From 094a9be8384f3a987669d09349103466ae0f9470 Mon Sep 17 00:00:00 2001 From: Tiago Brenck Date: Thu, 17 Oct 2019 14:57:53 -0700 Subject: [PATCH 1/2] Added steps explaining token cache on distributed environment --- 6-Deploy-to-Azure/README.md | 79 ++++++++++++++++++++++++++++++++++++- 1 file changed, 78 insertions(+), 1 deletion(-) diff --git a/6-Deploy-to-Azure/README.md b/6-Deploy-to-Azure/README.md index 02496578..c82f6b94 100644 --- a/6-Deploy-to-Azure/README.md +++ b/6-Deploy-to-Azure/README.md 
@@ -52,7 +52,84 @@ In the left-hand navigation pane, select the **Azure Active Directory** service, Secure key management is essential to protect data in the cloud. Use [Azure Key Vault](https://azure.microsoft.com/en-ca/services/key-vault/) to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). -You can follow [this sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet) as a guide on how to use Azure KeyVault from App Service with Managed Service Identity (MSI). +You can follow [this sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet) as a guide on how to use Azure Key Vault from App Service with Managed Service Identity (MSI). + +## MSAL token cache on distributed environments + +The samples in this tutorial have their token cache providers configured for apps running on a single machine. On production environment, these apps could be deployed in many machines for scalability purpose, so the token cache provider needs to be configured accordingly to this distributed architecture. 
+ +These are the necessary changes for each cache provider option: + +### In memory + +If you want to use in memory cache, use this configuration on `Startup.cs`: + +```csharp +services.AddDistributedTokenCaches() +.AddDistributedMemoryCache(); +``` + +### Redis + +If you want to use distributed Redis cache, use this configuration on `Startup.cs`: + +```csharp +services.AddDistributedTokenCaches() +.AddStackExchangeRedisCache(options => +{ + options.Configuration = ""; + options.InstanceName = ""; +}); +``` + +### SQL Server + +There are two options for distributed SQL cache: + +- [using .Net Core distributed cache extensions](https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-2.2) +- [configuring DataProtection for distributed environments](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2) + +#### If you want to use .Net Core distributed cache extensions + +Create the cache database by running the CLI (change the parameters according to your configurations) + +```csharp +dotnet sql-cache create "" dbo +``` + +Then use this configuration on `Startup.cs`: + +```csharp +services.AddDistributedTokenCaches() +.AddDistributedSqlServerCache(options => +{ + options.ConnectionString = ""; + options.SchemaName = "dbo"; + options.TableName = ""; +}); +``` + +#### If you want to configure `DataProtection` for distributed environments + +You have to configure the key ring storage to a centralized location. It could be in [Azure Key Vault](https://azure.microsoft.com/services/key-vault/) or on a [UNC share](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsc/149a3039-98ce-491a-9268-2f5ddef08192). + +> **Note**: If you change the key persistence location, the system no longer automatically encrypts keys at rest. 
It is recommended that you use one of the ProtectKeysWith* methods listed [in this doc](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2). + +For Azure Key Vault, configure the system with [PersistKeysToAzureBlobStorage](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.azuredataprotectionbuilderextensions.persistkeystoazureblobstorage?view=aspnetcore-2.2) (also consider using [ProtectKeysWithAzureKeyVault](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.azuredataprotectionbuilderextensions.protectkeyswithazurekeyvault)) in the `Startup` class: + +```csharp +services.AddDataProtection() +.PersistKeysToAzureBlobStorage(""); +``` + +> **Note**: Your app must have **Unwrap Key** and **Wrap Key** permissions to the Azure Key Vault. + +For UNC share, configure the system with [PersistKeysToFileSystem](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.persistkeystofilesystem) (also consider using [ProtectKeysWithCertificate](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.protectkeyswithcertificate?view=aspnetcore-2.2)) in the `Startup` class: + +```csharp +services.AddDataProtection() +.PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\")); +``` ## Community Help and Support From 400e28db701b9d9ac0088d77d3710ad8785513da Mon Sep 17 00:00:00 2001 From: Tiago Brenck Date: Wed, 23 Oct 2019 15:08:38 -0700 Subject: [PATCH 2/2] Addressed PR reviews --- 6-Deploy-to-Azure/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/6-Deploy-to-Azure/README.md b/6-Deploy-to-Azure/README.md index c82f6b94..3ebc3f19 100644 --- a/6-Deploy-to-Azure/README.md +++ b/6-Deploy-to-Azure/README.md 
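Review bot: In the PATCH 1/2 hunk, the paragraph "For Azure Key Vault, configure the system with PersistKeysToAzureBlobStorage" mixes up two different things: `PersistKeysToAzureBlobStorage("")` stores the key ring in Blob Storage, the only Key Vault call is the parenthetical "also consider ProtectKeysWithAzureKeyVault", and yet the note right below it says "Your app must have **Unwrap Key** and **Wrap Key** permissions to the Azure Key Vault", which only holds once `ProtectKeysWithAzureKeyVault` is actually chained onto the builder. Since the earlier note already warns that changing the persistence location stops automatic encryption of keys at rest, the snippets should show `ProtectKeysWithAzureKeyVault` (and `ProtectKeysWithCertificate` for the UNC share) as part of the configuration rather than as an aside, and the paragraph should be titled as Blob Storage persistence with Key Vault key protection; otherwise the key ring that protects every cached token sits in plaintext in the blob or on the share, readable by anyone with read access to it. Three smaller points in the same hunk: `AddDistributedMemoryCache()` is per-process memory that is not shared between machines, so under a heading about distributed environments it needs to be labelled as a single-instance or development-only option; the "two options for distributed SQL cache" list pairs a cache store (the SQL distributed cache) with the DataProtection key ring location, which concerns the Redis and SQL options alike whenever cache entries are protected with DataProtection, so the DataProtection material reads better as its own subsection than as a second SQL option; and the `dotnet sql-cache create "" dbo` block is tagged `csharp` although it is a CLI command (tag it as a console or shell block), as rendered shows no table-name argument matching the `options.TableName = ""` that follows, and, like the Redis `Configuration` and SQL `ConnectionString` placeholders, would be clearer with named placeholders such as `"<connection string>"` plus a sentence telling readers to load these values from configuration or the Key Vault described just above instead of putting literals in `Startup.cs`.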
@@ -52,11 +52,11 @@ In the left-hand navigation pane, select the **Azure Active Directory** service, Secure key management is essential to protect data in the cloud. Use [Azure Key Vault](https://azure.microsoft.com/en-ca/services/key-vault/) to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). -You can follow [this sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet) as a guide on how to use Azure Key Vault from App Service with Managed Service Identity (MSI). +Use [this sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet) as a guide on how to use Azure Key Vault from App Service with Managed Service Identity (MSI). ## MSAL token cache on distributed environments -The samples in this tutorial have their token cache providers configured for apps running on a single machine. On production environment, these apps could be deployed in many machines for scalability purpose, so the token cache provider needs to be configured accordingly to this distributed architecture. +The samples in this tutorial have their token cache providers configured for apps running on a single machine. On a production environment, these apps could be deployed in many machines for scalability purpose, so the token cache provider needs to be configured accordingly for this distributed architecture. These are the necessary changes for each cache provider option: @@ -71,7 +71,7 @@ services.AddDistributedTokenCaches() ### Redis -If you want to use distributed Redis cache, use this configuration on `Startup.cs`: +If you want to use a distributed Redis cache, use this configuration on `Startup.cs`: ```csharp services.AddDistributedTokenCaches()
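Review bot: In the first PATCH 2/2 hunk (`@@ -52,11 +52,11 @@`), the reworded sentence still has grammar slips: "On a production environment" should be "In a production environment", "for scalability purpose" should be "for scalability purposes", and "configured accordingly for this distributed architecture" reads more naturally as "configured for this distributed architecture". The unchanged context line "Managed Service Identity (MSI)" uses the older product name; current Azure documentation calls the feature managed identities for Azure resources, so consider "with a managed identity (formerly Managed Service Identity, MSI)" while keeping the sample link as is.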