-dib" width="321" height="152"></p><p><strong><span style="font-size: 10pt;">Fig 1. Enable integration module</span></strong></p><p><br></p><p>Next, go to the custom runbook &quot;Azure Key Vault&quot; and set a username and password for authorisation.</p><p><br></p><p>Make a note of the username, password, and runbook URL, as these will need to be entered into the Azure configuration.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImM0NzY1YTk3LWE1MjgtNGE3My1iYWNiLTQyMjg5MmY3MzEwNSJ9.NSUTEfppsKrRRD0GNuahvB9j5iKMBlcldRnSLzY7dg0" class="fr-fic fr-fil fr-dib" width="714" height="430"></p><p><strong><span style="font-size: 10pt;">Fig 2. 
Runbook configuration</span></strong></p><p><br></p><p><strong><span style="font-size: 12pt;">Configure Event Subscription</span></strong></p><p>With the Halo application now registered, you can go to Azure Key Vault to configure your event subscription.</p><p>In Azure Key Vault, go to Events and add an event subscription.</p><p><br></p><p>Set a name and select the event types you want. By default, all 3 types of alert will trigger for all 3 types of Key Vault object (keys, secrets, and certificates), but this can be adjusted.</p><p>Set the endpoint type to webhook, then enter the runbook URL you copied from the Halo configuration as the webhook endpoint.</p><p><br></p><p><span style="color: rgb(0, 0, 0); font-family: Poppins, sans-serif, Roboto; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjBjOWRhMGNhLWExOTItNDE3Ni05ODNhLTU4MDE5MzExNTQyOCJ9.mnWdJ1pLfbCeQ81XO9ymrtU15T7gK-tMovLgaMs-WnE" class="fr-fic fr-fil fr-dib" width="951" style="width: 951px; height: 394.344px;" height="394.344"></span></p><p><strong><span style="font-size: 10pt;">Fig 3. 
Creating an event subscription.</span></strong></p><p><br></p><p>The filters and additional features are not required, but can optionally be configured to restrict or customise the alerts that get triggered.</p><p><br></p><p><strong><span style="font-size: 12pt;">Delivery Properties</span></strong></p><p>A custom header needs to be set up to authorise the webhooks.&nbsp;</p><p>Add a header with name &quot;Authorization&quot;, type &quot;static&quot;, and set it as secret.</p><p>The value needs to be Basic, followed by a space and the Base64 encoding of your chosen username and password joined by a colon.</p><p><br></p><p><strong>For example:</strong></p><p>If you set the username to username and the password to password, you need to Base64 encode the following: username:password</p><p>Copy the result of this encoding, which for the above is dXNlcm5hbWU6cGFzc3dvcmQ=, and enter Basic followed by the encoding into the value field. So for this example, the value is: Basic dXNlcm5hbWU6cGFzc3dvcmQ=</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjM5YWJjOThmLTYxZDItNDExMi1iNDVkLTY1ZmE1ODMyZTE4ZSJ9.wL3UX651idHBptWa_O7aferycNv3b2_TJRI6_8C3CR8" class="fr-fic fr-fil fr-dib" width="799" height="279"></p><p><strong><span style="font-size: 10pt;">Fig 4. Delivery properties.</span></strong></p><p><br></p><p>All of the inputs for this are case-sensitive, so make sure to match them exactly.</p><p><br></p><p>You can then save the webhook. Now you&#39;re all set up in Azure.</p><p><br></p><p><strong><span style="font-size: 14pt;">Store Passwords using Azure Key Vault</span></strong></p><p id="isPasted">The Azure Key Vault integration can be used to store passwords for integrations with Halo. For selected On-Prem integrations that Halo needs a password to access, the password can be stored in Azure Key Vault, rather than in Halo, for enhanced security. 
When the Halo Integrator requests access to the application, it can retrieve the password from Azure Key Vault.&nbsp;</p><p><br></p><p id="isPasted">If an integration is compatible with Azure Key Vault, you will be able to choose the password storage method when setting up the integration. To check if an integration supports Azure Key Vault for password storage, check the relevant integration setup guide.</p><p><br></p><p>To set up Azure Key Vault for password storage, you first need to connect a vault to Halo. Head to the Azure Key Vault integration module in Halo and select &#39;Configure Key Vaults&#39; &gt; new.&nbsp;</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjE5ZGY5MWY1LTIxYjgtNDM1OC04OTE0LTdjZmMzMGNhOGUxYSJ9.0lMwIvS3oLr3pPaPP67txxWO8nag1PB5n-jaHMD4ogk" class="fr-fic fr-fil fr-dib" width="1235" style="width: 1237px; height: 480.404px;" height="480"></p><p><strong><span style="font-size: 10pt;">Fig 5. Configure Azure Key Vaults</span></strong></p><p><br></p><p>From here, enter a name for the vault in Halo, then enter the unique URL of the vault you would like to connect to.&nbsp;</p><p><br></p><p>Now that the details of the vault have been entered, you will need to connect your Halo Integrator to the vault. There are multiple ways that the Halo Integrator can connect to a Key Vault.</p><p><br></p><p><strong><span style="font-size: 12pt;">1. Using a client ID and secret stored in the appsettings.json file</span></strong></p><p>When using this method you will need to register a new application in Microsoft Entra and generate a client secret for the app. 
Once these are created, navigate to the Key Vault and create an access policy for your application with the &quot;Get&quot; Secret permission.</p><p><br></p><p>Then, add the following properties to the appsettings.json file for the Halo Integrator application:</p><ul><li id="isPasted">&quot;AzureTenantId&quot;: &quot;ENTER TENANT ID HERE&quot;,</li><li>&quot;AzureClientId&quot;: &quot;ENTER CLIENT ID HERE&quot;,</li><li>&quot;AzureClientSecret&quot;: &quot;ENTER SECRET VALUE HERE&quot;</li></ul><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY2NGU3NWJiLWIxMzItNDJjOC1iODA3LTU3MzVlMDRjN2QyYyJ9.wpZh_MxRRUAoFWGvyjfl9EG6QuG78o4iDDAt8cMawPM" class="fr-fic fr-fil fr-dib" width="1145" style="width: 1147px; height: 231.041px;" height="231"><strong><span style="font-size: 10pt;">Fig 6. Connect using a client ID and secret stored in the appsettings.json file</span></strong></p><p><br></p><p><strong><span style="font-size: 12pt;">2. Using a system-assigned managed identity on an Azure resource</span></strong></p><p>When using this method you will need to enable system-assigned managed identity on the Azure resource that is running the Halo Integrator. Once enabled, navigate to the Key Vault and create an access policy for the resource&#39;s managed identity with the &quot;Get&quot; Secret permission.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjVmOTZlMzY4LWQwNzAtNDg2ZC1hNmI3LTc1OTAwYTRiNjNmNyJ9.KlzArShjTXxms9QgDnai7ugvGVKCEC0F6OYFxMDMmoY" class="fr-fic fr-fil fr-dib" width="1083" style="width: 1085px; height: 119.402px;" height="119"></p><p><strong><span style="font-size: 10pt;">Fig 7. Connect using a system-assigned managed identity on an Azure resource</span></strong></p><p><br></p><p><strong><span style="font-size: 12pt;">3. 
Using a user-assigned managed identity that has been associated with an Azure resource</span></strong></p><p>When using this method you will need to create a user-assigned managed identity and assign it to the resource running the Halo Integrator. Once assigned, navigate to the Key Vault and create an access policy for the managed identity with the &quot;Get&quot; Secret permission.</p><p><br></p><p>Then, take the Client ID of the managed identity you created and enter it into the integration setup page in Halo.&nbsp;</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjdmZjE4NGI1LWE1MjQtNGY5NC05MTI3LTVmMjRkMjg5YWIwZiJ9.cSW5ugCEHLwA5m5OY2lT2qJrRCV_tEL7DGsNKgND2sw" class="fr-fic fr-fil fr-dib" width="1276" style="width: 1278px; height: 199.349px;" height="199"></p><p><strong><span style="font-size: 10pt;">Fig 8. Connect using a user-assigned managed identity that has been associated with an Azure resource</span></strong></p><p><br></p><p>Once you have configured a Key Vault, you can select it on the corresponding integration setup screen and specify the name of the secret to be retrieved.&nbsp;</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjM3NDkzYjdhLTNlNjctNGJhMC1iMTNkLWY4YmNiYzY5OGJmZiJ9.yDkq7_N5eRkRSCgLtbhz1dUY_mkQEM5qINkiTGRidAg" class="fr-fic fr-fil fr-dib" width="384" style="width: 386px; height: 199.682px;" height="200"></p><p><strong><span style="font-size: 10pt;">Fig 9. Choose password to be stored in Azure Key Vault for integration</span></strong></p><p><br></p><p>If configured and deployed correctly, the Halo Integrator will retrieve the password from Azure Key Vault to process the integration.</p><p><br></p>
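<p>Added example for the Delivery Properties step (not part of the original guide and not Halo's own code): a Python helper that builds the Authorization header value and checks a value before it is pasted into Azure, catching the usual reasons a webhook is rejected. The function names are hypothetical, and the credentials are the guide's username and password placeholders.</p>

```python
import base64
import binascii
import hmac


def basic_auth_value(username: str, password: str) -> str:
    """Value for the Authorization delivery property: 'Basic ' + Base64(username:password)."""
    if ":" in username:
        raise ValueError("a Basic auth username cannot contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    # Base64 is an encoding, not encryption: anyone who can read the header
    # value recovers the password, which is why the header is marked secret.
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_header_value(value: str, username: str, password: str) -> list:
    """Return the problems found in a header value ([] means it is correct)."""
    scheme, _, token = value.partition(" ")
    problems = []
    if scheme != "Basic":
        problems.append("scheme must be exactly 'Basic' followed by one space")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return problems + ["token is not valid Base64"]
    if decoded != decoded.strip():
        problems.append("encoded text has stray whitespace (a trailing newline "
                        "is typical when the string was piped from echo)")
    user, sep, pwd = decoded.strip().partition(":")
    if not sep:
        problems.append("decoded text is not in username:password form")
    elif not (hmac.compare_digest(user.encode(), username.encode())
              and hmac.compare_digest(pwd.encode(), password.encode())):
        problems.append("credentials differ from the runbook's (case-sensitive)")
    return problems


if __name__ == "__main__":
    # Constructed sample values, matching the placeholders used in the guide.
    good = basic_auth_value("username", "password")
    print(good)
    print(check_header_value(good, "username", "password"))
    with_newline = "Basic " + base64.b64encode(b"username:password\n").decode()
    print(check_header_value(with_newline, "username", "password"))
    print(check_header_value("basic " + good[6:], "Username", "password"))
```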