Question
Rulesware LLC
US
Last activity: 21 Jun 2022 14:31 EDT
Customer masterkey ID in Keystore using Azure KMS Key Vault
We are trying to configure a KMS key store (and eventually refer to it in the platform cipher for application data encryption). The Key store rule form is not able to recognize the customer master key ID of the key that we create in an Azure key vault.
We tried to give the full identifier and just the key ID; either way it throws an error saying "Provide valid Customer master key ID". Any inputs on what the correct format should be, or whether we are missing anything?
Any suggestions/ideas are welcome. Thanks!
Pegasystems Inc.
US
To create a Microsoft Azure Key Vault keystore, please follow the steps in this documentation to first create the keystore type:
https://docs-previous.pega.com/security/86/creating-keystore-application-data-encryption
Next, you want to configure a Microsoft Azure Key Vault keystore. The following document will walk you through that process:
For details on creating the master key ID, please refer to the Azure Key Vault documentation:
https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal
Thank you
Rulesware LLC
US
@khanu Thank you for the quick response.
We created the KMS vault and key as above. From the Azure documentation link given above we did create a key like that, but Pega is not accepting the key identifier (http:/...../) or just the key (dfxxxxxxx) as a valid value for the customer master key ID.
Selective Insurance
US
I confirmed with Pega there is a bug in 8.6.x that prevents saving this rule due to a mismatch in the nimbus-oauth-sdk jar. It should be resolved in 8.6.4, but as a workaround, importing nimbus-oauth-sdk jar version 6.18.1 into the Customer ruleset and restarting the system should resolve it. - https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/6.18.1
Leelabiram Sriramulu
Capgemini
FR
Hi, have you been able to make it work?
I have the same error in 8.7.0.
In the logs I have an issue that it could not connect using the configured credentials. And honestly I am surprised it could work, because to get a token we should also provide a tenant ID and there is no field to provide it to Pega.
Thanks
Regards,
Marc-Antoine
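As an added example (not code from this thread or from Pega), the snippet below ties the two points above together: it parses the documented Azure Key Vault key identifier format that the original question asks about, and it builds (without sending) the Azure AD client-credentials token request a Key Vault client needs, which is where the tenant ID comes in. The vault, key, tenant and client values are constructed placeholders.

```python
import re
from urllib.parse import urlencode

# Documented Azure Key Vault key identifier:
#   https://<vault-name>.vault.azure.net/keys/<key-name>[/<key-version>]
# where <key-version> is 32 lowercase hex characters.
_KEY_ID = re.compile(
    r"^https://(?P<vault>[A-Za-z0-9-]+)\.vault\.azure\.net"
    r"/keys/(?P<name>[A-Za-z0-9-]{1,127})(?:/(?P<version>[0-9a-f]{32}))?/?$"
)


def parse_key_identifier(key_id: str):
    """Return {'vault', 'name', 'version'} for a full key identifier, or None.

    A bare key name or version (e.g. 'dfxxxxxxx') is not an identifier: without
    the vault host a client cannot tell which vault to call.
    """
    m = _KEY_ID.match(key_id.strip())
    return m.groupdict() if m else None


def token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Build (but do not send) the Azure AD client-credentials request that a
    Key Vault client uses to obtain a token. The tenant ID is part of the URL,
    so a client ID and secret alone are not enough to request one."""
    return {
        "method": "POST",
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://vault.azure.net/.default",
        }),
    }


if __name__ == "__main__":
    # Constructed placeholder values, not a real vault, key or tenant.
    full_id = ("https://contoso-kv.vault.azure.net/keys/pega-master/"
               "0123456789abcdef0123456789abcdef")
    print(parse_key_identifier(full_id))
    print(parse_key_identifier("dfxxxxxxx"))  # None: no vault host
    req = token_request("00000000-0000-0000-0000-000000000000",
                        "<client-id>", "<client-secret>")
    print(req["url"])
```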
Rulesware LLC
US
These are the steps we followed.
Pre-steps
- Download the code package from https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/6.18.1
- Import it into the Pega environment (Configure → Application → Distribution → Import) and restart.
Pega Cloud steps
1. Create a static route in the VPN for the hosts (IP addresses) involved.
2. Create a private hosted zone for the hosts (IP addresses) involved and create a DNS mapping.
Note: we are then able to create and use the keystore, the connectivity test is successful, and we can use it with the above to encrypt certain properties.
Side note: however, we have seen during POC testing that if something goes wrong and the system is unable to access the key for encryption, the encryption scope goes beyond what we wanted (for example, if Pega can't connect, it affects email account passwords and listeners fail).
Also, it looks like (as I posted here https://collaborate.pega.com/question/data-encryption-how-deactivate-platform-cipher-after-activation) once activated there is no going back to no encryption at all, and this has to be considered. For now we have paused this at POC level and will revisit it in future.