Solved

indicium issue with azure key

  • 29 December 2022
  • 15 replies
  • 146 views
R
Rank

I tried to configure a different pool user identity. i made sure to follow the steps here: https://docs.thinkwisesoftware.com/docs/deployment/indicium_encryption
And then I logged in to Universal and Maintenance > IAM configurations to create the pool user. and i still get this error:
This environment has not been configured to allow data encryption. 

when you restart the web app after committing the changes in the appsettings file or adding them to the config page, you get this message:

This page isn’t working right now

serverurl.azurewebsites.net can't currently handle this request.HTTP ERROR 500

It's like adding the settign for encryption key breaks Indicium

icon

Best answer by Dick van den Brink 29 December 2022, 15:03

View original
This topic has been closed for comments

15 replies

D
Rank
Userlevel 4
Badge +2

Hi Rustie,

Did you restart Indicium after changing the appsettings.json?

 

**edit** This post can be ignored as the topic changed.

R
Rank

i tried enabling data encryption by using the appsettings.json file:

"MetaSourceConnection": {
"Server": "",
"Database": ""
},
"Agent": {
"Enabled": true
},
"DataProtectionSettings": {
"AzureKeyVault": {
"KeyVaultSecretUrl": "https://myvault.vault.azure.net/secrets/myvault"
}
}

}

 

 

then I deleted the setting in the json file and used this option:
App Service, select Settings > Configuration from the menu.
Add the following Application settings:
name:

DataProtectionSettings:AzureKeyVault:KeyVaultSecretUrl
value:

https://myvault.vault.azure.net/secrets/myvault

will post the result of the indicium log

R
Rank

2022-12-29T13:15:17.5601005+00:00 [inf] License refresh not required. Current license state: Valid. "License valid until 2023-03-29T11:18:13" (6a3d1cf0)
2022-12-29T13:15:17.5791293+00:00 [inf] License refresh scheduled for 2023-01-05 11:18:13. (09ff7cde)
2022-12-29T13:15:59.9885403+00:00 [inf] Initiating startup license check (a070e428)
2022-12-29T13:16:00.1276582+00:00 [inf] Reading license from IAM. (d4563d62)
2022-12-29T13:16:00.1848274+00:00 [inf] License successfully read from IAM. (66b06fb5)
2022-12-29T13:16:01.1409965+00:00 [inf] License refresh not required. Current license state: Valid. "License valid until 2023-03-29T11:18:13" (6a3d1cf0)
2022-12-29T13:16:01.1594351+00:00 [inf] License refresh scheduled for 2023-01-05 11:18:13. (09ff7cde)
2022-12-29T13:16:01.8123211+00:00 [err] An error occurred while reading the key ring. (54b25ea0)
System.Xml.XmlException: Data at the root level is invalid. Line 1, position 1.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.XmlReader.MoveToContent()
at System.Xml.Linq.XElement.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XElement.Parse(String text, LoadOptions options)
at Indicium.DataProtection.AzureKeyVaultRepository.GetAllElements() in C:\azp\agent\_work\1\s\src\DataProtection\Indicium.DataProtection\AzureKeyVaultRepository.cs:line 41
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRing()
at Microsoft.AspNetCore.DataProtection.Internal.DataProtectionHostedService.StartAsync(CancellationToken token)
2022-12-29T13:16:02.3070829+00:00 00000000-0000-0000-b63f-84710c7967bb [err] An error occurred while reading the key ring. (54b25ea0)
System.Xml.XmlException: Data at the root level is invalid. Line 1, position 1.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.XmlReader.MoveToContent()
at System.Xml.Linq.XElement.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XElement.Parse(String text, LoadOptions options)
at Indicium.DataProtection.AzureKeyVaultRepository.GetAllElements() in C:\azp\agent\_work\1\s\src\DataProtection\Indicium.DataProtection\AzureKeyVaultRepository.cs:line 41
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRing()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
2022-12-29T13:16:02.4236153+00:00 00000000-0000-0000-b63f-84710c7967bb [err] An unhandled exception occurred while processing the request. (ffba027a)
System.Security.Cryptography.CryptographicException: An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. For more information go to http://aka.ms/dataprotectionwarning
---> System.Xml.XmlException: Data at the root level is invalid. Line 1, position 1.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.XmlReader.MoveToContent()
at System.Xml.Linq.XElement.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XElement.Parse(String text, LoadOptions options)
at Indicium.DataProtection.AzureKeyVaultRepository.GetAllElements() in C:\azp\agent\_work\1\s\src\DataProtection\Indicium.DataProtection\AzureKeyVaultRepository.cs:line 41
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRing()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
at Microsoft.AspNetCore.Session.CookieProtection.Protect(IDataProtector protector, String data)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Indicium.Middleware.Security.AuthenticationHeadersMiddleware.InvokeAsync(HttpContext context) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Authentication\AuthenticationHeadersMiddleware.cs:line 47
at Indicium.Middleware.Security.SecurityHeadersMiddleware.InvokeAsync(HttpContext context, ContentSecurityPolicyBuilder cspBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Security\SecurityHeadersMiddleware.cs:line 54
at Indicium.Middleware.Messages.TSFMessagesMiddleware.Invoke(HttpContext context, IRootApplicationLoader rootApplicationLoader, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Messages\TSFMessageMiddleware.cs:line 44
at Indicium.Middleware.Telemetry.ServerTimings.ServerTimingsMiddleware.InvokeAsync(HttpContext context, ServerTimingsBuilder serverTimingsBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Telemetry\ServerTimings\ServerTimingsMiddleware.cs:line 41
at Indicium.Middleware.ExceptionHandlingMiddleware.Invoke(HttpContext context, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\ExceptionHandlingMiddleware.cs:line 34

