How can we use secure vault in wso2esb - security

I am using wso2esb 4.8.0.
How would I approach password hiding with the secure vault option?
I am unable to find proper docs. What is the connection between wso2carbon server and wso2esb?
If I wish to use secure vault in wso2esb, do I need to install wso2carbon server as well, or can we use it directly?
I did the below changes in
/repository/conf/security/secret-config.properties
I have made the below changes in this file, but to no use:
#
#keystore.identity.location=/home/youtility2/Desktop/ESB/wso2/wso2esb-4.8.0/repository/resources/security/wso2carbon.jks
#keystore.identity.type=JKS
#keystore.identity.alias=wso2carbon
#keystore.identity.store.password=identity.store.password
#keystore.identity.store.secretProvider=com.sample.password.callback.handler.HardCodedSecretCallbackHandler
#secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
#secretRepositories.file.location=repository/conf/security/cipher-text.properties
#secretRepositories=file
#keystore.identity.key.password=identity.key.password
#carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler
#keystore.identity.key.secretProvider=com.sample.password.callback.handler.HardCodedSecretCallbackHandler
#keystore.identity.alias=wso2carbon
#keystore.identity.key.password=wso2carbon
##keystore.identity.key.secretProvider=<any implementation of org.apache.synapse.commons.security.secret.SecretCallbackHandler>
##keystore.identity.parameters=enableHostnameVerifier=false;keyStoreCertificateFilePath=/home/esb.cer
#
#keystore.trust.location=repository/resources/security/client-truststore.jks
#keystore.trust.type=JKS
#keystore.trust.alias=wso2carbon
#keystore.trust.store.password=wso2carbon
##keystore.trust.store.secretProvider=<any implementation of org.apache.synapse.commons.security.secret.SecretCallbackHandler>
#
and restarted the ESB, but I am unable to use secure vault:
vault key="my.pwd.login"
pwd="****"
repeat="****"
I am getting errors in the console like this:
ERROR - CipherInitializer No secret repositories have been configured
[2014-02-05 14:50:50,547] ERROR - CipherInitializer Either Configuration properties can not be loaded or No secret repositories have been configured please check PRODUCT_HOME/repository/conf/security refer links related to configure WSO2 Secure vault
[2014-02-05 14:50:50,547] ERROR - MediationSecurityAdminService Either Configuration properties can not be loaded or No secret repositories have been configured please check PRODUCT_HOME/repository/conf/security refer links related to configure WSO2 Secure vault
[2014-02-05 14:50:50,548] ERROR - MediationSecurityAdminService Failed to load security key store information ,Configure secret-conf.properties properly by referring to http://docs.wso2.org/display/Carbon402/WSO2+Carbon+Secure+Vault
org.apache.axis2.AxisFault: Failed to load security key store information ,Configure secret-conf.properties properly by referring to http://docs.wso2.org/display/Carbon402/WSO2+Carbon+Secure+Vault
at org.wso2.carbon.mediation.security.vault.MediationSecurityAdminService.handleException(MediationSecurityAdminService.java:83)
at org.wso2.carbon.mediation.security.vault.MediationSecurityAdminService.doEncrypt(MediationSecurityAdminService.java:54)
Thanks in Advance,
faisal.

WSO2 products like ESB and API Manager are built on top of the WSO2 Carbon framework, so we can refer to ESB, APIM etc. as Carbon-based servers. So please follow the configuration steps provided in the Carbon docs page on secure vault in the ESB. I think the guide is pretty descriptive.
Please note that lines that begin with the symbol '#' are comments, so you should remove the '#' symbol from your /repository/conf/security/secret-conf.properties file appropriately.

You can use secure vault to secure the pre-defined passwords in the configuration files found in the /repository/conf directory (axis2.xml, master-datasources.xml, user-mgt.xml and so on). First, I guess you need to identify what password you want to secure. Then please configure your actual password in the cipher-text.properties file with respect to the alias. You can run the ciphertool.sh script to do the other configuration in an automated manner. Please refer to this for more details. Please note that with the default implementation, passwords are encrypted using the wso2carbon.jks file.
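The configuration the two replies above point at, written out as an added example (a shell script; not WSO2's own tooling and not code from this thread). It assumes ESB 4.8.0's default layout under CARBON_HOME, the shipped wso2carbon.jks with its default password wso2carbon, and the DefaultSecretCallbackHandler, which reads that password from a one-shot password-tmp file at startup; the alias my.pwd.login and the LOGIN_PASSWORD variable are placeholders. Every line in secret-conf.properties is left active, which is the difference from the commented-out file in the question, and the plaintext entry in cipher-text.properties is written in the [brackets] form that ciphertool.sh -Dconfigure replaces with ciphertext made with the keystore's public key.

```shell
#!/bin/sh
# Added example for this thread (not WSO2's own tooling or docs): lay down the
# file-based secure vault configuration that ESB 4.8.0 (Carbon 4.2.0) expects,
# with every line active, then add a plaintext entry for the cipher tool to
# encrypt. Assumed: the shipped wso2carbon.jks with its default password
# "wso2carbon" and the DefaultSecretCallbackHandler, which reads that password
# from a one-shot CARBON_HOME/password-tmp file when the server starts.
set -eu

SEC_DIR=repository/conf/security

# secret-conf.properties: identity keystore plus one "file" secret repository.
# No line may start with '#', which is exactly what the posted file got wrong.
write_secret_conf() {                      # $1 = CARBON_HOME
  mkdir -p "$1/$SEC_DIR"
  cat > "$1/$SEC_DIR/secret-conf.properties" <<'EOF'
keystore.identity.location=repository/resources/security/wso2carbon.jks
keystore.identity.type=JKS
keystore.identity.store.password=identity.store.password
keystore.identity.store.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
keystore.identity.key.password=identity.key.password
keystore.identity.key.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler
secretRepositories=file
secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
secretRepositories.file.location=repository/conf/security/cipher-text.properties
EOF
}

# cipher-text.properties: alias=[plaintext]. The square brackets tell
# ciphertool.sh -Dconfigure which values still have to be replaced by
# base64 ciphertext produced with the wso2carbon.jks public key.
add_plaintext_secret() {                   # $1 = CARBON_HOME, $2 = alias, $3 = plaintext
  mkdir -p "$1/$SEC_DIR"
  printf '%s=[%s]\n' "$2" "$3" >> "$1/$SEC_DIR/cipher-text.properties"
}

# Reproduces the check behind "No secret repositories have been configured":
# succeeds only if an uncommented secretRepositories= line exists.
vault_is_configured() {                    # $1 = CARBON_HOME
  grep -q '^secretRepositories=' "$1/$SEC_DIR/secret-conf.properties" 2>/dev/null
}

# Number of active (non-comment, non-blank) lines in secret-conf.properties.
secret_conf_active_lines() {               # $1 = CARBON_HOME
  grep -c '^[^#[:space:]]' "$1/$SEC_DIR/secret-conf.properties"
}

# Real run against an installation: set CARBON_HOME and LOGIN_PASSWORD.
if [ -n "${CARBON_HOME:-}" ]; then
  write_secret_conf "$CARBON_HOME"
  add_plaintext_secret "$CARBON_HOME" my.pwd.login "${LOGIN_PASSWORD:?set LOGIN_PASSWORD}"
  vault_is_configured "$CARBON_HOME"
  cd "$CARBON_HOME"
  sh bin/ciphertool.sh -Dconfigure          # prompts for the keystore password, encrypts [...] values
  printf 'wso2carbon\n' > password-tmp      # read once and deleted by the callback handler at next start
fi
```

With CARBON_HOME set the script writes both files and runs the cipher tool; the helper functions alone run anywhere, so vault_is_configured can be used to confirm the "No secret repositories have been configured" condition is gone before restarting. Per the Carbon secure vault docs linked in the thread, -Dconfigure also (re)writes secret-conf.properties to these same defaults, so the manual write mainly documents what a working file looks like. The console password-encryption tool that raised the MediationSecurityAdminService error reads the keystore entries from this file, so once it loads, encrypting a vault key such as my.pwd.login from the console works as well.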

Related

Deploying Azure Cloud Service (extended support) via REST API

I'm in the process of migrating from Cloud Service (classic) to Cloud Service (extended support) in Azure. Unfortunately, CS extended support documentation is very scarce and often inaccurate, so the process is very much not straightforward. At this point, I'm working on the deployment pipelines. With CS classic, we used management APIs to deploy/update/etc. The API for extended support is more straightforward; however, again, the documentation is lacking. The best I found was this page: Cloud Service - create or update. While this provides fairly good starting points, I'm struggling to find any info on the following points:
ServiceConfiguration element - what format is this in? Is it pure XML (encoded within JSON, of course) or something else? For classic API, service configuration was passed as a BASE64 encoded XML.
The request body (JSON) contains some of the same elements as in the service configuration - what happens if they don't match?
Package URL - what format is this in? The package is stored in an azure storage account - so how do I reference it? Also, for authentication, I can't grant the CS any permissions to the storage account, as it's not created yet (it doesn't exist!) - but it seemingly needs this permission in order to be created.
RDP extension - what format is "password" in? Is this really just a plain password? For classic, RDP password was encrypted using a certificate, which was separately uploaded into the service.
SSL certificate from the vault - how is authentication going to work? Again, the CS doesn't exist yet, so I can't grant it any permissions in the vault.
On authentication front, I managed to send the auth request and get the oauth2 token, which I would then use for this API - could this be enough? Of course, I can try this, but need to understand the other things first (i.e. format of some elements).
Note separately that deployment pipeline is executed from Jenkins and must stay that way - I don't have any control over that.
UPDATE: I tested this as best I could with service configuration being plain xml, with content matching the rest of json input, plain text password for RDP extension, and hoping for the auth to use bearer token. The response I received was 400, with the following details:
{
"error": {
"code": "InvalidParameter",
"message": "The value of parameter packageUrl is invalid."
}
}
So, back to my point 3 above - what is the format of package url?
UPDATE 2: After some experimenting, it did accept the package URL with the SAS token. Now I'm stuck with this error:
{
"error": {
"code": "StandardPublicIPAddressNotSupportedCloudService",
"message": "Standard public IP not supported for cloud services."
}
}
Web search for that string returns 0 matches. The template I'm using is copy/paste from MS documentation; the process I'm using is exactly per MS documentation. Any further help massively appreciated.
This isn't exactly what you're after, but I used the following article to help with generating a template.json and parameter.json file, which could then be used through PowerShell.
https://techcommunity.microsoft.com/t5/azure-paas-blog/how-to-use-azure-devops-to-publish-cloud-service-extended/ba-p/3675180
This is what my PowerShell script eventually looked like:
New-AzResourceGroupDeployment -ResourceGroupName "cses-rg" -TemplateFile DeployArm.template.json -TemplateParameterFile DeployArm.parameter.json -packageSasUri $cspkg -configurationSasUri $cscfg -cloudServiceName cldcsestest -deploymentLabel myDeploymentLabel -publicIPName 'MyPublicReservedIp' -rdpPassword $rdpPassword
I only used the PowerShell script locally for quicker testing, but my goal was to get it working with Azure DevOps.

Domino App Service Pack installation: failed to start up IAM services as in the tutorial

I had configured the Domino Credential Store.
I had modified the Domino Proton server settings to enable client authentication.
I created the Vault ID.
I created IAM-store.nsf from the template, with this error message:
Error executing agent 'DeleteExpiredDocs' in 'iam-store.nsf'. Agent signer 'Domino Template Development/Domino': You are not authorized to perform that operation
I gave the IAM's functional ID access to the database.
I installed the IAM services for Domino with the following message.
result screen of installing domino-iam-service-2.2.0.tgz
Since I would like to configure the IAM services for my testing server,
I selected setting up the pilot mode.
According to the tutorial, https://doc.cwpcollaboration.com/appdevpack/docs/en/iam_landing_page.html,
I could access the demo database with the anonymous setting of the Proton server.
C:\src\domino-db\package>npm run ptest -- read serv.org.com:3003/App\node-demo.nsf -q "Form = 'Contact' and LastName = 'Moody'"
read the content of the demo database
Configured the pilot mode successfully.
What am I doing wrong?
Error when trying to start up pilot mode of the IAM service
I have put all the certificates in the folder config/certs,
in which the certificates are created by create_certs.cmd from the tutorial.
And I have converted ca.crt into ca.pem.
Besides, I also put the keys created by ProtonCA into config/certs.
Keys created by ProtonMicroCA
According to the tutorial, I modified make_certs.cmd as follows:
make_certs.cmd
the certificates are posted to the config/certs directory
I'm not sure about your complete setup; a support ticket would help us diagnose this better. There should be a ca folder in the config/certs directory that contains any root certs you're using (like the ca.pem you have).

Not able to use Secure Vault in wso2

I'm not able to use the secure vault to encrypt the username and password in WSO2 API Manager 2.6.0.
I did the below config:
ran ./ciphertool.sh -Dconfigure to start the ciphertool
gave the password to be encrypted
added it in the carbon console at the /_system/config/repository/components/secure-vault location
called it in mediation as
<Password>{wso2:vault-lookup('AdminUser.Password')}</Password>
I got this error:
INFO - DefaultCryptoProviderComponent 'CryptoService.Secret' property has not been set. 'org.wso2.carbon.crypto.provider.SymmetricKeyInternalCryptoProvider' won't be registered as an internal crypto provider. Please set the secret if the provider needs to be registered.

error while trying to decrypt using azure vault certificate key: "Operation returned an invalid status code 'Forbidden'"

I am trying to decrypt an encrypted string through C# code and an Azure Key Vault certificate key. The encryption part works fine, but while decrypting, an exception occurs saying: "Operation returned an invalid status code 'Forbidden'", "Operation decrypt is not permitted on this key."
I have allowed all the permissions while registering this in the Azure AD "App registrations" option from the AD blade. Is there any other place where I need to add any more permissions? I have followed this article to set up the certificate and its association with AD.
A line of the code I am using for decryption:
var decryptedData = kv.DecryptAsync(key.Key.Kid,JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedTextNew).GetAwaiter().GetResult();
If any one has done this, please write back in the comment, will be of great help.
Maybe my situation is different, but I'm going to drop some details here just in case someone runs into the same problem.
I created a certificate (note: a certificate, not a key) in the Azure Key Vault UI and used it for encrypt/decrypt, and got the Operation returned an invalid status code 'Forbidden' error.
I tried to create a new certificate, but this time I checked all the Advanced Policy Configuration options (you should only check the options you need, though), and the new one worked for me:
Operation returned an invalid status code 'Forbidden'
As I have tested, it seems that you have not configured the Access Policy in Key Vault for your application to access keys or to process encryption/decryption.
Also, please check whether you have added the role assignments of the registered app to Azure Key Vault.
For more details, you could refer to this article, which I have tested and which works fine.
This error also occurs if you try to use this kind of certificate in a Logic App with AS2Decode.
The error you will get then is:
Integration account operation failed with status code: Forbidden and error KeyVaultOperationFailed : Communication with key vault '..........KeyVault' failed. Please authorize logic apps to perform operations on key vault by granting access for the logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get', 'decrypt' and 'sign' operations.
Thank you for this solution!
I had the same issue. Make sure that during certificate upload or generation you set the Data encipherment option in Advanced Policy Configuration. This can only be done during initial setup; changing it later does not work.
Advanced Policy Configuration
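What the replies above describe, as an added example in Azure CLI shell (not the poster's C# and not Microsoft's code): granting the app's service principal the decrypt key permission on the vault, creating a certificate whose policy carries the data/key encipherment key usage at creation time, and reading back the backing key's keyOps before calling decrypt. The vault name, certificate name and the KEY_VAULT and APP_ID variables are placeholders, and the mapping from the certificate's keyUsage to the key's key_ops (decrypt/encrypt present only when dataEncipherment or keyEncipherment is set) is assumed from the behaviour the last reply reports.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code): the two Key Vault
# settings that produce "Operation decrypt is not permitted on this key" on an
# otherwise valid RSA-OAEP decrypt call, fixed with the Azure CLI.
# Placeholders: vault name in KEY_VAULT, the app registration's application
# (client) id in APP_ID, certificate name app-cert.
set -eu

# 1. The vault's access policy for the caller must list 'decrypt' among the
#    key permissions. Permissions on the app registration in Azure AD grant
#    nothing inside the vault's data plane.
grant_decrypt_to_app() {                  # $1 = vault name, $2 = app (client) id
  az keyvault set-policy --name "$1" --spn "$2" \
    --key-permissions get encrypt decrypt wrapKey unwrapKey
}

# 2. A certificate's backing key only gets decrypt/encrypt in its key_ops when
#    the certificate policy's keyUsage carries dataEncipherment/keyEncipherment
#    at creation time (the "Data encipherment" box in Advanced Policy
#    Configuration). That cannot be changed afterwards, so a new certificate
#    is created with an explicit policy (assumed mapping, as reported above).
cert_policy_json() {
  cat <<'EOF'
{
  "issuerParameters": { "name": "Self" },
  "keyProperties": { "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "CN=app-cert",
    "validityInMonths": 12,
    "keyUsage": [ "digitalSignature", "keyEncipherment", "dataEncipherment" ]
  }
}
EOF
}

create_decryptable_cert() {               # $1 = vault name, $2 = certificate name
  tmp=$(mktemp)
  cert_policy_json > "$tmp"
  az keyvault certificate create --vault-name "$1" --name "$2" --policy "@$tmp"
  rm -f "$tmp"
}

# 3. Decide from the key's advertised operations whether decrypt can succeed.
#    Input is the newline-separated list printed by:
#      az keyvault key show --vault-name V --name N --query key.keyOps -o tsv
key_allows_decrypt() {                    # $1 = key ops, one per line
  printf '%s\n' "$1" | grep -qx 'decrypt'
}

# Real run only when both placeholders are supplied; the helpers run offline.
if [ -n "${KEY_VAULT:-}" ] && [ -n "${APP_ID:-}" ]; then
  grant_decrypt_to_app "$KEY_VAULT" "$APP_ID"
  create_decryptable_cert "$KEY_VAULT" app-cert
  ops=$(az keyvault key show --vault-name "$KEY_VAULT" --name app-cert --query key.keyOps -o tsv)
  key_allows_decrypt "$ops" || { echo "key_ops still lacks decrypt: $ops" >&2; exit 1; }
fi
```

key_allows_decrypt works on the tsv list without network access; the az calls run only when KEY_VAULT and APP_ID are set. If the vault has Azure RBAC enabled instead of access policies, az keyvault set-policy is refused and the equivalent is a Key Vault Crypto User role assignment on the vault for the app's service principal, which is the "role assignments" the second reply refers to.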

Web service authentication issue - using openam j2ee agent 3

I am new to OpenAM. I am trying to use OpenAM (954) to secure my web service using J2EE agent 3.0. I have deployed my web service (using CXF) on GlassFish 3.1.x.
I have created the necessary configuration given in the URL http://docs.oracle.com/cd/E19575-01/820-4803/ghuqg/index.html
I want to authenticate using user id and password. I am passing this information (userid/password) using a SOAP header. But when I try to access my web service in the browser, it gives an access forbidden message.
Are there any additional configurations required? Please let me know; I am not able to find any other information on this anywhere.
Following is the request we are sending. I am not sure whether the UsernameToken wsu:Id is correct. How do we get this value from OpenAM dynamically each time we send the request?
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-27777511" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>amadmin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Amit4001</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<demo:greetPerson>
<!--Optional:-->
<arg0>Ashish</arg0>
</demo:greetPerson>
Please help me solve this issue.
I want to authenticate using user id and password. I am passing this information (userid/password) using a SOAP header. But when I try to access my web service in the browser, it gives an access forbidden message.
I'm currently struggling to learn OpenAM as well, and I think your specific problem is that you have not yet set up a policy (not a policy agent) for after users have successfully authenticated.
If you haven't, try the following steps:
Navigate to Access Control -> YourRealm -> Policies -> New Policy
Name: yourpolicyname
Rules (click new):
Name: URLPolicy
Resource Name: http:// your-webservice-url/*
Check allow get and post
Name: GetUrlPolicy
Resource Name: http:// your-webservice-url /* ? *
Check allow get and post
Subjects (click new)
Type = OpenAM Identity Subject
Name: UserAccess
Add users you want to be able to authenticate
You have to add in the * ? * rule if you have any GET parameters in your web page.
Hope that helps; I know the documentation around is terrible.
For your agent policy, in the Global tab: General section > Agent Filter Mode, remove ALL and add SSO_ONLY (leave Map Key blank and Map Value as SSO_ONLY). Note that this configuration isn't hot-swappable, so OpenAM has to be restarted to apply it.
Here is a procedure for installing the agent on the server you want to protect:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/jee-install-guide/index/chap-glassfish.html
Here is a good procedure for configuring the agent policy centrally on the OpenAM server:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index/chap-agents.html#create-agent-profiles
You might want to also control which URIs (webapps) to protect instead of the entire website. To do that, in the agent policy:
Application tab: Not Enforced URI Processing section > add the URI to protect, for example: /application1/*
Application tab: Not Enforced URI Processing section > check the "Invert Not Enforced URIs" checkbox so that it will actually enforce the "Not Enforced URI" values
