Third-Party Key Management

There are several third-party key management solutions that provide a secure way to store secrets such as passwords, API keys, and tokens.


MFT Server supports three third-party key management solutions.

  • Amazon AWS Key Management Service (AWS KMS)
  • Microsoft Azure Key Vault (Access Key or Azure Managed Identity)
  • CyberArk Identity Security Platform

Accessing information from key managers is supported when defining Network Storage, Trading Partner, and Trigger Action definitions that include one or more fields that store sensitive data.


The sensitive information can be retrieved from a supported key management solution rather than embedding the information in the fields. This is accomplished by following the steps below.

  1. Create a Trading Partner by navigating to Domain > AUTOMATION > Trading Partner > Trading Partner.
  2. Click Add. The Add Trading Partner dialog displays.
  3. Select the desired Protocol from the dropdown list. Supported Protocols include Amazon AWS, Microsoft Azure/OneDrive/SharePoint, and CyberArk. Click OK. The Add <Trading Partner Name> Trading Partner dialog displays.
  4. Configure the Trading Partner accordingly, then click OK, or click Test Server to ensure the connection is working. For information about each supported protocol, select the desired link: Amazon AWS trading partner, Microsoft OneDrive/SharePoint trading partner, or CyberArk trading partner.
  5. Add or edit the ACCOUNTS > Network Storage, AUTOMATION > Trading Partner, or AUTOMATION > Trigger definition whose field values you want to populate using the key manager configured in the Trading Partner described in Step 1. Use the GetSecret function in each field where the sensitive data belongs. The GetSecret function is described below.

GetSecret function

The GetSecret function syntax is GetSecret(String tradingPartner, String secretName, String keyName). Each parameter is described below.

  • tradingPartner Identifies the key management solution as configured in the Trading Partner created in Step 1.
  • secretName Identifies the secret vault name.
    • When using AWS, this parameter is called the Secret name.
    • When using Azure, this parameter is called the Key vaults.
  • keyName Identifies the secret key name.
    • When using AWS, this parameter is called the Secret key.
    • When using Azure, this parameter is called the Secrets name.

Assume you would like to retrieve sensitive information from a Microsoft Azure Key Vault. To accomplish this, you would need to create a Microsoft Azure/OneDrive/SharePoint Trading Partner that has access to the key vault, as depicted in the image below.


Next, edit or create the Trigger Action, Network Storage, or Trading Partner definition in which you want the key management solution to populate one or more fields. Use the GetSecret function in each field whose value should be retrieved from the key vault.


Assume you would like to create a Dropbox Trading Partner. You would like to retrieve the Access Token field from a Microsoft Azure Key Vault, where the token is securely stored. The image below depicts how this would work. Instead of hard-coding the Access Token field with the value, use the GetSecret function.

The first parameter of the function is the previously created MS_Azure_Vault Trading Partner, depicted in the image above. When using the Azure Key Vault, the second parameter is the key vault name, and the third parameter is the secrets name.


When the Dropbox Trading Partner is used in a Trading Partner Trigger Action, the Access Token field will be populated based on the retrieval of the Secrets name from the Azure Key Vault.
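To show how a field value holding the documented GetSecret(tradingPartner, secretName, keyName) syntax is resolved, here is an added illustration in Python; it is not MFT Server's own implementation. The partner registry, the vault contents, the vault name "mft-kv" and the secret name "dropbox-access-token" are constructed stand-ins, and only "MS_Azure_Vault" and the provider names come from the page.

```python
import re
from typing import Dict, Tuple

# Constructed stand-in for the Trading Partner registry: partner name -> protocol.
# "MS_Azure_Vault" is the partner from the walkthrough above; the others are invented.
TRADING_PARTNERS: Dict[str, str] = {
    "MS_Azure_Vault": "Microsoft Azure/OneDrive/SharePoint",
    "AWS_Secrets": "Amazon AWS",
    "Dropbox_Prod": "Dropbox",  # a consumer of secrets, not a key manager
}

# Constructed in-memory stand-in for the providers' vaults, keyed by
# (tradingPartner, secretName, keyName). Real values never live in the definition.
VAULTS: Dict[Tuple[str, str, str], str] = {
    ("MS_Azure_Vault", "mft-kv", "dropbox-access-token"): "sl.constructed-token",
    ("AWS_Secrets", "prod/mft", "api_key"): "constructed-aws-value",
}

# Only these protocols can back a GetSecret reference (the three listed on the page).
KEY_MANAGER_PROTOCOLS = {"Amazon AWS", "Microsoft Azure/OneDrive/SharePoint", "CyberArk"}

# Matches GetSecret("partner", "vault", "key") with double-quoted string arguments.
GETSECRET_RE = re.compile(
    r'^\s*GetSecret\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\s*$')


def resolve_field(value: str) -> str:
    """Return the effective field value.

    A literal value is returned unchanged. A GetSecret(...) reference is parsed,
    checked against the partner registry, and fetched from the vault. Any failure
    raises instead of leaving the unresolved expression in place as a credential.
    """
    match = GETSECRET_RE.match(value)
    if match is None:
        return value
    partner, secret_name, key_name = match.groups()
    protocol = TRADING_PARTNERS.get(partner)
    if protocol is None:
        raise LookupError(f"unknown trading partner {partner!r}")
    if protocol not in KEY_MANAGER_PROTOCOLS:
        raise ValueError(f"{partner!r} ({protocol}) is not a key management partner")
    try:
        return VAULTS[(partner, secret_name, key_name)]
    except KeyError:
        raise LookupError(
            f"no key {key_name!r} in vault {secret_name!r} via {partner!r}") from None
```

The Dropbox Access Token field from the walkthrough would hold GetSecret("MS_Azure_Vault", "mft-kv", "dropbox-access-token") and resolve to the stored token only at use time.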