Question
Lloyds Banking Group PLC
GB
Last activity: 13 Apr 2022 5:01 EDT
Encryption with Azure key vault
Trying to enable encryption using platform cipher and while creating the keystore instance to get the CMK from azure key vault, it requires the following:
1) Client ID
2) Client Key
3) Customer Master Key ID
Our Azure team have provided the values for each and using this in the key store instance throws an error (below) and doesn't save it.
Customer master key ID — Provide valid Customer master key ID
Did come across this article with a similar issue and it does mention that there might be a pega product bug (though it was on a different version) and was going to raise a support ticket. But before doing that, just wanted to confirm what the values for client id and key would have to be? For the customer master key id, we have created a key in an azure key vault and using the "Key Identifier" value from it.
***Edited by Moderator Marije to add Support Case Details; update capability tags***
Pegasystems Inc.
GB
@LEELABIRAMS6337 within the forum post that you reference our SME provided the below details:
"
To create a Microsoft Azure Key Vault keystore please follow the steps on this documentation to firstly create the keystore type:
https://docs-previous.pega.com/security/86/creating-keystore-application-data-encryption
Next, you want to configure a Microsoft Azure Key Vault keystore. The following document will walk you through that process:
For details in creating the master key ID, please refer to the Azure key documentation
https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal"
Can you clarify which information is missing?
@LEELABIRAMS6337 within the forum post that you reference our SME provided the below details:
"
To create a Microsoft Azure Key Vault keystore please follow the steps on this documentation to firstly create the keystore type:
https://docs-previous.pega.com/security/86/creating-keystore-application-data-encryption
Next, you want to configure a Microsoft Azure Key Vault keystore. The following document will walk you through that process:
For details in creating the master key ID, please refer to the Azure key documentation
https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal"
Can you clarify which information is missing?
The full error should specify the issue, but usually it simply involves adding the 'client id' and 'secret' from the application which is created in the Azure. Access policy in Azure should also be configured to allow the access.
I found the BUG mentioned in the previous post: BUG-709715 will be resolved in Pega 8.7.2
Did you already test the suggested workaround?
"
Import nimbus-oauth-sdk jar version 6.18.1 and add it to Customer rulset and restart the system. This will take care of the issue.
https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/6.18.1
"
Lloyds Banking Group PLC
GB
@MarijeSchillern Thanks for your response.
Just wanted to clarify that the values we were given for the client id and secret were correct and the team have also confirmed that they have updated the access policies accordingly. Wanted to ensure our setup is ok before I raise a support ticket (which I've now: INC-220109) to understand if the issue we have is similar to the one mentioned on the other article referred in this post.
The workaround is not tested yet as any external components would have to go through our security checks for vulnerabilities which we we'll do in parallel. Also, weren't sure if that applied to v8.7.x as well.
Updated: 13 Apr 2022 5:01 EDT
Pegasystems Inc.
GB
@LEELABIRAMS6337 many thanks for sharing the support ID, that is a good way forwards.
I'm confident it is the same issue we identified but it is a good idea to have the support team confirm this.
I'll make sure the engineer is aware of our discussion here on the forum. Keep us posted!