I am implementing registration process that implements cybersource as payment gateway with ASP MVC web API.
In web.config we have to specify the keys and logs directory.
<add key="cybs.keysDirectory" value= "E:\CyberSource\Keys/" />
<add key="cybs.logDirectory" value= "E:\CyberSource\Logs/" />
This works fine when we deploy the API on IIS and work locally. But when we deploy the API to Azure and for the registration part (Subscribe) that use the CyberSource gateway we get the 502 bad request error from the request.
We tried relative paths as well but still the same error.
Issue: We believe that the API is not getting the .p12 file from the keys directory.
Question: Where to put the .p12 file or where to create the keys directory and what should we specify in web.config to make it work.
Where to put the .p12 file or where to create the keys directory and what should we specify in web.config to make it work.
If you want to use the certificates in the Azure WebApp, please have a try to convert .p12 to .pfx and install it in the WebApp. About how to upload and use certificates in Azure WebApp, please refer to this blog.
I aslo find another similar SO thread.
Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. You can have multiple comma-separated thumbprint values or can set this value to “ * “ (without quotes) in which case all your certificates will be loaded to your web applications personal certificate store.
Relate link:
Azure Web App sandbox
Related
I am able to setup a static website using azure storage -> static website and map to a container blob. I used the link below
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website
I want to know if its possible to map it to a https custom domain name ?
I was following the below link but i am bit confused if it needs CDN to do https custom host name mapping. If it requires CDN then i can remove static website hosting because CDN also does hosting which is same as Static WebSite?
Are there any security related features that change between Azure Static WebSite and CDN hosting? Our website doesnt have video content and its not open to global makrets just a country.
So my main question is, is Azure Static WebSite hosting enough and does it allow host name mapping with https?
https://microsoft.github.io/AzureTipsAndTricks/blog/tip138.html
Azure Static WebSite hosting is not enough to map with https, but it allow host name mapping with https by Azure CDN.
The document you are following described very clear about how to do that, and there is nothing to worry about the security after you enable https and set the certificate. Actually, Azure CDN support certificate management.
REST API in Postman
I builded a REST-API which uploads images to my azure storage container. My azure storage container is secured an access key, which I use in my POST method like this:
StorageCredentials storageCredentials = new StorageCredentials("[storage]", "[key]");
Now I want to deploy my service to the azure cloud - but I dont know how to manage the security issue with my plain written access key in the POST method.
Where should I save sensitive data like this? Or are my worries wrong
and this is not an issue?
Info:
The REST-API is a ASP.NET Web API Project
Azure portal => your web app => Configuration => Application Settings
That is the simplest.
You can also use a keyvault, but the application settings are the easiest by far, and perfectly fine for this case.
For ASP.NET and ASP.NET Core developers, setting app settings in App
Service are like setting them in in Web.config or
appsettings.json, but the values in App Service override the ones in
Web.config or appsettings.json
You can read more about it here: https://learn.microsoft.com/bs-latn-ba/azure/app-service/configure-common
I have an ASP.NET Core 2.2 web app running on Ubuntu. The web app is served by Kestrel configured as an Ubuntu service, running as www-data user.
The web app uses a PFX certificate for signing custom responses. So, obviously I need to give www-data full read access to the PFX certificate+key pair. This seems not safe enough.
I like how nginx is doing it (I have nginx running as a reverse proxy for the web app). Nginx reads private keys and their passwords as root user when nginx process is starting up, so it's possible to set the strictest permissions on the private key of my https cert+key pair, leaving only the public .crt part accessible to www-data, and it works just fine.
I'm wondering if there is some way to achieve similar mechanism with the ASP.NET Core app, so I don't have to give read access to the PFX private key to www-data user?
I have two server and in communication between servers I check Machine Key in IIS Level. Now I have a new project in net core and I want to check Machine Key like Asp.net projects. I search for this but can't find a solution
ASP.NET Core doesn't use Web.config, and even if it did, it doesn't use machine keys either. Cryptography is handled via the Data Protection API, which stores and generates keys in an entirely different way.
If you need to share things like cookies between ASP.NET and ASP.NET Core, you have to work in the opposite way and plug in the Data Protection API into your ASP.NET apps, so that they use the same system as ASP.NET Core. Microsoft has a guide for that.
Well, it kind of depends on exactly what you are doing. If your project uses Microsoft Identity, then Identity by default uses machine key as part of the hash. So, in my case, my site sends off an email asking a user to verify their email. The link includes what is basically a password hash encrypted - in part - with the machine key from the server it originated from.
So if the user clicked the link, and then ended up on a different server on the farm, the validation check fails unless the machine keys are set to be the same on the various servers behind the load balancer.
So at this point I haven't found any good way to set the machine key when publishing to IIS. The web.config is auto-generated during publish from my ASP.NET core project. The only solution I have found at this point is to manually open the web.config after publishing the project and insert the machine key section before deploying to the servers in the farm.
Before writing this question I have gone through a lot of questions and answers but I can't seem to find a solution. What I'm trying to do is host an application as a Azure App Service that needs to make a call to the Swish API.
Please see this thread for how my implementation runs locally which works fine:
C# HttpClient with X509Certificate2 - WebException: The request was aborted: Could not create SSL/TLS secure channel
System diagnostics log from Azure:
https://pastebin.com/EBFb3zrA
I have tried the solutions from Microsoft forums and SO but none seem to do the trick:
https://social.msdn.microsoft.com/Forums/azure/en-US/ca6372be-3169-4fb5-870f-bfbea605faf6/azure-webapp-webjob-exception-could-not-create-ssltls-secure-channel?forum=windowsazurewebsitespreview
//Tested both, none of them work
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
//ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11
Since a lot of the questions are based on accessing an external service and not sending a client certificate the complexity rises a bit as well.
What I have done is in the SSL certificates tab on Azure import the Test certificate. Since .p12 and .pfx are both PKCS #12 files I just renamed the .p12-file. The application runs as B1 Basic App Service Plan so most functionality should be present.
https://stackoverflow.com/a/6821061/3850405
I have also tried this guide to add the certificate to the certificate store in Azure -> Application settings -> App Settings:
https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
When this did not work I tried to add WEBSITE_LOAD_CERTIFICATES to appSettings in my application but it resulted in a HTTP 503.
Swish certificate and English guide:
https://www.getswish.se/content/uploads/2015/06/Guide-Testverktyg_20151210.zip
We were able to make this work in an Azure Web App. The trick was the appSetting WEBSITE_LOAD_CERTIFICATES and to upload all Swish certificates in the Azure portal. That is, the .pfx file from Swish contains three certs where two of them are root certs. So we exported the root certs and uploaded the .cer files under TLS/SSL settings -> Public Key Certificates (.cer) and then it started to work. You also need to upload them to all deployment slots since the certs will not be automatically copied to the slots.
According to your scenario, I also checked by adding cert file to a Resources File and construct the X509Certificate2 instance by the following code snippet:
var certBytes=(byte[])ResourceManager.GetObject("Swish_Certificate");
var certificate = new X509Certificate2(certBytes, "swish");
Per my test, I assumed that you could not implement Swish payment on Azure Web App. Additionally, you could add your feedback for azure web app here.