Jaa


Manage encrypted data in Windows Azure Pack

 

Applies To: Windows Azure Pack

Windows Azure Pack for Windows Server uses encryption algorithms, encryption keys, and passwords to secure communications between the databases and users in the management portal. This data is stored in two or three locations.

In order to protect the security of your data, you need to change or rotate the data on a regular basis. When you change data in one location, you need to change it in all locations.

We provide a spreadsheet listing all of the encryption algorithms, keys, and passwords and their stored locations. This spreadsheet also contains information on how to change each data point. You can access the spreadsheet in the Windows Azure Pack technical documentation package (https://go.microsoft.com/fwlink/?LinkId=329811) available from the Microsoft Download Center. Click Download, select the WAPv1_encryption.xsl file, and then click Next to start downloading the file.

You can also use the Best Practice Analyzer for Windows Azure Pack to verify the security of your data. For information about the Best Practice Analyzer, see Scan components of Windows Azure Pack.

Use the following information to manage your encrypted data:

  • Changing a database password

  • Rotating encrypted data related to machine key

  • Rotating encryption algorithms and keys

  • Changing the Usage Admin API password

  • Changing passwords related to resource providers

  • Changing the password related to Service Reporting

Changing a database password

There are several databases in Windows Azure Pack, each of which has a database password. Use the following steps to rotate the database passwords:

To rotate a database password

  1. Obtain a new password. Run the following cmdlet:

    $password = New-MgmtSvcPassword –Length 64
    
  2. Use the data in the spreadsheet to find and rotate the database password in the first location. For example, if you are rotating the database password for the Admin API, the first location is the Secret config store (check column C for Location 1).

    Run the following cmdlet to change the password:

    Set-MgmtSvcDatabaseSetting <Service>  <Secret>  $password -Server <Server> -Passphrase <Passphrase> -Database “Microsoft.MgmtSvc.Config” -Force
    
  3. Next, locate the third location for the database password and rotate the database password. Using the example above, for the Admin API database password, this is the SQL Server security login (check column G for Location 3).

    Run the following cmdlet:

    Set-MgmtSvcDatabaseUser -Server <Server> -Database <Database> -Schema <Schema> -User <User> -UserPassword $password
    
  4. Finally, locate the second location for the database password and rotate the password. Again for the Admin API database password, this is the web.config connection string (check column E for Location 2).

    Run the following cmdlets:

    $setting = Get-MgmtSvcDatabaseSetting <Service> <Secret> -Server <Server> -Passphrase <Passphrase>
    $connectionString = Get-MgmtSvcSetting $namespace <ConnectionString>
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($connectionString.Value)
    $builder.Password = $setting.Value
    Set-MgmtSvcSetting <Service> <ConnectionString> $builder.ConnectionString
    

Decryption and validation settings and keys for the Admin API, management portal for administrators (AdminSite), authentication site (AuthSite), management portal for tenants (TenantSite), and Windows authentication site (WindowsAuthSite) are stored using the machine key. Use the following steps to rotate this data.

  1. Obtain a new machine key. The following example gets a new machine key for machineKey.decrytpion for the Admin API service. You can use these steps to change other values of machine key.

    Run the following cmdlets to obtain a new machine key:

    $machineKey = New-MgmtSvcMachineKey
    $decryption = $machineKey.Attribute('decryption').Value
    
  2. Use the data in the spreadsheet to find the first location for machineKey.decryption. For the Admin API service, this is the Secret Config Store.

    Run the following cmdlet to change the machineKey.decryption setting:

    Set-MgmtSvcDatabaseSetting <Service> "machineKey.decryption" $decryption -Server <Server> -Passphrase <Passphrase> -Force
    
  3. Locate the second location for the machineKey.decryption. For the Admin API service, this is the web.config machineKey section.

    Run the following cmdlets to change the machineKey.decryption setting:

    $decryption = Get-MgmtSvcDatabaseSetting <Service> “machineKey.decryption” –Server <Server> -Passphrase <Passphrase>
    Set-MgmtSvcSetting <Service> "machineKey.decryption" $decryption.Value
    

Rotating encryption algorithms and keys

Use the following steps to rotate encryption algorithms and encryption keys.

To rotate encryption algorithms and encryption keys

  1. Obtain a new machine key. The following example gets a new machine key for the Notification encryption algorithm and key for the Admin site. You can use these steps to change other encryption algorithms and keys.

    Note

    The same keys are used for both encrypting and decrypting. So they can be considered both encryption or decryption keys, depending on the operation performed. Because of this, we use the decryption value below, although the key that you are rotating is the encryption key.

