git.stella-ops.org/docs/modules/concelier/operations/connectors/msrc.md
master 607ce619fe feat(concelier): multi-sprint batch (mirror domain + advisory sources + durable runtime + credentials)
Bundled commit covering pre-session work from multiple Concelier sprints
already archived or in-flight:
- SPRINT_20260419_006: mirror domain / source key validation
- SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification
- SPRINT_20260421_001: advisory source projection truthful counts
- SPRINT_20260421_002: FE advisory source consistency (connector-side bits)
- SPRINT_20260421_003: advisory connector runtime alignment
- SPRINT_20260422_003: source credential entry paths (in-flight)

Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco /
CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management
endpoints, mirror domain management, federation endpoints, topology setup,
job registration, and associated dossier updates under
docs/modules/concelier/.

This commit groups ~229 file changes that accumulated across the above
sprints; individual changes are preserved at file granularity so blame
remains useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:05:53 +03:00

Concelier MSRC Connector - Microsoft Entra Onboarding Brief

Last updated: 2026-04-22

1. App registration requirements

Sign in at https://entra.microsoft.com and open App registrations.

Create or select a confidential client application that will use client credentials. Capture:

  • tenantId = Directory (tenant) ID
  • clientId = Application (client) ID
  • clientSecret = client secret value from Certificates & secrets

Primary operator path:

  • Web UI: Security Posture -> Configure Sources or Ops -> Operations -> Feeds & Airgap -> Configure Sources
  • CLI:
    stella db connectors configure microsoft \
      --server https://concelier.example.internal \
      --set tenantId=... \
      --set clientId=... \
      --set clientSecret=...

Notes:

  • Microsoft recommends certificates over client secrets for production applications. The current StellaOps MSRC operator entry path is client-secret based.
  • MSRC is not documented here as a separate paid product, but you do need a Microsoft Entra tenant plus permission to register the app and grant the required consent.

2. Secret and credential policy

  • Maintain two client secrets rotating every 90 days.
  • Prefer storing the active secret through the StellaOps source configuration UI or CLI.
  • Offline Kit deployments that still mirror secrets out of band must mirror the secret payloads in their encrypted store.
  • Legacy host configuration remains a compatibility fallback only.

3. Compatibility fallback (concelier.yaml)

concelier:
  sources:
    microsoft:
      tenantId: "<azure-tenant-guid>"
      clientId: "<app-registration-client-id>"
      clientSecret: "<pull from secret store>"
      apiVersion: "2024-08-01"
      locale: "en-US"
      requestDelay: "00:00:00.250"
      failureBackoff: "00:05:00"
      cursorOverlapMinutes: 10
      downloadCvrf: false

The runtime source ID is microsoft, and the connector still binds the legacy vndr:msrc section for compatibility.
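The fallback block above is only usable once the placeholders are replaced and the timespan fields parse. The following Python is an added example, not Concelier's own code: it assumes the concelier.yaml `microsoft` block has already been loaded into a dict (for example with PyYAML) and checks the keys shown above (GUID-shaped tenantId/clientId, a real clientSecret rather than a `<...>` placeholder, .NET TimeSpan notation for requestDelay/failureBackoff), then shows what cursorOverlapMinutes and failureBackoff mean for the next poll. The field semantics beyond what the runbook states (overlap subtracted from the stored cursor, backoff added to the failure time) and the sample values are assumptions constructed for the example.

```python
"""Validation helpers for the Concelier `microsoft` source block.

Added example, not part of the Concelier code base. Assumes the YAML has
already been loaded into a plain dict. Timespans use .NET TimeSpan notation
("hh:mm:ss.fff" or "d.hh:mm:ss"), which is the format the runbook values use.
"""
import re
from datetime import datetime, timedelta

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
LOCALE_RE = re.compile(r"^[a-z]{2}-[A-Z]{2}$")
TIMESPAN_RE = re.compile(
    r"^(?:(?P<d>\d+)\.)?(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<f>\d{1,7}))?$"
)

# Constructed sample: the compatibility-fallback snippet exactly as the runbook
# shows it, documentation placeholders still in place.
SAMPLE_FROM_RUNBOOK = {
    "tenantId": "<azure-tenant-guid>",
    "clientId": "<app-registration-client-id>",
    "clientSecret": "<pull from secret store>",
    "apiVersion": "2024-08-01",
    "locale": "en-US",
    "requestDelay": "00:00:00.250",
    "failureBackoff": "00:05:00",
    "cursorOverlapMinutes": 10,
    "downloadCvrf": False,
}


def parse_timespan(value: str) -> timedelta:
    """Parse a .NET-style TimeSpan string such as "00:05:00" or "1.02:03:04.5"."""
    m = TIMESPAN_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a TimeSpan: {value!r}")
    frac = m.group("f") or ""
    micros = int(frac.ljust(6, "0")[:6]) if frac else 0  # .250 -> 250000 us
    return timedelta(days=int(m.group("d") or 0), hours=int(m.group("h")),
                     minutes=int(m.group("m")), seconds=int(m.group("s")),
                     microseconds=micros)


def is_placeholder(value) -> bool:
    """Runbook placeholders look like "<...>"; empty or non-string counts too."""
    return not isinstance(value, str) or not value or value.startswith("<")


def validate_microsoft_source(src: dict) -> list[str]:
    """Return findings for the block; an empty list means it is usable."""
    findings = []
    for key in ("tenantId", "clientId"):
        v = src.get(key)
        if is_placeholder(v):
            findings.append(f"{key}: placeholder or missing value")
        elif not GUID_RE.match(v):
            findings.append(f"{key}: not a GUID")
    if is_placeholder(src.get("clientSecret")):
        findings.append("clientSecret: placeholder or missing; supply via UI/CLI or secret store")
    api = str(src.get("apiVersion", ""))
    try:
        datetime.strptime(api, "%Y-%m-%d")
    except ValueError:
        findings.append(f"apiVersion: expected YYYY-MM-DD, got {api!r}")
    if not LOCALE_RE.match(str(src.get("locale", ""))):
        findings.append("locale: expected a tag such as en-US")
    for key in ("requestDelay", "failureBackoff"):
        try:
            if parse_timespan(str(src.get(key, ""))) <= timedelta(0):
                findings.append(f"{key}: must be positive")
        except ValueError:
            findings.append(f"{key}: not a valid TimeSpan")
    overlap = src.get("cursorOverlapMinutes")
    if isinstance(overlap, bool) or not isinstance(overlap, int) or overlap < 0:
        findings.append("cursorOverlapMinutes: expected a non-negative integer")
    if not isinstance(src.get("downloadCvrf"), bool):
        findings.append("downloadCvrf: expected true/false")
    return findings


def fetch_window(cursor_iso: str, src: dict, now_iso: str) -> tuple[datetime, datetime]:
    """Assumed semantics: the next poll starts cursorOverlapMinutes before the
    stored cursor so advisories revised near the boundary are not skipped."""
    cursor = datetime.fromisoformat(cursor_iso)
    return cursor - timedelta(minutes=int(src["cursorOverlapMinutes"])), datetime.fromisoformat(now_iso)


def retry_after(failed_at_iso: str, src: dict) -> datetime:
    """Assumed semantics: earliest retry time is failure time plus failureBackoff."""
    return datetime.fromisoformat(failed_at_iso) + parse_timespan(src["failureBackoff"])


if __name__ == "__main__":
    for finding in validate_microsoft_source(SAMPLE_FROM_RUNBOOK):
        print("finding:", finding)
    filled = dict(SAMPLE_FROM_RUNBOOK,
                  tenantId="11111111-2222-3333-4444-555555555555",   # constructed
                  clientId="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",   # constructed
                  clientSecret="example-secret-from-store")          # constructed
    print("filled block findings:", validate_microsoft_source(filled))
    print("next window starts:", fetch_window("2026-04-22T12:00:00+00:00", filled,
                                              "2026-04-22T13:00:00+00:00")[0].isoformat())
```

Run against the runbook snippet as-is, the validator reports exactly the three placeholder fields, which is the point of section 2: the secret in particular should arrive via the UI, CLI or secret store rather than being pasted into concelier.yaml.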

4. CVRF artefacts

  • The MSRC REST payload exposes cvrfUrl per advisory.
  • Current connector behavior records the link as advisory metadata and reference; it does not download the ZIP by default.
  • Mirror CVRF ZIPs when preparing Offline Kits if air-gapped deployments need them.

5. Outstanding items

  • Ops must confirm the tenant and app used for production MSRC access.
  • Connector owners should validate token cache health once credentials are supplied.
  • If certificate-based auth is later required, StellaOps needs a dedicated certificate entry path before switching the runbook away from client secrets.