Cloud key management
Azure BYOK
Configure Azure credentials for communication with the KMES Series 3
Before the KMES Series 3 can push keys into an Azure Key Vault, you must create credentials in Azure and configure them on the KMES. In Azure, these credentials are App Registrations; on the KMES, they are Cloud Credentials.

Create an App Registration

1. Log in to the Azure portal and navigate to https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
2. Create a new App Registration.
3. Select Certificates & secrets in the sidebar, scroll down to Client secrets, add a new secret, and copy the client secret value to a secure location. After the client secret value is generated, there is a time limit for viewing it, so you must save it immediately in a plain text file with no additional characters included.
4. Go to the main page for the App Registration by selecting Overview. In Overview, copy the Tenant ID and Client ID to a secure location.

You need the Tenant ID, Client ID, and Client Secret values when creating a Cloud Credential on the KMES, as described in a later section.

Create an Azure Key Vault

You can use an existing Key Vault instead of creating a new one, but it must be in the Premium service tier to support HSM-backed keys. To create a new vault, perform the following steps:

1. Navigate to https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults.
2. Select Create to start the Key Vault creation wizard.
3. Set the pricing tier to Premium. Set the other fields under the Basics tab according to your specific use case.
4. On the Access policy tab, configure either a vault access policy or Azure role-based access control. Regardless of which you choose, you must grant the App Registration you created in the previous section the following key permissions:

   Permission   Description
   Get          For general operations
   List         For general operations
   Create       For creating the ephemeral RSA KEK used in BYOK
   Import       For importing keys
   Delete       For deleting the ephemeral RSA KEK and for deleting your own key material
   Purge        Only required if the Key Vault supports soft delete. The KMES auto-detects this and does not call Purge if it is unnecessary.

   The permissions given to the App Registration are the permissions that the Cloud Credential has on the KMES.
5. On the Networking tab, set the connectivity method to either Public endpoint (all networks) or Public endpoint (selected networks). If you set the connectivity method to Public endpoint (selected networks), you must whitelist in Azure the subnet that the KMES Series 3 connects from.
6. Select Review + create at the bottom of the page to finish creating the Key Vault.
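A pre-flight check for the vault requirements above, added here as an example and not part of the Futurex documentation: it reads the JSON that `az keyvault show` prints and reports whether the Premium tier, the key permissions listed above (adding Purge only when soft delete is enabled), and the public-endpoint networking rules are satisfied. The vault document, the app registration's object id and the KMES source range below are constructed sample values.

```python
"""Check an Azure Key Vault against the KMES Series 3 BYOK prerequisites."""
import json

# Key permissions the app registration must hold; Purge is added only when the
# vault has soft delete enabled, because the KMES does not call Purge otherwise.
REQUIRED_KEY_PERMISSIONS = {"get", "list", "create", "import", "delete"}


def check_vault(vault: dict, app_object_id: str, kmes_source: str) -> list[str]:
    """Return findings; an empty list means the vault meets the requirements.
    vault: object printed by `az keyvault show`; app_object_id: service principal
    object id of the app registration; kmes_source: range the KMES connects from."""
    props = vault.get("properties", {})
    findings = []
    # HSM-backed keys require the Premium tier.
    if str(props.get("sku", {}).get("name", "")).lower() != "premium":
        findings.append("tier is not Premium: HSM-backed keys are unsupported")
    required = set(REQUIRED_KEY_PERMISSIONS)
    if props.get("enableSoftDelete"):
        required.add("purge")
    if props.get("enableRbacAuthorization"):
        findings.append("vault uses Azure RBAC: confirm the app's role grants "
                        + ", ".join(sorted(required)))
    else:  # vault access policy: collect the key permissions granted to the app
        granted = {k.lower() for p in props.get("accessPolicies", [])
                   if p.get("objectId", "").lower() == app_object_id.lower()
                   for k in p.get("permissions", {}).get("keys", [])}
        missing = required - granted
        if missing:
            findings.append("app lacks key permissions: " + ", ".join(sorted(missing)))
    # Connectivity: public endpoint, all networks or selected networks with KMES allowed.
    acls = props.get("networkAcls") or {}
    if str(props.get("publicNetworkAccess", "Enabled")).lower() != "enabled":
        findings.append("public endpoint disabled: the KMES cannot reach the vault")
    elif str(acls.get("defaultAction", "Allow")).lower() == "deny":
        allowed = {r.get("value") for r in acls.get("ipRules") or []}
        if kmes_source not in allowed:
            findings.append(f"selected networks only, but {kmes_source} is not whitelisted")
    return findings


# Constructed sample shaped like `az keyvault show` output (not a real vault).
SAMPLE_VAULT = json.loads("""{"name": "byok-demo", "properties": {
  "sku": {"name": "premium"}, "enableSoftDelete": true, "enableRbacAuthorization": false,
  "accessPolicies": [{"objectId": "11111111-2222-3333-4444-555555555555",
    "permissions": {"keys": ["get", "list", "create", "import", "delete"]}}],
  "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "198.51.100.0/24"}]}}}""")
APP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # constructed
if __name__ == "__main__":
    for finding in check_vault(SAMPLE_VAULT, APP_OBJECT_ID, "198.51.100.0/24"):
        print("FINDING:", finding)
```

On the sample vault the only finding is the missing Purge permission, which the soft-delete setting makes mandatory.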