get-azurekeyvaultkey does not return "public key" - azure-keyvault

I am just testing out Azure Key Vault with key/pairs and am attempting to retrieve the public key.
I first created a Key Vault (name = "VaultTest") using Azure portal.
I then created a Key (Name = "TestKey1") again using Azure portal.
I see the key in the portal and when I click on it I see the following information:
Properties:
Key Type: RSA
RSA Key Size 2048
Created: "date time"
Updated: "date time"
Key Identifier: //vault path/keys/TestKey1/Key identifier
Settings:
Set activation date: "unchecked"
Set expiration date: "unchecked"
Enabled: True
Tags "none"
Permitted operations:
Encrypt: true
Decrypt: true
Sign: true
Verify: true
Wrap key: true
Unwrap key: true
Notice that there is no public key information displayed so I switched over to Azure Cloud Shell and executed the following command:
Get-AzureKeyVaultKey -vaultname 'VaultTest' -name 'TestKey1'
It returns VaultName, Name, Version, Id, Enabled, Expires, Not Before, Created, Updated, Purge Disabled and Tags, but no Key.
All the examples I read online (albeit somewhat old) show fields Attributes and Key being returned but those are not returning for me.
I read somewhere that if you call the URI it will return the public key info, so I copy/pasted the URI into a browser but this returns to me:
{"error":{"code":"Unauthorized","message":"Request is missing a Bearer or PoP token."}}
Am I doing something brain dead or has the function get-azurekeyvaultkey changed? If it has changed how does one get the public key information for a specific key stored in Key Vault?

I can reproduce your issue with Get-AzureKeyVaultKey -vaultname 'VaultTest' -name 'TestKey1'.
But actually it returns the Attributes and Key that you want, just pass the | ConvertTo-Json like below.
Get-AzureKeyVaultKey -vaultname 'VaultTest' -name 'TestKey1' | ConvertTo-Json

Related

AWS CDK DocDB::DBCluster fails with 'not a valid password'

I am trying to use AWS CKD (JAVA) to create a DocumentDB instance.
This works with a "simple" plaintext password, but fails when I try to use a DatabaseSecret and a password stored in Secrets Manager.
The error I get is this:
1:44:42 PM | CREATE_FAILED | AWS::DocDB::DBCluster | ApiDocDb15EB2C21
The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '#', '"', ' ' may
be used. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: c786d247-8ff2-4f30-9a8a-5
065fc89d3d1; Proxy: null)
which is clear enough, but it continues to happen, even if I set the password to something such as simplepassword - so I am now somewhat confused as to what am I supposed to fix now.
Here is the code, mostly adapted from the DocDB documentation:
String id = String.format(DOCDB_PASSWORD_ID);
return DatabaseSecret.Builder.create(scope, id)
.secretName(store.getSsmSecretName())
.encryptionKey(passwordKey)
.username(store.getAdminUser())
.build();
where the ssmSecretName is the name of the secret in SecretManager:
└─( aws secretsmanager get-secret-value --secret-id api-db-admin-pwd
ARN: arn:aws:secretsmanager:us-west-2:<ACCT>:secret:api-db-admin-pwd-HHxpFf
Name: api-db-admin-pwd
SecretString: '{"api-db-admin-pwd":"simplepassword"}'
This is the code used to build the DbCluster:
DatabaseCluster dbCluster = DatabaseCluster.Builder.create(scope, id)
.dbClusterName(properties.getDbName())
.masterUser(Login.builder()
.username(properties.getAdminUser())
.kmsKey(passwordKey)
.password(masterPassword.getSecretValue())
.build())
.vpc(vpc)
.vpcSubnets(ISOLATED_SUBNETS)
.securityGroup(dbSecurityGroup)
.instanceType(InstanceType.of(InstanceClass.MEMORY5, InstanceSize.LARGE))
.instances(properties.getReplicas())
.storageEncrypted(true)
.build();
The question I have is: should I use a DatabaseSecret? or just retrieve the password from SM and be done with it?
A sub-question then: what is one supposed to use the DatabaseSecret for then?
(NOTE -- this is the same class, almost, as in the rds package; but here I am using the docdb package)
Thanks for any suggestion!
Turns out that the DatabaseSecret creates a key/value pair as the secret:
{
"username": <value of username()>,
"password": <generated>
}
However, the call to Login.password() completely ingnores this, and treats the whole JSON body as the password (so the " double quotes trip it).
The trick is to use DatabaseSecret.secretValueFromJson("password") in the call to Login.password() and it works just fine.
This is (incidentally) inconsistent with the behavior of rds.DatabaseCluster and the rds.Credentials class behavior (who take a JSON SecretValue and parse it correctly for the "password" field).
Leaving it here in case others stumble on this, as there really is NO information out there.

