From 1b6eeb9588b04b4c155c82e9e87df1a6e2477a47 Mon Sep 17 00:00:00 2001 From: "Ionut E. Mihailescu" Date: Fri, 13 Dec 2019 13:40:58 +0200 Subject: [PATCH 01/18] added documentation for Tessera AWS Secrets Manager integration --- docs/Privacy/Tessera/Configuration/Keys.md | 21 ++++++++++++++++ .../Keys/Setting up an AWS Secrets Manager.md | 24 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index 0a07d6d89..f41305f87 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -159,6 +159,27 @@ Passwords must be provided so that Tessera can decrypt and use the private keys. | Direct | `"passwords": ["pwd1", "pwd2", ...]`
Empty strings should be used for unlocked keys. Passwords must be provided in the order that key pairs are defined in the config. Not recommended for production use. | | CLI | Tessera will prompt on the CLI for the passwords of any encrypted keys that have not had passwords provided in the config. This process only needs to be performed once, when starting the node. | +### AWS Secrets Manager key pairs +The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys, while the endpoint is optional as the _AWS SDK_ can choose the right one based on _AWS_REGION_ environment variable value: +```json +"keys": { + "awsKeyVaultConfig":{ + "endpoint": "https://secretsmanager.us-west-2.amazonaws.com" + }, + "keyData": [ + { + "awsSecretsManagerPublicKeyId": "secretIdPub", + "awsSecretsManagerPrivateKeyId": "secretIdKey" + } + ] + } +``` + +This example configuration will retrieve the specified versions of the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. + +!!! info + Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager.md) + ### Azure Key Vault key pairs The keys in the pair are stored as secrets in an Azure Key Vault. This requires providing the vault url and the secret IDs for both keys: ```json diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md new file mode 100644 index 000000000..93655312b --- /dev/null +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md 
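Review bot: In the Configuration/Keys.md hunk, the sentence after the JSON example says the configuration "will retrieve the specified versions of the secrets", but nothing in the example specifies a secret version; either drop "the specified versions of" or document how a version is selected. The `!!! info` admonition says "Environment variables must be set" without naming them, so a reader has to follow the link to learn that `AWS_REGION` must agree with the region in `endpoint`; one line naming the variable here would save the round trip.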
@@ -0,0 +1,24 @@ + +The private/public key pairs used by Tessera can be [stored](../Keys) in and [retrieved](../../../Configuration/Keys) from a key vault, preventing the need to store the keys locally. + +This page details how to set up and configure an _AWS Secrets Manager_ for use with Tessera. + +The _AWS Secrets Manager_ documentation provides much of the information needed to get started. The information in this section has been taken from the following pages of the _AWS_ documentation: + +* [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) +* [AWS SDK for Java Developer Guide](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html) + +## Enabling Tessera to use the vault +### Environment Variables + +If using an _AWS Secrets Manager_, Tessera requires four environment variables to be set: + +1. `AWS_REGION`: region_to_connect_to (i.e. us-west-2) +1. `AWS_ACCESS_KEY_ID`: your_access_key_id +1. `AWS_SECRET_ACCESS_KEY`: your_secret_access_key +1. `AWS_SESSION_TOKEN`: your_session_token + +To retrieve the last three values you should log into your [AWS Managemenet Console](https://aws.amazon.com/) + +### Dependencies +The AWS Secrets Manager dependencies are included in the `tessera-app--app.jar`. If using the `tessera-simple--app.jar` then `aws-key-vault--all.jar` must be added to the classpath. From 86f3b4b1cd6f9c2ce2fa479247da74f8f78eb141 Mon Sep 17 00:00:00 2001 From: "Ionut E. Mihailescu" Date: Fri, 13 Dec 2019 13:43:14 +0200 Subject: [PATCH 02/18] added documentation for Tessera AWS Secrets Manager integration --- .../Tessera Services/Keys/Setting up an AWS Secrets Manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md index 93655312b..c51809aeb 100644 
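Review bot: In the new "Setting up an AWS Secrets Manager" page, the link text `AWS Managemenet Console` is misspelled (Management), and "i.e. us-west-2" should be "e.g. us-west-2" since it is one example region. The Environment Variables section presents long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` values as the way Tessera authenticates; because these credentials grant read access to the node's private key secret, the page should state the minimum permissions the principal needs (read access to the two named secrets only) and mention that where the node runs on AWS an instance or container role can supply credentials without placing static keys in the node's environment. The names `tessera-app--app.jar` and `aws-key-vault--all.jar` read as though a version placeholder between the double hyphens was lost; check the rendered page.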
--- a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md @@ -8,7 +8,7 @@ The _AWS Secrets Manager_ documentation provides much of the information needed * [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) * [AWS SDK for Java Developer Guide](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html) -## Enabling Tessera to use the vault +## Enabling Tessera to use the _AWS Secrets Manager_ ### Environment Variables If using an _AWS Secrets Manager_, Tessera requires four environment variables to be set: From 01f09e070bebf3abc0e0468de93c7490ea67cdb0 Mon Sep 17 00:00:00 2001 From: "Ionut E. Mihailescu" Date: Mon, 16 Dec 2019 11:10:03 +0200 Subject: [PATCH 03/18] added documentation for Tessera AWS Secrets Manager integration --- .../Tessera Services/Keys/Setting up an AWS Secrets Manager.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md index c51809aeb..556ad1563 100644 --- a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md 
@@ -16,9 +16,8 @@ If using an _AWS Secrets Manager_, Tessera requires four environment variables t 1. `AWS_REGION`: region_to_connect_to (i.e. us-west-2) 1. `AWS_ACCESS_KEY_ID`: your_access_key_id 1. `AWS_SECRET_ACCESS_KEY`: your_secret_access_key -1. `AWS_SESSION_TOKEN`: your_session_token -To retrieve the last three values you should log into your [AWS Managemenet Console](https://aws.amazon.com/) +To retrieve the last two values you should log into your [AWS Managemenet Console](https://aws.amazon.com/) ### Dependencies The AWS Secrets Manager dependencies are included in the `tessera-app--app.jar`. If using the `tessera-simple--app.jar` then `aws-key-vault--all.jar` must be added to the classpath. From d4a474e10dc6526a78aff29505c8765ae2a8c583 Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Tue, 17 Dec 2019 13:38:01 +0200 Subject: [PATCH 04/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index f41305f87..8b01b83cc 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md 
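Review bot: Removing `AWS_SESSION_TOKEN` from the list makes the page correct only for long-lived IAM user keys; temporary credentials (assumed roles, STS) still require the session token, so rather than deleting the item consider keeping it and marking it as required only when temporary credentials are used, which is the option that avoids storing long-lived keys on the node. The `Managemenet` typo is carried over into the rewritten "last two values" line.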
@@ -175,7 +175,7 @@ The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This r } ``` -This example configuration will retrieve the specified versions of the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. +This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. !!! info Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager.md) From 345d775b4082560094d14d05284820aa9cddb461 Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Tue, 17 Dec 2019 13:38:07 +0200 Subject: [PATCH 05/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index 8b01b83cc..cf24c8067 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md 
@@ -160,7 +160,7 @@ Passwords must be provided so that Tessera can decrypt and use the private keys. | CLI | Tessera will prompt on the CLI for the passwords of any encrypted keys that have not had passwords provided in the config. This process only needs to be performed once, when starting the node. | ### AWS Secrets Manager key pairs -The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys, while the endpoint is optional as the _AWS SDK_ can choose the right one based on _AWS_REGION_ environment variable value: +The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys. The endpoint is optional as the _AWS SDK_ can fallback to its inbuilt property retrieval chain (e.g. using the environment variable `AWS_REGION` or `~/.aws/config` file - see [the AWS docs](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html) for similar behaviour explained in the context of credentials): ```json "keys": { "awsKeyVaultConfig":{ From fa116befba4110aecbd0ad095b80effdb7e3d02e Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Tue, 17 Dec 2019 13:38:13 +0200 Subject: [PATCH 06/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index cf24c8067..e4e0c4a82 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md 
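Review bot: "can fallback to" should be "can fall back to" (verb form). The rewritten sentence links the SDK for Java v2 credentials guide, while the setup page added in PATCH 01 links the SDK v1 developer guide; the two pages should agree on which SDK generation Tessera bundles, since the region and credential resolution chains differ between them. It would also be clearer to say directly that the region is resolved from `AWS_REGION` or `~/.aws/config` than to point at "similar behaviour explained in the context of credentials".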
@@ -178,7 +178,7 @@ The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This r This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. !!! info - Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager.md) + Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager) ### Azure Key Vault key pairs The keys in the pair are stored as secrets in an Azure Key Vault. This requires providing the vault url and the secret IDs for both keys: From cf6ca07f35f68c1d706348447baec9036c73f57b Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Tue, 17 Dec 2019 13:38:18 +0200 Subject: [PATCH 07/18] Update docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- .../Keys/Setting up an AWS Secrets Manager.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md index 556ad1563..2a6581312 100644 --- a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md 
@@ -11,7 +11,9 @@ The _AWS Secrets Manager_ documentation provides much of the information needed ## Enabling Tessera to use the _AWS Secrets Manager_ ### Environment Variables -If using an _AWS Secrets Manager_, Tessera requires four environment variables to be set: +If using an _AWS Secrets Manager_, configuration credentials can be provided in many ways as outlined in the [AWS docs - Supplying and Retrieving AWS Credentials](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html). + +To use environment variables set the following: 1. `AWS_REGION`: region_to_connect_to (i.e. us-west-2) 1. `AWS_ACCESS_KEY_ID`: your_access_key_id From fb148d6dc82a5f59cda8701b47dad58599f18d0a Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Tue, 17 Dec 2019 13:38:23 +0200 Subject: [PATCH 08/18] Update docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- .../Tessera Services/Keys/Setting up an AWS Secrets Manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md index 2a6581312..0ab8adc67 100644 --- a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md 
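Review bot: The new opening sentence speaks of "configuration credentials", but the first item in the list that follows, `AWS_REGION`, is not a credential; it selects the endpoint region. Suggest two sentences: credentials can be supplied in any of the ways the linked AWS guide describes, and separately, Tessera still needs the region (for example via `AWS_REGION`). That way readers using instance roles or named profiles see that only the region line applies to them.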
@@ -19,7 +19,7 @@ To use environment variables set the following: 1. `AWS_ACCESS_KEY_ID`: your_access_key_id 1. `AWS_SECRET_ACCESS_KEY`: your_secret_access_key -To retrieve the last two values you should log into your [AWS Managemenet Console](https://aws.amazon.com/) +The `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` for a particular user can be retrieved from the [AWS IAM Management Console](https://console.aws.amazon.com/iam). ### Dependencies The AWS Secrets Manager dependencies are included in the `tessera-app--app.jar`. If using the `tessera-simple--app.jar` then `aws-key-vault--all.jar` must be added to the classpath. From 8a357a862add1586eb7072e667aa515babe2b30d Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Tue, 17 Dec 2019 13:38:41 +0200 Subject: [PATCH 09/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index e4e0c4a82..2e2f69ad2 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md 
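Review bot: The replacement line says `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` "can be retrieved from the AWS IAM Management Console", but IAM shows the secret access key only once, at the moment the access key is created; it cannot be viewed again later. Reword to "are shown when an access key is created for the user in the IAM console", and recommend creating a dedicated access key for the Tessera node instead of reusing a personal one, since this key grants read access to the node's private key secret.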
@@ -177,6 +177,9 @@ The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This r This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. +!!! info + A `Credential should be scoped to a valid region` error when starting means that the region specified in the `endpoint` differs from the region the AWS SDK has retrieved from its [property retrieval chain](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html). This can be resolved by setting the `AWS_REGION` environment variable to the same region as defined in the `endpoint`. + !!! info Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager) From 0ff7a68550026f5df5a48ac4e67d42e073380c7a Mon Sep 17 00:00:00 2001 From: "Ionut E. Mihailescu" Date: Tue, 17 Dec 2019 13:46:58 +0200 Subject: [PATCH 10/18] AWS Secrets Manager implementation docs - resolved PR conversation --- docs/Privacy/Tessera/Configuration/Keys.md | 51 ++++++++++--------- .../Keys/Setting up an AWS Secrets Manager.md | 4 ++ 2 files changed, 31 insertions(+), 24 deletions(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index 2e2f69ad2..0bb1aa664 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -14,6 +14,9 @@ You can use existing private/public key pairs as well as use Tessera to generate "tlsKeyStorePath": "Path", "tlsTrustStorePath": "Path" }, + "awsKeyVaultConfig":{ + "endpoint": "Url" + } "keyData": [ { // The data for a private/public key pair @@ -159,30 +162,6 @@ Passwords must be provided so that Tessera can decrypt and use the private keys. | Direct | `"passwords": ["pwd1", "pwd2", ...]`
Empty strings should be used for unlocked keys. Passwords must be provided in the order that key pairs are defined in the config. Not recommended for production use. | | CLI | Tessera will prompt on the CLI for the passwords of any encrypted keys that have not had passwords provided in the config. This process only needs to be performed once, when starting the node. | -### AWS Secrets Manager key pairs -The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys. The endpoint is optional as the _AWS SDK_ can fallback to its inbuilt property retrieval chain (e.g. using the environment variable `AWS_REGION` or `~/.aws/config` file - see [the AWS docs](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html) for similar behaviour explained in the context of credentials): -```json -"keys": { - "awsKeyVaultConfig":{ - "endpoint": "https://secretsmanager.us-west-2.amazonaws.com" - }, - "keyData": [ - { - "awsSecretsManagerPublicKeyId": "secretIdPub", - "awsSecretsManagerPrivateKeyId": "secretIdKey" - } - ] - } -``` - -This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. - -!!! info - A `Credential should be scoped to a valid region` error when starting means that the region specified in the `endpoint` differs from the region the AWS SDK has retrieved from its [property retrieval chain](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html). This can be resolved by setting the `AWS_REGION` environment variable to the same region as defined in the `endpoint`. - -!!! 
info - Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager) - ### Azure Key Vault key pairs The keys in the pair are stored as secrets in an Azure Key Vault. This requires providing the vault url and the secret IDs for both keys: ```json 
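Review bot: In the `@@ -14,6 +14,9 @@` hunk of Configuration/Keys.md the inserted `awsKeyVaultConfig` block lacks a trailing comma: the added `+ }` is followed directly by the context line `"keyData": [`, so the overview is no longer valid JSON (the preceding `tlsTrustStorePath` object correctly ends with `},`). The added closing line should read `},`.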
@@ -238,6 +217,30 @@ Tessera requires TLS certificates and keys to be stored in `.jks` Java keystore !!! info If using a Hashicorp Vault additional environment variables must be set and a version 2 K/V secret engine must be enabled. For more information see [Setting up a Hashicorp Vault](../../Tessera%20Services/Keys/Setting%20up%20a%20Hashicorp%20Vault). +### AWS Secrets Manager key pairs +The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys. The endpoint is optional as the _AWS SDK_ can fallback to its inbuilt property retrieval chain (e.g. using the environment variable `AWS_REGION` or `~/.aws/config` file - see [the AWS docs](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html) for similar behaviour explained in the context of credentials): +```json +"keys": { + "awsKeyVaultConfig":{ + "endpoint": "https://secretsmanager.us-west-2.amazonaws.com" + }, + "keyData": [ + { + "awsSecretsManagerPublicKeyId": "secretIdPub", + "awsSecretsManagerPrivateKeyId": "secretIdKey" + } + ] + } +``` + +This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. + +!!! info + A `Credential should be scoped to a valid region` error when starting means that the region specified in the `endpoint` differs from the region the AWS SDK has retrieved from its [property retrieval chain](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html). This can be resolved by setting the `AWS_REGION` environment variable to the same region as defined in the `endpoint`. + +!!! 
info + Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager) + ## Multiple Keys If wished, multiple key pairs can be specified for a Tessera node. In this case, any one of the public keys can be used to address a private transaction to that node. Tessera will sequentially try each key to find one that can decrypt the payload. This can be used, for example, to simplify key rotation. diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md index 0ab8adc67..bd434c0b2 100644 --- a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md @@ -8,6 +8,10 @@ The _AWS Secrets Manager_ documentation provides much of the information needed * [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) * [AWS SDK for Java Developer Guide](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html) +## Creating the AWS Secrets Manager + +Once you have set up your AWS profile, you will be able to use AWS Secrets Manager. + ## Enabling Tessera to use the _AWS Secrets Manager_ ### Environment Variables From ccbd83a65719b8948d9e633e3d6a626e19fe743e Mon Sep 17 00:00:00 2001 From: "Ionut E. Mihailescu" Date: Tue, 17 Dec 2019 13:55:31 +0200 Subject: [PATCH 11/18] AWS Secrets Manager implementation docs - resolved PR conversation --- docs/Privacy/Tessera/Tessera Services/Keys/Keys.md | 14 ++++++++++++++ mkdocs.yml | 1 + 2 files changed, 15 insertions(+) diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md b/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md index d3611a715..9c49819fb 100644 --- a/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md 
+++ b/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md @@ -56,6 +56,20 @@ If you wish to generate an unlocked key, `/dev/null` can be used for stdin to te > Environment variables must be set if using a Hashicorp Vault, and a version 2 K/V secret engine must be enabled. For more information see [Setting up a Hashicorp Vault](../Setting%20up%20a%20Hashicorp%20Vault). +1. Generate a key pair and save to an AWS Secrets Manager, with endpoint ``, as secrets with IDs `Pub` and `Key`: + + ```bash + tessera -keygen -keygenvaulttype AWS -keygenvaulturl + ``` + + The `-filename` option can be used to specify alternate IDs. Multiple key pairs can be generated at the same time by providing a comma-separated list of values: + + ```bash + tessera -keygen -keygenvaulttype AWS -keygenvaulturl -filename id1,id2 + ``` + + >Environment variables must be set if using an AWS Secrets Manager, for more information see [Setting up an AWS Secrets Manager](../Setting%20up%20an%20AWS%20Secrets%20Manager) + 1. Generate a key pair, save to files and then start Tessera using a provided config ``` tessera -keygen -configfile /path/to/config.json diff --git a/mkdocs.yml b/mkdocs.yml index 0986894fd..f65030b0e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -61,6 +61,7 @@ nav: - Key Generation: Privacy/Tessera/Tessera Services/Keys/Keys.md - Setting up Hashicorp Vault: Privacy/Tessera/Tessera Services/Keys/Setting up a Hashicorp Vault.md - Setting up Azure Key Vault: Privacy/Tessera/Tessera Services/Keys/Setting up an Azure Key Vault.md + - Setting up AWS Secrets Manager: Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md - Usage: - Interfaces & API: Privacy/Tessera/Usage/Interface & API.md - Admin Usage: Privacy/Tessera/Usage/Admin Usage.md From a44815465369666b2f4c2708e956daf3c64afcfc Mon Sep 17 00:00:00 2001 
From: "Ionut E. Mihailescu" Date: Tue, 17 Dec 2019 13:55:31 +0200 Subject: [PATCH 12/18] AWS Secrets Manager implementation docs - resolved PR conversation --- docs/Features/dns.md | 16 +- .../Configuration/Configuration Overview.md | 84 +++++++++- docs/Privacy/Tessera/Configuration/Keys.md | 20 +++ .../Configuration/Sample Configuration.md | 3 +- .../Tessera v0.10.2 sample settings.md | 153 ++++++++++++++++++ .../Using CLI to override config.md | 15 +- .../Tessera/Tessera Services/Keys/Keys.md | 12 +- 7 files changed, 295 insertions(+), 8 deletions(-) create mode 100644 docs/Privacy/Tessera/Configuration/Tessera v0.10.2 sample settings.md diff --git a/docs/Features/dns.md b/docs/Features/dns.md index c4a008241..2d5642c76 100644 --- a/docs/Features/dns.md +++ b/docs/Features/dns.md 
@@ -17,7 +17,15 @@ DNS is not supported for the discovery protocol. Use a bootnode instead, which c resolved. ## Compatibility -For Raft, the whole network must be on version 2.3.1 of Quorum for DNS to function properly; because of this, DNS must -be explicitly enabled using the `--raftdnsenable` flag. -The network will support older nodes mixed with newer nodes if DNS is not enabled via this flag, and it is safe to -enable DNS only on some nodes if all nodes are on at least version 2.3.1. This allows for a clear upgrade path. \ No newline at end of file +For Raft, the whole network must be on version 2.4.0 of Quorum for DNS to function properly. DNS must +be explicitly enabled using the `--raftdnsenable` flag for each node once the node has migrated to version 2.4.0 of Quorum +The network runs fine when some nodes are in 2.4.0 version and some in older version as long as this feature is not enabled. For safe migration the recommended approach is as below: +* migrate the nodes to `geth` 2.4.0 version without using `--raftdnsenable` flag +* once the network is fully migrated, restart the nodes with `--raftdnsenable` to enable the feature + +Please note that in a partially migrated network (where some nodes are on version 2.4.0 and others on lower version) **with DNS feature enabled** for migrated nodes, `raft.addPeer` should not be invoked with Hostname till entire network migrates to 2.4.0 version. If invoked, this call will crash all nodes running in older version and these nodes will have to restarted with `geth` of version 2.4.0 of Quorum. `raft.addPeer` can still be invoked with IP address and network will work fine. + +### Note +In a network where all nodes are running on Quorum version 2.4.0, with few nodes enabled for DNS, we recommend the + `--verbosity` to be 3 or below. We have observed that nodes which are not enabled for DNS fail to restart if + `raft.addPeer` is invoked with host name if `--verbosity` is set above 3. \ No newline at end of file 
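Review bot: Grammar in the rewritten Compatibility section of docs/Features/dns.md: the sentence ending "migrated to version 2.4.0 of Quorum" has no full stop before "The network runs fine"; "till entire network migrates" should be "until the entire network migrates"; "will have to restarted" should be "will have to be restarted"; "with few nodes enabled" should be "with a few nodes enabled". More importantly, the text states that calling `raft.addPeer` with a hostname in a partially migrated network "will crash all nodes running in older version". An ordinary admin call that takes down every old node is an availability hazard, so this belongs in a `!!! warning` admonition rather than a "Please note" sentence, and the `--verbosity` note should say whether the restart failure is a known bug with a tracking issue.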
diff --git a/docs/Privacy/Tessera/Configuration/Configuration Overview.md b/docs/Privacy/Tessera/Configuration/Configuration Overview.md index c448bc2fe..63660addb 100644 --- a/docs/Privacy/Tessera/Configuration/Configuration Overview.md +++ b/docs/Privacy/Tessera/Configuration/Configuration Overview.md 
@@ -29,6 +29,54 @@ Tessera's database uses JDBC to connect to an external database. Any valid JDBC } ``` +#### Obfuscate database password in config file + +Certain entries in the Tessera config file must be obfuscated in order to prevent any attempts from attackers to gain access to critical parts of the application (e.g. database). The database password can be encrypted using [Jasypt](http://www.jasypt.org) to avoid it being exposed as plain text in the configuration file. + +To enable this feature, simply replace your plain-text database password with its encrypted value and wrap it inside an `ENC()` function. + +```json +"jdbc": { + "username": "sa", + "password": "ENC(ujMeokIQ9UFHSuBYetfRjQTpZASgaua3)", + "url": "jdbc:h2:/qdata/c1/db1", + "autoCreateTables": true +} +``` + +Being a Password-Based Encryptor, Jasypt requires a secret key (password) and a configured algorithm to encrypt/decrypt this config entry. This password can either be loaded into Tessera from file system or user input. For file system input, the location of this secret file needs to be set in Environment Variable `TESSERA_CONFIG_SECRET` + +If the database password is not wrapped inside `ENC()`, Tessera will simply treat it as a plain-text password however this approach is not recommended for production environments. + +!!! note + Jasypt encryption is currently only available for the `jdbc.password` field + +##### How to encrypt database password + +1. Download and unzip [Jasypt](http://www.jasypt.org) and redirect to the `bin` directory +1. Encrypt the password + ``` bash + $ ./encrypt.sh input=dbpassword password=quorum + + ----ENVIRONMENT----------------- + + Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.171-b11 + + + + ----ARGUMENTS------------------- + + input: dbpassword + password: quorum + + + + ----OUTPUT---------------------- + + rJ70hNidkrpkTwHoVn2sGSp3h3uBWxjb + ``` +1. 
Place the wrapped output, `ENC(rJ70hNidkrpkTwHoVn2sGSp3h3uBWxjb)`, in the config json file + --- ### Server @@ -151,7 +199,8 @@ For the ThirdParty server type it may be relevant to configure CORS. } }, ``` -The configurale fields are: +The configurable fields are: + * `allowedMethods` - the list of allowed HTTP methods. If omitted the default list containing `"GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"` is used. * `allowedOrigins` - the list of domains from which to accept cross origin requests (browser enforced). Each entry in the list can contain the "*" (wildcard) character which matches any sequence of characters. Ex: "*locahost" would match "http://localhost" or "https://localhost". There is no default for this field. * `allowedHeaders` - the list of allowed headers. If omitted the request `Access-Control-Request-Headers` are copied into the response as `Access-Control-Allow-Headers`. 
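Review bot: The obfuscation section overstates what it achieves. "must be obfuscated in order to prevent any attempts from attackers to gain access to critical parts of the application" should be toned down, because the Jasypt secret is itself read from the file named by `TESSERA_CONFIG_SECRET` (or typed at startup), so anyone who can read both the config file and that secret file recovers the database password; the feature prevents casual disclosure of the config file, not compromise of the host. The text also says decryption needs "a configured algorithm" but never states which algorithm Tessera decrypts with or whether `encrypt.sh` must be given a matching `algorithm=` argument; as written the worked example relies on the Jasypt CLI default. The example also uses `password=quorum` as the Jasypt secret, which readers copy verbatim, so use an obvious placeholder. Minor: "redirect to the `bin` directory" should be "change to the `bin` directory", and "plain-text password however this approach" needs a semicolon or full stop.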
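Review bot: In the CORS hunk, the `allowedOrigins` example `"*locahost"` is missing an "l" (`localhost`). The example also shows why suffix wildcards deserve a caution: since `*` "matches any sequence of characters", `*localhost` also matches an origin such as `https://evil-localhost`, so the text should recommend listing full origins and reserving `*` patterns for development setups.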
@@ -216,4 +265,37 @@ Default configuration for this is `false` as this is BREAKABLE change to lower v --- +### Encryptor - Supporting alternative curves in Tessera +By default Tessera uses the [NaCl(salt)](https://nacl.cr.yp.to/) library in order to encrypt private payloads (which uses a particular combination of Curve25519, Salsa20, and Poly1305 under the hood). + +Alternative curves/symmetric ciphers can be used by configuring the EC Encryptor (which relies on JCA to perform a similar logic to NaCl). + +This is a feature introduced in Tessera v0.10.2. Providing no `encryptor` configuration results in the standard pre-v0.10.2 Tessera behaviour. + +``` +"encryptor": { + "type":"EC", + "properties":{ + "symmetricCipher":"AES/GCM/NoPadding", + "ellipticCurve":"secp256r1", + "nonceLength":"24", + "sharedKeyLength":"32" + } +} +``` + +Field|Default Value|Description +-------------|-------------|----------- +`type`|`NACL`|The encryptor type. Possible values are `EC` or `NACL`. + +If `type` is set to `EC`, the following `properties` fields can also be configured: + +Field|Default Value|Description +-------------|-------------|----------- +`ellipticCurve`|`secp256r1`|The elliptic curve to use. See [SunEC provider](https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC) for other options. Depending on the JCE provider you are using there may be additional curves available. +`symmetricCipher`|`AES/GCM/NoPadding`|The symmetric cipher to use for encrypting data (GCM IS MANDATORY as an initialisation vector is supplied during encryption). +`nonceLength`|`24`|The nonce length (used as the initialization vector - IV - for symmetric encryption). +`sharedKeyLength`|`32`|The key length used for symmetric encryption (keep in mind the key derivation operation always produces 32 byte keys - so the encryption algorithm must support it). + +--- 
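Review bot: The `encryptor` example fence is untagged while the other configuration samples in this file use ```json; tag it for consistent rendering. In the properties table, `nonceLength` defaults to `24` bytes while the cipher is `AES/GCM/NoPadding`; GCM's standard IV length is 12 bytes (96 bits) and longer IVs are first reduced through GHASH, so the doc should say why 24 is the default and whether 12 is accepted. "GCM IS MANDATORY as an initialisation vector is supplied" should be reworded to state that only authenticated cipher modes that take an IV are supported, and the `sharedKeyLength` description should say plainly that values other than 32 are not supported, since the derivation always yields 32-byte keys, rather than asking the reader to "keep in mind".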
diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index 0bb1aa664..b2efc9aba 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -1,3 +1,8 @@ +!!! warning "Change from Tessera v0.10.2+" + The `keys.keyData.passwords` field is no longer supported as of Tessera v0.10.2. + + Instead, use `keys.keyData.passwordFile` or utilise the [CLI password prompt](#providing-key-passwords-at-runtime) when starting the node. + Tessera uses cryptographic keys to provide transaction privacy. You can use existing private/public key pairs as well as use Tessera to generate new key pairs for you. See [Generating & securing keys](../../Tessera%20Services/Keys/Keys) for more info. 
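Review bot: the warning says `keys.keyData.passwords` is no longer supported but not what happens when a v0.10.2 node is started with a config that still contains it (startup error, or silently ignored with the keys left locked). State the behaviour explicitly, since an operator upgrading from 0.10 will hit exactly this case.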
@@ -241,6 +246,21 @@ This example configuration will retrieve the secrets `secretIdPub` and `secretId !!! info Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager) +## Providing key passwords at runtime +Tessera will start a CLI password prompt if it has incomplete password data for its locked keys. This prompt can be used to provide the required passwords for each key without having to provide them in the configfile itself. + +For example: + +```bash +tessera -configfile path/to/config.json +Password for key[0] missing or invalid. +Attempt 1 of 2. Enter a password for the key + +2019-12-09 13:48:16.159 [main] INFO c.q.t.config.keys.KeyEncryptorImpl - Decrypting private key +2019-12-09 13:48:19.364 [main] INFO c.q.t.config.keys.KeyEncryptorImpl - Decrypted private key +# Tessera startup continues as normal +``` + ## Multiple Keys If wished, multiple key pairs can be specified for a Tessera node. In this case, any one of the public keys can be used to address a private transaction to that node. Tessera will sequentially try each key to find one that can decrypt the payload. This can be used, for example, to simplify key rotation. diff --git a/docs/Privacy/Tessera/Configuration/Sample Configuration.md b/docs/Privacy/Tessera/Configuration/Sample Configuration.md index 83a191525..a633b763a 100644 --- a/docs/Privacy/Tessera/Configuration/Sample Configuration.md +++ b/docs/Privacy/Tessera/Configuration/Sample Configuration.md 
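Review bot: the new "Providing key passwords at runtime" section should state what happens when no interactive terminal is available (for example when Tessera runs as a service or in a container): the transcript shows "Attempt 1 of 2", so say whether startup fails after the second attempt, and point those deployments at `keys.keyData.passwordFile`. A small readability point: the blank line after "Enter a password for the key" is where the operator types the password; a `# <password entered here>` comment in the ```bash block would make the transcript easier to follow.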
@@ -4,7 +4,8 @@ Tessera configuration varies by version as new features are added or changed. Be | Version | | ------------- | -| [0.10 - latest release](../Tessera%20v0.10.0%20sample%20settings) | +| [0.10.2 - latest release](../Tessera%20v0.10.2%20sample%20settings) | +| [0.10](../Tessera%20v0.10.0%20sample%20settings) | | [0.9](../Tessera%20v0.9%20sample%20settings) | | [0.8](../Tessera%20v0.8%20sample%20settings) | | [0.7.3](../Tessera%20v0.7.3%20sample%20settings) | diff --git a/docs/Privacy/Tessera/Configuration/Tessera v0.10.2 sample settings.md b/docs/Privacy/Tessera/Configuration/Tessera v0.10.2 sample settings.md new file mode 100644 index 000000000..03df107bc --- /dev/null +++ b/docs/Privacy/Tessera/Configuration/Tessera v0.10.2 sample settings.md 
@@ -0,0 +1,153 @@ +**Changes:** + +- The `keys.keyData.passwords` field is no longer supported. Instead, use `keys.keyData.passwordFile` or utilise the [CLI password prompt](../Keys#providing-key-passwords-at-runtime) when starting the node. + +- Added configuration to choose alternative curves/symmetric ciphers. If no encryptor configuration is provided it will default to NaCl (see [Supporting alternative curves in Tessera](../Configuration Overview#supporting-alternative-curves-in-tessera) for more details). + + e.g. + ``` + "encryptor": { + "type":"EC", + "properties":{ + "symmetricCipher":"AES/GCM/NoPadding", + "ellipticCurve":"secp256r1", + "nonceLength":"24", + "sharedKeyLength":"32" + } + } + ``` + +**Sample:** + +```json +{ + "useWhiteList": "boolean", + "jdbc": { + "url": "String", + "username": "String", + "password": "String" + }, + "serverConfigs": [ + { + "app": "ENCLAVE", + // Defines us using a remote enclave, leave out if using built-in enclave + "enabled": true, + "serverAddress": "http://localhost:9081", + //Where to find the remote enclave + "communicationType": "REST" + }, + { + "app": "ThirdParty", + "enabled": true, + "serverAddress": "http://localhost:9081", + "bindingAddress": "String - url with port e.g. http://127.0.0.1:9081", + "communicationType": "REST" + }, + { + "app": "Q2T", + "enabled": true, + "serverAddress": "unix:/tmp/tm.ipc", + "communicationType": "REST" + }, + { + "app": "P2P", + "enabled": true, + "serverAddress": "http://localhost:9001", + "bindingAddress": "String - url with port e.g. http://127.0.0.1:9001", + "sslConfig": { + "tls": "enum STRICT,OFF", + "generateKeyStoreIfNotExisted": "boolean", + "serverKeyStore": "Path", + "serverTlsKeyPath": "Path", + "serverTlsCertificatePath": "Path", + "serverKeyStorePassword": "String", + "serverTrustStore": "Path", + "serverTrustCertificates": [ + "Path..." 
+ ], + "serverTrustStorePassword": "String", + "serverTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE", + "clientKeyStore": "Path", + "clientTlsKeyPath": "Path", + "clientTlsCertificatePath": "Path", + "clientKeyStorePassword": "String", + "clientTrustStore": "Path", + "clientTrustCertificates": [ + "Path..." + ], + "clientTrustStorePassword": "String", + "clientTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE", + "knownClientsFile": "Path", + "knownServersFile": "Path" + }, + "communicationType": "REST" + } + ], + "peer": [ + { + "url": "url e.g. http://127.0.0.1:9000/" + } + ], + "keys": { + "passwordFile": "Path", + "azureKeyVaultConfig": { + "url": "Azure Key Vault url" + }, + "hashicorpKeyVaultConfig": { + "url": "Hashicorp Vault url", + "approlePath": "String (defaults to 'approle' if not set)", + "tlsKeyStorePath": "Path to jks key store", + "tlsTrustStorePath": "Path to jks trust store" + }, + "keyData": [ + { + "config": { + "data": { + "aopts": { + "variant": "Enum : id,d or i", + "memory": "int", + "iterations": "int", + "parallelism": "int" + }, + "bytes": "String", + "snonce": "String", + "asalt": "String", + "sbox": "String", + "password": "String" + }, + "type": "Enum: argon2sbox or unlocked. If unlocked is defined then config data is required. " + }, + "privateKey": "String", + "privateKeyPath": "Path", + "azureVaultPrivateKeyId": "String", + "azureVaultPrivateKeyVersion": "String", + "publicKey": "String", + "publicKeyPath": "Path", + "azureVaultPublicKeyId": "String", + "azureVaultPublicKeyVersion": "String", + "hashicorpVaultSecretEngineName": "String", + "hashicorpVaultSecretName": "String", + "hashicorpVaultSecretVersion": "Integer (defaults to 0 (latest) if not set)", + "hashicorpVaultPrivateKeyId": "String", + "hashicorpVaultPublicKeyId": "String" + } + ] + }, + "alwaysSendTo": [ + "String..." 
+ ], + "unixSocketFile": "Path", + "features": { + "enableRemoteKeyValidation": false + }, + "encryptor": { + "type": "Enumeration: NACL, EC", + "properties":{ + "symmetricCipher":"String (defaults to AES/GCM/NoPadding if type = EC)", + "ellipticCurve": "String (defaults to secp256r1 if type = EC)", + "nonceLength": "String (defaults to 24 if type = EC)", + "sharedKeyLength": "String (defaults to 32 if type = EC)" + } + } +} +``` diff --git a/docs/Privacy/Tessera/Configuration/Using CLI to override config.md b/docs/Privacy/Tessera/Configuration/Using CLI to override config.md index 15d1be27d..3f3534d15 100644 --- a/docs/Privacy/Tessera/Configuration/Using CLI to override config.md +++ b/docs/Privacy/Tessera/Configuration/Using CLI to override config.md @@ -1,4 +1,4 @@ -CLI options can be used to add to, or override, configuration defined in a `configfile`. +CLI options can be used to add to, or override, configuration defined in a `configfile` or for `keygen`. Standard Tessera CLI options are prefixed with a single hyphen (e.g. `-configfile `), whilst the config override options are prefixed with a double hyphen (e.g. `--alwaysSendTo `). Use `tessera help` to see a complete list of CLI options. 
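Review bot: the v0.10.2 sample settings do not include the AWS Secrets Manager configuration that Keys.md documents in this series (the `keyVaultConfig` block with `"keyVaultConfigType": "AWS"` and the `awsSecretsManagerPublicKeyId`/`awsSecretsManagerPrivateKeyId` entries in `keyData`), and still show only the provider-specific `azureKeyVaultConfig`/`hashicorpKeyVaultConfig` keys; add the AWS entries or state which form applies to each vault. Also, the link `../Configuration Overview#supporting-alternative-curves-in-tessera` has an unencoded space and the wrong anchor for the heading `### Encryptor - Supporting alternative curves in Tessera` (the later Keys.md commits use `#encryptor-supporting-alternative-curves-in-tessera`), and the fence under "e.g." is untagged while the sample uses ```json. In the "Using CLI to override config" hunk that follows, "configuration defined in a `configfile` or for `keygen`" is ungrammatical; suggest "configuration defined in a `configfile`, and can also be passed to `-keygen`".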
@@ -45,3 +45,16 @@ then Tessera will be started with the following equivalent configuration: } ``` As demonstrated in this example, in certain cases multiple values can be provided by repeating the CLI option. This is supported for the `peer.url`, `alwaysSendTo`, `server.sslConfig.serverTrustCertificates` and `server.sslConfig.clientTrustCertificates` options. + +If you want to generate a key with alternative curve other than default NaCl, use the `encryptor.type` override as follows: + +``` +tessera -keygen --encryptor.type EC +``` +The override could also be used to override the value in the config file +``` +tessera -configfile --encryptor.type EC +``` + +!!! info + Please note with the above config, the default curve properties will be used. To update properties such as using a different curve or length, etc... please use the config file - click [here](../Tessera v0.10.2 sample settings) for sample diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md b/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md index 9c49819fb..12468a9b9 100644 --- a/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Keys.md @@ -1,5 +1,5 @@ ## Generating keys - + Key generation can be used in multiple ways: 1. Generate a key pair and save in new files `.pub` and `.key`: 
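Review bot: "generate a key with alternative curve other than default NaCl" conflates two things: NaCl is the default encryptor type, not a curve. Suggest "generate a key for an encryptor type other than the default NaCl". It is also worth saying explicitly that a key generated with `--encryptor.type EC` can only be loaded by a node whose configuration (file or override) also sets `encryptor.type` to `EC`, since the override in the first example applies to the keygen run only. Minor: the info box link `[here](../Tessera v0.10.2 sample settings)` has unencoded spaces unlike the `%20` links elsewhere, and the two command fences are untagged where the prompt example in Keys.md uses ```bash.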
@@ -81,6 +81,11 @@ If you wish to generate an unlocked key, `/dev/null` can be used for stdin to te An updated `.json` configfile is printed to the terminal (or to a file if using the `-output` CLI option). No changes are made to the `config.json` file itself. +!!! note + By default the `-keygen` commands generate [NaCl](https://nacl.cr.yp.to/) compatible keys. + + As of Tessera v0.10.2, the `--encryptor.type=EC` CLI option can be provided to generate keys of different types. See [encryptor config](../../../Configuration/Configuration Overview/#encryptor-supporting-alternative-curves-in-tessera) for more details. + ## Securing private keys Generated private keys can be encrypted with a password. This is prompted for on the console during key generation. After generating password-protected keys, the password must be added to your configuration to ensure Tessera can read the keys. The password is not saved anywhere but must be added to the configuration else the key will not be able to be decrypted. @@ -126,3 +131,8 @@ Password update can be used in multiple ways. Running any of these commands wil tessera --keys.keyData.privateKeyPath --keys.keyData.config.data.aopts.algorithm --keys.keyData.config.data.aopts.iterations --keys.keyData.config.data.aopts.memory --keys.keyData.config.data.aopts.parallelism ``` All options have been overriden here but only the options you wish to alter from their defaults need to be provided. + +!!! note + By default the `-updatepassword` commands can be used to update the password of [NaCl](https://nacl.cr.yp.to/) compatible keys. + + As of Tessera v0.10.2, the `--encryptor.type=EC` CLI option can be provided to update keys of different types. See [encryptor config](../../../Configuration/Configuration Overview/#encryptor-supporting-alternative-curves-in-tessera) for more details. From 52977dffb8c0c06803109505e3427641ae9f58f8 Mon Sep 17 00:00:00 2001 
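Review bot: the CLI syntax differs between these two notes (`--encryptor.type=EC`) and the "Using CLI to override config" page (`--encryptor.type EC`); pick one form or state that both are accepted. The second note, "By default the `-updatepassword` commands can be used to update the password of NaCl compatible keys", reads oddly; suggest "By default `-updatepassword` assumes NaCl compatible keys; pass `--encryptor.type=EC` to update EC keys". The unchanged line above it still has "overriden" (should be "overridden"), and the first hunk changes only trailing whitespace on a blank line, which is fine but worth a word in the commit message.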
From: Mihailescu Ionut Emanuel Date: Fri, 10 Jan 2020 09:06:52 +0200 Subject: [PATCH 13/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index b2efc9aba..eaa07f6b1 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -19,7 +19,12 @@ You can use existing private/public key pairs as well as use Tessera to generate "tlsKeyStorePath": "Path", "tlsTrustStorePath": "Path" }, - "awsKeyVaultConfig":{ + "keyVaultConfig": { + "keyVaultConfigType": "AWS", + "properties": { + "endpoint": "Url" + } + }, "endpoint": "Url" } "keyData": [ From 1ae7b23f9d7e0e5afe5544834688b016ef5b2bb3 Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Fri, 10 Jan 2020 09:07:05 +0200 Subject: [PATCH 14/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index eaa07f6b1..e00da1050 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -232,7 +232,6 @@ The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This r ```json "keys": { "awsKeyVaultConfig":{ - "endpoint": "https://secretsmanager.us-west-2.amazonaws.com" }, "keyData": [ { From 93d4e2c7f06fc9f9b99b2a9a80ecf80d79a9e229 Mon Sep 17 00:00:00 2001 
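Review bot: after PATCH 13 the example JSON near line 19 of Keys.md is malformed: the old `"endpoint": "Url"` line and its closing `}` are left dangling below the new `keyVaultConfig` block, and PATCH 14 then empties the `awsKeyVaultConfig` example at line 232 before the remaining commits remove the leftovers one line at a time. Squash commits 13 to 18 into one so that every revision of Keys.md in the history contains examples that parse. Also, the new generic `keyVaultConfig`/`"keyVaultConfigType": "AWS"` shape sits directly under the `tlsKeyStorePath`/`tlsTrustStorePath` block, which the sample settings page lists under the provider-specific `hashicorpKeyVaultConfig`; state whether the older provider-specific keys remain valid alongside the generic form, or convert the whole example to one style.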
From: Mihailescu Ionut Emanuel Date: Fri, 10 Jan 2020 09:07:12 +0200 Subject: [PATCH 15/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index e00da1050..cc3dc527a 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -26,7 +26,6 @@ You can use existing private/public key pairs as well as use Tessera to generate } }, "endpoint": "Url" - } "keyData": [ { // The data for a private/public key pair From 7dd35f75d7509d3a369131c2a6770311591726ab Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Fri, 10 Jan 2020 09:07:24 +0200 Subject: [PATCH 16/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index cc3dc527a..f77d6e1c8 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -231,7 +231,6 @@ The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This r ```json "keys": { "awsKeyVaultConfig":{ - }, "keyData": [ { "awsSecretsManagerPublicKeyId": "secretIdPub", From dd6eb12d903105a0977166b97cee90300b668e51 Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Fri, 10 Jan 2020 09:07:38 +0200 Subject: [PATCH 17/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index f77d6e1c8..5f09903e1 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -25,7 +25,6 @@ You can use existing private/public key pairs as well as use Tessera to generate "endpoint": "Url" } }, - "endpoint": "Url" "keyData": [ { // The data for a private/public key pair From 70a99e06c8fc69bafbdb9dcd5a29938b3cac000d Mon Sep 17 00:00:00 2001 From: Mihailescu Ionut Emanuel Date: Fri, 10 Jan 2020 09:07:49 +0200 Subject: [PATCH 18/18] Update docs/Privacy/Tessera/Configuration/Keys.md Co-Authored-By: chris-j-h <39617426+chris-j-h@users.noreply.github.com> --- docs/Privacy/Tessera/Configuration/Keys.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index 5f09903e1..3271bec67 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -229,7 +229,12 @@ Tessera requires TLS certificates and keys to be stored in `.jks` Java keystore The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys. The endpoint is optional as the _AWS SDK_ can fallback to its inbuilt property retrieval chain (e.g. using the environment variable `AWS_REGION` or `~/.aws/config` file - see [the AWS docs](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html) for similar behaviour explained in the context of credentials): ```json "keys": { - "awsKeyVaultConfig":{ + "keyVaultConfig": { + "keyVaultConfigType": "AWS", + "properties": { + "endpoint": "https://secretsmanager.us-west-2.amazonaws.com" + } + }, "keyData": [ { "awsSecretsManagerPublicKeyId": "secretIdPub",
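Review bot: the reworded sentence explains that the endpoint is optional because the SDK falls back to its property retrieval chain (`AWS_REGION` or `~/.aws/config`), but the link it cites is the SDK credentials guide, described as "similar behaviour"; link the SDK region-selection documentation instead, or drop the link, so readers do not take credentials configuration to be what selects the endpoint. The example in this hunk pins the endpoint to `https://secretsmanager.us-west-2.amazonaws.com`; add a sentence noting that the secrets named in `keyData` (`secretIdPub`, `secretIdKey`) must exist in that region. The `keyData` entries keep the `awsSecretsManager*` prefix while the vault block is now the generic `keyVaultConfig`, which is consistent with the other providers, so no change needed there.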