Not able to use Secure Vault in wso2 - security

I'm not able to use the secure vault to encrypt the username and password in WSO2 API Manager 2.6.0.
I did the below config:
ran ./ciphertool.sh -Dconfigure to start the ciphertool
gave the password to be encrypted
added it in the carbon console at the /_system/config/repository/components/secure-vault location
called it in mediation as
<Password>{wso2:vault-lookup('AdminUser.Password')}</Password>
I got this error:
INFO - DefaultCryptoProviderComponent 'CryptoService.Secret' property has not been set. 'org.wso2.carbon.crypto.provider.SymmetricKeyInternalCryptoProvider' won't be registered as an internal crypto provider. Please set the secret if the provider needs to be registered.

Apache Camel / Azure Vault URI setup

We are having an issue trying to read Outlook emails.
Currently we are using the following Apache Camel endpoint to log in to Outlook 365 emails:
imaps://Outlook.office365.com:993?password=XXXX&username=YYYY
We upgraded to Apache Camel 3.17 to have access to Azure Vault. We began our testing with tenantId and clientId.
We get the following error.
Caused by: java.lang.IllegalArgumentException: Azure Secret Client or client Id, client secret and tenant Id must be specified
at org.apache.camel.component.azure.key.vault.KeyVaultComponent.createEndpoint(KeyVaultComponent.java:66)
at org.apache.camel.support.DefaultComponent.createEndpoint(DefaultComponent.java:171)
at org.apache.camel.impl.engine.AbstractCamelContext.doGetEndpoint(AbstractCamelContext.java:951)
... 97 more
If anyone has set this up successfully, please help with an example of the URI parameters.
Thank you

Domino App Service Pack installation, failed to start up IAM services as in the tutorial

I had configured the Domino Credential Store.
I had modified the Domino Proton server settings that enable client authentication.
I created the Vault ID.
I created the IAM-store.nsf from the template, with this error message:
Error executing agent 'DeleteExpiredDocs' in 'iam-store.nsf'. Agent signer 'Domino Template Development/Domino': You are not authorized to perform that operation
I gave the IAM's functional ID access to the database.
I installed the IAM services for Domino with the following message:
(screenshot: result screen of installing domino-iam-service-2.2.0.tgz)
Since I would like to configure the IAM services for my testing server, I selected to set up the pilot mode.
According to the tutorial, https://doc.cwpcollaboration.com/appdevpack/docs/en/iam_landing_page.html
I could access the demo database with the anonymous setting of the Proton server.
C:\src\domino-db\package>npm run ptest -- read serv.org.com:3003/App\node-demo.nsf -q "Form = 'Contact' and LastName = 'Moody'"
(screenshot: reading the content of the demo database)
Configured the pilot mode successfully.
What am I doing wrong?
(screenshot: error when trying to start up the pilot mode of the IAM Service)
I have put all the certificates into the folder config/certs,
in which the certificates are created by create_certs.cmd from the tutorial.
And I have converted ca.crt into ca.pem.
Besides, I also put the keys created by ProtonCA into config/certs.
(screenshot: keys created by ProtonMicroCA)
According to the tutorial, I modified make_certs.cmd as follows:
(screenshot: make_certs.cmd)
(screenshot: the certificates are posted to the config/certs directory)
I'm not sure about your complete setup; a support ticket would help us diagnose this better. There should be a ca folder in the config/certs directory that contains any root certs you're using (like the ca.pem you have).

How do I determine if Windows Credentials are disabled

I am using the CredRead() and CredWrite() functions from the Windows Credential Manager API to store and retrieve user passwords, as outlined in this StackOverflow answer.
However, I have read that it is possible to disable the Credential Manager by setting a Group Policy, or simply by stopping/disabling the Credential Manager service. In this case, I would like to update my application's UI to reflect that Credential storage is not currently available.
Is there a reliable way to determine programmatically whether or not the Credential Manager has been disabled?
In Windows there is VaultSvc (friendly name: Credentials Service), which supports different vault types. There is a utility, VaultCmd.exe, with which we can enumerate the different credential schemas and loaded vaults. For example:
vaultcmd /listschema
Global Schemas
Credential schema: Windows Secure Note
Schema guid: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Credential schema: Windows Web Password Credential
Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55
Credential schema: Windows Credential Picker Protector
Schema guid: 154E23D0-C644-4E6F-8CE6-5069272F999F
Currently loaded credentials schemas:
Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Credential schema: Windows Web Password Credential
Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55
Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Credential schema: Windows Domain Certificate Credential
Schema guid: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Credential schema: Windows Domain Password Credential
Schema guid: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Credential schema: Windows Extended Credential
Schema guid: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
and
vaultcmd /list
Currently loaded vaults:
Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Location: C:\Users\*\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Location: C:\Users\*\AppData\Local\Microsoft\Vault
Of course vaultcmd and most vaults, say Web Credentials (which stores passwords in IE), will only work in case VaultSvc is running,
but Windows Credentials (77BC582B-F0A6-4E15-4E80-61736B6F3B29) is a built-in credential store which is always running (inside lsass), even if VaultSvc is not running (disabled). The CredRead, CredWrite, CredEnumerate, and other Cred* APIs will always work. It cannot be disabled.
There is an undocumented Vault* API implemented in vaultcli.dll. All these APIs are named in the form Vault*. When we call one and VaultSvc is running, vaultsvc.dll is loaded in lsass and handles the remote call:
vaultcli!VaultSomeApi -> rpc -> vaultsvc!VltSomeApi
For example, when we call VaultEnumerateItems in the client, VltEnumerateItems is called in lsass (vaultsvc.dll). What is internally called inside VltEnumerateItems depends on the concrete vault on which it is called. For the Windows Credentials vault, CredEnumerateW is called inside VltEnumerateItems.
The name of the Credentials Service is VaultSvc.
You can find how to query the status of any service in this answer and just use the code whilst passing the "VaultSvc" string to the function.
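An added example, not from either answer above, that combines their two points: it reads VaultSvc's state and start type through sc.exe and probes the built-in Windows Credentials store with CredReadW on a constructed target name that cannot exist, so an application can tell a disabled VaultSvc apart from an unusable Cred* API. parse_sc_field, vaultsvc_state, cred_api_responds and describe are names chosen here; the sc.exe and advapi32 calls need Windows.

```python
import ctypes
import re
import subprocess

CRED_TYPE_GENERIC = 1   # wincred.h
ERROR_NOT_FOUND = 1168  # winerror.h: the normal reply for a target that does not exist

def parse_sc_field(sc_output, field):
    """Symbolic value of one field in `sc query` / `sc qc` output, e.g. 'RUNNING'
    from 'STATE : 4  RUNNING' or 'DISABLED' from 'START_TYPE : 4   DISABLED'."""
    m = re.search(r"^\s*%s\s*:\s*\d+\s+(\w+)" % re.escape(field), sc_output, re.M)
    return m.group(1) if m else None

def vaultsvc_state():
    """(STATE, START_TYPE) of VaultSvc as reported by sc.exe (Windows only)."""
    run = lambda *a: subprocess.run(["sc", *a, "VaultSvc"], capture_output=True, text=True).stdout
    return parse_sc_field(run("query"), "STATE"), parse_sc_field(run("qc"), "START_TYPE")

def cred_api_responds():
    """Probe the built-in Windows Credentials store: CredReadW on a constructed
    name that cannot exist (nothing is written). ERROR_NOT_FOUND means lsass
    answered normally; any other failure means the Cred* API is unavailable."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.CredReadW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                   ctypes.POINTER(ctypes.c_void_p)]
    handle = ctypes.c_void_p()
    if advapi32.CredReadW("probe-nonexistent-target-f3b2c1", CRED_TYPE_GENERIC, 0,
                          ctypes.byref(handle)):
        advapi32.CredFree(handle)  # not expected for this name; free it anyway
        return True
    return ctypes.get_last_error() == ERROR_NOT_FOUND

def describe(state, start_type, cred_ok):
    """One line for the application's UI, separating a disabled VaultSvc (vault-backed
    features such as Web Credentials are off) from a Cred* API that does not answer."""
    if not cred_ok:
        return "credential storage unavailable: Cred* API not responding"
    if start_type == "DISABLED":
        return "Cred* API usable; VaultSvc is disabled, so vault-backed features are off"
    return "credential storage available (VaultSvc %s, %s)" % (state, start_type)

if __name__ == "__main__":
    st, mode = vaultsvc_state()
    print(describe(st, mode, cred_api_responds()))
```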

PARTNER_AUTHENTICATION failed for Docusign.esign.dll

I am writing code to use the DocuSign demo machine through Docusign.esign.dll. I have tried using the OAuth process for connecting to DocuSign.
I have used code similar to the code mentioned here:
https://github.com/docusign/docusign-csharp-client/blob/master/test/SdkTests/JwtAuthUnitTests.cs
But I have used my demo machine's Integrator key and private key. But I am getting the below error. So do I need to change any setup in my demo machine? Or how do I get a valid Integrator key?
I suspect my PEM key is causing the issue. So let me know how to prepare that PEM key.
I just copied my private key and created the PEM file using the Notepad application.
Please let me know, do I miss anything?
Error calling Login: {
 "errorCode": "PARTNER_AUTHENTICATION_FAILED",
 "message": "The specified Integrator Key was not found or is disabled. An Integrator key was not specified."
}
By default, the API points to their live/production servers. After creating an instance of the ApiClient, set it to point at the demo server:
apiClient.RestClient.BaseUrl = new Uri("https://demo.docusign.net/restapi");
Edit: That was for legacy authentication. For OAuth, please check to make sure you're pointing to account-d.docusign.com (notice the -d).
I too found this to be the issue; in the response the bearer token is missing.
string host = "https://demo.docusign.net/restapi/v2";
// Note: with or without v2 their supplied credentials work
string oauthBasePath = "account-d.docusign.com";
ApiClient apiClient = new ApiClient(host);
apiClient.ConfigureJwtAuthorizationFlow(integratorKey, userId, oauthBasePath, privateKeyFilename, expiresInHours);
When you use the credentials from the JwtAuthUnitTests TestConfig, all works.
Steps followed should be:
Created demo machine
Created IK
Created Secret key
Created RSA key pair
Copy the private key into Notepad and save that file in a location
Missing steps are:
Granting consent, either using User Consent or Admin Consent; check Service Integration for details.
Configure the Redirect URI in the Integrator Key, only needed for User Consent via Authorization Code Grant.
You can use Admin Consent only if you can claim your email domain in DocuSign; else you need to use User Consent. With User Consent, normally using Authorization Code Grant, you need to get consent with scopes of Impersonation and Signature. Once you have the user's consent, then you can get a new AccessToken for that user using JWT.
Also, you need to point to the correct host for Demo and Prod:
account-d.docusign.com is required for Demo
account.docusign.com is required for Prod
The above host is used to get the access token from the DocuSign Account Server (/oauth/token), and you will use the above host also for getting the baseUri from the /oauth/userinfo endpoint. Other than these two calls, I don't think you will use the above host.
In the response for the /oauth/userinfo endpoint call, you will get base_uri and account_id like below:
"account_id": "fe0b61a3-3b9b-cafe-b7be-4592af32aa9b"
"base_uri": "https://demo.docusign.net"
You will use the above base_uri and account_id for any other API calls, like for creating an envelope etc.:
<base_uri>/restapi/v2/accounts/<account_Id>/envelopes

How can we use secure vault in WSO2 ESB?

I am using WSO2 ESB 4.8.0.
How would I approach password hiding with the secure vault option?
I am unable to find proper docs. What is the connection between WSO2 Carbon server and WSO2 ESB?
If I wish to use secure vault in WSO2 ESB, do I need to install WSO2 Carbon server also, or can we use it directly?
I did the below changes in
/repository/conf/security/secret-config.properties
I have made the below changes in this file but to no use:
#
#keystore.identity.location=/home/youtility2/Desktop/ESB/wso2/wso2esb-4.8.0/repository/resources/security/wso2carbon.jks
#keystore.identity.type=JKS
#keystore.identity.alias=wso2carbon
#keystore.identity.store.password=identity.store.password
#keystore.identity.store.secretProvider=com.sample.password.callback.handler.HardCodedSecretCallbackHandler
#secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
#secretRepositories.file.location=repository/conf/security/cipher-text.properties
#secretRepositories=file
#keystore.identity.key.password=identity.key.password
#carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler
#keystore.identity.key.secretProvider=com.sample.password.callback.handler.HardCodedSecretCallbackHandler
#keystore.identity.alias=wso2carbon
#keystore.identity.key.password=wso2carbon
##keystore.identity.key.secretProvider=<any implementation of org.apache.synapse.commons.security.secret.SecretCallbackHandler>
##keystore.identity.parameters=enableHostnameVerifier=false;keyStoreCertificateFilePath=/home/esb.cer
#
#keystore.trust.location=repository/resources/security/client-truststore.jks
#keystore.trust.type=JKS
#keystore.trust.alias=wso2carbon
#keystore.trust.store.password=wso2carbon
##keystore.trust.store.secretProvider=<any implementation of org.apache.synapse.commons.security.secret.SecretCallbackHandler>
#
and restarted the ESB, but I am unable to use secure vault.
vault key="my.pwd.login"
pwd="****"
repeat="****"
I am getting errors from the console like this:
ERROR - CipherInitializer No secret repositories have been configured
[2014-02-05 14:50:50,547] ERROR - CipherInitializer Either Configuration properties can not be loaded or No secret repositories have been configured please check PRODUCT_HOME/repository/conf/security refer links related to configure WSO2 Secure vault
[2014-02-05 14:50:50,547] ERROR - MediationSecurityAdminService Either Configuration properties can not be loaded or No secret repositories have been configured please check PRODUCT_HOME/repository/conf/security refer links related to configure WSO2 Secure vault
[2014-02-05 14:50:50,548] ERROR - MediationSecurityAdminService Failed to load security key store information ,Configure secret-conf.properties properly by referring to http://docs.wso2.org/display/Carbon402/WSO2+Carbon+Secure+Vault
org.apache.axis2.AxisFault: Failed to load security key store information ,Configure secret-conf.properties properly by referring to http://docs.wso2.org/display/Carbon402/WSO2+Carbon+Secure+Vault
at org.wso2.carbon.mediation.security.vault.MediationSecurityAdminService.handleException(MediationSecurityAdminService.java:83)
at org.wso2.carbon.mediation.security.vault.MediationSecurityAdminService.doEncrypt(MediationSecurityAdminService.java:54)
Thanks in Advance,
faisal.
WSO2 products like ESB and API Manager are built on top of the WSO2 Carbon framework. So we can refer to ESB, APIM etc. as Carbon-based servers. So please follow the configuration steps provided in the Carbon docs page on secure vault in the ESB. I think the guide is pretty descriptive.
Please note that lines that begin with the symbol '#' are comments. So you should remove the '#' symbol from your /repository/conf/security/secret-conf.properties file appropriately.
You can use secure vault to secure the pre-defined passwords of the configuration files that can be found in the /repository/conf directory (axis2.xml, master-datasources.xml, user-mgt.xml and so on). First, I guess you need to identify the password that you want to secure. Then please configure your actual password in the cipher-text.properties file with respect to the alias. You can run the ciphertool.sh script to do the other configuration in an automated manner. Please refer to this for more details. Please note that with the default implementation, passwords are encrypted using the wso2carbon.jks file.