Websphere 8.5.5.16, OIDC IDToken - user problem

I'm trying to configure Oauth authorization on websphere 8.5.5.16. I added interceptor with issuerIdentifier parameter = https://company.com/abc I next step I added trust external realm: https://company.com/abc And when I try to start service in my app (IBM BPM) I getting an error: NullPointer Exception. Please look at the logs on how the user is created:
Principal: https://company.com/abc/login_user
Public Credential: com.ibm.ws.security.auth.WSCredentialImpl#ebc4e0d2
Private Credential: {setLtpaCookie=false, com.ibm.wsspi.security.cred.securityName=login_user, com.ibm.wsspi.security.cred.uniqueId=user:https://company.com/abc/login_user, token_type=, access_token=xxx, id_token=, com.ibm.wsspi.security.cred.realm=https://company.com/abc, com.ibm.wsspi.security.cred.groups=[], refresh_token=, JsonWebToken=JsonWebToken:{"aud":"0000","iss":"https://company.com/abc","iat":122,"nbf":123,"exp":232,"auth_time":222,"nonce":"aaa","sub":"ddddd/fffff","upn":"login_user","unique_name":"domain\\login_user","pwd_url":"https://company.com/abc/portal/updatepassword/","pwd_exp":"4545","sid":"S-1-5-21-66-117609710","authorities":["Group_1, Group_2"],"given_name":"Name","family_name":"Surname","apptype":"Public","appid":"0000","authmethod":"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows","ver":"1.0","scp":"openid"}}
Private Credential: com.ibm.ws.security.token.SingleSignonTokenImpl#347c9d2b
Private Credential: com.ibm.ws.security.token.AuthenticationTokenImpl#718ea698
Private Credential: com.ibm.ws.security.token.AuthorizationTokenImpl#27e8a5bb
00000187 UserOrgModule 1 com.lombardisoftware.userorg.UserOrgModule getIdFromPrincipalName getIdFromPrincipalName() user=/company.com/abc/login_user, id=null
user = /company.com/abc/login_user not: login_user Why? Please help.
From message "00000187 UserOrgModule", I can tell your BPM application can not help realm name that contains '/' character. You can resolve the problem with following steps:
In your TAI properties, add useRealm property, and give an unique and meaningful value as realm, for example,
provider_.useRealm=abc123
Add "abc123" as trusted realm. This value matches value you define in step 1.
If you assign roles to users unique id, you need reassign roles again with unique id build from this new realm.
Thanks. I did exactly as you wrote.
I added in my interceptor config: provider_1.useRealm=myrealm
I added trusted realm in Global security > Federated repositories > Trusted authentication realms - inbound (Name = myrealm, Trusted).
I restarted server.
Nothing has changed. I still see: user=/company.com/abc/login_user, id=null because in JWT token, in iss field I have value: 'https://company.com/abc' and unfortunately I cannot change this

How to create a Parameter Store entry without a value in AWS CDK?

