|
2 | 2 | title: Using with Certify Certificate Manager |
3 | 3 | --- |
4 | 4 |
|
5 | | -# Summary |
6 | | -To use Certify Management Hub with existing installations of *Certify Certificate Manager* (CCM) you need to configure each instance to *join* the hub. |
| 5 | +## Summary |
7 | 6 |
|
8 | | -- Setup a Joining API key in the hub |
9 | | -- Configure CCM to join the hub (via UI or command line) |
10 | | -- Verify that the joining has completed in the hub UI. |
| 7 | +Joining your existing *Certify Certificate Manager* (CCM) instance to a Management Hub allows you to control the instance settings as if you were working in the conventional desktop app, without having to remote into the desktop of each instance. |
11 | 8 |
|
12 | | -## Before joining the hub |
| 9 | +To use Certify Management Hub with existing installations: |
13 | 10 |
|
14 | | -### Consider Security |
15 | | -The management hub will have complete control over the Certify Certificate Manager instance settings, including the ability to specify deployment tasks which may include locally executed code (PowerShell etc). |
| 11 | +1. Set up a Joining API key in the hub |
| 12 | +2. Configure CCM to join the hub (via UI or command line) |
| 13 | +3. Verify that the joining has completed in the hub UI |
16 | 14 |
|
17 | | -**Do not join a hub you don't control or trust.** |
| 15 | +## Before Joining the Hub |
| 16 | + |
| 17 | +### Security Considerations |
| 18 | + |
| 19 | +:::warning Important |
| 20 | + |
| 21 | +The management hub will have complete control over the Certify Certificate Manager instance settings, including the ability to specify deployment tasks which may include locally executed code (PowerShell etc). |
| 22 | + |
| 23 | + **Do not join a hub you don't control or trust.** |
| 24 | + |
| 25 | + ::: |
18 | 26 |
|
19 | 27 | ### Ensure Unique Instance IDs |
20 | 28 |
|
21 | | -When CCM is installed and InstanceID value is generated and stored in `C:\ProgramData\certify\appsettings.json` (on Windows). |
| 29 | +When CCM is installed, an InstanceID value is generated and stored in appsettings.json (on Windows). |
| 30 | + |
| 31 | +**Important:** If you have previously used a VM clone to create a new instance of CCM: |
| 32 | +- You must ensure two instances do not share the same Instance ID |
| 33 | +- Duplicate IDs will cause instances to appear as one, and their communication with the hub will conflict |
| 34 | +- One instance may receive edits intended for the other |
| 35 | + |
| 36 | +Instance IDs must be valid (unique) GUID values. If in doubt: |
| 37 | +1. Delete your `appsettings.json` file (or just the instanceID field) |
| 38 | +2. Restart the Certify background service to let the app create a new one |
| 39 | + |
| 40 | +## Setting Up the Hub for Instance Management |
| 41 | + |
| 42 | +### 1. Add a Security Principle for Managed Instances |
| 43 | + |
| 44 | +This step may be unnecessary in current versions where it's auto-created. |
22 | 45 |
|
23 | | -If you have previously used a VM clone to create a new instance of *Certify Certificate Manager* you need to ensure two instance do not shared the same Instance ID. Otherwise the instances will appear to be the same one and their communication with the hub will conflict, one instance may receive edits intended for the other instance etc. |
| 46 | +1. In the hub, navigate to **Security > Users** |
| 47 | +2. Click **Add New Security Principle** |
| 48 | +3. Configure as follows: |
| 49 | + - **Type**: Application/Service |
| 50 | + - **Title**: "Hub Managed Instance" |
| 51 | + - **Description**: "Principle for Management Hub Instance Joining" |
| 52 | +4. After adding, click the **Roles icon** (People+ icon) next to the new security principle's ID |
| 53 | +5. Select the `Management Hub Managed Instance` role from Available Roles |
| 54 | +6. Click **Save** |
24 | 55 |
|
25 | | - Instance IDs are required to be valid (unique) GUID values, if in doubt, delete your `appsettings.json` (or the instanceID field) and restart the Certify background service to the app create one for you. |
| 56 | +**Note for MSPs:** If you manage instances across different organizations, consider creating multiple joining keys to partition by organization. This allows you to revoke hub access for specific groups without affecting unrelated instances. |
26 | 57 |
|
27 | | -## Set up an API key for instances to join the hub |
| 58 | +### 2. Create an API Key for Joining Instances |
28 | 59 |
|
29 | | -### Add a security principle to represent managed instances |
30 | | -If not already present you'll need to start by adding a new security principle to represent managed instances. This is so that an API key can then be created and assigned to that security principle. This is likely to have already have been auto created in current versions of the system. |
| 60 | +1. Navigate to **Settings > Security > API Access** |
| 61 | +2. Click **Add API Token** |
| 62 | +3. Select **Managed Instances Service Principle** |
| 63 | +4. Enter **Instance Joining Key** as the title |
| 64 | +5. Select **Management Hub Managed Instance** as the scoped role |
| 65 | +6. **Important:** Click **Add/Remove Role Scope** to add it to the scope list |
| 66 | +7. Click **Add** to create the new API token |
| 67 | +8. Copy the **Client ID** and **Secret** values - you'll need these for instance configuration |
31 | 68 |
|
32 | | -In the hub, under Security > Users, add a new Security Principle, select Application/Service as the principle type, set the Title to "Hub Managed Instance" |
| 69 | +## Joining the Hub |
33 | 70 |
|
34 | | -Description as "Principle for Management Hub Instance Joining" or similar, so you know what it's for. |
| 71 | +### Method 1: Using the CCM User Interface |
35 | 72 |
|
36 | | -Once added, select the Roles icon (People+ icon) shown next to the ID of the new security principle. Click on the `Management Hub Managed Instance` role from Available Roles to assign it, then Save. |
| 73 | +1. In *Certify Certificate Manager*, go to **Settings > Management Hub** |
| 74 | +2. Enter the following: |
| 75 | + - Management Hub API URL |
| 76 | + - Client ID |
| 77 | + - Client Secret |
| 78 | +3. Click **Join** |
| 79 | +4. The app will attempt to join the management hub |
| 80 | +5. If successful, the instance will appear in the **Instances** list of the Management Hub UI |
37 | 81 |
|
38 | | -If you are managing instances across different organizations (for instance, your are an Managed Service Provider) you may wish to use multiple joining keys to partition by organizations, so that groups of instances can have their hub access removed without affecting other unrelated instances. |
| 82 | +### Method 2: Using the Command Line |
39 | 83 |
|
40 | | -### Add an API key for joining instances |
| 84 | +Run the following command: |
41 | 85 |
|
42 | | -Go to Settings > Security > API Access, select Add API Token, select *Managed Instances Service Principle*, enter *Instance Joining Key* as the title, select *Management Hub Managed Instance* as the scoped role, important: remember to select Add/Remove Role Scope to add it to the scope list. Then select Add and the new API token will be created. Copy the **Client ID** and **Secret** values as they are required for API access. |
| 86 | +``` |
| 87 | +certify hub join <url of mgmt hub API> <client id> <client secret> |
| 88 | +``` |
43 | 89 |
|
44 | | -## Joining the hub |
45 | | -In *Certify Certificate Manager*, under Settings > Management Hub, set the Management Hub API URL, Client ID and Client Secret, then select Join. The app will attempt to join the management hub and if successful the instance will appear on the Instances list of the Management Hub UI. |
| 90 | +## Verification |
46 | 91 |
|
47 | | -To join the hub from the command line: |
48 | | -`certify hub join <url of mgmt hub API> <client id> <client secret>` |
| 92 | +After joining, confirm that your instance appears in the Management Hub UI's **Instances** list. |
0 commit comments