Skip to main content
Solved

indicium issue with azure key

R
Sidekick

I tried to configure a different pool user identity. i made sure to follow the steps here: https://docs.thinkwisesoftware.com/docs/deployment/indicium_encryption
And then I logged in to Universal and Maintenance > IAM configurations to create the pool user. and i still get this error:
This environment has not been configured to allow data encryption. 

when you restart the web app after committing the changes in the appsettings file or adding them to the config page, you get this message:

This page isn’t working right now

serverurl.azurewebsites.net can't currently handle this request.HTTP ERROR 500

It's like adding the settign for encryption key breaks Indicium

Best answer by Dick van den Brink

We can make Indicium maybe a bit more lenient with invalid secret contents, to make it easier in case this happens.

Right now, it can be solved by deleting the key and let Indicium create it (which it does automatically when the secret does not exists).

(on first use, Indicium was not supposed to find anything and it would create a key with the correct contents - now it finds a key with no contents which it didn't expect).

View original
Did this topic help you find an answer to your question?
This topic has been closed for comments

15 replies

D
Moderator
Forum|alt.badge.img+3

Hi Rustie,

Did you restart Indicium after changing the appsettings.json?

 

**edit** This post can be ignored as the topic changed.

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022

i tried enabling data encryption by using the appsettings.json file:

"MetaSourceConnection": {
"Server": "",
"Database": ""
},
"Agent": {
"Enabled": true
},
"DataProtectionSettings": {
"AzureKeyVault": {
"KeyVaultSecretUrl": "https://myvault.vault.azure.net/secrets/myvault"
}
}

}

 

 

then I deleted the setting in the json file and used this option:
App Service, select Settings > Configuration from the menu.
Add the following Application settings:
name:

DataProtectionSettings:AzureKeyVault:KeyVaultSecretUrl
value:

https://myvault.vault.azure.net/secrets/myvault

will post the result of the indicium log

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022

2022-12-29T13:15:17.5601005+00:00 [inf] License refresh not required. Current license state: Valid. "License valid until 2023-03-29T11:18:13" (6a3d1cf0)
2022-12-29T13:15:17.5791293+00:00 [inf] License refresh scheduled for 2023-01-05 11:18:13. (09ff7cde)
2022-12-29T13:15:59.9885403+00:00 [inf] Initiating startup license check (a070e428)
2022-12-29T13:16:00.1276582+00:00 [inf] Reading license from IAM. (d4563d62)
2022-12-29T13:16:00.1848274+00:00 [inf] License successfully read from IAM. (66b06fb5)
2022-12-29T13:16:01.1409965+00:00 [inf] License refresh not required. Current license state: Valid. "License valid until 2023-03-29T11:18:13" (6a3d1cf0)
2022-12-29T13:16:01.1594351+00:00 [inf] License refresh scheduled for 2023-01-05 11:18:13. (09ff7cde)
2022-12-29T13:16:01.8123211+00:00 [err] An error occurred while reading the key ring. (54b25ea0)
System.Xml.XmlException: Data at the root level is invalid. Line 1, position 1.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.XmlReader.MoveToContent()
at System.Xml.Linq.XElement.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XElement.Parse(String text, LoadOptions options)
at Indicium.DataProtection.AzureKeyVaultRepository.GetAllElements() in C:\azp\agent\_work\1\s\src\DataProtection\Indicium.DataProtection\AzureKeyVaultRepository.cs:line 41
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRing()
at Microsoft.AspNetCore.DataProtection.Internal.DataProtectionHostedService.StartAsync(CancellationToken token)
2022-12-29T13:16:02.3070829+00:00 00000000-0000-0000-b63f-84710c7967bb [err] An error occurred while reading the key ring. (54b25ea0)
System.Xml.XmlException: Data at the root level is invalid. Line 1, position 1.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.XmlReader.MoveToContent()
at System.Xml.Linq.XElement.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XElement.Parse(String text, LoadOptions options)
at Indicium.DataProtection.AzureKeyVaultRepository.GetAllElements() in C:\azp\agent\_work\1\s\src\DataProtection\Indicium.DataProtection\AzureKeyVaultRepository.cs:line 41
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRing()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
2022-12-29T13:16:02.4236153+00:00 00000000-0000-0000-b63f-84710c7967bb [err] An unhandled exception occurred while processing the request. (ffba027a)
System.Security.Cryptography.CryptographicException: An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. For more information go to http://aka.ms/dataprotectionwarning
---> System.Xml.XmlException: Data at the root level is invalid. Line 1, position 1.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.XmlReader.MoveToContent()
at System.Xml.Linq.XElement.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XElement.Parse(String text, LoadOptions options)
at Indicium.DataProtection.AzureKeyVaultRepository.GetAllElements() in C:\azp\agent\_work\1\s\src\DataProtection\Indicium.DataProtection\AzureKeyVaultRepository.cs:line 41
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRing()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
at Microsoft.AspNetCore.Session.CookieProtection.Protect(IDataProtector protector, String data)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Indicium.Middleware.Security.AuthenticationHeadersMiddleware.InvokeAsync(HttpContext context) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Authentication\AuthenticationHeadersMiddleware.cs:line 47
at Indicium.Middleware.Security.SecurityHeadersMiddleware.InvokeAsync(HttpContext context, ContentSecurityPolicyBuilder cspBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Security\SecurityHeadersMiddleware.cs:line 54
at Indicium.Middleware.Messages.TSFMessagesMiddleware.Invoke(HttpContext context, IRootApplicationLoader rootApplicationLoader, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Messages\TSFMessageMiddleware.cs:line 44
at Indicium.Middleware.Telemetry.ServerTimings.ServerTimingsMiddleware.InvokeAsync(HttpContext context, ServerTimingsBuilder serverTimingsBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Telemetry\ServerTimings\ServerTimingsMiddleware.cs:line 41
at Indicium.Middleware.ExceptionHandlingMiddleware.Invoke(HttpContext context, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\ExceptionHandlingMiddleware.cs:line 34

