Configure Custom Settings for Azure Secret and Top Secret Regions
This section explains how to configure GigaVUE Cloud Suite for Azure in Secret and Top Secret regions. These settings apply to users running Azure services in isolated environments where endpoints and regions are not publicly exposed.
GigaVUE‑FM requires configuration options for service endpoint URLs, region settings, and CA certificates to connect to these isolated Azure environments.
Note: This feature has been tested and validated only in IPv4-only environments.
Refer to the following sections for more details.
Configure Service Endpoints
This section provides steps to configure custom service endpoint URLs in GigaVUE‑FM to enable connectivity with Azure Secret and Top Secret regions. These regions use isolated service endpoints that differ from those in Azure Commercial or Azure Government clouds.
To configure Service Endpoints:
| 1. | Go to Inventory > VIRTUAL > Azure. |
| 2. | Select Settings > Custom Configuration. The Custom Configurations page appears. |
| 3. | Select the Custom Environment tab and click Create. |
| 4. | On the Configure Custom Environment page, enter an Environment Name and the required service endpoint URLs: |
| a. | resourceManagerEndpointUrl - Base HTTPS endpoint that GigaVUE‑FM can use to reach the Azure management/control plane APIs for your environment. |
| b. | activeDirectoryEndpointUrl - Base HTTPS endpoint for Azure Resource Manager (ARM) in your IL6 environment. All ARM API calls from GigaVUE‑FM use this base URL. |
| c. | managementEndpointUrl - Base HTTPS endpoint for Azure Active Directory in your IL6 environment. GigaVUE‑FM will use this to obtain access tokens. |
Notes:
GigaVUE‑FM does not provide or auto‑discover the required endpoint URLs. You must obtain the correct URLs from official Microsoft documentation or your Azure administrator.
Ensure that the URLs are valid HTTPS URLs.
| 5. | Click Save to apply the custom environment configuration. |
When creating or editing an Azure Credential in GigaVUE‑FM, you can now select a custom environment that you have configured. Previously, only “Azure” and “Azure US Government” options were available. By choosing your custom environment, GigaVUE‑FM will use the endpoints you specify, ensuring all connections align with your configuration. Refer to Create Azure Credentials for details.
Configure Custom Regions
This section explains how to define region entries that are not included in the SDK’s predefined list. Secret and Top Secret regions require manual addition so GigaVUE‑FM can recognize and interact with them during Monitoring Domain setup.
To configure Custom Regions:
| 1. | Go to Inventory > VIRTUAL > Azure. |
| 2. | Select Settings > Custom Configuration. The Custom Configurations page appears. |
| 3. | Select the Custom Region tab and click Create. |
| 4. | On the Configure Custom Region page, enter the Region Alias and the exact Region Name. The Region Name can be user-defined (for example, East US or West US). |
| 5. | Click Save. The configured custom region will now be available for selection in the Monitoring Domain creation page. Refer to Create Monitoring Domain for details. |
Import CA Certificate for Service Endpoints
Service endpoints in the secure regions may use TLS certificates signed by a Root CA that differs from the default trusted CAs in GigaVUE‑FM. To establish secure HTTPS connections and validate server certificates, GigaVUE‑FM must have the Root CA in its trust store. Importing the Root CA certificate ensures GigaVUE‑FM can securely connect to the endpoints without certificate errors.
To Import Root CA into GigaVUE‑FM Java Trust Store:
| 1. | Obtain the required Root CA certificate file that signed the TLS certificate for your Azure Secret/Top Secret service endpoints. |
| 2. | Enter "sudo keytool -keystore /usr/lib/jvm/java-17-openjdk-17.0.17.0.10-1.el8.x86_64/lib/security/cacerts -list" in GigaVUE‑FM. If prompted for a password, press Enter. The command lists the trusted Root CAs in the JDK trust store. Note the number of entries. The output includes a line such as: Your key store contains 146 entries. Here, the trust store contains 146 entries. |
| 3. | To import the Root CA into GigaVUE‑FM, follow the steps listed below: |
| a. | Copy the Root CA into GigaVUE‑FM, for example, to “/home/admin” or “/home/azureuser”. |
Copy[admin@GigaVUE-FM-6800 ~]$ ll
total 580
-rw------- 1 azureuser azureuser 4201 Nov 13 03:58 ca-chain.crt
| b. | Import the certificate into JDK trust store: |
Run: "sudo keytool -import -alias <RootCAalias> -keystore /usr/lib/jvm/java-17-openjdk-17.0.16.0.8-2.el8.x86_64/lib/security/cacerts -file <RootCA.crt file>".
When prompted for a password, enter the default trust store password: "changeit".
The command displays certificate details (fingerprints, extensions) and prompts: Trust this certificate? [no]: Type yes and press Enter.
After successful import, it will display "Certificate was added to keystore".
Repeat Step I to verify the Root CA is in the trust store. The entry count increases by one, and the Root CA appears in the list with the alias you specified, for example:
.....
Your keystore contains 147 entries
.....
userca, Nov 13, 2025, trustedCertEntry
Certificate fingerprint (SHA-256): B0:0C:D7:F1:0B:A2:12:4D:BB:AB:70:90:61:4C:6C:5A:9A:69:D8:49:94:E2:2B:E5:CE:62:72:E1:8B:49:D1:62
.....
| 4. | Restart the CMS process to apply the certificate import: |
sudo systemctl restart tomcat@cms.service
Note: You must repeat the import steps when upgrading GigaVUE‑FM.
