Question

In the "Operation Log" on the Windows Azure Management Portal I've seen the operation "AddCertificates". In the details I can see the pfx certificate in base64 format and the password in plain text.

I think that it is not right to store certificates and passwords in the log.

How can I disable this functionality?

UPD: log entry from the operation log

<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <OperationId>7b52fbab-3cfe-40b4-9910-02d26d575503</OperationId>
    <OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
    <OperationName>AddCertificates</OperationName>
    <OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
        <OperationParameter>
            <d2p1:Name>subscriptionID</d2p1:Name>
            <d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>serviceName</d2p1:Name>
            <d2p1:Value>MyServiceName</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>input</d2p1:Name>
            <d2p1:Value><?xml version="1.0" encoding="utf-16"?><CertificateFile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
                <Data>**BASE64CertificateData**</Data>
                <CertificateFormat>pfx</CertificateFormat>
                <Password>**PLAIN_PASSWORD**</Password></CertificateFile></d2p1:Value>
        </OperationParameter>
    </OperationParameters>
    <OperationCaller>
        <UsedServiceManagementApi>true</UsedServiceManagementApi>
        <SubscriptionCertificateThumbprint>THUMBPRINT</SubscriptionCertificateThumbprint>
        <ClientIP>95.221.82.19</ClientIP>
    </OperationCaller>
    <OperationStatus>
        <ID>7b52fbab-3cfe-40b4-9910-02d26d575503</ID>
        <Status>Succeeded</Status>
        <HttpStatusCode>200</HttpStatusCode>
    </OperationStatus>
    <OperationStartedTime>2013-03-16T04:45:41Z</OperationStartedTime>
    <OperationCompletedTime>2013-03-16T04:45:44Z</OperationCompletedTime>
</SubscriptionOperation>

Solution

Alexey, you are right that the operation log does show the PFX password in clear text. Also, when deploying a certificate over PS, the password is also in plain text, even when the communication channel is encrypted over SSL, similar to the below:

HTTP Method:
POST

Absolute Uri:
https://management.core.windows.net/*****/services/hostedservices/avkashnewpass/certificates

Headers:
x-ms-version                  : 2012-12-01
x-ms-client-id                : ***********
User-Agent                    : Windows Azure Powershell/v.0.6.11

Body:
 <?xml version="1.0" encoding="utf-16"?>
 <CertificateFile xmlns="http://schemas.microsoft.com/windowsazure"
    xmlns:i="http://www.w3.org/2001/XMLSchema-instance">

   <Data>*************************************</Data>
   <CertificateFormat>pfx</CertificateFormat>
   <Password>clear_text_password</Password>
 </CertificateFile>

I have taken your feedback and provided it to the proper folks who can address it properly.

OTHER TIPS

In the new version of the Management Portal, the Azure Team has already fixed this bug.

Now the log entry looks like this:

<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <OperationId>7e28942a-457b-4362-8fb5-f671e415cb4f</OperationId>
    <OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
    <OperationName>AddCertificates</OperationName>
    <OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
        <OperationParameter>
            <d2p1:Name>subscriptionID</d2p1:Name>
            <d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>serviceName</d2p1:Name>
            <d2p1:Value>MyServiceName</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>input</d2p1:Name>
            <d2p1:Value i:nil="true" />
        </OperationParameter>
    </OperationParameters>
    <OperationCaller>
        <UsedServiceManagementApi>true</UsedServiceManagementApi>
        <SubscriptionCertificateThumbprint>1B1745A3F688994E4310025E6AC8502319142D0E</SubscriptionCertificateThumbprint>
        <ClientIP>91.103.66.206</ClientIP>
    </OperationCaller>
    <OperationStatus>
        <ID>7e28942a-457b-4362-8fb5-f671e415cb4f</ID>
        <Status>Succeeded</Status>
        <HttpStatusCode>200</HttpStatusCode>
    </OperationStatus>
    <OperationStartedTime>2013-03-18T02:24:50Z</OperationStartedTime>
    <OperationCompletedTime>2013-03-18T02:24:53Z</OperationCompletedTime>
</SubscriptionOperation>

Thanks!
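
Added example, not part of the original question or answers: a check over exported operation log entries that flags records still carrying the PFX `Data` or `Password` in the `input` parameter (the first log format above) and masks them before the log is stored or shared. The function names and both sample entries are constructed for illustration; the regex approach is used because the entry as displayed embeds an unescaped inner XML document that a strict XML parser would reject.

```python
import re

MASK = "[REDACTED]"

# <Password>...</Password> and <Data>...</Data>, whether raw or XML-escaped.
SECRET = re.compile(
    r"(?P<open>(?:<|&lt;)(?P<tag>Password|Data)(?:>|&gt;))"
    r"(?P<body>.*?)"
    r"(?P<close>(?:<|&lt;)/(?P=tag)(?:>|&gt;))",
    re.DOTALL,
)

def field(entry, name):
    """Text of the first <name>...</name> element, or None."""
    m = re.search(r"<{0}>(.*?)</{0}>".format(name), entry, re.DOTALL)
    return m.group(1).strip() if m else None

def audit_entry(entry):
    """Report which secret-bearing fields one SubscriptionOperation entry exposes."""
    leaked = sorted({m.group("tag") for m in SECRET.finditer(entry)
                     if m.group("body").strip() not in ("", MASK)})
    return {"operation_id": field(entry, "OperationId"),
            "operation": field(entry, "OperationName"),
            "started": field(entry, "OperationStartedTime"),
            "leaked_fields": leaked}

def redact_entry(entry):
    """Mask Password and Data bodies, leaving the rest of the entry intact."""
    return SECRET.sub(lambda m: m.group("open") + MASK + m.group("close"), entry)

# Constructed samples modelled on the two log formats shown on this page.
EXPOSED = """<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure">
  <OperationId>00000000-0000-0000-0000-000000000001</OperationId>
  <OperationName>AddCertificates</OperationName>
  <d2p1:Name>input</d2p1:Name>
  <d2p1:Value><?xml version="1.0" encoding="utf-16"?><CertificateFile>
    <Data>QkFTRTY0</Data><CertificateFormat>pfx</CertificateFormat>
    <Password>example-password</Password></CertificateFile></d2p1:Value>
  <OperationStartedTime>2013-03-16T04:45:41Z</OperationStartedTime>
</SubscriptionOperation>"""
FIXED = """<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure">
  <OperationId>00000000-0000-0000-0000-000000000002</OperationId>
  <OperationName>AddCertificates</OperationName>
  <d2p1:Name>input</d2p1:Name>
  <d2p1:Value i:nil="true" />
  <OperationStartedTime>2013-03-18T02:24:50Z</OperationStartedTime>
</SubscriptionOperation>"""

if __name__ == "__main__":
    for entry in (EXPOSED, FIXED):
        print(audit_entry(entry))
```

An entry with `<d2p1:Value i:nil="true" />` reports no leaked fields, matching the fixed log format shown above.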

Licensed under: CC-BY-SA with attribution