How-to: enable your service application to work with cloud based RMS

This topic outlines steps for setting up your service application to use Azure Rights Management. For more information, see Getting started with Azure Rights Management.

[!Important]

In order to use your Rights Management Services SDK 2.1 service application with Azure RMS, you'll need to create your own tenants. For more information, see Azure RMS requirements: Cloud subscriptions that support Azure RMS

 

Prerequisites

Connecting to the Azure Rights Management Service

Call IpcInitialize.

Set IpcSetGlobalProperty.

int mode = IPC_API_MODE_SERVER;
IpcSetGlobalProperty(IPC_EI_API_MODE, &(mode));

Note

For more information, see Setting the API security mode

 

The following steps are the setup for creating an instance of an IPC_PROMPT_CTX structure with the pcCredential (IPC_CREDENTIAL) member populated with connection information from the Azure Rights Management Service.

Use the information from your symmetric key service identity creation (see the prerequisites listed earlier in this topic) to set the wszServicePrincipal, wszBposTenantId, and cbKey parameters when you create an instance of an IPC_CREDENTIAL_SYMMETRIC_KEY structure.

Note

Due to an existing condition with our discovery service, if you are not in North America, symmetric key credentials are not accepted from other regions therefore, you must specify your tenant URLs directly. This is done through the IPC_CONNECTION_INFO parameter of IpcGetTemplateList or IpcGetTemplateIssuerList.

Generate a symmetric key and collect the needed information

Instructions to generate a symmetric key

  • Install Microsoft Online Sign-in Assistant

  • Install Azure AD PowerShell Module. Note  You must be a tenant administrator to use the PowerShell cmdlets.

     

  • Start PowerShell and run the following commands to generate a key

    Import-Module MSOnline
    Connect-MsolService (type-in your admin credentials)
    New-MsolServicePrincipal (type-in a display name)

  • After it generates a symmetric key, it will output information about key including the key itself and AppPrincipalId.

    The following symmetric key was created as one was not supplied 
    ZYbF/lTtwE28qplQofCpi2syWd11D83+A3DRlb2Jnv8=
    
    DisplayName : RMSTestApp
    ServicePrincipalNames : {7d9c1f38-600c-4b4d-8249-22427f016963}
    ObjectId : 0ee53770-ec86-409e-8939-6d8239880518
    AppPrincipalId : 7d9c1f38-600c-4b4d-8249-22427f016963
    

Instructions to find out TenantBposId and Urls

  • Install Azure RMS PowerShell module.

  • Start PowerShell and run the following commands to get the RMS configuration of the tenant.

    Import-Module aadrm
    Connect-AadrmService (type-in your admin credentials)
    Get-AadrmConfiguration

    The command will generate output, something like this:

    BPOSId                                    : 23976bc6-dcd4-4173-9d96-dad1f48efd42
    RightsManagementServiceId                 : 1a302373-f233-4406-9090-4cdf305e2e76
    LicensingIntranetDistributionPointUrl     : https://1a302373-f233-4406-9090-4cdf305e2e76.rms.na.aadrm.com/_wmcs/licensing
    LicensingExtranetDistributionPointUrl     : https://1a302373-f233-4406-9090-4cdf305e2e76.rms.na.aadrm.com/_wmcs/licensing
    CertificationIntranetDistributionPointUrl : https://1a302373-f233-4406-9090-4cdf305e2e76.rms.na.aadrm.com/_wmcs/certification
    CertificationExtranetDistributionPointUrl : https://1a302373-f233-4406-9090-4cdf305e2e76.rms.na.aadrm.com/_wmcs/certification
    

 

C++
// Create a key structure.
IPC_CREDENTIAL_SYMMETRIC_KEY symKey = {0};

// Set each member with information from service creation. symKey.wszBase64Key = "your service principal key"; symKey.wszAppPrincipalId = "your app principal identifier"; symKey.wszBposTenantId = "your tenent identifier";

For more information see, IPC_CREDENTIAL_SYMMETRIC_KEY.

Create an instance of an IPC_CREDENTIAL structure containing your IPC_CREDENTIAL_SYMMETRIC_KEY instance.

Note

The conectionInfo members are set with URLs from the previous call to Get-AadrmConfiguration and noted here with those field names.

 

C++
// Create a credential structure.
IPC_CREDENTIAL cred = {0};

IPC_CONNECTION_INFO connectionInfo = {0}; connectionInfo.wszIntranetUrl = LicensingIntranetDistributionPointUrl; connectionInfo.wszExtranetUrl = LicensingExtranetDistributionPointUrl;

// Set each member. cred.dwType = IPC_CREDENTIAL_TYPE_SYMMETRIC_KEY; cred.pcCertContext = (PCCERT_CONTEXT)&symKey;

// Create your prompt control. IPC_PROMPT_CTX promptCtx = {0};

// Set each member. promptCtx.cbSize = sizeof(IPC_PROMPT_CTX); promptCtx.hwndParent = NULL; promptCtx.dwflags = IPC_PROMPT_FLAG_SILENT; promptCtx.hCancelEvent = NULL; promptCtx.pcCredential = &cred;

Identify a template and then encrypt

  • Select a template to use for your encryption.

Call IpcGetTemplateList passing in the same instance of IPC_PROMPT_CTX.

<span codelanguage="ManagedCPlusPlus"></span>
<table>
<colgroup>
<col style="width: 100%" />
</colgroup>
<thead>
<tr class="header">
<th>C++</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><pre><code>PCIPC_TIL pTemplates = NULL; 
IPC_TEMPLATE_ISSUER templateIssuer = (pTemplateIssuerList-&gt;aTi)[0];

hr = IpcGetTemplateList(&amp;(templateIssuer.connectionInfo),
       IPC_GTL_FLAG_FORCE_DOWNLOAD, 
       0, 
       &amp;promptCtx, 
       NULL, 
       &amp;pTemplates);</code></pre></td>
</tr>
</tbody>
</table>
> > > \[!Tip\] > > You could choose to specify a custom license handle by calling [**IpcGetTemplateIssuerList**](ipcgettemplateissuerlist.md) and [**IpcCreateLicenseFromScratch**](ipccreatelicensefromscratch.md) instead of calling [**IpcGetTemplateList**](ipcgettemplatelist.md). > >   > > - With the template from earlier in this topic, call [**IpcfEncrcyptFile**](ipcfencryptfile.md), passing in the same instance of [**IPC\_PROMPT\_CTX**](ipc-prompt-ctx.md). > > Example use of [**IpcfEncrcyptFile**](ipcfencryptfile.md): > > > > > > > > > > > > > > > > >
C++
LPCWSTR wszContentTemplateId = pTemplates->aTi[0].wszID;
>     hr = IpcfEncryptFile(wszInputFilePath, 
>            wszContentTemplateId, 
>            IPCF_EF_TEMPLATE_ID, 
>            IPC_EF_FLAG_KEY_NO_PERSIST, 
>            &promptCtx, 
>            NULL, 
>            &wszOutputFilePath);
> > > > Example use of [**IpcfDecryptFile**](ipcfdecryptfile.md): > > > > > > > > > > > > > > > > >
C++
hr = IpcfDecryptFile(wszInputFilePath, 
>            IPCF_DF_FLAG_DEFAULT, 
>            &promptCtx,
>            NULL,
>            &wszOutputFilePath);
> > > > You have now completed the steps needed to enable your application to use Azure Rights Management. > > ## Related topics > >

Get started

Getting started with Azure Rights Management

Create a service identity via ACS

IpcSetGlobalProperty

IpcInitialize

IPC_PROMPT_CTX

IPC_CREDENTIAL

IPC_CREDENTIAL_SYMMETRIC_KEY

IpcGetTemplateIssuerList

IpcGetTemplateList

IpcfDecryptFile

IpcfEncrcyptFile

IpcCreateLicenseFromScratch

IpcCreateLicenseFromTemplateID

> >   > >   >