How to access encrypted key value using reference (ref)

Hello,

I am not able to access the encrypted key value map using a variable. Below is the code I am using in the policy. Any help is appreciated.

NOT WORKING (Encrypted Key Value Map):

<Get assignTo="private.privKey">
<Key>
	<Parameter ref="privKey.variable"/>
</Key>
</Get>

privKey.variable is a custom variable which holds the key name (privKey).

privKey is the Key name and Value of the key is encrypted.


WORKING (NON Encrypted Key Value Map):

<Get assignTo="private.privKey">
<Key>
	<Parameter ref="privKey.variable"/>
</Key>
</Get>


WORKING (Encrypted Key Value Map):

<Get assignTo="private.privKey">
<Key>
	<Parameter>privKey</Parameter>
</Key>
</Get>


But the same code is working if the value is not encrypted.


Thank you!

1 ACCEPTED SOLUTION

It's hard for me to know what's wrong, looking only at the fragments you are showing. Those look correct, as far as they go. But there are many other details, and if any of those other details are not correct, then you may see the behavior you do not understand, or behavior you are not expecting.

In particular,

  • if you use KVM Get or Put, using a large cache lifetime, then a KVM Get may retrieve the cached value, even if you have updated the value via the administrative UI or API.
  • if you use the incorrect mapName attribute.
  • if your key variable is not exactly as you expect.

My advice to you is to check through all the details carefully.

I've put together an example API proxy in case it helps, attached here. It does PUT and GET with fixed and variable (referenced) keys. It works as you would expect. (It depends on an encrypted KVM map named "secrets" in your environment.)

apiproxy-kvm-try-20210419-174111.zip

example run:

$ curl -i -X POST $endpoint/kvm-try/fixed-key -d value=your-choice-here
HTTP/1.1 204 No Content
Date: Tue, 20 Apr 2021 00:38:29 GMT
Connection: keep-alive
apiproxy: kvm-try r5



$ curl -i -X GET $endpoint/kvm-try/key-variable
HTTP/1.1 200 OK
Date: Tue, 20 Apr 2021 00:38:36 GMT
Content-Type: text/plain
Content-Length: 16
Connection: keep-alive
apiproxy: kvm-try r5


your-choice-here


$ curl -i -X GET $endpoint/kvm-try/fixed-key
HTTP/1.1 200 OK
Date: Tue, 20 Apr 2021 00:38:41 GMT
Content-Type: text/plain
Content-Length: 16
Connection: keep-alive
apiproxy: kvm-try r5


your-choice-here



4 REPLIES

Thank you so much for the detailed explanation. Really appreciate your quick response and help.


It is working now. But I didn't fix anything. I am kind of confused. Below are the steps I followed to troubleshoot for more details.

Created a new encrypted KVM with a new key name and updated the Assign Message Policy variable name. When I made this change it worked.

Then I switched back to the original code and tested. Now it is working like a miracle.

As you mentioned about the cache, I have set the ExpiryTimeInSecs to 2 and tested after 30 mins, to make sure it's not cached. Also, I have added a JavaScript to print the actual encrypted value; it is printing correctly now, whereas earlier it was printing null.

"It is working now. But I didn't fix anything."

The cause of this phenomenon is likely, as you guessed, the cache. As you waited, the cache expired, and subsequently it was filled with the expected value.

If you update the KVM value with the UI, it does not affect the cache. You can write to the KVM with the UI and if your proxy performed a prior GET, with a TTL of 86400 seconds (1 day), then your proxy will not see the updates you made via the UI, for a full day.

The way to flush the cache is with a KVM PUT policy. In other words, write to the KVM from within the runtime, not via the administrative layer.

Anyway I'm glad it's working for you.
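
The three details listed in the accepted answer (cache lifetime, which map is read, and the key variable) and the PUT-based cache refresh described above, put together as policy XML. This is an added example, not part of the original posts or the attached proxy: the policy names and the 300-second lifetime are assumptions, while the map name "secrets", the variable names and the `value` form parameter come from the thread.

```xml
<!-- Added example: three separate policy files shown together.
     Policy names and the 300-second lifetime are constructed for illustration. -->

<!-- 1. AssignMessage: put the key NAME into the variable the KVM policy reads.
     A stray space or different case here makes the lookup miss. -->
<AssignMessage name="AM-Set-Key-Name">
  <AssignVariable>
    <Name>privKey.variable</Name>
    <Value>privKey</Value>
  </AssignVariable>
</AssignMessage>

<!-- 2. KeyValueMapOperations GET against the encrypted map "secrets". -->
<KeyValueMapOperations name="KVM-Get-Secret" mapIdentifier="secrets">
  <Scope>environment</Scope>
  <!-- Cached reads live this long. As described in the thread, edits made
       through the UI or API are not seen until the entry expires. -->
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
  <!-- Encrypted map: the destination variable carries the private. prefix.
       The key reference itself needs no prefix. -->
  <Get assignTo="private.privKey">
    <Key>
      <Parameter ref="privKey.variable"/>
    </Key>
  </Get>
</KeyValueMapOperations>

<!-- 3. KeyValueMapOperations PUT: writing from inside the runtime is what
     refreshes the cached entry, per the reply above. -->
<KeyValueMapOperations name="KVM-Put-Secret" mapIdentifier="secrets">
  <Scope>environment</Scope>
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
  <Put override="true">
    <Key>
      <Parameter ref="privKey.variable"/>
    </Key>
    <!-- Matches the curl call in the example run: -d value=... -->
    <Value ref="request.formparam.value"/>
  </Put>
</KeyValueMapOperations>
```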


You need to try as below for encrypted KVM.

<Get assignTo="private.privKey">
<Key>
	<Parameter ref="variable"/>
</Key>
</Get>

Your parameter doesn't need to have private in reference. Only the value you assign to is private.