Using an Azure service principal for database access
The Unblu Collaboration Server can use Azure service principals as a means of authentication when accessing the database.
With Azure service principal authentication in place, Unblu uses the Azure application and client identifiers to connect to Azure and retrieve the token it needs to be able to access the database. The Unblu Server then uses the token as a password when creating JDBC connections to the database.
To make this possible, you must configure both Azure Active Directory and the Unblu Server accordingly.
Authentication for database access using an Azure service principal is currently supported for PostgreSQL and MySQL databases. It isn’t supported for Microsoft SQL Server.
Configuring a service principal object for use by the Unblu Server
To enable service principal authentication for the Unblu Server, you must first create an application in Azure. Configure the application with the necessary access rights for your database.
Next, create a client with a client ID and a secret for the application.
Configuring the Unblu Server to use the Azure service principal
With the Azure side set up, you can turn to configuring the Unblu Server. The following configuration properties take their values from the tenant, application, and client you set up in Azure:
- com.unblu.storage.database.user must be the name of the application you created.
- com.unblu.storage.database.azureTenantId is the Azure tenant ID.
- com.unblu.storage.database.azureClientId must have the value of the client ID you created for Unblu.
- com.unblu.storage.database.azureClientSecret must contain the secret of the client you created for Unblu.
Here’s an example configuration for using Azure service principal authentication to access a PostgreSQL database:
```properties
# General database configuration (1)
com.unblu.storage.database.platform=org.eclipse.persistence.platform.database.PostgreSQLPlatform
com.unblu.storage.database.jdbcProperties=
com.unblu.storage.database.driver=org.postgresql.Driver
com.unblu.storage.database.url=jdbc\:postgresql\://<database-name>.postgres.database.azure.com\:5432/postgres
com.unblu.storage.database.schema=public
com.unblu.storage.database.liquibaseSchema=public
# Azure SPN authentication configuration
com.unblu.storage.database.user=<application-name>
com.unblu.storage.database.azureTenantId=9116ee65-64b0-4f9d-bf46-e2582d0c2760
com.unblu.storage.database.azureClientId=fcdd47d-2220-4692-8218-937be5a74cd8
com.unblu.storage.database.azureClientSecret=vqo9R~qepAkq212Lp8q_U.i-ZrzE4DQ8UT5rpes7
# Proxy configuration for Azure Blob Storage (2)
com.unblu.storage.database.azureProxyUrl=<proxy-url>
com.unblu.server.storage.blob.store.azure.storageProxyUrl=<storage-proxy-url>
com.unblu.server.storage.blob.store.azure.quarantine.storageProxyUrl=<quarantine-proxy-url>
```
(1) For more information on these configuration properties, refer to the page describing how to set up the database you’re using.
(2) These configuration properties are required if you access Azure Blob Storage via a proxy.
There are two additional configuration properties related to Azure:
- com.unblu.storage.database.azureEnvironment specifies which environment should be used for Azure SPN authentication. The possible values are AZURE, AZURE_GERMANY, and AZURE_CHINA.
- com.unblu.storage.database.azureAuthenticationTokenTTLGracePeriodRatio specifies when the token should be renewed, based on how much of the token’s lease has passed.
You can usually keep the default values for these configuration properties.
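To make the flow described above concrete (the client-credentials token request, the token used as the JDBC password, and the environment and grace-ratio settings just listed), here is an added example that is not Unblu's own code. It assumes the standard Microsoft Entra token endpoint, the public-cloud scope for Azure Database for PostgreSQL/MySQL, placeholder tenant and client values, and an assumed default grace ratio of 0.9; the property names map onto the constructor arguments.

```python
import json
import time
from urllib import parse, request

# Authority host per azureEnvironment value (well-known Azure authority hosts).
AUTHORITY_HOSTS = {
    "AZURE": "https://login.microsoftonline.com",
    "AZURE_CHINA": "https://login.chinacloudapi.cn",
    "AZURE_GERMANY": "https://login.microsoftonline.de",
}
# Scope for Entra authentication against Azure Database for PostgreSQL/MySQL.
# Assumption: public-cloud value only; sovereign clouds use a different resource host.
DB_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"


class SpnDbTokenSource:
    """Client-credentials grant whose access token becomes the JDBC password."""

    def __init__(self, tenant_id, client_id, client_secret,
                 environment="AZURE", grace_ratio=0.9):
        # grace_ratio mirrors azureAuthenticationTokenTTLGracePeriodRatio:
        # renew once this fraction of the token's lifetime has elapsed (0.9 assumed).
        self.token_url = f"{AUTHORITY_HOSTS[environment]}/{tenant_id}/oauth2/v2.0/token"
        self.client_id, self.client_secret = client_id, client_secret
        self.grace_ratio = grace_ratio
        self.token, self.renew_at = None, 0.0

    def request_body(self):
        """Form body of the POST to the token endpoint (client secret travels here)."""
        return parse.urlencode({"grant_type": "client_credentials",
                                "client_id": self.client_id,
                                "client_secret": self.client_secret,
                                "scope": DB_SCOPE}).encode()

    def accept_response(self, payload, now):
        """Take a token-endpoint JSON reply, store the bearer token, schedule renewal."""
        if payload.get("token_type") != "Bearer" or "access_token" not in payload:
            raise ValueError("unexpected token response")
        self.token = payload["access_token"]          # never log this value
        self.renew_at = now + int(payload["expires_in"]) * self.grace_ratio
        return self.renew_at

    def needs_renewal(self, now):
        return self.token is None or now >= self.renew_at

    def fetch(self):
        """Live call (not run offline): POST the grant and accept the reply."""
        req = request.Request(self.token_url, data=self.request_body(),
                              headers={"Content-Type": "application/x-www-form-urlencoded"})
        with request.urlopen(req, timeout=10) as resp:
            self.accept_response(json.load(resp), time.time())
        return self.token

    def jdbc_credentials(self, db_user):
        """The application name is the DB user; the current access token is the password."""
        return {"user": db_user, "password": self.token}
```

Because the token expires, a connection pool has to call needs_renewal before handing out a password, which is what the grace-ratio property controls.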
See also
- For more information on Azure service principals, refer to Microsoft’s documentation on the subject.