    Run the following cmdlets to obtain a new machine key:

    $machineKey = New-MgmtSvcMachineKey
    $encryption = $machineKey.Attribute('decryption').Value
    $encryptionKey = $machineKey.Attribute('decryptionKey').Value
    
  2. Use the data in the spreadsheet to find the first location for the encryption algorithm or key. For the Notification encryption algorithm and key for the Admin site, this is the Secret Config Store.

    Run the following cmdlets to change the encryption algorithm and key:

    Set-MgmtSvcDatabaseSetting <Service> "NotificationEncryptionAlgorithm " $encryption -Server <Server> -Passphrase <Passphrase> -Force
    Set-MgmtSvcDatabaseSetting <Service> "EncryptionKey " $encryptionKey -Server <Server> -Passphrase <Passphrase> -Force
    
  3. Locate the second location for the encryption algorithm or key. For the Notification encryption algorithm and key for the Admin site, this is the web.config app settings section.

    Run the following cmdlets to change the encryption algorithm and key:

    $encryption = Get-MgmtSvcDatabaseSetting <Service> “NotificationEncryptionAlgorithm” –Server <Server> -Passphrase <Passphrase>
    Set-MgmtSvcSetting <Service> "NotificationEncryptionAlgorithm" $encryption.Value
    $encryptionKey = Get-MgmtSvcDatabaseSetting <Service> “EncryptionKey” –Server <Server> -Passphrase <Passphrase>
    Set-MgmtSvcSetting <Service> "EncryptionKey" $encryptionKey.Value
    

Changing the Usage Admin API password

Unlike the passwords used by resource providers (which are described in the next section), the password for the Usage Admin API is stored in the Secret Config store and the web.config app settings section. Use the following steps to change the Usage Admin API password.

To rotate the Usage Admin API password

  1. Obtain a new password. Run the following cmdlet:

    $password = New-MgmtSvcPassword
    
  2. Change the password in the first location, the Secret Config store. Run the following cmdlet:

    Set-MgmtSvcDatabaseSetting <Service>  <Secret>  $password -Server <Server> -Passphrase <Passphrase> -Force
    
  3. Change the password in the second location, the web.config app settings section. Run the following cmdlets:

    $setting = Get-MgmtSvcDatabaseSetting <Service> <Secret> -Server <Server> -Passphrase <Passphrase>
    Set-MgmtSvcSetting <Service> <Secret> $setting.Value
    

Use the following information to rotate the passwords for the Monitoring, MySQL, SQL Server, and Usage resource providers.

To rotate resource provider passwords

  1. Obtain a new password for the resource provider. Run the following cmdlet:

    $password = New-MgmtSvcPassword
    
  2. Change the password in the first location. Run the following cmdlet:

    Set-MgmtSvcDatabaseSetting <Service> “Password” $pw -Server <Server> -Passphrase <Passphrase> -Force
    
  3. Change the password in the third location.

    Note

    For the Monitoring service, the password is called “MonitoringRestBasicAuthKnownPassword”. For the other resource providers, the password is called “Password.”

    Run the following cmdlet:

    Set-MgmtSvcSetting <Service>  “Password” $pw -Encode
    
  4. Change the password in the second location.

    Note

    The following cmdlets change the password for all four endpoints, but not all resource providers have all of these endpoints. Look at the results of $rp to identify the endpoints for each resource provider, and then adjust the AuthenticationPassword values appropriately.

    Run the following cmdlets:

    $rp = Get-MgmtSvcResourceProviderConfiguration <Resource Provider Name> -DecryptPassword
    $rp.AdminEndpoint.AuthenticationPassword = $pw
    $rp.TenantEndpoint.AuthenticationPassword = $pw
    $rp.UsageEndpoint.AuthenticationPassword = $pw
    $rp.NotificationEndpoint.AuthenticationPassword = $pw
    Add-MgmtSvcResourceProviderConfiguration $rp -Force
    

If you are using Service Reporting with Windows Azure Pack, then you must update the password in the SQL VMs for Service Reporting when you change the password for the Usage service.

Use the following steps to reset the password.

To change the SQL VM passwords for Service Reporting

  1. On the VM where you have installed the SQL database that supports Service Reporting, insure that the Service Reporting SQL agent job is not running. Use the following steps to view the status of the job:

    1. Connect to the <prefix>-DW-SQL\CPSDW database instance.

    2. In the Object Explorer, expand SQL Server Agent.

    3. Click Jobs.

    4. On the View tab, click Object Explorer Details.

      Check the Status column to see whether the agent job is running.

  2. Service Reporting includes a script that you can run to change the password. Run the following cmdlet from a PowerShell command prompt to run this script.

    \\<Service reporting host>\ServiceReporting\Maintenance\PostDeploymentConfig.ps1 -User UsageClient –Password $newPassword