Question

In the "Operation Log" on the Windows Azure Management Portal I've seen the operation "AddCertificates". In the details I can see the pfx certificate in base64 format and the password in plain text.

I think that it is not right to store certificates and passwords in the log.

How can I disable this functionality?

UPD: log entry from operation log

<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <OperationId>7b52fbab-3cfe-40b4-9910-02d26d575503</OperationId>
    <OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
    <OperationName>AddCertificates</OperationName>
    <OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
        <OperationParameter>
            <d2p1:Name>subscriptionID</d2p1:Name>
            <d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>serviceName</d2p1:Name>
            <d2p1:Value>MyServiceName</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>input</d2p1:Name>
            <d2p1:Value><?xml version="1.0" encoding="utf-16"?><CertificateFile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
                <Data>**BASE64CertificateData**</Data>
                <CertificateFormat>pfx</CertificateFormat>
                <Password>**PLAIN_PASSWORD**</Password></CertificateFile></d2p1:Value>
        </OperationParameter>
    </OperationParameters>
    <OperationCaller>
        <UsedServiceManagementApi>true</UsedServiceManagementApi>
        <SubscriptionCertificateThumbprint>THUMBPRINT</SubscriptionCertificateThumbprint>
        <ClientIP>95.221.82.19</ClientIP>
    </OperationCaller>
    <OperationStatus>
        <ID>7b52fbab-3cfe-40b4-9910-02d26d575503</ID>
        <Status>Succeeded</Status>
        <HttpStatusCode>200</HttpStatusCode>
    </OperationStatus>
    <OperationStartedTime>2013-03-16T04:45:41Z</OperationStartedTime>
    <OperationCompletedTime>2013-03-16T04:45:44Z</OperationCompletedTime>
</SubscriptionOperation>

Solution

Alexey, you are right that the operation log does show the PFX password in clear text. Also, when deploying a certificate over PS, the password is in plain text even when the communication channel is encrypted over SSL, similar to the below:

HTTP Method:
POST

Absolute Uri:
https://management.core.windows.net/*****/services/hostedservices/avkashnewpass/certificates

Headers:
x-ms-version                  : 2012-12-01
x-ms-client-id                : ***********
User-Agent                    : Windows Azure Powershell/v.0.6.11

Body:
 <?xml version="1.0" encoding="utf-16"?>
 <CertificateFile xmlns="http://schemas.microsoft.com/windowsazure"
    xmlns:i="http://www.w3.org/2001/XMLSchema-instance">

   <Data>*************************************</Data>
   <CertificateFormat>pfx</CertificateFormat>
   <Password>clear_text_password</Password>
 </CertificateFile>

I have taken your feedback and provided it to the proper folks who can address it properly.

Other tips

In the new version of the Management Portal the Azure Team has already fixed this bug.

Now the log entry looks like this:

<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <OperationId>7e28942a-457b-4362-8fb5-f671e415cb4f</OperationId>
    <OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
    <OperationName>AddCertificates</OperationName>
    <OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
        <OperationParameter>
            <d2p1:Name>subscriptionID</d2p1:Name>
            <d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>serviceName</d2p1:Name>
            <d2p1:Value>MyServiceName</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>input</d2p1:Name>
            <d2p1:Value i:nil="true" />
        </OperationParameter>
    </OperationParameters>
    <OperationCaller>
        <UsedServiceManagementApi>true</UsedServiceManagementApi>
        <SubscriptionCertificateThumbprint>1B1745A3F688994E4310025E6AC8502319142D0E</SubscriptionCertificateThumbprint>
        <ClientIP>91.103.66.206</ClientIP>
    </OperationCaller>
    <OperationStatus>
        <ID>7e28942a-457b-4362-8fb5-f671e415cb4f</ID>
        <Status>Succeeded</Status>
        <HttpStatusCode>200</HttpStatusCode>
    </OperationStatus>
    <OperationStartedTime>2013-03-18T02:24:50Z</OperationStartedTime>
    <OperationCompletedTime>2013-03-18T02:24:53Z</OperationCompletedTime>
</SubscriptionOperation>

Thanks!
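
An added example, not part of the original posts or of any Microsoft tooling: a Python check that reads one exported `SubscriptionOperation` entry, reports whether a recorded request body still carries `Password` or `Data` content, and redacts those elements before the entry is copied elsewhere. The sample entries are constructed, and the example assumes the nested request body is stored as escaped text inside `d2p1:Value`.

```python
import re
import xml.etree.ElementTree as ET

NS = {"a": "http://schemas.microsoft.com/windowsazure",
      "p": "http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement"}
XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"
REDACTED = "[REDACTED]"
SECRET_RE = re.compile(r"<(Password|Data)>(.*?)</\1>", re.S)
# Same elements in the escaped form used inside the outer log document (assumption).
ESCAPED_RE = re.compile(r"(&lt;(Password|Data)&gt;).*?(&lt;/\2&gt;)", re.S)


def audit_operation(xml_text):
    """Return (operation_name, leaked_tags) for one SubscriptionOperation entry."""
    root = ET.fromstring(xml_text)
    name = root.findtext("a:OperationName", default="", namespaces=NS)
    leaked = set()
    for param in root.iterfind(".//a:OperationParameter", NS):
        value = param.find("p:Value", NS)
        if value is None or value.get(XSI_NIL) == "true":
            continue  # fixed log format: the request body is not recorded
        body = "".join(value.itertext())  # parser has already unescaped it
        for m in SECRET_RE.finditer(body):
            if m.group(2).strip() not in ("", REDACTED):
                leaked.add(m.group(1))
    return name, sorted(leaked)


def redact(xml_text):
    """Blank secret-bearing elements so the entry can go into a ticket or SIEM."""
    return ESCAPED_RE.sub(r"\1" + REDACTED + r"\3", xml_text)


# Constructed sample entries, trimmed to the elements the check reads.
WRAP = """<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<OperationName>AddCertificates</OperationName>
<OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
<OperationParameter><d2p1:Name>input</d2p1:Name>%s</OperationParameter>
</OperationParameters></SubscriptionOperation>"""
LEAKY = WRAP % ("<d2p1:Value>&lt;CertificateFile&gt;&lt;Data&gt;QUJD&lt;/Data&gt;"
                "&lt;Password&gt;example-only&lt;/Password&gt;&lt;/CertificateFile&gt;</d2p1:Value>")
FIXED = WRAP % '<d2p1:Value i:nil="true" />'

if __name__ == "__main__":
    for label, entry in (("old format", LEAKY), ("new format", FIXED)):
        print(label, audit_operation(entry))
```

A PFX password that appeared in an entry of the old format should be treated as disclosed to anyone who could read the operation log, so the certificate is a candidate for reissue rather than only redaction.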

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow