What is the difference between MSP and Fabric CA? - hyperledger

Is Fabric CA an implementation of MSP?
Is an MSP useless by itself?
What are the functions of the MSP and Fabric CA? And differences in those functions?

MSP is a Membership Service Provider: a pluggable interface to support a variety of credential architectures, basically offering an abstraction layer for the membership orchestration architecture. The MSP abstraction provides:
Concrete identity format
User credential validation
User credential revocation
Signature generation and verification
Fabric-CA, on the other hand, is used to generate the certificates and keys that actually initialize MSP facilities. Fabric-CA is a default implementation of the MSP interface to cover identity management.

MSPs are in charge of member certificates and authentication. The MSP is pluggable; the default Fabric MSP implementation uses PKI methods and X.509 certificates. You can use commercial CAs or Fabric CA to generate the keys and certificates needed to configure an MSP.
For more information read the Fabric CA documentation and https://hyperledger-fabric.readthedocs.io/en/latest/msp.html

Fabric CA provides features such as:
Registration of identities with roles like peer, user or application, or connecting to an existing LDAP as the user registry to fetch identities with those roles.
The MSP (membership service provider) defines which certificate authorities (CAs) are allowed to issue certificates.
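
To make the division of labour in the answers above concrete, here is an added example in Go (it is not Fabric's code and uses only the standard library). Issue and Revoke play the Fabric CA role: they mint certificates and CRLs and nothing else. The MSP type plays the membership service provider: it holds no CA key and decides membership from the CA certificate it was configured to trust plus a CRL that CA signed, so an identity from a CA the MSP was never told about is rejected even though it is a perfectly valid certificate. Signature generation and verification are left out to keep the block short. All names (ca.org1.example.com, User1@org1.example.com), serial numbers and the one-hour lifetimes are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate (an MSP's signcerts/) with its private key (keystore/).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue plays Fabric CA (fabric-ca-client enroll): mint a P-256 key and sign a cert for
// it under parent, or a self-signed root when parent is nil. It only mints. Lifetimes assumed.
func Issue(cn string, serial int64, isCA bool, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = &Identity{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// Revoke plays fabric-ca-client revoke + gencrl: a CRL, signed by the CA, listing serials.
func Revoke(ca *Identity, serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// MSP plays the membership service provider: no CA key, only the CA cert it was told
// to trust (cacerts/) and the serials from a CRL that CA signed (crls/).
type MSP struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewMSP(ca *x509.Certificate, crl *x509.RevocationList) (*MSP, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil { // a CRL counts only if the trusted CA signed it
		return nil, fmt.Errorf("rejecting CRL: %w", err)
	}
	m := &MSP{roots: x509.NewCertPool(), revoked: map[string]bool{}}
	m.roots.AddCert(ca)
	for _, rc := range crl.RevokedCertificates {
		m.revoked[rc.SerialNumber.String()] = true
	}
	return m, nil
}

// Validate is the membership decision: chains to the trusted CA, currently valid, not
// revoked. The CA that issued the certificate is never contacted; the MSP decides alone.
func (m *MSP) Validate(cert *x509.Certificate) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: m.roots}); err != nil {
		return fmt.Errorf("not a member: %w", err)
	}
	if m.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("not a member: serial %s is revoked", cert.SerialNumber)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo: one trusted CA with a member (serial 2) and a revoked member (serial 3), plus an
// identity from a second CA the MSP was never told to trust. A nil verdict means accepted.
func Demo() map[string]error {
	ca := must(Issue("ca.org1.example.com", 1, true, nil))
	member := must(Issue("User1@org1.example.com", 2, false, ca))
	revoked := must(Issue("User2@org1.example.com", 3, false, ca))
	foreign := must(Issue("User1@org2.example.com", 2, false, must(Issue("ca.org2.example.com", 1, true, nil))))
	msp := must(NewMSP(ca.Cert, must(Revoke(ca, 3)))) // the CRL reaches the MSP by configuration, not from the CA
	return map[string]error{
		"member":  msp.Validate(member.Cert),
		"revoked": msp.Validate(revoked.Cert),
		"foreign": msp.Validate(foreign.Cert),
	}
}

func main() { fmt.Println(Demo()) }
```

Run it with go run: the member verdict is nil, the revoked and foreign verdicts carry errors. Two things worth noticing: revoking at the CA changes nothing until the CRL is handed to the MSP (here as an argument to NewMSP; in Fabric it lives in the MSP's crls folder), and a CRL that the trusted CA did not sign is refused outright rather than silently ignored.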

Related

Cert manager issuing certs for Strimzi kafka deployment

I am working on Strimzi Kafka. I want to deploy Kafka with self-signed certs issued by cert-manager instead of the self-signed certs provided by the Strimzi operator/Kafka.
I have gone through the Strimzi documentation but I didn't find a solution to integrate cert-manager with Strimzi Kafka/operator.
When we deploy Kafka we can see many secrets (with certs) being created in the namespace. If I want all those secrets/certs issued by cert-manager to work with Kafka, how can I do it?
Thank you !!
You can use Cert Manager to provide a listener certificate as described in this blog post. But there is currently no easy way to use it for the internal CAs. You can follow this proposal, which might make it possible in the future.

Add Letsencrypt Certificate to Keycloak Trusted Certificates

We have the following setup:
A Keycloak Server on a VM installed as a docker container.
Server certificate via Let's Encrypt.
Two realms a and b.
Realm b is integrated into Realm a as an identity provider.
To make that work, we had to import the certificate of the Keycloak server into the Java trust store. Now the login works and we can choose in realm a if we want to log in with realm b. Unfortunately the process of importing the certificate comes with a lot of manual effort (copy the certificate into the container, split the chain into several files with only one certificate each, call a function) and the certificates are only valid for 90 days. Of course we can automate this, but the question is: is there an "official way" of doing this? Like mounting the Let's Encrypt certificate folder into the container and "done"? We are using the official jboss/keycloak container image.
The docker container should support this by setting the X509_CA_BUNDLE variable accordingly. See the docs here.
This creates the truststore for you and configures it in Wildfly. Details can be found in this and that script.

What is the on-premise equivalent of an Azure key vault?

As I am a programmer with solely experience with production environments in the cloud that run with a cloud-based secret manager, I was wondering: How are secrets managed in an on-premise instance? I bet they are not just written in the application settings or the OS environment variables?
• There is no equivalent of Azure Key Vault in an on-premises environment, though you can use ADCS (Active Directory Certificate Services) for certificate and shared secret management in on-premises infrastructure for authorizing and authenticating resources, service principal names and other identity attributes.
• Though for the handling of the cryptographic keys used by cloud apps and services hosted on premises, we can set up app key vaults for a Business Central on-premises server as well. Please refer to the official documentation below:
https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/setup-app-key-vault-onprem
This document articulates the steps and processes to undertake for integrating the functionality of Azure key vault in your on-premises environment.
• Though, if you want to use Azure Key Vault's functionality directly from your on-premises infrastructure, you can give your on-premises resources internet access and use client certificate authentication and IP restrictions with Key Vault through a VPN tunnel for additional security.
Please refer to the links below for more information:
secret management in on premise application

Azure IoT Edge Certificates Requirements

We are running the Azure IoT Edge runtime on commodity servers inside a corporate intranet. I understand the Microsoft documentation recommends installing certificates for production IoT edge deployment.
We are using basic edge modules only, no gateway configurations, passthroughs, etc...
For our intranet scenario are self-signed certs suitable for production? If so can a single certificate be used for all devices?
Thanks
Yes, you can use self-signed CA certificates. Check here.
Every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it. That CA certificate is then declared to the IoT Edge runtime in the config.yaml file. For development and testing scenarios, the IoT Edge runtime creates temporary certificates if no certificates are declared in the config.yaml file. However, these temporary certificates expire after three months and aren't secure for production scenarios. For production scenarios, you should provide your own device CA certificate, either from a self-signed certificate authority or purchased from a commercial certificate authority.
Regarding using the same CA cert on various Edge devices: logically you should be able to, as the identity cert is the one that differs between edge devices based on the CN name. But I think you can easily check this out by doing a POC.
Here is the link to generate CA cert.

Lync 2013 Server O-Auth Certificate Renewal

I am trying to renew the O-Auth Certificate from one of the Front-end Server and I am facing some issues with it.
When using Lync Server 2013 deployment wizard to request O-Auth Certificate from Internal CA, the process goes well but at the end, the current certificate is not updated.
I can see the same certificate is replicated to the other FEs (which is the default behavior), but it fails to apply on the other FEs as well. I can see the following event logs on every FE:
The replication of certificates from the central management store to the local machine failed due to a problem with certificate processing or installation on the local machine. Microsoft Lync Server 2013, Replica Replicator Agent will continuously attempt to retry the replication. While this condition persists, the certificates on the local machine will not be updated.
Exception: System.Security.Cryptography.CryptographicException: Access is denied.
at System.Security.Cryptography.X509Certificates.X509Store.RemoveCertificateFromStore(SafeCertStoreHandle safeCertStoreHandle, SafeCertContextHandle safeCertContext)
at Microsoft.Rtc.Management.Common.Certificates.CertUtils.AddCertificateToStore(X509Certificate2 cert, StoreName storeName, IManagementReporter reporter)
at Microsoft.Rtc.Management.Deployment.Core.Certificate.ImportFromPinnedArray(PinnedByteArray pfx, Boolean allowSelfSigned)
at Microsoft.Rtc.Management.Deployment.Core.Certificate.ReplicateCMSCertificates(IScopeAnchor scope)
at Microsoft.Rtc.Internal.Tools.Bootstrapper.Bootstrapper.ReplicateCMSCertificates().
Cause: The certificate provisioned in the central management store is invalid or cannot be handled on the local machine.
Resolution:
Ensure that certificates provisioned in the central management store are valid, have all needed issuer certificates included or installed on the local machine, and can be used with cryptographic providers available on the local machine.
I have checked the replication status and Replication is true.
Has anyone come across a similar situation?
I have read in another thread that this is due to the Root CA having a private key. I have checked the server and I can see the Root CA with a private key. How can I remove the private key from the Root CA only on the Lync servers?
https://social.technet.microsoft.com/Forums/ie/en-US/47014b21-33d4-4a59-ba52-5cf537d14104/event-id-3039-lync-2013-internal-oauth-certificate?forum=lyncdeploy
Any help will be greatly appreciated.
I had a similar issue. It turned out the CA certificate in the certificate stores of multiple front-end servers had a private key! Wrong on so many levels. Deleted all copies of the CA cert with the private key and copied them again without it, and then it all worked.