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022
Dick van den Brink wrote:

Hi Rustie,

Did you restart Indicium after changing the appsettings.json?

yes i did. always do

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022

and when i remove the configurations for the encryption key my indicium is back to normal. 

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022

@Freddy @Zachery 

D
Moderator
Forum|alt.badge.img+3

Did you manually created the secret with the name: `myvault`? 
If so, that might be the problem - Indicium needs to create the key with the correct contents.
Can you check the secret and validate that the content is an xml document? If not, (and nothing is encrypted with this key), you can delete it and let Indicium recreate the secret with the correct contents.

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022
Dick van den Brink wrote:

Did you manually created the secret with the name: `myvault`? 
If so, that might be the problem - Indicium needs to create the key with the correct contents.
Can you check the secret and validate that the content is an xml document? If not, (and nothing is encrypted with this key), you can delete it and let Indicium recreate the secret with the correct contents.

Yes i did, because the documentation says to add a URL which end in a key file. e.g.: 

So i had to create a file otherwise the URL wouldn’t be able to find anything 

 

D
Moderator
Forum|alt.badge.img+3

We can make Indicium maybe a bit more lenient with invalid secret contents, to make it easier in case this happens.

Right now, it can be solved by deleting the key and let Indicium create it (which it does automatically when the secret does not exists).

(on first use, Indicium was not supposed to find anything and it would create a key with the correct contents - now it finds a key with no contents which it didn't expect).

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022
Dick van den Brink wrote:

We can make Indicium maybe a bit more lenient with invalid secret contents, to make it easier in case this happens.

Right now, it can be solved by deleting the key and let Indicium create it (which it does automatically when the secret does not exists).

(on first use, Indicium was not supposed to find anything and it would create a key with the correct contents - now it finds a key with no contents which it didn't expect).

Okay understood. i will do that and let you know what happens.

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022

I deleted the secret, restarted the web app. Indicium created the secret and I was able to create pool user. Thanks

 

D
1 person likes this
  • D
    Dick van den Brink
R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 29, 2022

will let you know if the creation from azure to onprem works.

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • December 30, 2022

So i attempted a creation but i keep receiving this error in the last step to execute the source code:

 

/*  Login failed for Indicium pool user.  */
/*  Please make sure the Indicium pool user has sufficient rights.  */

 

I am sure the pooluser account is db_owner on the app database and also has root admin, db_owner and end user rights on the IAM database. so i don’t know why this message keeps returning

D
Moderator
Forum|alt.badge.img+3

The Indicium log might show some more information regarding to this issue. Can you post it here?

Edit: Also, you are connecting from an Azure Web App to OnPremise database if I understand correctly? Did you configure an hybrid connection endpoint or how did you make your database server accessible?

R
Sidekick
  • rustieSidekick
  • Author
  • Sidekick
  • 23 replies
  • January 2, 2023
Dick van den Brink wrote:

The Indicium log might show some more information regarding to this issue. Can you post it here?

Edit: Also, you are connecting from an Azure Web App to OnPremise database if I understand correctly? Did you configure an hybrid connection endpoint or how did you make your database server accessible?

Yes, we are connecting from azure web app to on-premise. we have a site-to-site tunnel setup between our corporate network and Azure.

Indicium didn’t show anything. 

I’m going to attempt this again, but for now we can close this ticket. I’ve shutdown this test environment to focus on something else.

 

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings