Service Account Configurations
Vendors use the Configuration Broker to generate configuration data for use by the Tenant Security Proxy (TSP). These configurations contain a cryptographic key that has the authority to decrypt a tenant’s KMS configurations as well as a number of other vendor-specific settings necessary for successful startup of the TSP.
Multiple environment configurations can be created to support a distributed network of TSP Docker containers. The recommendation is that every distinct cluster with a running pool of TSP containers has its own environment configuration. With this approach, vendor administrators can revoke the keys used by an individual cluster from the Configuration Broker if that cluster’s configuration is compromised, without affecting other clusters.
The Configuration Broker can also generate configuration settings for use by the Vendor Bridge. These configurations contain a cryptographic key that has the authority to manage tenants and their KMS configurations on behalf of the vendor.
The configurations produced by the Configuration Broker are all generated within the user’s browser and encrypted there so that neither IronCore nor other admins will ever see any of the configurations generated within this app. They are made available to the admin via the browser to be added to the infrastructure where the vendor’s TSPs or vendor bridges will be running.
Creating a TSP Config
➡️ Step One: The Service Accounts page
Log in to the Config Broker and click on “Service Accounts” in the left nav.
➡️ Step Two: Add a Config
Click on the plus icon in the “Add Service Account” card. Ensure that “Tenant Security Proxy” is selected for the Account Type. Enter a name for the config, and optionally change the API Key and assigned Tags.
➡️ Step Three: Download the Config
You’ll be presented with a configuration and a set of keys that were generated in the browser. They are presented as a set of environment variable settings, which is how they will be accessed by the TSP. These values are encrypted before being sent to IronCore, and IronCore can’t decrypt them. These keys can decrypt configurations made by vendors or tenants. Download these keys, as they will be needed to configure and start TSPs.
Creating a Vendor Bridge Config
In order to programmatically manage tenants and KMS configurations, you will need to create a Vendor Bridge config. The steps to create a Vendor Bridge config are the same as creating a TSP config, but the Account Type in Step Two must be set to “Vendor API”. This will create a set of environment variables that must be provided when starting up the Vendor Bridge.
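Both the TSP config and the Vendor Bridge config arrive as a file of environment variable settings that carries key material able to decrypt or manage tenant KMS configurations. The following shell function is an added example, not part of IronCore's documentation or tooling: it sanity-checks such a downloaded file before it is handed to a container. It assumes the file uses `NAME=VALUE` lines (the variable names are whatever the Config Broker emitted; none are assumed here), and the file names in the usage comment are hypothetical.

```shell
# Added example (not IronCore's code): sanity-check a downloaded
# service-account env file before passing it to a TSP or Vendor Bridge
# container. Assumes NAME=VALUE lines; no specific variable names assumed.
check_env_file() {
  file="$1"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

  # The file holds key material: it must not be group- or world-readable.
  perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$perms" in
    600|400) ;;
    *) echo "insecure permissions $perms on $file (expected 600)" >&2; return 1 ;;
  esac

  # Every non-comment, non-blank line must be NAME=VALUE with a non-empty value.
  bad=$(grep -v -E '^(#|$)' "$file" \
        | grep -c -v -E '^[A-Za-z_][A-Za-z0-9_]*=.+$' || true)
  if [ "$bad" -ne 0 ]; then
    echo "$bad malformed or empty entries in $file" >&2
    return 1
  fi

  # An empty config is not a usable config.
  count=$(grep -c -E '^[A-Za-z_][A-Za-z0-9_]*=.+$' "$file" || true)
  if [ "$count" -eq 0 ]; then
    echo "no settings found in $file" >&2
    return 1
  fi
  return 0
}

# Usage (hypothetical file names): one config per cluster, so a leaked file
# can be revoked in the Config Broker without affecting the other clusters.
#   check_env_file cluster-a.env && docker run --env-file cluster-a.env <tsp-image>
```

The permission check matters because Docker's `--env-file` reads the file as-is; a world-readable file on a shared build host exposes the decryption key to every local user, which defeats the per-cluster revocation model described above.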