In AWS CDK, you can create a parameter store entry for storing secrets like passwords.
However you cannot leave the value blank, and you shouldn't put the secret in the CDK git repository, so how do you get the entry created?
I am currently doing something like this:
const paramKey = new cdkSSM.StringParameter(this, 'example-key', {
description: 'Example SSH private key parameter',
parameterName: 'example-key',
stringValue: `???`, /// What goes here?
allowedPattern: '^-----BEGIN RSA PRIVATE KEY-----[^-]*-----END RSA PRIVATE KEY-----$',
});
In this case, I can't leave the stringValue blank or I get an error, as Parameter Store does not allow blank values. The only value it will accept is an RSA private key, due to the allowedPattern requirement (which is a safety measure to stop someone from accidentally putting in an invalid value through the AWS CLI). But I don't want to put my private key in as it should not be part of the CDK git repository. I don't want to use a dummy key as then someone might think the correct key has been entered already.
How can I deploy a blank Parameter Store value while having the allowedPattern present?
The only workaround I have come up with is to hack the value to allow another token as well, like this:
const paramKey = new cdkSSM.StringParameter(this, 'example-key', {
description: 'Example SSH private key parameter',
parameterName: 'example-key',
stringValue: `TODO`,
allowedPattern: '^TODO$|^-----BEGIN RSA PRIVATE KEY-----[^-]*-----END RSA PRIVATE KEY-----$',
});
This means the Parameter Store entry will accept either an RSA key or the value TODO. But this seems very hacky so I am wondering whether there is a proper solution for this?

How to generate a Tink key from a user-provided password

I want to store a keyset, and would like the file to be encrypted with key produced from a user-provided "master password". And of course, at a later point I'd like to, given the same master password, be able to load that keyset by decrypting the file.
It seems that I need an Aead, which I can generate from a KeysetHandle with AeadFactory.getPrimitive(keysetHandle). But how can I produce a KeysetHandle from a "master password"?
(And for the context of this question, getting that key from a Key Management Systems, instead of producing it "out of thin air" from a master password, isn't an option.)
An Aead can be created as follows (here done from Scala):
val password: String = "..."
val aead = {
val messageDigest = MessageDigest.getInstance("SHA-256")
messageDigest.update(password.getBytes(CharsetNames.Utf8))
val key256Bit = messageDigest.digest()
val key128Bit = key256Bit.take(16)
new AesGcmJce(key128Bit)
}
A few comments:
I'd prefer the key to be based on a 32-bit digest, but the cipher picked by Tink in this case throws an exception when provided with a 32-bit key, hence the shortening to a 16-bit key.
It seems shortening the key this way is ok from a hash weakness perspective.

how to test jwt sample? and what are userid?

My development Environment : eclipse java
I would like test a requestJWTuserToken sample, but I'm getting an error.
Test code:
OAuth.OAuthToken oAuthToken = apiClient.requestJWTUserToken(IntegratorKey, userId, scopes, privateKeyBytes, 3600);
Assert.assertNotSame(null, oAuthToken);
apiClient.setAccessToken(oAuthToken.getAccessToken(), oAuthToken.getExpiresIn());
UserInfo userInfo = apiClient.getUserInfo(oAuthToken.getAccessToken());
Assert.assertNotSame(null, userInfo);
Assert.assertNotNull(userInfo.getAccounts());
Assert.assertTrue(userInfo.getAccounts().size() > 0);
Error message:
com.docusign.esign.client.ApiException: Error while requesting an access token:
class OAuthToken {
accessToken: null
tokenType: null
refreshToken: null
expiresIn: 0
at com.docusign.esign.client.ApiClient.requestJWTUserToken(ApiClient.java:719)
at smartsuite.app.util.DocuSignUtil.settingAuthentication(DocuSignUtil.java:112)
what are userid?
I found a admin sendbox at user > API username
enter image description here
This error is sometimes encountered when there is a problem with the RSA private key that you are using in your JWT request. Start by verifying how you are passing your key's private data into the request, if you are reading from a environment variable for example make sure the key's value is contained on a single line, otherwise it might be getting truncated.
If your key spans multiple lines as an environment variable try doing a regular expression find/replace where you replace all newline \n characters with the string literal "\n" and then pass that through to see if it resolves your issue.

Resources