I am using the following link for 2-way SSL in JBoss. It works fine for me.
http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial-for-configuring-ssl-https-on-wildfly
I am using the following command to generate the key pair, using the key password (keypass) secret.
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore client.keystore -dname "CN=client" -keypass secret -storepass secret
Likewise, I follow the steps in the above link and I am able to enable HTTPS.
While doing so, one of the entries that is created in standalone-full.xml is as follows:
<tls>
    <key-stores>
        <key-store name="demoKeyStore">
            <credential-reference clear-text="secret"/>
            <implementation type="JKS"/>
            <file path="server.keystore" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="demoKeyManager" key-store="demoKeyStore">
            <credential-reference clear-text="secret"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="demoSSLContext" protocols="TLSv1.2" key-manager="demoKeyManager"/>
    </server-ssl-contexts>
</tls>
Here the clear-text value is secret, which was used while doing the key generation. Since it is visible to anyone with access to the standalone-full.xml file, I want to protect it.
Question: How do I encrypt the clear-text attribute with value "secret" in the XML file?
A few possible ways I could think of are storing it in a vault (I have not tried it yet) or encrypting the password using some other technique:
https://docs.rapidminer.com/9.0/server/administration/security/securing-passwords-in-jboss.html
JBoss AS 7.1 - datasource how to encrypt password
What is the best way to solve the above problem? Please advise.
After more investigation and research, I have narrowed it down to using a credential store. Please refer to the following link: Credential Store vs. Password Vault
The Password Vault is primarily used in legacy configurations, whereas the Credential Store was introduced with the elytron subsystem; credential stores allow for secure storage and usage of credentials.
Execute the following commands in the CLI:
Create a credential store:
/subsystem=elytron/credential-store=my_store:add(location="cred_stores/my_store.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text=supersecretstorepassword},create=true)
Add a credential to the credential store:
/subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="speci#l_db_pa$$_01")
List the credentials in the credential store:
/subsystem=elytron/credential-store=my_store:read-aliases()
Once the above steps are executed using the CLI, you need to make changes in the <credential-reference/> tag.
You can also find a working example here: http://www.mastertheboss.com/jboss-server/jboss-security/using-credential-stores-to-store-your-passwords-in-wildfly-11
The above is an example for a datasource, but it works similarly for encrypting the clear-text for certificates.
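As an added illustration (not part of the answer above), this is what the relevant parts of standalone-full.xml look like once the store exists and the key-store and key-manager have been switched over to it. The alias name keystore-pw and the CLI commands used to switch them, /subsystem=elytron/key-store=demoKeyStore:write-attribute(name=credential-reference, value={store=my_store, alias=keystore-pw}) and the same write-attribute on /subsystem=elytron/key-manager=demoKeyManager, are assumptions for this example (the answer's alias is database-pw; the question's keypass equals its storepass, so one alias serves both references):

```xml
<!-- Added example, not from the original answer: elytron subsystem fragments -->
<credential-stores>
    <!-- The store's own password is the one secret left in the file; clear-text is the
         weak form, a MASK- value produced by elytron-tool.sh is the hardened form. -->
    <credential-store name="my_store" relative-to="jboss.server.data.dir"
                      location="cred_stores/my_store.jceks" create="true">
        <credential-reference clear-text="supersecretstorepassword"/>
    </credential-store>
</credential-stores>
<tls>
    <key-stores>
        <key-store name="demoKeyStore">
            <!-- alias keystore-pw is assumed; it must match the add-alias call -->
            <credential-reference store="my_store" alias="keystore-pw"/>
            <implementation type="JKS"/>
            <file path="server.keystore" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="demoKeyManager" key-store="demoKeyStore">
            <!-- the key password was the same "secret", so the same alias is reused -->
            <credential-reference store="my_store" alias="keystore-pw"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="demoSSLContext" protocols="TLSv1.2" key-manager="demoKeyManager"/>
    </server-ssl-contexts>
</tls>
```

The store password (supersecretstorepassword above) still has to live in the configuration. WildFly can mask it with the elytron tool, bin/elytron-tool.sh mask --salt 12345678 --iteration 123 --secret supersecretstorepassword, which prints a MASK-...;12345678;123 string to put in that clear-text attribute in place of the plain value. Treat that as obfuscation rather than encryption: the server has to reverse it at startup with nothing but the config file, so anyone who can read standalone-full.xml and my_store.jceks has the keystore password. Restrict read permissions on both files to the account running WildFly, and rotate the store password if the file was ever readable more widely.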
I use the below script to import a certificate in a pipeline build process.
PowerShell script:
param($PfxFilePath, $Password)
# Resolve the (possibly relative) path handed in by the pipeline to an absolute one
$absolutePfxFilePath = Resolve-Path -Path $PfxFilePath
Write-Output "Importing store certificate '$absolutePfxFilePath'..."
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# Import(path, password, flags): PersistKeySet keeps the private key in the key container
# instead of deleting it when the object is disposed; a wrong password fails here
$cert.Import($absolutePfxFilePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet)
# "MY" is the Personal store of the account running the agent
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()
I get the below error:
. 'C:\JobAppAgent_work\1\s\JobApp\DevOps\Build\Import-PfxCertificate.ps1' -PfxFilePath $env:DOWNLOADSECUREFILE1_SECUREFILEPATH -Password ****
Importing store certificate 'C:\JobAppAgent_work_temp\DD.Job.Desktop_TemporaryKey.pfx'...
##[error]Exception calling "Import" with "3" argument(s): "The specified network password is not correct.
This script was running fine when the build was running on Azure Pipelines. Now I have created a private agent pool that runs on a Windows 10 VM.
Make sure that the certificate is valid and has not expired. You can check the expiration date of the certificate by double-clicking on it and viewing the details.
Check that the certificate is properly installed on the machine where the build is being performed. If the certificate is not installed, it will not be available for use in the build process.
Make sure that the certificate is correctly referenced in the build pipeline. This may involve specifying the path to the certificate file or the thumbprint of the certificate.
If you are using a self-signed certificate, make sure that it is trusted by the machine where the build is being performed. To do this, you will need to install the certificate in the trusted root certification authorities store on the machine.
If you are using a certificate from a certificate authority (CA), make sure that the CA is trusted by the machine where the build is being performed. This may involve installing the root certificate of the CA on the machine.
This is a PowerShell script that imports a certificate from a file with a given password into the "MY" store in the current user's certificate store. The certificate is imported using the Import method of the X509Certificate2 class, which takes as input the path to the certificate file, the password, and a set of key storage flags. The script then creates an X509Store object representing the "MY" store in the current user's certificate store, opens the store in read-write mode, adds the imported certificate to the store, and closes the store.
This script assumes that the certificate file is in the Personal Information Exchange (PFX) format, which is a common format for storing certificates and their private keys. PFX files are often used to export or import certificates, and they can be password-protected for added security.
Verify that the password you are using to import the certificate is correct. It's possible that the password has been changed or entered incorrectly.
Check that the certificate file has not been damaged or modified in any way. If the file has been altered, it may be causing the import to fail.
Make sure that the certificate file is accessible to the machine where the script is being run. If the file is on a network share or another machine, check that the machine has the necessary permissions to read the file.
If the certificate file is password-protected, make sure that the password has not expired or been revoked.
Try running the script with different key storage flags to see if that has any effect on the error. For example, you could try using "Exportable" instead of "PersistKeySet" as the key storage flag.
We have an Azure Function (.NET 4.7.2) that has been running for a year and sends messages to a web service using a client certificate. This certificate had to be renewed, but now that we have done that we are getting this exception when sending a message:
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
Azure has problems reading the private key, and the problem seems to be exporting it from my local machine. Could this problem originate from the original CSR? The previous certificate still works fine, as long as it's valid. Note that I can send messages using the new certificate from my local machine.
Things I have tried:
Using all combinations of MMC settings to export the .pfx file
Using the answer in https://stackoverflow.com/a/34103154/6033193 to convert the cert key to the RSA format and upload the new resulting .pfx
Using CertUtil.exe -store -user my to compare the new and the old certificate. They both have Provider Microsoft Enhanced Cryptographic Provider v1.0 and, apart from the hashes and names, look the same.
Removing Azure Key Vault from the setup and uploading the pfx directly to the app service
Reading the .pfx from a local folder and using it like this: new X509Certificate2(certBytes, "password", X509KeyStorageFlags.PersistKeySet);. This works, so something seems to be going wrong when uploading the .pfx file to the Azure portal.
Any more things I can try?
The provider that worked for the previous certificate no longer works for the new certificate. I have a hunch something is wrong with the encryption, because the Bag Attributes contained no localKeyID information, but I cannot say for sure.
Anyway, changing the provider to "Microsoft Platform Crypto Provider" made the private key accessible in Azure. Using OpenSSL:
First export the .key and the public .pem part from the .pfx file:
openssl pkcs12 -in cert.pfx -out cert_publicpart.pem -nokeys
openssl pkcs12 -in cert.pfx -out cert_privatekey.key -nocerts
If it is encrypted, it will ask for your password after each command.
Then convert it back to a .pfx, specifying the provider:
openssl pkcs12 -export -in cert_publicpart.pem -inkey cert_privatekey.key -out cert_newCSP.pfx -CSP "Microsoft Platform Crypto Provider"
Again, specify a password, and the new .pfx should be good to go!
Optional, if you want to verify the CSP:
openssl pkcs12 -in "cert_newCSP.pfx" -out "cert_newCSP.pem"
Open the .pem file, find -----BEGIN ENCRYPTED PRIVATE KEY----- and look for Microsoft CSP Name: Microsoft Platform Crypto Provider right above that.
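As an added example that is not part of the answer above, the script below runs the answer's split-and-rebuild on a throwaway self-signed certificate generated on the spot (constructed test input) and checks, the same way the answer suggests, that the rebuilt .pfx carries the Microsoft CSP Name bag attribute while the original does not. It assumes a POSIX shell and an openssl binary on PATH; all file names, passwords and the demo CN are invented.

```shell
#!/bin/sh
# Added example, not from the original answer. Reproduces the CSP re-export on a
# throwaway certificate and reports the "Microsoft CSP Name" attribute before/after.
# Assumes a POSIX shell and openssl on PATH; every file name and password is made up.
set -eu

# reexport_with_csp IN.pfx IN_PASS OUT.pfx OUT_PASS CSP_NAME
# The answer's three openssl commands, with -passin/-passout so nothing prompts.
reexport_with_csp() {
    in_pfx=$1 in_pass=$2 out_pfx=$3 out_pass=$4 csp=$5
    tmp=$(mktemp -d)
    # 1. certificate chain only (no private key)
    openssl pkcs12 -in "$in_pfx" -passin "pass:$in_pass" -nokeys \
        -out "$tmp/cert_publicpart.pem"
    # 2. private key only, re-encrypted under the output password
    openssl pkcs12 -in "$in_pfx" -passin "pass:$in_pass" -nocerts \
        -passout "pass:$out_pass" -out "$tmp/cert_privatekey.key"
    # 3. rebuild; -CSP stamps the key bag with the provider Windows will load the key into
    openssl pkcs12 -export -in "$tmp/cert_publicpart.pem" \
        -inkey "$tmp/cert_privatekey.key" -passin "pass:$out_pass" \
        -CSP "$csp" -out "$out_pfx" -passout "pass:$out_pass"
    rm -rf "$tmp"
}

# csp_name_of PFX PASS: print the CSP name attached to the key bag, or nothing if unset.
# openssl writes the bag attributes as text above the PEM block, which is what the
# answer tells you to look for in the .pem file.
csp_name_of() {
    tmp=$(mktemp)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout pass:scratch -out "$tmp"
    sed -n 's/^ *Microsoft CSP Name: //p' "$tmp" | sed -n 1p
    rm -f "$tmp"
}

# demo: build a CSP-less .pfx the way an MMC export does, convert it, report both states
demo() {
    work=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/demo.key" 2>/dev/null
    openssl req -x509 -new -key "$work/demo.key" -subj "/CN=csp-demo" -days 1 \
        -out "$work/demo.crt" 2>/dev/null
    openssl pkcs12 -export -in "$work/demo.crt" -inkey "$work/demo.key" \
        -out "$work/cert.pfx" -passout pass:before
    before=$(csp_name_of "$work/cert.pfx" before)
    reexport_with_csp "$work/cert.pfx" before "$work/cert_newCSP.pfx" after \
        "Microsoft Platform Crypto Provider"
    after=$(csp_name_of "$work/cert_newCSP.pfx" after)
    rm -rf "$work"
    printf 'before:[%s] after:[%s]\n' "$before" "$after"
}

demo
```

Run it as sh csp_reexport.sh; the last line should read before:[] after:[Microsoft Platform Crypto Provider]. Two caveats for doing this on a real certificate: -CSP only adds a bag attribute naming the provider Windows should import the key into, the key bytes are untouched, so the re-export changes nothing about what the certificate can do and it is the rebuilt .pfx, not the .pem, that has to be uploaded. And on OpenSSL 3.x a .pfx written by older Windows tooling may be RC2/3DES-encrypted, in which case the two extraction commands need -legacy (with the legacy provider installed) before they will open it.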
I want to acquire a token from an Azure app registration with a certificate.
I followed the instructions here and generated a self-signed certificate with PowerShell. I also imported the public key into the portal.
But if I want to access the app via .NET, I need to provide the following MSAL configuration:
The CertificateFileContents is just the public key I exported from certmgr. But what should I put as the CertificatePass? Is this a hash? Or a private key? I could not find anything in the docs, and the link above does not give me any advice either...
Also, I do not really understand why the private key is not imported to the portal.
In my experience, CertificatePass should be required when you export a private key.
This document has such content before:
Export the private key, specify a password for the cert file, and
export to a file.
But now it only tells you to export a public key. You can see details from this issue.
So based on the SharePoint document, if you are reading a PFX file from your local machine, I think you should use the private key with a password.
Okay, the CertificatePass was the password for the certificate itself.
The Azure Portal itself only holds the public key.
The client application needs to provide the whole certificate with private and public key.
If you export a private/public key from the certificate manager in Windows 10, you will not be able to directly export it as Base64, but you can create a pfx file.
Those files can later be encoded to Base64 with a tool of your choice, for example this.
The password for your certificate has to be the CertificatePass, and the FileContents are the Base64 public and private key, but decrypted with the password.
This is of course only an approach for testing purposes. In a production environment you would rather use Key Vault or something similar, so as not to have any secrets in your appsettings.json.
I am getting this error when I am trying to import a certificate from my machine, provided by another CA (Honeywell CA).
The CSR was created using the private key created by the command: openssl ecparam -genkey -name prime256v1 | openssl ec -out webtls.key -aes128
For the import, I tried the Azure UI, Azure PowerShell, and the Azure CLI; nothing worked, I got the same error.
Any idea about this?
The ECC certificate needs to be created in a very specific manner. I spoke with the Key Vault product team about this specific issue and ended up with an ECC FAQ. It is a detailed operation that requires a special configuration file when the cert is being generated. I am not going to go into the complete detail, as I have it documented in my blog post:
https://azidentity.azurewebsites.net/post/2019/05/24/ecc-certificates-in-the-key-vault
I have created a service account in the Google API Console, downloaded the .p12 file, and now I am trying to use https://github.com/hokaccha/node-jwt-simple to sign the request for a token.
Where/how should I get the 'secret' for signing it with HS256?
It turned out to be a problem with the openssl command I was using. In case anybody runs into the same issue, make sure to use the "-nodes" parameter like so:
openssl pkcs12 -in file.p12 -out file.pem -nodes
Then just pass the content of the .pem file as the key for signing the token.
Good luck!
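As an added example that is not part of the answer above, the script below shows what "pass the .pem as the key" amounts to for a Google service account: the assertion is signed with RS256 using the private key that openssl pkcs12 -nodes wrote out (Google only accepts RS256 for service-account assertions), so there is no HS256 shared secret to look for. It signs a token, verifies it with the matching public key, and confirms that a token with a modified payload is rejected. It assumes a POSIX shell and openssl on PATH; the key pair, the issuer and the claim values are constructed for the demo and are not the values from the original post.

```shell
#!/bin/sh
# Added example, not from the original answer. RS256 JWT signing with the PEM private
# key, done with nothing but openssl so the mechanics are visible.
# Assumes a POSIX shell and openssl on PATH; key pair and claims are constructed here.
set -eu

# base64url encode stdin: standard base64, URL alphabet, no padding (RFC 7515 style)
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# base64url decode stdin: restore the padding and the standard alphabet first
b64url_decode() {
    data=$(cat)
    pad=$(( (4 - ${#data} % 4) % 4 ))
    printf '%s%s' "$data" "$(printf '%*s' "$pad" '' | tr ' ' '=')" \
        | tr '_-' '/+' | openssl base64 -d -A
}

# sign_rs256_jwt KEY.pem CLAIMS_JSON -> compact JWT on stdout
sign_rs256_jwt() {
    key=$1 claims=$2
    header='{"alg":"RS256","typ":"JWT"}'
    signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$claims" | b64url)"
    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256, which is exactly what dgst -sign does for an RSA key
    sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$key" | b64url)
    printf '%s.%s\n' "$signing_input" "$sig"
}

# verify_rs256_jwt PUB.pem JWT -> returns 0 only if the RSA signature matches
verify_rs256_jwt() {
    pub=$1 jwt=$2
    signing_input=${jwt%.*}
    sigfile=$(mktemp)
    printf '%s' "${jwt##*.}" | b64url_decode > "$sigfile"
    if printf '%s' "$signing_input" \
        | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
        rm -f "$sigfile"; return 0
    fi
    rm -f "$sigfile"; return 1
}

# jwt_header JWT -> the decoded header JSON (lets you check the alg actually used)
jwt_header() { printf '%s' "${1%%.*}" | b64url_decode; }

# demo: a constructed key pair stands in for file.pem; prints "ok" when a freshly
# signed token verifies and the same token with an altered payload does not
demo() {
    work=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/file.pem" 2>/dev/null
    openssl pkey -in "$work/file.pem" -pubout -out "$work/pub.pem"
    claims='{"iss":"demo@example.invalid","aud":"https://oauth2.googleapis.com/token","iat":1700000000,"exp":1700003600}'
    jwt=$(sign_rs256_jwt "$work/file.pem" "$claims")
    # change iat in the payload but keep the original signature: must be rejected
    tampered="${jwt%%.*}.$(printf '%s' "$claims" | sed 's/"iat":1700000000/"iat":1700000001/' | b64url).${jwt##*.}"
    result=fail
    if verify_rs256_jwt "$work/pub.pem" "$jwt" && ! verify_rs256_jwt "$work/pub.pem" "$tampered"; then
        result=ok
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

demo
```

Run it as sh jwt_rs256.sh; it prints ok. The point to keep in mind when wiring this into node-jwt-simple or any other library is that the PEM content is a private key, not a shared secret: it goes to the library with the algorithm set to RS256, and the library does the equivalent of the dgst -sign step above. The -nodes flag in the answer matters because without it openssl writes an encrypted key that the library cannot load without the extra pass phrase.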