R
Rank

Hi Rustie,

Did you restart Indicium after changing the appsettings.json?

yes i did. always do

R
Rank

and when i remove the configurations for the encryption key my indicium is back to normal. 

R
Rank

@Freddy @Zachery 

D
Rank
Userlevel 4
Badge +2

Did you manually created the secret with the name: `myvault`? 
If so, that might be the problem - Indicium needs to create the key with the correct contents.
Can you check the secret and validate that the content is an xml document? If not, (and nothing is encrypted with this key), you can delete it and let Indicium recreate the secret with the correct contents.

R
Rank

Did you manually created the secret with the name: `myvault`? 
If so, that might be the problem - Indicium needs to create the key with the correct contents.
Can you check the secret and validate that the content is an xml document? If not, (and nothing is encrypted with this key), you can delete it and let Indicium recreate the secret with the correct contents.

Yes i did, because the documentation says to add a URL which end in a key file. e.g.: 

So i had to create a file otherwise the URL wouldn’t be able to find anything 

 

D
Rank
Userlevel 4
Badge +2

We can make Indicium maybe a bit more lenient with invalid secret contents, to make it easier in case this happens.

Right now, it can be solved by deleting the key and let Indicium create it (which it does automatically when the secret does not exists).

(on first use, Indicium was not supposed to find anything and it would create a key with the correct contents - now it finds a key with no contents which it didn't expect).

R
Rank

We can make Indicium maybe a bit more lenient with invalid secret contents, to make it easier in case this happens.

Right now, it can be solved by deleting the key and let Indicium create it (which it does automatically when the secret does not exists).

(on first use, Indicium was not supposed to find anything and it would create a key with the correct contents - now it finds a key with no contents which it didn't expect).

Okay understood. i will do that and let you know what happens.

R
Rank

I deleted the secret, restarted the web app. Indicium created the secret and I was able to create pool user. Thanks

 

R
Rank

will let you know if the creation from azure to onprem works.

R
Rank

So i attempted a creation but i keep receiving this error in the last step to execute the source code:

 

/*  Login failed for Indicium pool user.  */
/*  Please make sure the Indicium pool user has sufficient rights.  */

 

I am sure the pooluser account is db_owner on the app database and also has root admin, db_owner and end user rights on the IAM database. so i don’t know why this message keeps returning

D
Rank
Userlevel 4
Badge +2

The Indicium log might show some more information regarding to this issue. Can you post it here?

Edit: Also, you are connecting from an Azure Web App to OnPremise database if I understand correctly? Did you configure an hybrid connection endpoint or how did you make your database server accessible?

R
Rank

The Indicium log might show some more information regarding to this issue. Can you post it here?

Edit: Also, you are connecting from an Azure Web App to OnPremise database if I understand correctly? Did you configure an hybrid connection endpoint or how did you make your database server accessible?

Yes, we are connecting from azure web app to on-premise. we have a site-to-site tunnel setup between our corporate network and Azure.

Indicium didn’t show anything. 

I’m going to attempt this again, but for now we can close this ticket. I’ve shutdown this test environment to focus on something else.

 

Terms & ConditionsCookie settings