Administrators for the vendor are responsible for onboarding their tenants using the Configuration Broker. When adding a tenant, the vendor admin must provide the unique ID that identifies the tenant within the vendor’s application. This ID will be associated with all of the tenant’s KMS configurations and will usually be the primary ID that identifies the customer in the vendor’s data stores. This ID will be required by all SDK methods in the Tenant Security Client.
Another step in tenant provisioning is inviting an administrator of the tenant to sign up. From the UI, the vendor admin can enter some basic tenant information, and the Configuration Broker will generate and send the tenant administrator an invitation via email. Alternatively, tenants can be created using the Vendor API.
When the tenant admin receives this email, they can simply click on the included link to be directed to the Configuration Broker, where they enter additional information about the tenant and complete their sign-up. Once they are logged into the Configuration Broker, they can enter their configuration information.
Tenant Logging Configurations
Tenant admins are also able to enter a configuration that allows the TSP to send security events to the tenant’s logging and Security Information and Event Management (SIEM) system. The tenant may already be directing logs from their KMS into their SIEM, but enhanced event details and other events are provided when direct logging is configured. In addition to richer audit trails, configuring a logging destination allows the tenant to continue to receive events after enabling key leasing. The information that is gathered includes everything necessary for the TSP’s logging service (Logdriver) to write logs to the tenant’s SIEM. Like the KMS configuration, the logging configuration is encrypted in the browser before it is saved, protecting it from access by IronCore or the vendor.
Requiring Key Leasing
As explained in What is Key Leasing, a vendor might want to require each of their tenants to enable key leasing in order to reduce latency in their application. The Configuration Broker allows vendor admins to set a flag on a tenant to indicate that any of the tenant’s KMS configurations that are assigned to the vendor must have key leasing enabled.
If you edit a tenant’s record, you can toggle the setting requiring key leasing. However, if the tenant has already assigned a KMS configuration to your vendor and it doesn’t have key leasing enabled, you will be alerted and the change will not be saved.
The new value will be reflected on the tenant card.
By default, new tenants that a vendor invites do not have the flag requiring key leasing set, but you can change the default for your organization. If a vendor admin clicks the drop-down beside their name in the upper right corner of the screen and selects Account, the following screen is displayed.
The Organization Settings include a toggle to require key leasing by default for all new tenants.